Assessment of whether CVE-2021-28831 applies to graphite-exporter #154

Closed
tmousaw-ptc opened this issue Apr 13, 2021 · 1 comment

tmousaw-ptc commented Apr 13, 2021

CVE-2021-28831 has been raised by Prisma Cloud when using the graphite-exporter v.0.9.0 docker image. I am curious whether graphite-exporter is vulnerable to this CVE.

From the CVE:

On certain corrupt gzip files, huft_build will set the error bit on the result pointer. If afterwards abort_unzip is called huft_free might run into a segmentation fault or an invalid pointer to free(p).

So, the question is whether graphite exporter could be exposed to this particular vulnerability or whether it does not use this functionality. If it does use this functionality, a new release of the BusyBox docker image will need to be requested that includes this commit and then a new release of the graphite-exporter will also need to be built.

@tmousaw-ptc
Author

Closing this issue as the fix has now been integrated into BusyBox 1.33.1 and is available in the latest BusyBox docker image.
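
An added example, not part of the original issue and not code from the graphite-exporter or BusyBox projects: a small triage helper for a BusyBox-based image that a scanner has flagged for CVE-2021-28831. It reads the BusyBox banner (the first line printed when `busybox` is run without arguments) and the applet list (`busybox --list`) and reports whether the build predates 1.33.1, the release the thread names as containing the fix. The function names, verdict strings and the `GZIP_APPLETS` list are assumptions made for this sketch, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: triage a BusyBox build against the fixed release named in the issue.
FIXED_VERSION="1.33.1"

# Applets that decompress gzip data (assumption: not an exhaustive list).
GZIP_APPLETS="gunzip zcat"

# Print "X.Y.Z" taken from the first line of a BusyBox banner, or nothing.
busybox_version() {
    printf '%s\n' "$1" |
        sed -n '1s/^BusyBox v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeed if version $1 >= version $2, comparing the three fields numerically.
version_ge() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2              # split both strings: $1..$3 and $4..$6
    IFS=$old_ifs
    [ "$1" -eq "$4" ] || { [ "$1" -gt "$4" ] && return 0; return 1; }
    [ "$2" -eq "$5" ] || { [ "$2" -gt "$5" ] && return 0; return 1; }
    [ "$3" -ge "$6" ]
}

# $1 = banner text, $2 = applet names, one per line.
# Prints one verdict: unknown | fixed | review-gzip-applets-present | predates-fix
triage() {
    ver=$(busybox_version "$1")
    if [ -z "$ver" ]; then echo "unknown"; return 0; fi
    if version_ge "$ver" "$FIXED_VERSION"; then echo "fixed"; return 0; fi
    for applet in $GZIP_APPLETS; do
        if printf '%s\n' "$2" | grep -qx "$applet"; then
            # Old build and a gzip decompressor is shipped: check whether
            # anything in the image feeds it untrusted input.
            echo "review-gzip-applets-present"; return 0
        fi
    done
    # Still an old build; rebuilding on a fixed base image remains the remedy.
    echo "predates-fix"
}

# Constructed sample input (not captured from a real image).
SAMPLE_BANNER='BusyBox v1.33.0 (2021-01-01 00:00:00 UTC) multi-call binary.'
SAMPLE_APPLETS='cat
gunzip
sh'
triage "$SAMPLE_BANNER" "$SAMPLE_APPLETS"
```

Against a real image, pass the two command outputs in place of the constructed samples.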
