> On 24 Nov 2021, at 14:31, Denys Vlasenko <[email protected]> wrote:
>
> On Thu, Nov 11, 2021 at 5:09 PM Natanael Copa <[email protected]> wrote:
>> Hi!
>>
>> I think it would be nice with a 1.33.2 release, with fixes for all the
>> recent CVEs.
>>
>> Those commits should be cherry-picked to 1_33_stable:
>>
>> 4d4fc5ca5ee4f (man: fix segfault in "man 1") CVE-2021-42373
>
> This is not a security bug. man segfaults "safely" by dereferencing
> NULL pointer (as opposed to dereferencing random value), it can't be used to
> see any secret information.
It got a CVE, regardless of whether it is a real security bug or not.
The problem I am trying to solve is to turn all those security scanners to
green. They don't really care if it's a real security threat or not. They just
want green. And it's much easier to just patch the bug than to put up a fight
against a handful of scripted security scanners.
>
>> 04f052c56ded5 (unlzma: fix a case where we could read before beginning
>> of buffer) CVE-2021-42374
>> 53a7a9cd8c15d (ash: parser: Fix VSLENGTH parsing with trailing
>> garbage) CVE-2021-42375
>> 1b7a9b68d0e9 (hush: fix handling of \^C and "^C") CVE-2021-42376
>> 83a4967e5042 (hush: fix handling of "cmd && &") CVE-2021-42377
>
> These can be included.
>
>> We can cherry-pick all 61 commits to be sure to cover the
>> CVE-2021-42378 to CVE-2021-42386:
>>
>> for i in $(git log --format=oneline 1_33_0..1_34_0 -- editors/awk.c \
>> | awk '{print $1}' | tac); do git cherry-pick -x $i|| break; done
>
> awk changes are too big for a stable release.
Since it is not really possible to confirm that all the listed CVEs are
actually fixed without including everything up to the 1.34 release, I added a
patch for that for Alpine Linux. This is still better for downstream
distros/vendors than upgrading to a new major busybox version.
For busybox 1.33:
https://git.alpinelinux.org/aports/tree/main/busybox/awk-fixes.patch?h=3.14-stable
I also backported the patches for busybox 1.32:
https://git.alpinelinux.org/aports/tree/main/busybox/awk-fixes.patch?h=3.13-stable
And for busybox 1.31:
https://git.alpinelinux.org/aports/tree/main/busybox/awk-fixes.patch?h=3.12-stable
Those should help silence the security scanners.
Thanks!

_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox
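The thread's practical problem is confirming that a set of named fix commits actually landed on a stable branch before telling a scanner a CVE is fixed. The script below is an added example and is not code from the thread or from the busybox project: it takes the commit/CVE pairs quoted above (abbreviated hashes, which git only resolves inside a busybox checkout) and reports which of them are reachable from a given ref using `git merge-base --is-ancestor`. The repo path, ref and the `check_fixes`/`fix_present` helper names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the busybox list thread or the busybox tree):
# report which CVE fix commits are already reachable from a stable ref.
#
# Usage: check_fixes.sh <repo-dir> <ref> [<"commit cve" list>]
# Exit status: 0 if every listed commit is an ancestor of <ref>, 1 otherwise.

# Commit/CVE pairs as listed in the thread. The abbreviated hashes resolve
# only inside a busybox checkout; any other repo reports them as MISSING.
FIXES="
4d4fc5ca5ee4f CVE-2021-42373
04f052c56ded5 CVE-2021-42374
53a7a9cd8c15d CVE-2021-42375
1b7a9b68d0e9 CVE-2021-42376
83a4967e5042 CVE-2021-42377
"

# fix_present REPO REF COMMIT
# Returns 0 when COMMIT is an ancestor of (or equal to) REF.
# git exits 1 when it is not an ancestor and >1 when the object is unknown;
# both are treated as "not present", which is the safe answer for a backport.
fix_present() {
    repo=$1; ref=$2; commit=$3
    git -C "$repo" merge-base --is-ancestor "$commit" "$ref" 2>/dev/null
}

# check_fixes REPO REF LIST
# LIST is newline-separated "commit cve" pairs. Prints one line per entry and
# returns 0 only if every commit is reachable from REF.
check_fixes() {
    repo=$1; ref=$2; list=$3
    missing=0
    # Here-document instead of a pipe so the loop runs in the current shell
    # and the missing counter survives the loop.
    while read -r commit cve; do
        [ -n "$commit" ] || continue
        if fix_present "$repo" "$ref" "$commit"; then
            printf 'present  %s (%s)\n' "$cve" "$commit"
        else
            printf 'MISSING  %s (%s)\n' "$cve" "$commit"
            missing=$((missing + 1))
        fi
    done <<EOF
$list
EOF
    if [ "$missing" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Only run when invoked with a repo and a ref, e.g.:
#   sh check_fixes.sh ~/src/busybox 1_33_stable
if [ "$#" -ge 2 ]; then
    check_fixes "$1" "$2" "${3:-$FIXES}"
    exit $?
fi
```

Run it once against `1_33_stable` and once against `1_34_0` to see which of the listed commits the stable branch still lacks; a fix that only reached `master` shows as MISSING and should not be reported to a scanner as closed. The script says nothing about whether a commit that is present fully closes the CVE it is paired with, which is exactly the uncertainty raised for the awk series above.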