Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package busybox for openSUSE:Factory checked
in at 2023-08-31 13:42:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/busybox (Old)
and /work/SRC/openSUSE:Factory/.busybox.new.1766 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "busybox"
Thu Aug 31 13:42:27 2023 rev:84 rq:1108060 version:1.36.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/busybox/busybox.changes 2023-06-07
23:06:58.487187540 +0200
+++ /work/SRC/openSUSE:Factory/.busybox.new.1766/busybox.changes
2023-08-31 13:43:01.246438987 +0200
@@ -1,0 +2,6 @@
+Tue Aug 29 09:55:24 UTC 2023 - Radoslav Kolev <radoslav.ko...@suse.com>
+
+- Add ash-fix-segfault-d417193cf.patch: fix stack overflow vulnerability
+ in ash (CVE-2022-48174, bsc#1214538)
+
+-------------------------------------------------------------------
New:
----
ash-fix-segfault-d417193cf.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ busybox.spec ++++++
--- /var/tmp/diff_new_pack.FfWFUN/_old 2023-08-31 13:43:03.106505470 +0200
+++ /var/tmp/diff_new_pack.FfWFUN/_new 2023-08-31 13:43:03.114505757 +0200
@@ -42,6 +42,8 @@
Patch0: cpio-long-opt.patch
Patch1: sendmail-ignore-F-option.patch
Patch2: testsuite-gnu-echo.patch
+# PATCH-FIX-UPSTREAM shell: avoid segfault on ${0::0/0~09J} (CVE-2022-48174)
https://git.busybox.net/busybox/commit/?id=d417193cf
+Patch3: ash-fix-segfault-d417193cf.patch
# other patches
Patch100: busybox.install.patch
Provides: useradd_or_adduser_dep
++++++ ash-fix-segfault-d417193cf.patch ++++++
>From d417193cf37ca1005830d7e16f5fa7e1d8a44209 Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <vda.li...@googlemail.com>
Date: Mon, 12 Jun 2023 17:48:47 +0200
Subject: [PATCH] shell: avoid segfault on ${0::0/0~09J}. Closes 15216
function old new delta
evaluate_string 1011 1053 +42
Signed-off-by: Denys Vlasenko <vda.li...@googlemail.com>
---
shell/math.c | 39 +++++++++++++++++++++++++++++++++++----
1 file changed, 35 insertions(+), 4 deletions(-)
diff --git a/shell/math.c b/shell/math.c
index 76d22c9bd..727c29467 100644
--- a/shell/math.c
+++ b/shell/math.c
@@ -577,6 +577,28 @@ static arith_t strto_arith_t(const char *nptr, char
**endptr)
# endif
#endif
+//TODO: much better estimation than expr_len/2? Such as:
+//static unsigned estimate_nums_and_names(const char *expr)
+//{
+// unsigned count = 0;
+// while (*(expr = skip_whitespace(expr)) != '\0') {
+// const char *p;
+// if (isdigit(*expr)) {
+// while (isdigit(*++expr))
+// continue;
+// count++;
+// continue;
+// }
+// p = endofname(expr);
+// if (p != expr) {
+// expr = p;
+// count++;
+// continue;
+// }
+// }
+// return count;
+//}
+
static arith_t
evaluate_string(arith_state_t *math_state, const char *expr)
{
@@ -584,10 +606,12 @@ evaluate_string(arith_state_t *math_state, const char
*expr)
const char *errmsg;
const char *start_expr = expr = skip_whitespace(expr);
unsigned expr_len = strlen(expr) + 2;
- /* Stack of integers */
- /* The proof that there can be no more than strlen(startbuf)/2+1
- * integers in any given correct or incorrect expression
- * is left as an exercise to the reader. */
+ /* Stack of integers/names */
+ /* There can be no more than strlen(startbuf)/2+1
+ * integers/names in any given correct or incorrect expression.
+ * (modulo "09v09v09v09v09v" case,
+ * but we have code to detect that early)
+ */
var_or_num_t *const numstack = alloca((expr_len / 2) *
sizeof(numstack[0]));
var_or_num_t *numstackptr = numstack;
/* Stack of operator tokens */
@@ -652,6 +676,13 @@ evaluate_string(arith_state_t *math_state, const char
*expr)
numstackptr->var = NULL;
errno = 0;
numstackptr->val = strto_arith_t(expr, (char**) &expr);
+ /* A number can't be followed by another number, or a
variable name.
+ * We'd catch this later anyway, but this would require
numstack[]
+ * to be twice as deep to handle strings where _every_
char is
+ * a new number or name. Example:
09v09v09v09v09v09v09v09v09v
+ */
+ if (isalnum(*expr) || *expr == '_')
+ goto err;
//bb_error_msg("val:%lld", numstackptr->val);
if (errno)
numstackptr->val = 0; /* bash compat */
--
2.26.2
