Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected], [email protected]
Control: affects -1 + src:busybox
User: [email protected]
Usertags: pu
Hi,

Around a year ago I've uploaded fixes to LTS (bullseye), but some of the fixed CVEs are currently unfixed in newer releases, especially in bookworm, and I'd like to close this gap. The security team (in CC) were in the loop when discussing the plan. As busybox produces a udeb, CC'ing debian-boot as well.

The plan was to close the gap in bookworm and at least fix everything fixed in bullseye. This update was prepared with feedback from Michael Tokarev, one of the maintainers of busybox.

The CVEs fixed are:

- CVE-2022-48174 - stack overflow (Closes: #1059049)
- CVE-2023-42363 - use-after-free (Closes: #1059050)
- CVE-2023-42364 - use-after-free (Closes: #1059051)
  This patch also covers CVE-2023-42365 (Closes: #1059052)

The applied patches were taken from upstream, and generally did apply cleanly, so there was no significant backporting effort required.

busybox comes with a test suite; the test suite is happy with the changes.

I've used debusine to check for regressions in reverse dependencies, and the failing tests were failing before, so no regressions here:

Reference: https://debusine.debian.net/debian/developers/work-request/479075/
Update: https://debusine.debian.net/debian/developers/work-request/479182/

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable and trixie

[ Other info ]
I've modified the CI configuration as the b2r seems not to correctly work: the extra installer tests fail. It seems that the CI configuration does not honour the RELEASE variable, so it tests against unstable.

[example]
[example]
https://salsa.debian.org/lts-team/packages/busybox/-/jobs/9142075

debdiff attached, package will be uploaded to the o-s-p-u queue after sending this mail.

-- 
tobi
diff -Nru busybox-1.35.0/debian/changelog busybox-1.35.0/debian/changelog --- busybox-1.35.0/debian/changelog 2022-11-06 09:27:04.000000000 +0100 +++ busybox-1.35.0/debian/changelog 2026-03-02 07:59:41.000000000 +0100 @@ -1,4 +1,15 @@ -busybox (1:1.35.0-4) bookworm; urgency=medium +busybox (1:1.35.0-4+deb12u1) bookworm; urgency=high + + * Non-maintainer upload by the LTS Team. + * Import/Backport patches for: + - CVE-2022-48174 - stack overflow (Closes: #1059049) + - CVE-2023-42363 - use-after-free (Closes: #1059050) + - CVE-2023-42364 - use-after-free (Closes: #1059051) + This patch also covers CVE-2023-42365 (Closes: #1059052) + + -- Tobias Frost <[email protected]> Mon, 02 Mar 2026 07:59:41 +0100 + +busybox (1:1.35.0-4) unstable; urgency=medium * static build: disable blkid applet (CONFIG_BLKID, #1023501) diff -Nru busybox-1.35.0/debian/gbp.conf busybox-1.35.0/debian/gbp.conf --- busybox-1.35.0/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100 +++ busybox-1.35.0/debian/gbp.conf 2026-03-01 09:37:38.000000000 +0100 @@ -0,0 +1,3 @@ +[DEFAULT] +pristine-tar = True +debian-branch = debian/bookworm diff -Nru busybox-1.35.0/debian/patches/CVE-2022-48174.patch busybox-1.35.0/debian/patches/CVE-2022-48174.patch --- busybox-1.35.0/debian/patches/CVE-2022-48174.patch 1970-01-01 01:00:00.000000000 +0100 +++ busybox-1.35.0/debian/patches/CVE-2022-48174.patch 2026-03-01 09:37:38.000000000 +0100 @@ -0,0 +1,80 @@ +Description: Patch for CVE-2022-48174 - stack overflow +Origin: https://git.busybox.net/busybox/commit/?id=d417193cf37ca1005830d7e16f5fa7e1d8a44209 +Bug: https://bugs.busybox.net/show_bug.cgi?id=15216 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059049 + +commit d417193cf37ca1005830d7e16f5fa7e1d8a44209 +Author: Denys Vlasenko <[email protected]> +Date: Mon Jun 12 17:48:47 2023 +0200 + + shell: avoid segfault on ${0::0/0~09J}. Closes 15216 + + function old new delta + evaluate_string 1011 1053 +42 + + 
Signed-off-by: Denys Vlasenko <[email protected]> + +diff --git a/shell/math.c b/shell/math.c +index 76d22c9bd..727c29467 100644 +--- a/shell/math.c ++++ b/shell/math.c +@@ -577,6 +577,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr) + # endif + #endif + ++//TODO: much better estimation than expr_len/2? Such as: ++//static unsigned estimate_nums_and_names(const char *expr) ++//{ ++// unsigned count = 0; ++// while (*(expr = skip_whitespace(expr)) != '\0') { ++// const char *p; ++// if (isdigit(*expr)) { ++// while (isdigit(*++expr)) ++// continue; ++// count++; ++// continue; ++// } ++// p = endofname(expr); ++// if (p != expr) { ++// expr = p; ++// count++; ++// continue; ++// } ++// } ++// return count; ++//} ++ + static arith_t + evaluate_string(arith_state_t *math_state, const char *expr) + { +@@ -584,10 +606,12 @@ evaluate_string(arith_state_t *math_state, const char *expr) + const char *errmsg; + const char *start_expr = expr = skip_whitespace(expr); + unsigned expr_len = strlen(expr) + 2; +- /* Stack of integers */ +- /* The proof that there can be no more than strlen(startbuf)/2+1 +- * integers in any given correct or incorrect expression +- * is left as an exercise to the reader. */ ++ /* Stack of integers/names */ ++ /* There can be no more than strlen(startbuf)/2+1 ++ * integers/names in any given correct or incorrect expression. ++ * (modulo "09v09v09v09v09v" case, ++ * but we have code to detect that early) ++ */ + var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0])); + var_or_num_t *numstackptr = numstack; + /* Stack of operator tokens */ +@@ -652,6 +676,13 @@ evaluate_string(arith_state_t *math_state, const char *expr) + numstackptr->var = NULL; + errno = 0; + numstackptr->val = strto_arith_t(expr, (char**) &expr); ++ /* A number can't be followed by another number, or a variable name. 
++ * We'd catch this later anyway, but this would require numstack[] ++ * to be twice as deep to handle strings where _every_ char is ++ * a new number or name. Example: 09v09v09v09v09v09v09v09v09v ++ */ ++ if (isalnum(*expr) || *expr == '_') ++ goto err; + //bb_error_msg("val:%lld", numstackptr->val); + if (errno) + numstackptr->val = 0; /* bash compat */ diff -Nru busybox-1.35.0/debian/patches/CVE-2023-42363.patch busybox-1.35.0/debian/patches/CVE-2023-42363.patch --- busybox-1.35.0/debian/patches/CVE-2023-42363.patch 1970-01-01 01:00:00.000000000 +0100 +++ busybox-1.35.0/debian/patches/CVE-2023-42363.patch 2026-03-01 09:37:38.000000000 +0100 
@@ -0,0 +1,63 @@ +Description: CVE-2023-42363 - use-after-free vulnerability +Origin: https://git.busybox.net/busybox/commit/?id=fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa +Bug: https://bugs.busybox.net/show_bug.cgi?id=15865 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059050 + +From fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa Mon Sep 17 00:00:00 2001 +From: Natanael Copa <[email protected]> +Date: Mon, 20 May 2024 17:55:28 +0200 +Subject: awk: fix use after free (CVE-2023-42363) + +function old new delta +evaluate 3377 3385 +8 + +Fixes https://bugs.busybox.net/show_bug.cgi?id=15865 + +Signed-off-by: Natanael Copa <[email protected]> +Signed-off-by: Denys Vlasenko <[email protected]> +--- + editors/awk.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -2954,19 +2954,14 @@ + if ((opinfo & OF_REQUIRED) && !op1) + syntax_error(EMSG_TOO_FEW_ARGS); + L.v = evaluate(op1, TMPVAR0); +- if (opinfo & OF_STR1) { +- L.s = getvar_s(L.v); +- debug_printf_eval("L.s:'%s'\n", L.s); +- } + if (opinfo & OF_NUM1) { + L_d = getvar_i(L.v); + debug_printf_eval("L_d:%f\n", L_d); + } + } +- /* NB: Must get string/numeric values of L (done above) +- * _before_ evaluate()'ing R.v: if both L and R are $NNNs, +- * and right one is large, then L.v points to Fields[NNN1], +- * second evaluate() reallocates and moves (!) Fields[], ++ /* NB: if both L and R are $NNNs, and right one is large, ++ * then at this pint L.v points to Fields[NNN1], second ++ * evaluate() below reallocates and moves (!) Fields[], + * R.v points to Fields[NNN2] but L.v now points to freed mem! + * (Seen trying to evaluate "$444 $44444") + */ +@@ -2979,6 +2974,16 @@ + debug_printf_eval("R.s:'%s'\n", R.s); + } + } ++ /* Get L.s _after_ R.v is evaluated: it may have realloc'd L.v ++ * so we must get the string after "old_Fields_ptr" correction ++ * above. 
Testcase: x = (v = "abc", gsub("b", "X", v)); ++ */ ++ if (opinfo & OF_RES1) { ++ if (opinfo & OF_STR1) { ++ L.s = getvar_s(L.v); ++ debug_printf_eval("L.s:'%s'\n", L.s); ++ } ++ } + + debug_printf_eval("switch(0x%x)\n", XC(opinfo & OPCLSMASK)); + switch (XC(opinfo & OPCLSMASK)) { diff -Nru busybox-1.35.0/debian/patches/CVE-2023-42364-part1.patch busybox-1.35.0/debian/patches/CVE-2023-42364-part1.patch --- busybox-1.35.0/debian/patches/CVE-2023-42364-part1.patch 1970-01-01 01:00:00.000000000 +0100 +++ busybox-1.35.0/debian/patches/CVE-2023-42364-part1.patch 2026-03-01 09:37:38.000000000 +0100 
@@ -0,0 +1,188 @@ +Description: Fix for CVE2023-42364 / CVE-2023-42365 - part 1 +Origin: https://git.busybox.net/busybox/commit/editors/awk.c?id=0256e00a9d077588bd3a39f5a1ef7e2eaa2911e4 +Bug: https://bugs.busybox.net/show_bug.cgi?id=15868 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059051 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059052 + +From 0256e00a9d077588bd3a39f5a1ef7e2eaa2911e4 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko <[email protected]> +Date: Tue, 30 May 2023 16:42:18 +0200 +Subject: awk: fix precedence of = relative to == + +Discovered while adding code to disallow assignments to non-lvalues + +function old new delta +parse_expr 936 991 +55 +.rodata 105243 105247 +4 +------------------------------------------------------------------------------ +(add/remove: 0/0 grow/shrink: 2/0 up/down: 59/0) Total: 59 bytes + +Signed-off-by: Denys Vlasenko <[email protected]> +--- + editors/awk.c | 66 ++++++++++++++++++++++++++++++++++++++++------------------- + 1 file changed, 45 insertions(+), 21 deletions(-) + +(limited to 'editors/awk.c') + +diff --git a/editors/awk.c b/editors/awk.c +index c49ad6e02..0f062dcdb 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -337,7 +337,9 @@ static void debug_parse_print_tc(uint32_t n) + #undef P + #undef PRIMASK + #undef PRIMASK2 +-#define P(x) (x << 24) ++/* Smaller 'x' means _higher_ operator precedence */ ++#define PRECEDENCE(x) (x << 24) ++#define P(x) PRECEDENCE(x) + #define PRIMASK 0x7F000000 + #define PRIMASK2 0x7E000000 + +@@ -360,7 +362,7 @@ enum { + OC_MOVE = 0x1f00, OC_PGETLINE = 0x2000, OC_REGEXP = 0x2100, + OC_REPLACE = 0x2200, OC_RETURN = 0x2300, OC_SPRINTF = 0x2400, + OC_TERNARY = 0x2500, OC_UNARY = 0x2600, OC_VAR = 0x2700, +- OC_DONE = 0x2800, ++ OC_CONST = 0x2800, OC_DONE = 0x2900, + + ST_IF = 0x3000, ST_DO = 0x3100, ST_FOR = 0x3200, + ST_WHILE = 0x3300 +@@ -440,9 +442,9 @@ static const uint32_t tokeninfo[] ALIGN4 = { + #define TI_PREINC (OC_UNARY|xV|P(9)|'P') + 
#define TI_PREDEC (OC_UNARY|xV|P(9)|'M') + TI_PREINC, TI_PREDEC, OC_FIELD|xV|P(5), +- OC_COMPARE|VV|P(39)|5, OC_MOVE|VV|P(74), OC_REPLACE|NV|P(74)|'+', OC_REPLACE|NV|P(74)|'-', +- OC_REPLACE|NV|P(74)|'*', OC_REPLACE|NV|P(74)|'/', OC_REPLACE|NV|P(74)|'%', OC_REPLACE|NV|P(74)|'&', +- OC_BINARY|NV|P(29)|'+', OC_BINARY|NV|P(29)|'-', OC_REPLACE|NV|P(74)|'&', OC_BINARY|NV|P(15)|'&', ++ OC_COMPARE|VV|P(39)|5, OC_MOVE|VV|P(38), OC_REPLACE|NV|P(38)|'+', OC_REPLACE|NV|P(38)|'-', ++ OC_REPLACE|NV|P(38)|'*', OC_REPLACE|NV|P(38)|'/', OC_REPLACE|NV|P(38)|'%', OC_REPLACE|NV|P(38)|'&', ++ OC_BINARY|NV|P(29)|'+', OC_BINARY|NV|P(29)|'-', OC_REPLACE|NV|P(38)|'&', OC_BINARY|NV|P(15)|'&', + OC_BINARY|NV|P(25)|'/', OC_BINARY|NV|P(25)|'%', OC_BINARY|NV|P(15)|'&', OC_BINARY|NV|P(25)|'*', + OC_COMPARE|VV|P(39)|4, OC_COMPARE|VV|P(39)|3, OC_COMPARE|VV|P(39)|0, OC_COMPARE|VV|P(39)|1, + #define TI_LESS (OC_COMPARE|VV|P(39)|2) +@@ -1301,7 +1303,7 @@ static uint32_t next_token(uint32_t expected) + save_tclass = tc; + save_info = t_info; + tc = TC_BINOPX; +- t_info = OC_CONCAT | SS | P(35); ++ t_info = OC_CONCAT | SS | PRECEDENCE(35); + } + + t_tclass = tc; +@@ -1361,9 +1363,8 @@ static node *parse_expr(uint32_t term_tc) + { + node sn; + node *cn = &sn; +- node *vn, *glptr; ++ node *glptr; + uint32_t tc, expected_tc; +- var *v; + + debug_printf_parse("%s() term_tc(%x):", __func__, term_tc); + debug_parse_print_tc(term_tc); +@@ -1374,11 +1375,12 @@ static node *parse_expr(uint32_t term_tc) + expected_tc = TS_OPERAND | TS_UOPPRE | TC_REGEXP | term_tc; + + while (!((tc = next_token(expected_tc)) & term_tc)) { ++ node *vn; + + if (glptr && (t_info == TI_LESS)) { + /* input redirection (<) attached to glptr node */ + debug_printf_parse("%s: input redir\n", __func__); +- cn = glptr->l.n = new_node(OC_CONCAT | SS | P(37)); ++ cn = glptr->l.n = new_node(OC_CONCAT | SS | PRECEDENCE(37)); + cn->a.n = glptr; + expected_tc = TS_OPERAND | TS_UOPPRE; + glptr = NULL; +@@ -1390,24 +1392,42 @@ static node 
*parse_expr(uint32_t term_tc) + * previous operators with higher priority */ + vn = cn; + while (((t_info & PRIMASK) > (vn->a.n->info & PRIMASK2)) +- || ((t_info == vn->info) && t_info == TI_COLON) ++ || (t_info == vn->info && t_info == TI_COLON) + ) { + vn = vn->a.n; + if (!vn->a.n) syntax_error(EMSG_UNEXP_TOKEN); + } + if (t_info == TI_TERNARY) + //TODO: why? +- t_info += P(6); ++ t_info += PRECEDENCE(6); + cn = vn->a.n->r.n = new_node(t_info); + cn->a.n = vn->a.n; + if (tc & TS_BINOP) { + cn->l.n = vn; +-//FIXME: this is the place to detect and reject assignments to non-lvalues. +-//Currently we allow "assignments" to consts and temporaries, nonsense like this: +-// awk 'BEGIN { "qwe" = 1 }' +-// awk 'BEGIN { 7 *= 7 }' +-// awk 'BEGIN { length("qwe") = 1 }' +-// awk 'BEGIN { (1+1) += 3 }' ++ ++ /* Prevent: ++ * awk 'BEGIN { "qwe" = 1 }' ++ * awk 'BEGIN { 7 *= 7 }' ++ * awk 'BEGIN { length("qwe") = 1 }' ++ * awk 'BEGIN { (1+1) += 3 }' ++ */ ++ /* Assignment? (including *= and friends) */ ++ if (((t_info & OPCLSMASK) == OC_MOVE) ++ || ((t_info & OPCLSMASK) == OC_REPLACE) ++ ) { ++ debug_printf_parse("%s: MOVE/REPLACE vn->info:%08x\n", __func__, vn->info); ++ /* Left side is a (variable or array element) ++ * or function argument ++ * or $FIELD ? ++ */ ++ if ((vn->info & OPCLSMASK) != OC_VAR ++ && (vn->info & OPCLSMASK) != OC_FNARG ++ && (vn->info & OPCLSMASK) != OC_FIELD ++ ) { ++ syntax_error(EMSG_UNEXP_TOKEN); /* no. 
bad */ ++ } ++ } ++ + expected_tc = TS_OPERAND | TS_UOPPRE | TC_REGEXP; + if (t_info == TI_PGETLINE) { + /* it's a pipe */ +@@ -1443,6 +1463,8 @@ static node *parse_expr(uint32_t term_tc) + /* one should be very careful with switch on tclass - + * only simple tclasses should be used (TC_xyz, not TS_xyz) */ + switch (tc) { ++ var *v; ++ + case TC_VARIABLE: + case TC_ARRAY: + debug_printf_parse("%s: TC_VARIABLE | TC_ARRAY\n", __func__); +@@ -1463,14 +1485,14 @@ static node *parse_expr(uint32_t term_tc) + case TC_NUMBER: + case TC_STRING: + debug_printf_parse("%s: TC_NUMBER | TC_STRING\n", __func__); +- cn->info = OC_VAR; ++ cn->info = OC_CONST; + v = cn->l.v = xzalloc(sizeof(var)); +- if (tc & TC_NUMBER) ++ if (tc & TC_NUMBER) { + setvar_i(v, t_double); +- else { ++ } else { + setvar_s(v, t_string); +- expected_tc &= ~TC_UOPPOST; /* "str"++ is not allowed */ + } ++ expected_tc &= ~TC_UOPPOST; /* NUM++, "str"++ not allowed */ + break; + + case TC_REGEXP: +@@ -3124,6 +3146,8 @@ static var *evaluate(node *op, var *res) + + /* -- recursive node type -- */ + ++ case XC( OC_CONST ): ++ debug_printf_eval("CONST "); + case XC( OC_VAR ): + debug_printf_eval("VAR\n"); + L.v = op->l.v; +-- +cgit v1.2.3 + diff -Nru busybox-1.35.0/debian/patches/CVE-2023-42364-part2.patch busybox-1.35.0/debian/patches/CVE-2023-42364-part2.patch --- busybox-1.35.0/debian/patches/CVE-2023-42364-part2.patch 1970-01-01 01:00:00.000000000 +0100 +++ busybox-1.35.0/debian/patches/CVE-2023-42364-part2.patch 2026-03-01 09:37:38.000000000 +0100 
@@ -0,0 +1,134 @@ +Description: Fix for CVE2023-42364 / CVE-2023-42365 - part 2 (regression fix) +Origin: https://git.busybox.net/busybox/commit/editors/awk.c?id=38335df9e9f45378c3407defd38b5b610578bdda +Bug: https://bugs.busybox.net/show_bug.cgi?id=15871#c6 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059051 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059052 + +From 38335df9e9f45378c3407defd38b5b610578bdda Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko <[email protected]> +Date: Tue, 9 Jul 2024 15:30:46 +0200 +Subject: awk: restore assignment precedence to be lower than ternary ?: + +Something is fishy with constrcts like "3==v=3" in gawk, +they should not work, but do. Ignore those for now. + +Signed-off-by: Denys Vlasenko <[email protected]> +--- + editors/awk.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++++---------- + 1 file changed, 54 insertions(+), 11 deletions(-) + +(limited to 'editors/awk.c') + +diff --git a/editors/awk.c b/editors/awk.c +index 8bc214b69..697a44c8c 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -433,36 +433,47 @@ static const char tokenlist[] ALIGN1 = + ; + + static const uint32_t tokeninfo[] ALIGN4 = { +- 0, +- 0, ++ 0, /* ( */ ++ 0, /* ) */ + #define TI_REGEXP OC_REGEXP +- TI_REGEXP, ++ TI_REGEXP, /* / */ ++ /* >> > | */ + xS|'a', xS|'w', xS|'|', ++ /* ++ -- */ + OC_UNARY|xV|P(9)|'p', OC_UNARY|xV|P(9)|'m', + #define TI_PREINC (OC_UNARY|xV|P(9)|'P') + #define TI_PREDEC (OC_UNARY|xV|P(9)|'M') ++ /* ++ -- $ */ + TI_PREINC, TI_PREDEC, OC_FIELD|xV|P(5), +- OC_COMPARE|VV|P(39)|5, OC_MOVE|VV|P(38), OC_REPLACE|NV|P(38)|'+', OC_REPLACE|NV|P(38)|'-', +- OC_REPLACE|NV|P(38)|'*', OC_REPLACE|NV|P(38)|'/', OC_REPLACE|NV|P(38)|'%', OC_REPLACE|NV|P(38)|'&', +- OC_BINARY|NV|P(29)|'+', OC_BINARY|NV|P(29)|'-', OC_REPLACE|NV|P(38)|'&', OC_BINARY|NV|P(15)|'&', ++ /* == = += -= */ ++ OC_COMPARE|VV|P(39)|5, OC_MOVE|VV|P(74), OC_REPLACE|NV|P(74)|'+', OC_REPLACE|NV|P(74)|'-', ++ /* *= /= %= ^= (^ is 
exponentiation, NOT xor) */ ++ OC_REPLACE|NV|P(74)|'*', OC_REPLACE|NV|P(74)|'/', OC_REPLACE|NV|P(74)|'%', OC_REPLACE|NV|P(74)|'&', ++ /* + - **= ** */ ++ OC_BINARY|NV|P(29)|'+', OC_BINARY|NV|P(29)|'-', OC_REPLACE|NV|P(74)|'&', OC_BINARY|NV|P(15)|'&', ++ /* / % ^ * */ + OC_BINARY|NV|P(25)|'/', OC_BINARY|NV|P(25)|'%', OC_BINARY|NV|P(15)|'&', OC_BINARY|NV|P(25)|'*', ++ /* != >= <= > */ + OC_COMPARE|VV|P(39)|4, OC_COMPARE|VV|P(39)|3, OC_COMPARE|VV|P(39)|0, OC_COMPARE|VV|P(39)|1, + #define TI_LESS (OC_COMPARE|VV|P(39)|2) ++ /* < !~ ~ && */ + TI_LESS, OC_MATCH|Sx|P(45)|'!', OC_MATCH|Sx|P(45)|'~', OC_LAND|Vx|P(55), + #define TI_TERNARY (OC_TERNARY|Vx|P(64)|'?') + #define TI_COLON (OC_COLON|xx|P(67)|':') ++ /* || ? : */ + OC_LOR|Vx|P(59), TI_TERNARY, TI_COLON, + #define TI_IN (OC_IN|SV|P(49)) + TI_IN, + #define TI_COMMA (OC_COMMA|SS|P(80)) + TI_COMMA, + #define TI_PGETLINE (OC_PGETLINE|SV|P(37)) +- TI_PGETLINE, ++ TI_PGETLINE, /* | */ ++ /* + - ! */ + OC_UNARY|xV|P(19)|'+', OC_UNARY|xV|P(19)|'-', OC_UNARY|xV|P(19)|'!', + 0, /* ] */ +- 0, +- 0, +- 0, ++ 0, /* { */ ++ 0, /* } */ ++ 0, /* ; */ + 0, /* \n */ + ST_IF, ST_DO, ST_FOR, OC_BREAK, + OC_CONTINUE, OC_DELETE|Rx, OC_PRINT, +@@ -511,6 +522,38 @@ static const uint32_t tokeninfo[] ALIGN4 = { + #undef OC_F + }; + ++/* gawk 5.1.1 manpage says the precedence of comparisons and assignments are as follows: ++ * ...... 
++ * < > <= >= == != ++ * ~ !~ ++ * in ++ * && ++ * || ++ * ?: ++ * = += -= *= /= %= ^= ++ * But there are some abnormalities: ++ * awk 'BEGIN { print v=3==3,v }' - ok: ++ * 1 1 ++ * awk 'BEGIN { print 3==v=3,v }' - wrong, (3==v)=3 is not a valid assignment: ++ * 1 3 ++ * This also unexpectedly works: echo "foo" | awk '$1==$1="foo" {print $1}' ++ * More than one comparison op fails to parse: ++ * awk 'BEGIN { print 3==3==3 }' - syntax error (wrong, should work) ++ * awk 'BEGIN { print 3==3!=3 }' - syntax error (wrong, should work) ++ * ++ * The ternary a?b:c works as follows in gawk: "a" can't be assignment ++ * ("= has lower precedence than ?") but inside "b" or "c", assignment ++ * is higher precedence: ++ * awk 'BEGIN { u=v=w=1; print u=0?v=4:w=5; print u,v,w }' ++ * 5 ++ * 5 1 5 ++ * This differs from C and shell's "test" rules for ?: which have implicit () ++ * around "b" in ?:, but not around "c" - they would barf on "w=5" above. ++ * gawk allows nesting of ?: - this works: ++ * u=0?v=4?5:6:w=7?8:9 means u=0?(v=4?5:6):(w=7?8:9) ++ * bbox is buggy here, requires parens: "u=0?(v=4):(w=5)" ++ */ ++ + /* internal variable names and their initial values */ + /* asterisk marks SPECIAL vars; $ is just no-named Field0 */ + enum { +@@ -1409,7 +1452,7 @@ static node *parse_expr(uint32_t term_tc) + vn = vn->a.n; + if (!vn->a.n) syntax_error(EMSG_UNEXP_TOKEN); + } +- if (t_info == TI_TERNARY) ++ if (t_info == TI_TERNARY) /* "?" operator */ + //TODO: why? + t_info += PRECEDENCE(6); + cn = vn->a.n->r.n = new_node(t_info); +-- +cgit v1.2.3 + diff -Nru busybox-1.35.0/debian/patches/series busybox-1.35.0/debian/patches/series --- busybox-1.35.0/debian/patches/series 2022-11-06 09:27:04.000000000 +0100 +++ busybox-1.35.0/debian/patches/series 2026-03-01 09:37:38.000000000 +0100 
@@ -14,3 +14,7 @@ platform-linux.diff fix-non-linux-build.patch use-libresolv-on-non-linux-too.patch +CVE-2022-48174.patch +CVE-2023-42364-part1.patch +CVE-2023-42364-part2.patch +CVE-2023-42363.patch diff -Nru busybox-1.35.0/debian/salsa-ci.yml busybox-1.35.0/debian/salsa-ci.yml --- busybox-1.35.0/debian/salsa-ci.yml 2022-11-06 09:27:04.000000000 +0100 +++ busybox-1.35.0/debian/salsa-ci.yml 2026-03-02 07:59:41.000000000 +0100 @@ -1,27 +1,15 @@ --- +# Oldstable CI +--- include: - - https://salsa.debian.org/installer-team/branch2repo/raw/main/trigger_b2r.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml variables: - # re-enable things that branch2repo defaults to disabling - SALSA_CI_DISABLE_PIUPARTS: 0 - SALSA_CI_DISABLE_AUTOPKGTEST: 0 - SALSA_CI_DISABLE_LINTIAN: 0 - # fileordering seems to mess up the package's tests, causing FTBFS - # so let's just not bother running the tests in the variation build - SALSA_CI_REPROTEST_ARGS: --variations=environment.variables+=DEB_BUILD_OPTIONS=nocheck - -#FIXME: upon first enabling salsa-CI, the blhc test is failing I'm afraid I -# (Philip Hands) don't know if setting hardening flags is a good idea for -# busybox, so I'll leave it as it is for now, and set `allow_failure` -# below. -# -# If/when someone sets the hardening flags successfully, this setting -# should go. On the other hand, if it's inappropriate to set them, then -# this comment can also go and one can disable the test by adding this to -# the variables section above: -# -# SALSA_CI_DISABLE_BLHC: 1 + RELEASE: 'bookworm' +# These didn't work before LTS, not attempting to fix after freeze blhc: allow_failure: true + +lintian: + allow_failure: true
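Review bot: in the debian/changelog hunk, the distribution of the already released 1:1.35.0-4 entry is rewritten from `bookworm` to `unstable` (`-busybox (1:1.35.0-4) bookworm; urgency=medium` becomes `+busybox (1:1.35.0-4) unstable; urgency=medium`). Entries that have been published should stay as they were; if the bookworm branch genuinely differs from what is in the archive, mention it in the mail, otherwise drop that change so the debdiff only adds the new +deb12u1 stanza.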
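Review bot: the CVE-2022-48174.patch hunk in shell/math.c carries no accompanying testsuite change, although the commit subject names the input that crashed (`${0::0/0~09J}`) and the new comment gives the `09v09v09v...` pattern the `isalnum(*expr) || *expr == '_'` check is meant to reject early. Since the fix relies on that early rejection to keep the `alloca`'d `numstack` within `expr_len / 2`, a shell testsuite case exercising those inputs would guard the backport against a later refresh silently losing the check.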
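Review bot: the CVE-2023-42363.patch hunks differ in shape from the other three patches: there is no `diff --git`/`index` header and the `@@ -2954,19 +2954,14 @@` and `@@ -2979,6 +2974,16 @@` hunks carry no function context, which suggests the file was regenerated or hand-refreshed rather than taken verbatim from commit fb08d43d. That is fine for applying, but worth a line in the DEP-3 header (e.g. a `Reviewed-by`/refresh note) so the next person refreshing knows it was adjusted. While there, the relocated comment keeps upstream's typo `at this pint` (should be `point`).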
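Review bot: the DEP-3 `Description:` lines of CVE-2023-42364-part1.patch and CVE-2023-42364-part2.patch read `Fix for CVE2023-42364 / CVE-2023-42365`; the first identifier is missing its hyphen, which trips tools that grep the patch headers for CVE ids. Suggest `Fix for CVE-2023-42364 / CVE-2023-42365` in both files.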
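Review bot: in the debian/patches/series hunk, CVE-2023-42363.patch is queued after both CVE-2023-42364 parts, whereas upstream the awk fix (fb08d43d, May 2024) landed before the part2 regression fix (38335df9, July 2024); all three touch editors/awk.c. Given that the 42363 hunks have no function context, a short statement in the mail that `quilt push -a` applies without fuzz in this order would make the ordering choice explicit for whoever refreshes these later.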
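Review bot: in the debian/salsa-ci.yml hunk, the added `+# Oldstable CI` and `+---` lines come after the existing `---`, so the file now opens with two document markers separated only by a comment. That makes it a YAML stream whose first document is empty; strict single-document loaders reject it and a CI parser may pick the wrong document. Move the comment below the original `---` and drop the second marker. Also, with both `blhc` and `lintian` set to `allow_failure: true`, the pipeline no longer gates on either check; the `# These didn't work before LTS` comment explains why, but the mail should say what the lintian failure actually is so it is not masking a packaging problem in the update itself.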