On Tue, 5 Aug 2025 at 15:06, yuma <[email protected]> wrote:
>
> To: [email protected]
> From: [email protected]
> Subject: [SECURITY] busybox tar: TOCTOU symlink race overwrites arbitrary
> root file with --overwrite
>
> Version : v1.38.0 (git 2025-08-05)
> System : Ubuntu 22.04 x86-64
> Kernel : 6.8.0
> Compiler: gcc 11.4.0
>
> [...]
> ----------------------------------------------------------------------
> Embargo
> ----------------------------------------------------------------------
> I am happy to observe a 30-day embargo to coordinate with downstream
> distributions. Please let me know if you need more or less time.

Just a check for double checking...

Q: In security vulnerability disclosure, what does this mean?
A: In the context of security vulnerability disclosure, the term "embargo" refers to an agreed-upon period of time during which details of a discovered vulnerability are kept confidential. This allows affected parties (such as software vendors, maintainers, or downstream distributions) time to prepare and release patches or mitigations before the vulnerability becomes public.

The list is public, hence agreed immediately to disclosure, or the 30-day confidential period passed in vain (or it is just a template).

Anyway, good time to list those systems that are impacted and those that are not affected by this vulnerability.

SYSTEMS AT RISK
- Router firmware: OpenWrt, DD-WRT, LEDE, Tomato, etc.
- IoT and smart devices: Internet streaming HDMI keys, Smart TV, etc.
- Network appliances and Docker containers, many but not all.
- Linux distros: Buildroot, Yocto Project, Alpine Linux, Tiny Core Linux, Puppy Linux, Damn Small Linux, TinyCore, etc.

NOT IMPACTED
- Android OS and derivatives like HarmonyOS or Amazon Fire OS: toybox.
- Chrome OS not directly, possibly in recovery or maintenance mode.

Best regards,
R-

_______________________________________________
busybox mailing list
[email protected]
https://lists.busybox.net/mailman/listinfo/busybox
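The "at risk" / "not impacted" split above is by vendor family; on a real box what matters is which implementation actually provides `tar`. The following POSIX shell script is an added example, not code from the thread or from the BusyBox project, that answers that question per host: it resolves the `tar` on PATH through its symlinks (an Alpine or OpenWrt `tar` resolves to the `busybox` binary, an Android `tar` to `toybox`) and otherwise classifies the banner printed by `--version`/`--help`. The banner substrings ("BusyBox", "GNU tar", "toybox", "libarchive") are assumptions based on what those tools print; `busybox --list` is used to check whether the `tar` applet is even compiled into a given busybox, and the script treats that flag as possibly unsupported on old or trimmed builds.

```shell
#!/bin/sh
# Added example (not from the busybox thread): find out which tar a host
# really runs, so a triage list by vendor can be confirmed per system.

# classify_tar_banner: read banner text on stdin and print one of
# busybox | toybox | gnu | bsdtar | unknown.
# The substrings below are assumptions about each tool's banner.
classify_tar_banner() {
    banner=$(cat)
    case "$banner" in
        *BusyBox*)                 echo busybox ;;
        *toybox*|*Toybox*)         echo toybox ;;
        *"GNU tar"*)               echo gnu ;;
        *bsdtar*|*libarchive*)     echo bsdtar ;;
        *)                         echo unknown ;;
    esac
}

# tar_provider [path]: classify the tar at `path`, or the one on PATH.
# Symlink resolution comes first: a tar that resolves to busybox or
# toybox is that implementation regardless of what it prints.
tar_provider() {
    bin=$1
    [ -n "$bin" ] || bin=$(command -v tar 2>/dev/null)
    [ -n "$bin" ] || { echo none; return 0; }
    real=$(readlink -f "$bin" 2>/dev/null) || real=$bin
    case "$(basename "$real")" in
        busybox*) echo busybox; return 0 ;;
        toybox*)  echo toybox;  return 0 ;;
    esac
    # busybox applets reject --version and print their banner on --help,
    # often to stderr, so merge both streams and keep only the top lines.
    { "$bin" --version 2>&1 || true; "$bin" --help 2>&1 || true; } \
        | head -n 5 | classify_tar_banner
}

# busybox_has_tar_applet <busybox-binary>: 0 if the build includes the
# tar applet, 1 if it does not, 2 if `--list` is unsupported (assumed
# possible on trimmed builds) so the caller can fall back to a manual check.
busybox_has_tar_applet() {
    list=$("$1" --list 2>/dev/null) || return 2
    [ -n "$list" ] || return 2
    printf '%s\n' "$list" | grep -qx tar
}

# Usage (interactive):
#   . ./tar_provider.sh
#   tar_provider                 # tar on PATH
#   tar_provider /bin/tar        # a specific path
#   busybox_has_tar_applet /bin/busybox && echo "tar applet present"
```

A host that reports `busybox` for `tar_provider` and `0` for `busybox_has_tar_applet` is in scope for the advisory's subject line; one that reports `toybox` or `gnu` is not running the busybox applet at all, which is the distinction the "NOT IMPACTED" entry for Android relies on. Containers deserve the same check per image, since an Alpine-based image ships busybox `tar` even when the host's `tar` is GNU.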
