From ef422566c9cced278ad4afd86d8dc46078d9fd15 Mon Sep 17 00:00:00 2001
From: yangjinlin01 <yangjinlin01@inspur.com>
Date: Mon, 7 Jul 2025 11:20:36 +0800
Subject: [PATCH] [CVE] FIX CVE-2025-5278

to #21551
Commit fix cve-2025-5278
Project: TC2024080204
Signed-off-by: yangjinlin01 <yangjinlin01@inspur.com>
---
 0002-fix-CVE-2025-5278.patch | 106 +++++++++++++++++++++++++++++++++++
 coreutils.spec               |   6 +-
 2 files changed, 111 insertions(+), 1 deletion(-)
 create mode 100644 0002-fix-CVE-2025-5278.patch

diff --git a/0002-fix-CVE-2025-5278.patch b/0002-fix-CVE-2025-5278.patch
new file mode 100644
index 0000000..ddeec7c
--- /dev/null
+++ b/0002-fix-CVE-2025-5278.patch
@@ -0,0 +1,106 @@
+From 8c9602e3a145e9596dc1a63c6ed67865814b6633 Mon Sep 17 00:00:00 2001
+From: Pádraig Brady <P@draigBrady.com>
+Date: Tue, 20 May 2025 16:03:44 +0100
+Subject: sort: fix buffer under-read (CWE-127)
+
+* src/sort.c (begfield): Check pointer adjustment
+to avoid Out-of-range pointer offset (CWE-823).
+(limfield): Likewise.
+* tests/sort/sort-field-limit.sh: Add a new test,
+which triggers with ASAN or Valgrind.
+* tests/local.mk: Reference the new test.
+* NEWS: Mention bug fix introduced in v7.2 (2009).
+Fixes https://bugs.gnu.org/78507
+---
+ src/sort.c                     | 12 ++++++++++--
+ tests/local.mk                 |  1 +
+ tests/sort/sort-field-limit.sh | 35 +++++++++++++++++++++++++++++++++++
+ 4 files changed, 46 insertions(+), 2 deletions(-)
+ create mode 100755 tests/sort/sort-field-limit.sh
+
+diff --git a/src/sort.c b/src/sort.c
+index b10183b6f..7af1a2512 100644
+--- a/src/sort.c
++++ b/src/sort.c
+@@ -1644,7 +1644,11 @@ begfield (struct line const *line, struct keyfield const *key)
+       ++ptr;
+ 
+   /* Advance PTR by SCHAR (if possible), but no further than LIM.  */
+-  ptr = MIN (lim, ptr + schar);
++  size_t remaining_bytes = lim - ptr;
++  if (schar < remaining_bytes)
++    ptr += schar;
++  else
++    ptr = lim;
+ 
+   return ptr;
+ }
+@@ -1746,7 +1750,11 @@ limfield (struct line const *line, struct keyfield const *key)
+           ++ptr;
+ 
+       /* Advance PTR by ECHAR (if possible), but no further than LIM.  */
+-      ptr = MIN (lim, ptr + echar);
++      size_t remaining_bytes = lim - ptr;
++      if (echar < remaining_bytes)
++        ptr += echar;
++      else
++        ptr = lim;
+     }
+ 
+   return ptr;
+diff --git a/tests/local.mk b/tests/local.mk
+index 4da6756ac..642d225fa 100644
+--- a/tests/local.mk
++++ b/tests/local.mk
+@@ -388,6 +388,7 @@ all_tests =					\
+   tests/sort/sort-debug-keys.sh			\
+   tests/sort/sort-debug-warn.sh			\
+   tests/sort/sort-discrim.sh			\
++  tests/sort/sort-field-limit.sh		\
+   tests/sort/sort-files0-from.pl		\
+   tests/sort/sort-float.sh			\
+   tests/sort/sort-h-thousands-sep.sh		\
+diff --git a/tests/sort/sort-field-limit.sh b/tests/sort/sort-field-limit.sh
+new file mode 100755
+index 000000000..52d8e1d17
+--- /dev/null
++++ b/tests/sort/sort-field-limit.sh
+@@ -0,0 +1,35 @@
++#!/bin/sh
++# From 7.2-9.7, this would trigger an out of bounds mem read
++
++# Copyright (C) 2025 Free Software Foundation, Inc.
++
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <https://www.gnu.org/licenses/>.
++
++. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
++print_ver_ sort
++getlimits_
++
++# This issue triggers with valgrind or ASAN
++valgrind --error-exitcode=1 sort --version 2>/dev/null &&
++  VALGRIND='valgrind --error-exitcode=1'
++
++{ printf '%s\n' aa bb; } > in || framework_failure_
++
++_POSIX2_VERSION=200809 $VALGRIND sort +0.${SIZE_MAX}R in > out || fail=1
++compare in out || fail=1
++
++_POSIX2_VERSION=200809 $VALGRIND sort +1 -1.${SIZE_MAX}R in > out || fail=1
++compare in out || fail=1
++
++Exit $fail
+-- 
+cgit v1.2.3
+
diff --git a/coreutils.spec b/coreutils.spec
index a1fabcb..cd847d2 100644
--- a/coreutils.spec
+++ b/coreutils.spec
@@ -1,4 +1,4 @@
-%define anolis_release 4
+%define anolis_release 5
 Summary: A set of basic GNU tools commonly used in shell scripts
 Name:    coreutils
 Version: 9.4
@@ -52,6 +52,7 @@ Obsoletes: %{name} < 8.24
 # backport patch from upstream
 
 Patch001:	0001-fix-uname-processortype-error-for-loongarch64.patch
+Patch002:       0002-fix-CVE-2025-5278.patch
 
 %description
 These are the GNU core utilities.  This package is the combination of
@@ -230,6 +231,9 @@ rm -f $RPM_BUILD_ROOT%{_infodir}/dir
 %doc NEWS README THANKS TODO
 
 %changelog
+* Mon Jul 7 2025 yangjinlin01 <yangjinlin01@inspur.com> - 9.4-5
+- fix CVE-2025-5278
+
 * Fri Jan 19 2024 Chang Gao <gc-taifu@linux.alibaba.com> - 9.4-4
 - Rebuild because of the builder time offset incorrect 
 
-- 
Gitee