BusyBox provides a single binary that includes versions of a large numberof system commands, including a shell. This can be very useful forrecovering from certain types of system failures, particularly thoseinvolving broken shared libraries.A buffer underflow flaw was found in the way the uncompress utility ofBusyBox expanded certain archive files compressed using Lempel-Zivcompression. If a user were tricked into expanding a specially-craftedarchive file with uncompress, it could cause BusyBox to crash or,potentially, execute arbitrary code with the privileges of the user runningBusyBox. (CVE-2006-1168)The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certainoptions provided in DHCP server replies, such as the client hostname. Amalicious DHCP server could send such an option with a specially-craftedvalue to a DHCP client. If this option's value was saved on the clientsystem, and then later insecurely evaluated by a process that assumes theoption is trusted, it could lead to arbitrary code execution with theprivileges of that process. Note: udhcpc is not used on Red Hat EnterpriseLinux by default, and no DHCP client script is provided with the busyboxpackages. (CVE-2011-2716)This update also fixes the following bugs:All users of busybox are advised to upgrade to these updated packages,which correct these issues.