On Thu, Nov 11, 2021 at 5:09 PM Natanael Copa <[email protected]> wrote:
> Hi!
>
> I think it would be nice with a 1.33.2 release, with fixes for all the recent
> CVEs.
>
> Those commits should be cherry-picked to 1_33_stable:
>
> 4d4fc5ca5ee4f (man: fix segfault in "man 1") CVE-2021-42373
This is not a security bug. man segfaults "safely" by dereferencing
NULL pointer (as opposed to dereferencing random value), it can't be used to
see any secret information.
> 04f052c56ded5 (unlzma: fix a case where we could read before beginning
> of buffer) CVE-2021-42374
> 53a7a9cd8c15d (ash: parser: Fix VSLENGTH parsing with trailing
> garbage) CVE-2021-42375
> 1b7a9b68d0e9 (hush: fix handling of \^C and "^C") CVE-2021-42376
> 83a4967e5042 (hush: fix handling of "cmd && &") CVE-2021-42377
These can be included.
> We can cherry-pick all 61 commits to be sure to cover the
> CVE-2021-42378 to CVE-2021-42386:
>
> for i in $(git log --format=oneline 1_33_0..1_34_0 -- editors/awk.c \
> | awk '{print $1}' | tac); do git cherry-pick -x $i|| break; done
awk changes are too big for a stable release.
_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
