CVE-2021-28831

Name	CVE-2021-28831
Description	decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-2614-1, ELA-395-1
Debian Bugs	985674

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
busybox (PTS)	jessie, jessie (lts)	1:1.22.0-9+deb8u5	fixed
	stretch (security), stretch (lts), stretch	1:1.22.0-19+deb9u2	fixed
	buster	1:1.30.1-4	vulnerable
	bullseye	1:1.30.1-6	vulnerable
	bookworm	1:1.35.0-4	fixed
	sid, trixie	1:1.37.0-4	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
busybox	source	jessie	1:1.22.0-9+deb8u5	ELA-395-1
busybox	source	stretch	1:1.22.0-19+deb9u2	DLA-2614-1
busybox	source	(unstable)	1:1.35.0-1		985674

Notes

[bullseye] - busybox <no-dsa> (Minor issue)
[buster] - busybox <no-dsa> (Minor issue)
https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd