From: Hitendra Prajapati <[email protected]> Upstream-Status: Backport from https://git.busybox.net/busybox/commit/?id=fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa
Signed-off-by: Hitendra Prajapati <[email protected]> Signed-off-by: Steve Sakoman <[email protected]> --- .../busybox/busybox/CVE-2023-42363.patch | 67 +++++++++++++++++++ meta/recipes-core/busybox/busybox_1.35.0.bb | 1 + 2 files changed, 68 insertions(+) create mode 100644 meta/recipes-core/busybox/busybox/CVE-2023-42363.patch diff --git a/meta/recipes-core/busybox/busybox/CVE-2023-42363.patch b/meta/recipes-core/busybox/busybox/CVE-2023-42363.patch new file mode 100644 index 0000000000..b401a6e3e5 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/CVE-2023-42363.patch @@ -0,0 +1,67 @@ +From fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa Mon Sep 17 00:00:00 2001 +From: Natanael Copa <[email protected]> +Date: Mon, 20 May 2024 17:55:28 +0200 +Subject: awk: fix use after free (CVE-2023-42363) + +function old new delta +evaluate 3377 3385 +8 + +Fixes https://bugs.busybox.net/show_bug.cgi?id=15865 + +Signed-off-by: Natanael Copa <[email protected]> +Signed-off-by: Denys Vlasenko <[email protected]> + +Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa] +CVE: CVE-2023-42363 +Signed-off-by: Hitendra Prajapati <[email protected]> +--- + editors/awk.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/editors/awk.c b/editors/awk.c +index 654cbac..4fbc11d 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -2889,19 +2889,14 @@ static var *evaluate(node *op, var *res) + if ((opinfo & OF_REQUIRED) && !op1) + syntax_error(EMSG_TOO_FEW_ARGS); + L.v = evaluate(op1, TMPVAR0); +- if (opinfo & OF_STR1) { +- L.s = getvar_s(L.v); +- debug_printf_eval("L.s:'%s'\n", L.s); +- } + if (opinfo & OF_NUM1) { + L_d = getvar_i(L.v); + debug_printf_eval("L_d:%f\n", L_d); + } + } +- /* NB: Must get string/numeric values of L (done above) +- * _before_ evaluate()'ing R.v: if both L and R are $NNNs, +- * and right one is large, then L.v points to Fields[NNN1], +- * second evaluate() reallocates and moves (!) Fields[], ++ /* NB: if both L and R are $NNNs, and right one is large, ++ * then at this pint L.v points to Fields[NNN1], second ++ * evaluate() below reallocates and moves (!) Fields[], + * R.v points to Fields[NNN2] but L.v now points to freed mem! + * (Seen trying to evaluate "$444 $44444") + */ +@@ -2914,6 +2909,16 @@ static var *evaluate(node *op, var *res) + debug_printf_eval("R.s:'%s'\n", R.s); + } + } ++ /* Get L.s _after_ R.v is evaluated: it may have realloc'd L.v ++ * so we must get the string after "old_Fields_ptr" correction ++ * above. Testcase: x = (v = "abc", gsub("b", "X", v)); ++ */ ++ if (opinfo & OF_RES1) { ++ if (opinfo & OF_STR1) { ++ L.s = getvar_s(L.v); ++ debug_printf_eval("L.s:'%s'\n", L.s); ++ } ++ } + + debug_printf_eval("switch(0x%x)\n", XC(opinfo & OPCLSMASK)); + switch (XC(opinfo & OPCLSMASK)) { +-- +2.25.1 + diff --git a/meta/recipes-core/busybox/busybox_1.35.0.bb b/meta/recipes-core/busybox/busybox_1.35.0.bb index 07a5137d2a..842562c4c4 100644 --- a/meta/recipes-core/busybox/busybox_1.35.0.bb +++ b/meta/recipes-core/busybox/busybox_1.35.0.bb @@ -52,6 +52,7 @@ SRC_URI = "https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ file://CVE-2022-30065.patch \ file://0001-devmem-add-128-bit-width.patch \ file://CVE-2022-48174.patch \ + file://CVE-2023-42363.patch \ " SRC_URI:append:libc-musl = " file://musl.cfg " -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#202278): https://lists.openembedded.org/g/openembedded-core/message/202278 Mute This Topic: https://lists.openembedded.org/mt/107451386/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
