CVE-2017-16544 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	No
Type	Arbitrary code execution
Description	In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-514	mkinitcpio-busybox	1.27.2-1	1.28.1-1	High	Fixed	FS#56391
AVG-512	busybox	1.27.2-1	1.28.1-1	High	Fixed	FS#56391

Date	Advisory	Group	Package	Severity	Type
01 Mar 2018	ASA-201803-2	AVG-514	mkinitcpio-busybox	High	arbitrary code execution
01 Mar 2018	ASA-201803-1	AVG-512	busybox	High	arbitrary code execution

References
https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8 https://www.twistlock.com/2017/11/20/cve-2017-16544-busybox-autocompletion-vulnerability/