BusyBox man Section Name Handling NULL Pointer Dereference Local DoS
BusyBox [1.33.0, 1.33.1], fixed in 1.34.0
The BusyBox toolkit implements a large number of Linux tools in a single executable and can even replace the Linux init system. Its small size and flexibility make it popular in embedded devices.
A NULL pointer dereference was found in the man
applet, which leads to denial of service when a section name is supplied but no page argument is given.
An attacker that controls man
command line arguments can trigger this issue.
No PoC is supplied for this issue
No vulnerability mitigations are supplied for this issue
(JFrog) Unboxing BusyBox - 14 new vulnerabilities uncovered by Claroty and JFrog