Hi David,

Archive of the ticket is here:
http://web.archive.org/web/20241009201026/https://bugs.busybox.net/show_bug.cgi?id=15922

I guess it hasn't been fixed. I'm able to repro this in net-tools netstat,
so it isn't confined to busybox.

My repro without a C compiler:

    (ln -sf /usr/bin/nc /tmp/nc`printf '\033[1mfoo\033[0m'`; /tmp/nc* -lup 31337 &); netstat -aup

If the netstat output displays "foo" in boldface, the CVE exists. If "foo"
is in normal print, it's been fixed.

Workaround is don't use the -p option to netstat if you don't trust other
local users.

--
Adam

On Tue, Nov 04, 2025 at 05:35:09PM +0000, David Partain wrote:
> Hi,
>
> I'm investigating CVE-2024-58251, which is apparently connected to
> https://bugs.busybox.net/show_bug.cgi?id=15922
>
> Unfortunately, I've never been able to access the bug site (I always get that
> there's an error in my SQL 🙂), so I'm hoping y'all might be able to help.
>
> I have not yet been able to find any evidence of there being a fix available.
> For example, I cloned from https://git.busybox.net/busybox/ but see nothing
> in the log that is related to this CVE. I see other CVEs referenced, but not
> that one.
>
> So my question is whether there is a fix for this CVE. I'd be grateful for
> any feedback.
>
> Thank you in advance.
>
> David
>
> _______________________________________________
> busybox mailing list
> [email protected]
> https://lists.busybox.net/mailman/listinfo/busybox
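
Added example, not part of the thread and not busybox or net-tools code: one way a tool that prints process names could neutralise the escape bytes used in the repro above, by rewriting every byte outside printable ASCII as a visible \xNN escape before it reaches the terminal. The helper name sanitize_progname and the buffer sizes are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Copy a process name into out, replacing every byte outside printable
 * ASCII (0x20..0x7e), and the backslash itself, with a visible \xNN
 * escape so the terminal never interprets it. Returns the number of
 * bytes that were escaped. Output is always NUL-terminated; input that
 * does not fit is truncated on a whole-character boundary.
 * Hypothetical helper, not taken from busybox or net-tools. */
static size_t sanitize_progname(const char *in, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0, escaped = 0;

    if (outsz == 0)
        return 0;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        int printable = (c >= 0x20 && c <= 0x7e && c != '\\');
        size_t need = printable ? 1 : 4;

        if (o + need >= outsz)      /* keep room for the NUL */
            break;
        if (printable) {
            out[o++] = (char)c;
        } else {
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
            escaped++;
        }
    }
    out[o] = '\0';
    return escaped;
}

int main(void)
{
    /* Constructed sample: the name created by the repro in the message. */
    const char *name = "nc\033[1mfoo\033[0m";
    char safe[64];
    size_t n = sanitize_progname(name, safe, sizeof(safe));

    printf("%s (%zu bytes escaped)\n", safe, n);
    return 0;
}
```

A non-zero return value also works as an audit signal: a process whose name needed escaping is worth a closer look.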
