From 4fd5b1ec027bc2d91c5d363a6474b0c5171b2dce Mon Sep 17 00:00:00 2001
From: liuxu
Date: Mon, 22 Jul 2024 14:21:02 +0800
Subject: [PATCH] fix CVE-2023-42363
Signed-off-by: liuxu
---
backport-CVE-2023-42363.patch | 60 +++++++++++++++++++++++++++++++++++
busybox.spec | 9 +++++-
2 files changed, 68 insertions(+), 1 deletion(-)
create mode 100644 backport-CVE-2023-42363.patch
diff --git a/backport-CVE-2023-42363.patch b/backport-CVE-2023-42363.patch
new file mode 100644
index 0000000..2bec9fd
--- /dev/null
+++ b/backport-CVE-2023-42363.patch
@@ -0,0 +1,60 @@
+From 695db66d27d4dd9b6ec554e49b34903256dd38ed Mon Sep 17 00:00:00 2001
+From: liuxu
+Date: Mon, 22 Jul 2024 11:43:51 +0800
+Subject: [PATCH] fix CVE-2023-42363
+
+backport from upstream:
+https://git.busybox.net/busybox/commit/editors/awk.c?id=fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa
+
+Signed-off-by: liuxu
+---
+ editors/awk.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/editors/awk.c b/editors/awk.c
+index 6a5846e..c202de3 100644
+--- a/editors/awk.c
++++ b/editors/awk.c
+@@ -2889,19 +2889,14 @@ static var *evaluate(node *op, var *res)
+ if ((opinfo & OF_REQUIRED) && !op1)
+ syntax_error(EMSG_TOO_FEW_ARGS);
+ L.v = evaluate(op1, TMPVAR0);
+- if (opinfo & OF_STR1) {
+- L.s = getvar_s(L.v);
+- debug_printf_eval("L.s:'%s'\n", L.s);
+- }
+ if (opinfo & OF_NUM1) {
+ L_d = getvar_i(L.v);
+ debug_printf_eval("L_d:%f\n", L_d);
+ }
+ }
+- /* NB: Must get string/numeric values of L (done above)
+- * _before_ evaluate()'ing R.v: if both L and R are $NNNs,
+- * and right one is large, then L.v points to Fields[NNN1],
+- * second evaluate() reallocates and moves (!) Fields[],
++ /* NB: if both L and R are $NNNs, and right one is large,
++ * then at this pint L.v points to Fields[NNN1], second
++ * evaluate() below reallocates and moves (!) Fields[],
+ * R.v points to Fields[NNN2] but L.v now points to freed mem!
+ * (Seen trying to evaluate "$444 $44444")
+ */
+@@ -2914,6 +2909,16 @@ static var *evaluate(node *op, var *res)
+ debug_printf_eval("R.s:'%s'\n", R.s);
+ }
+ }
++ /* Get L.s _after_ R.v is evaluated: it may have realloc'd L.v
++ * so we must get the string after "old_Fields_ptr" correction
++ * above. Testcase: x = (v = "abc", gsub("b", "X", v));
++ */
++ if (opinfo & OF_RES1) {
++ if (opinfo & OF_STR1) {
++ L.s = getvar_s(L.v);
++ debug_printf_eval("L.s:'%s'\n", L.s);
++ }
++ }
+
+ debug_printf_eval("switch(0x%x)\n", XC(opinfo & OPCLSMASK));
+ switch (XC(opinfo & OPCLSMASK)) {
+--
+2.43.0
+
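Review bot: The second awk.c hunk moves `L.s = getvar_s(L.v)` to after R.v is evaluated, and its comment says this relies on the "old_Fields_ptr" correction above, but that correction appears in neither hunk's context lines, so the patch does not show that the packaged tree has it. If the tree lacks it, the first hunk's comment describes the outcome: the second evaluate() can move Fields[] so that L.v "now points to freed mem", and the relocated `getvar_s(L.v)` would read through that stale pointer, replacing one use-after-free with another. Please confirm the L.v fix-up after `R.v = evaluate(...)` is present in the patched source and record the dependency in the patch description, e.g. `Requires: <name of the patch that adds the old_Fields_ptr fix-up>`. Running the two test cases already named in the comments under AddressSanitizer during the build would cover both orderings. evaluate() begins and ends outside both hunks, so this cannot be settled from the patch alone.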
diff --git a/busybox.spec b/busybox.spec index 511f666..2874861 100644 --- a/busybox.spec +++ b/busybox.spec @@ -4,7 +4,7 @@ %endif %if "%{!?RELEASE:1}" -%define RELEASE 21 +%define RELEASE 22 %endif Epoch: 1 @@ -30,6 +30,7 @@ Patch6006: backport-CVE-2022-28391.patch Patch6007: backport-CVE-2022-30065.patch Patch6008: backport-fix-use-after-free-in-bc-module.patch Patch6009: backport-CVE-2022-48174.patch +Patch6010: backport-CVE-2023-42363.patch BuildRoot: %_topdir/BUILDROOT #Dependency @@ -105,6 +106,12 @@ install -m 644 docs/busybox.dynamic.1 $RPM_BUILD_ROOT/%{_mandir}/man1/busybox.1 %{_mandir}/man1/busybox.petitboot.1.gz %changelog +* Mon Jul 22 2024 liuxu - 1:1.31.1-21 +- Type:CVE +- Id:NA +- SUG:NA +- DESC:fix CVE-2023-42363 + * Tue Jun 25 2024 liuxu - 1:1.31.1-21 - Type:CVE - Id:NA -- Gitee
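Review bot: The new %changelog entry is stamped `1:1.31.1-21`, the same release as the Jun 25 entry below it, although the first hunk of this file raises RELEASE to 22. The heading should read `* Mon Jul 22 2024 liuxu - 1:1.31.1-22`. The changelog release is what people, and likely some tooling, consult to decide which build carries the CVE-2023-42363 fix, so two entries labelled -21 leave that ambiguous.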