CrOS: Vulnerability reported in sys-apps/busybox
Issue description

Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported.

NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: sys-apps/busybox
Package Version: [cpe:/a:busybox:busybox:1.27.2]

Advisory: CVE-2018-1000517
Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2018-1000517
CVSS severity score: 7.5/10.0
Confidence: high
Description:

BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appears to be exploitable via network connectivity. This vulnerability appears to have been fixed after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e.
Aug 31
Punting to mnissler@, jorgelo@

mnissler@, jorgelo@: Should userspace security bugs be added to a hotlist / assigned to security sheriff in the future? What's the usual process?
Aug 31
We do have a Chrome OS security rotation so while Tom very generously triaged this for us, he didn't have to. In the future, feel free to remove yourself from the owner field. The sheriff will get to the bug. I don't even think we use busybox wget.
Aug 31
yunlian@/jclinton@: is busybox just something we use in our lab/test infra or is it used somehow on consumer devices?
Aug 31
Not used in lab/test infra per se and not really my area but: I do happen to know that Busybox is used extensively in the recovery flow and the factory flows. So, yes, it's used on consumer devices, all the time.
Aug 31
Indeed:

$ equery-kevin d busybox
 * These packages depend on busybox:
chromeos-base/factory-deps-1-r7 (sys-apps/busybox)  <====
virtual/editor-0 (sys-apps/busybox)
virtual/logger-0 (sys-apps/busybox[syslog])
Aug 31
while it is used on recovery, we don't do any networking things there by design. it isn't installed on the rootfs at all, although we do provide it on dev images. that leaves factory, and those are a bit limited in what they actually fetch. so yes, we should upgrade to fix, but i don't think it's a big deal. plus we push everyone to only use `curl` in verified code.
Sep 4
Downgrading the severity since it doesn't affect most users directly. Assigning to yunlian@
Sep 14
yunlian: Uh oh! This issue is still open and hasn't been updated in the last 14 days. This is a serious vulnerability, and we want to ensure that there's progress. Could you please leave an update with the current status and any potential blockers?

If you're not the right owner for this issue, could you please remove yourself as soon as possible or help us find the right one?

If the issue is fixed or you can't reproduce it, please close the bug. If you've started working on a fix, please set the status to Started.

Thanks for your time! To disable nags, add the Disable-Nags label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 16
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/portage-stable/+/112a816d832d82a1ebaa9b31babe92e31741b031

commit 112a816d832d82a1ebaa9b31babe92e31741b031
Author: Yunlian Jiang <yunlian@google.com>
Date: Sun Sep 16 11:04:33 2018

busybox: upgrade to upstream 1.29.3

This pulls Gentoo upstream busybox 1.29.3 to get some security fixes.

BUG= chromium:879543
TEST=create a recover image for samus and it works.

Change-Id: I674e7b99f4bb4330deb0e39b9f3155ef8e76acf3
Reviewed-on: https://chromium-review.googlesource.com/1226085
Commit-Ready: Yunlian Jiang <yunlian@chromium.org>
Tested-by: Yunlian Jiang <yunlian@chromium.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[delete] https://crrev.com/26d294a1be387513099e75d1fd55d60feddeaa97/sys-apps/busybox/files/busybox-1.27.2-clang.patch
[rename] https://crrev.com/112a816d832d82a1ebaa9b31babe92e31741b031/sys-apps/busybox/busybox-1.29.3.ebuild
[modify] https://crrev.com/112a816d832d82a1ebaa9b31babe92e31741b031/sys-apps/busybox/Manifest
Sep 17
The patch is included in busybox 1.29.3
Dec 24
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by tsepez@chromium.org, Aug 31
Status: Assigned (was: Untriaged)