DEBIAN-CVE-2017-16544

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2017-16544
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2017-16544.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2017-16544
Upstream
Published
2017-11-20T15:29:00Z
Modified
2025-09-25T22:40:46Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.

References

Affected packages

Debian:11 / busybox

Package

Name
busybox
Purl
pkg:deb/debian/busybox?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:1.27.2-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / busybox

Package

Name
busybox
Purl
pkg:deb/debian/busybox?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:1.27.2-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / busybox

Package

Name
busybox
Purl
pkg:deb/debian/busybox?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:1.27.2-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / busybox

Package

Name
busybox
Purl
pkg:deb/debian/busybox?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1:1.27.2-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}