Assessment of whether CVE-2021-28831 applies to graphite-exporter

[tmousaw-ptc]

CVE-2021-28831 has been raised by Prisma Cloud when using the graphite-exporter v.0.9.0 docker image. I am curious whether graphite-exporter is vulnerable to this CVE.

From the CVE:

On certain corrupt gzip files, huft_build will set the error bit on the result pointer. If afterwards abort_unzip is called huft_free might run into a segmentation fault or an invalid pointer to free(p).

So, the question is whether graphite exporter could be exposed to this particular vulnerability or whether it does not use this functionality. If it does use this functionality, a new release of the BusyBox docker image will need to be requested that includes this commit and then a new release of the graphite-exporter will also need to be built.

[tmousaw-ptc]

Closing this issue as the fix has now been integrated into BusyBox 1.33.1 and is available in the latest BusyBox docker image.