On 10/9/23 19:29, Steve Sakoman wrote:
On Mon, Oct 9, 2023 at 6:27 AM Marek Vasut <[email protected]> wrote:

Pick fix for CVE-2023-4156 from ubuntu 20.04

A heap out-of-bounds read flaw was found in builtin.c in the gawk
package. This issue may lead to a crash and could be used to read
sensitive information.

https://nvd.nist.gov/vuln/detail/CVE-2023-4156

https://packages.ubuntu.com/source/focal/gawk
gawk_5.0.1+dfsg-1ubuntu0.1.debian.tar.xz / 12.9 kB / 12d878acc04cd6328b793455547c870f

Signed-off-by: Marek Vasut <[email protected]>
---
  .../gawk/gawk/CVE-2023-4156.patch             | 26 +++++++++++++++++++
  meta/recipes-extended/gawk/gawk_5.0.1.bb      |  1 +
  2 files changed, 27 insertions(+)
  create mode 100644 meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch

diff --git a/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch 
b/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch
new file mode 100644
index 0000000000..ecfd974af0
--- /dev/null
+++ b/meta/recipes-extended/gawk/gawk/CVE-2023-4156.patch
@@ -0,0 +1,26 @@
+From e709eb829448ce040087a3fc5481db6bfcaae212 Mon Sep 17 00:00:00 2001
+From: "Arnold D. Robbins" <[email protected]>
+Date: Wed, 3 Aug 2022 13:00:54 +0300
+Subject: [PATCH] Smal bug fix in builtin.c.
+
+CVE: CVE-2023-4156
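Review bot: The patch header ends at the "CVE:" tag with no Upstream-Status line, which OE-Core requires for every patch in meta/; since the header already carries the upstream author and commit id (e709eb829448ce040087a3fc5481db6bfcaae212, Arnold D. Robbins, 2022-08-03), this is a backport of an upstream gawk commit and should be tagged as such, e.g. "Upstream-Status: Backport [<upstream gawk commit e709eb82...>]", pointing at the gawk repository rather than the Ubuntu source package it was taken from. Also worth adding a "Signed-off-by:" line for the person doing the backport, so the provenance chain (upstream author, Ubuntu intermediary, OE-Core submitter) is recorded in the patch itself and not only in the commit message.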

Missing Upstream-Status.  Note that Ubuntu isn't upstream so please
link to upstream gawk commit.

Should be fixed in V2, sorry for the mess.
