Please Install the Updated Packages.

BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries. A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially-crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168) The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname. A malicious DHCP server could send such an option with a specially-crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Note: udhcpc is not used on Red Hat Enterprise Linux by default, and no DHCP client script is provided with the busybox packages. (CVE-2011-2716) This update also fixes the following bugs: * Prior to this update, the &quot findfs&quot command did not recognize Btrfs partitions. As a consequence, an error message could occur when dumping a core file. This update adds support for recognizing such partitions so the problem no longer occurs. (BZ#751927) * If the &quot grep&quot command was used with the &quot -F&quot and &quot -i&quot options at the same time, the &quot -i&quot option was ignored. As a consequence, the &quot grep -iF&quot command incorrectly performed a case-sensitive search instead of an insensitive search. A patch has been applied to ensure that the combination of the &quot -F&quot and &quot -i&quot options works as expected. (BZ#752134) * Prior to this update, the msh shell did not support the &quot set -o pipefail&quot command. This update adds support for this command. (BZ#782018) * Previously, the msh shell could terminate unexpectedly with a segmentation fault when attempting to execute an empty command as a result of variable substitution (for example msh -c '$nonexistent_variable'). With this update, msh has been modified to correctly interpret such commands and no longer crashes in this scenario. (BZ#809092) * Previously, the msh shell incorrectly executed empty loops. As a consequence, msh never exited such ... Description truncated, for more information please check the Reference URL

busybox on CentOS 6

• http://lists.centos.org/pipermail/centos-announce/2012-July/018712.html

---

Updated on 2015-03-25