Klaus Zimmermann's Corner

Collection of new vulnerabilities found in BusyBox

So it has just been made public that 14 new vulnerabilities involving BusyBox, the "Swiss Army knife" of Linux utilities compiled tightly into a single binary, have been found.

This headline may sound pretty scary at first, especially due to the way BusyBox is used in embedded systems that most likely see little to no maintenance work after they're installed, but the impact to me is much lower than it sounds. Granted, BusyBox does make the core of both Alpine Linux and Puppy Linux, so here's me hoping a fix comes soon for them, but otherwise, I'm not worried. Perhaps it's a nice time to check the router firmware for updates, and such, but as I don't depend on it for my internet-facing servers, I take it as an acceptable risk.

Also, I can't help but remember some of the stuff that I read on the Alpine IRC channel about BusyBox being a quite complicated black-box kind of thing despite its apparent small size. Something about how only the original developers were able to fix it, because they were the only ones who had spent enough time to understand the spaghetti of code that it had become. Maybe it's finally coming back to bite them? :S