From b9abfb8b671d34f70e16f032dec2357ea7a704dc Mon Sep 17 00:00:00 2001 From: yangmingtai Date: Mon, 28 Aug 2023 14:26:36 +0800 Subject: [PATCH] fix CVE-2023-4156 --- backport-CVE-2023-4156.patch | 30 ++++++++++++++++++++++++++++++ gawk.spec | 6 +++++- 2 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2023-4156.patch diff --git a/backport-CVE-2023-4156.patch b/backport-CVE-2023-4156.patch new file mode 100644 index 0000000..b893d2f --- /dev/null +++ b/backport-CVE-2023-4156.patch @@ -0,0 +1,30 @@ +From e709eb829448ce040087a3fc5481db6bfcaae212 Mon Sep 17 00:00:00 2001 +From: "Arnold D. Robbins" +Date: Wed, 3 Aug 2022 13:00:54 +0300 +Subject: [PATCH] Smal bug fix in builtin.c. + +Reference:https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212 +Conflict:delete changlog +--- + builtin.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/builtin.c b/builtin.c +index d7ba82c..3eee9b9 100644 +--- a/builtin.c ++++ b/builtin.c +@@ -963,7 +963,10 @@ check_pos: + s1++; + n0--; + } +- if (val >= num_args) { ++ // val could be less than zero if someone provides a field width ++ // so large that it causes integer overflow. Mainly fuzzers do this, ++ // but let's try to be good anyway. ++ if (val < 0 || val >= num_args) { + toofew = true; + break; + } +-- +2.27.0 + diff --git a/gawk.spec b/gawk.spec index 565f819..9256ac1 100644 --- a/gawk.spec +++ b/gawk.spec @@ -4,7 +4,7 @@ egrep -i "gawk_api_minor.*[0-9]+" | egrep -o "[0-9]") Name: gawk Version: 5.1.1 -Release: 3 +Release: 4 License: GPLv3+ and GPLv2+ and LGPLv2+ and BSD Summary: The GNU version of the AWK text processing utility URL: https://www.gnu.org/software/gawk/ @@ -13,6 +13,7 @@ Source0: https://ftp.gnu.org/gnu/gawk/gawk-%{version}.tar.xz Patch1: Disable-racy-test-in-test-iolint.awk.patch Patch2: Restore-removed-test-in-test-iolint.awk.patch Patch3: Reorder-statements-in-iolint-to-try-to-eliminate-a-r.patch +Patch4: backport-CVE-2023-4156.patch BuildRequires: git gcc automake grep BuildRequires: bison texinfo texinfo-tex ghostscript texlive-ec texlive-cm-super glibc-all-langpacks @@ -107,6 +108,9 @@ install -m 0644 -p doc/gawkinet.{pdf,ps} ${RPM_BUILD_ROOT}%{_docdir}/%{name} %{_datadir}/locale/* %changelog +* Mon Aug 28 2023 yangmingtai - 5.1.1-4 +- fix CVE-2023-4156 + * Fri Sep 2 2022 zoulin - 5.1.1-3 - Type:enhancement - ID:NA -- Gitee