Hi!
I think it would be nice to have a 1.33.2 release, with fixes for all the recent
CVEs.
Those commits should be cherry-picked to 1_33_stable:
4d4fc5ca5ee4f (man: fix segfault in "man 1") CVE-2021-42373
04f052c56ded5 (unlzma: fix a case where we could read before beginning of buffer) CVE-2021-42374
53a7a9cd8c15d (ash: parser: Fix VSLENGTH parsing with trailing garbage) CVE-2021-42375
1b7a9b68d0e9 (hush: fix handling of \^C and "^C") CVE-2021-42376
83a4967e5042 (hush: fix handling of "cmd && &") CVE-2021-42377
We can cherry-pick all 61 commits to be sure to cover CVE-2021-42378
through CVE-2021-42386:
for i in $(git log --format=oneline 1_33_0..1_34_0 -- editors/awk.c \
  | awk '{print $1}' | tac); do git cherry-pick -x $i || break; done
In other words, run:
git checkout 1_33_stable
git cherry-pick -x 4d4fc5ca5ee4f 04f052c56ded5 53a7a9cd8c15d 1b7a9b68d0e9 \
  83a4967e5042
for i in $(git log --format=oneline 1_33_0..1_34_0 -- editors/awk.c \
  | awk '{print $1}' | tac); do git cherry-pick -x $i || break; done
git tag 1_33_2
and push that.
Hopefully there will be no regressions in awk, but at least it will be
less risky than upgrading the entire busybox to 1.34.
Thanks!
-nc
PS. It would be great if we could also get similar 1.32.2 and 1.31.1
releases.
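Added example (not from the mail above or from the busybox project): a sh script that performs the backport described in the mail with the same commit list and then checks, using the "(cherry picked from commit ...)" trailer that `git cherry-pick -x` writes, that every CVE fix actually landed on the stable branch. It assumes a busybox checkout with the 1_33_0, 1_34_0 and 1_33_stable refs present; `git rev-list --reverse` stands in for the mail's log|awk|tac pipeline, and the `run` argument, STABLE_BRANCH and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the mail or busybox): backport the listed commits
# onto a stable branch, then verify each one landed via the
# "(cherry picked from commit <hash>)" trailer that `git cherry-pick -x` adds.
# Assumes a busybox checkout with 1_33_0, 1_34_0 and 1_33_stable available.
set -eu

STABLE_BRANCH=${STABLE_BRANCH:-1_33_stable}

# The five individual CVE fixes named in the mail (hashes from the mail).
CVE_FIXES="4d4fc5ca5ee4f 04f052c56ded5 53a7a9cd8c15d 1b7a9b68d0e9 83a4967e5042"

# Cherry-pick each argument in order; stop at the first conflict so the tree
# is left for a human to inspect instead of silently skipping a fix.
backport() {
    for c in "$@"; do
        git cherry-pick -x "$c" || { echo "conflict at $c" >&2; return 1; }
    done
}

# 0 if commit $1 (any unique prefix) was cherry-picked onto the current branch,
# i.e. some commit here carries its full hash in the -x trailer.
is_backported() {
    full=$(git rev-parse --verify --quiet "$1^{commit}") || return 1
    git log --format=%H --grep="cherry picked from commit $full" | grep -q .
}

# List which requested hashes are present; exit status 1 if any is missing.
verify_backports() {
    missing=0
    for c in "$@"; do
        if is_backported "$c"; then echo "ok      $c"
        else echo "MISSING $c"; missing=1; fi
    done
    return $missing
}

if [ "${1:-}" = "run" ]; then
    git checkout "$STABLE_BRANCH"
    backport $CVE_FIXES
    # awk.c commits between 1_33_0 and 1_34_0, oldest first: the same set the
    # mail's log|awk|tac pipeline produces.
    backport $(git rev-list --reverse 1_33_0..1_34_0 -- editors/awk.c)
    verify_backports $CVE_FIXES
fi
```

Run it as `sh backport-check.sh run` from the checkout; a non-zero exit after the picks means at least one of the five fixes is not on the branch and the tag should not be pushed yet.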
_______________________________________________
busybox mailing list
http://lists.busybox.net/mailman/listinfo/busybox