On Thu, Nov 11, 2021 at 11:50 AM Natanael Copa <[email protected]> wrote:
> The list of awk fixes is a bit more complicated. I have no clue which
> of the following commits fixes which CVE:
>
> $ git log --format=oneline 1_33_0..1_34_0 -- editors/awk.c
> dabbeeb79356eef78528acd55e1f143ae80372f7 awk: whitespace and debugging tweaks
> d3480dd58211d9d8c06ec7ef00089262603003ff awk: disallow break/continue outside
> of loops
> d62627487a44d9175b05d49846aeef83fed97019 awk: tighten parsing - disallow
> extra semicolons
> ab755e3717cefc06fd28ce8db56f0402412afaa3 awk: in parsing, remove superfluous
> NEWLINE check; optimize builtin arg evaluation
> 8d269ef85984f6476e7fdbec2c5a70f3b5c48a72 awk: fix printf "%-10c", 0
> caa93ecdd3a9b998a69dcbfafdddbc9c58887ec3 awk: fix corner case in awk_printf
> 39aabfe8f033c9c62acf676b660dc979714d26a7 awk: unbreak "cmd" | getline
> 4ef8841b21e27e7c7f58d3c9901c833b4fa5a862 awk: unbreak "printf('%c') can
> output NUL" testcase
> 3d57a8490738d9febaa4496eba791e4fbfc91826 awk: undo TI_PRINT, it introduced a
> bug (print with any redirect acting as printf)
> 49c3ce64f092fd5434fc67056f312bd32f82bae3 awk: rollback_token() +
> chain_group() == chain_until_rbrace()
> e2e3802987266c98df0efdf40ad5da4b07df0113 awk: fix printf buffer overflow
> 08ca313d7edb99687068b93b5d2435b59f3db23a awk: simplify tests for operation
> class
> cb042b05828c4c89320bc9c7454c04c2761bbb9a awk: restore strdup elision
> optimization in assignment
> 90404ed2f62a872ffd9a555660b7ce17fae372d8 awk: match(): code shrink
> 0e3ef4efb061366bfa4b9609fe3a03f3a1e40f0e awk: rand(): 64-bit constants should
> be ULL
> 2211fa70ccad29fc7bccd34c13141850ebb199da awk: do not use a copy of g_progname
> for node->l.new_progname
> e1e7ad6b6005b2265667040fc9d7f69b73b0d5b0 awk: support %F %a %A in printf
> 1f765709ed9c9595647853ac2cd7905f218c3044 awk: open-code TS_OPTERM, no logic
> changes
> 2b65e73db3254a7228802886546152c72217017d awk: tighten rules in action parsing
> 717200eb43c9420773c0f8b751aadabba3052027 awk: rename GRPSTART/END to
> L/RBRACE, no code changes
> b705bf55395bf338f9b9888d87e418f67d4f1a29 awk: move match() code out-of-line
> 646429e05e2f62250da80aa8d98111f3a9818e9a awk: use smaller regmatch_t arrays,
> they had 2 elements for no apparent reason
> a5d7b0f4f4e9728c3eb7a06d38227d9f3351e677 awk: fix detection of VAR=VAL
> arguments
> 4d902ea9def573cd15271177abbfa50fbf30c84f awk: fix beavior of "exit" without
> parameter
> 8bb03da906e1f8f750123214b15a19d7d4e166c1 awk: rand() could return 1.0, fix
> this - should be in [0,1)
> 37ae8cdc6e428e68ad76f6b446881ecff305ebd3 awk: beautify builtins table, no
> code changes
> 47d9133896f0de6b17393309193051e4bd52015e awk: enforce simple builtins'
> argument number
> 786ca197ad1305607efaccb067c19931d9e765b1 awk: make builtin definitions more
> understandable, no code changes
> 640212ae0ea8a1b47cd73a080d77b25b9f3ccd40 awk: do not special-case "delete"
> ef5463cf16f88c0992b2073a30ab6081c86fdf23 awk: shuffle globals for smaller
> offsets
> 966cafcc77d8cda5d1a95bc73080e9a9b9010a45 awk: use "static" tmpvars in main
> and exit
> 1193c68fa718ff16c47aba23f8532bf1568f294e awk: when parsing length(), simplify
> eating of LPAREN
> 40573556f2a67b11319785e0479b7087d02c060e awk: shuffle functions to reduce
> forward declarations, no code changes
> 8b4c429025c233640bd5c5838552f34683a06fc0 awk: use static tmpvars instead of
> nvalloc(1)ed ones
> 1573487e2100892d06e3628828690692313a48d5 awk: rename temp variables, no code
> changes
> d7354df169603807fe2ac4f8a0f9f72c9703184f awk: evaluate all, even superfluous
> function args
> ca9278ee5855a91a5521960d3743809f47ed27b8 awk: rewrite "print" logic a bit to
> make it clearer
> d1507101695f6bad35a61c4770b7d3913597ac16 awk: allow empty fuinctions with no
> arguments, disallow function redefinitions
> 86fc2872b33224cfa5442700c2a8abd020cbf900 awk: replace incorrect use of union
> in undefined function check (no code changes)
> 6cf6f1eaee1f6be2b936c2ff0e5852c00740edb4 awk: remove custom pool allocator
> for temporary awk variables
> 3aff3b9cb81c1f574aaafaf3981e755c6639e2bc awk: assorted optimizations
> b3c91a127f8baecee0265ba92898ae1e718bdb31 awk: free unused parsing structures
> after parse is done
> 21fbee2e87ddf7b47bb501b6529b63ac2b3af0bd awk: document which hashes are used
> at what state (parse/execute)
> 6872c193a935df47facf717c15a32f93b43c6bcf awk: fix parsing of expressions such
> as "v (a)"
> 686287b5da98508dd03fb295745c82d00440131e awk: deindent a block, no code
> changes
> 216d3d8ad9b7d0346cf439ccaca18d0a263e7608 awk: code shrink
> 4f27503a1ecab8dfe373a349df3d8fe3c22e2160 awk: get rid of "move name one char
> back" trick in next_token()
> f414fb4411e65662b44f038ed3175789172edc20 awk: when parsing TC_FUNCTION token,
> eat its opening '('
> cb6061a4e9860bf3d529109b34103ce3bde6d735 awk: g_buf[] does not need a
> separate allocation
> 926420795b4191e045d4a316bfed19f84275a185 awk: simplify parsing of function
> declaration
> 9782cb7774f00a3e777e3d764ccce15055a29977 awk: rename TC_SEQSTART/END to
> L/RPAREN, no code changes
> a493441ca52adca7df3976c668f2e7c48d1b67a1 awk: deindent code block, no code
> changes
> adcd9a6f349f3f2715a586b45fb27350b37cf1e5 awk: use TS_foo for combined token
> classes. No code changes
> 832cb4fcb98d2845bd3f9d244593fc1b5f362ca0 awk: make ltclass ("last token
> class") local to next_token()
> af0172369eb024fff3c8c2cd2c8765a7fde5a9f5 awk: remove redundant check
> 78645d8371e69ce82841b66aa5ef69c02055f5bc awk: move locals deeper into scopes
> where they are used, no logic changes
> 8c5da0323bf2da02c40c587c5694b22e3ec623fb awk: more efficient -f FILE,
> document what "some trick in next_token" is
> ac4786ba002620eb4c046c847e69d6a12ea0e322 qwk: make code clearer, no actual
> code changes
> fd217c1cbf7a702ad632bb21f7757433de1755b7 awk: after preinc/dec, only allow
> variable, field ref, array ref, or another preinc/dec
> a885ce1af05c4eaa5ebcf883cb3da3433ca1c48b awk: fix use-after-free in "$BIGNUM1
> $BIGGERNUM2" concat op
Use-after-free was fixed in the above commit.
> e8fe9f96356a6b19ec907ea30cffc829c539a7ff awk: allow printf('%c') to output
> NUL, closes 13486
>
> CVE-2021-42378: A use-after-free in awk leads to denial of
> service and possibly code execution when processing a
> crafted awk pattern in the getvar_i function
>
> awk 1.16-1.33.1
>
> CVE-2021-42379: A use-after-free in awk leads to denial of
> service and possibly code execution when processing a
> crafted awk pattern in the next_input_file
> function
>
> awk 1.18-1.33.1
>
> CVE-2021-42380: A use-after-free in awk leads to denial of
> service and possibly code execution when processing a
> crafted awk pattern in the clrvar function
>
> awk 1.28-1.33.1
>
> CVE-2021-42381: A use-after-free in awk leads to denial of
> service and possibly code execution when processing a
> crafted awk pattern in the hash_init function
>
> awk 1.21-1.33.1
>
> CVE-2021-42382: A use-after-free in awk leads to denial of
> service and possibly code execution when processing a
> crafted awk pattern in the getvar_s function
>
> awk 1.26-1.33.1
>
> CVE-2021-42383: A use-after-free in awk leads to denial of
> service and possibly code execution when processing a
> crafted awk pattern in the evaluate function
>
> awk 1.33.1
>
> NOTE: I think this is a bit peculiar. It is claimed that
> 1.33.0 is not affected (compare with CVE-2021-42377),
> which means that 1.33.1 would introduce this problem.
> 1.33.1. However, there are no changes in awk between 1.33.0 and
> 1.33.1.
>
> CVE-2021-42384: A use-after-free in awk leads to denial of
> service and possibly code execution when processing a
> crafted awk pattern in the handle_special
> function
>
> awk 1.18-1.33.1
>
> CVE-2021-42385: A use-after-free in awk leads to denial of
> service and possibly code execution when processing a
> crafted awk pattern in the evaluate function
>
> awk 1.16-1.33.1
>
> CVE-2021-42386: A use-after-free in awk leads to denial of
> service and possibly code execution when processing a
> crafted awk pattern in the nvalloc function
>
> awk 1.16-1.33.1
A bug they IIRC did not mention was that printf could overflow the buffer.
This is fixed now.
_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox