From: Theo Gaige <[email protected]>

Backport upstream fix for CVE-2026-31323 [1].

[1] https://git.kernel.org/pub/scm/utils/dash/dash.git/commit/?id=0034bfe185d3d875cebace8cb3ca5c9dabf9e0f3

Signed-off-by: Theo Gaige <[email protected]>
Reviewed-by: Bruno Vernay <[email protected]>
---
 .../dash/dash/CVE-2026-31323.patch            | 43 +++++++++++++++++++
 meta-oe/recipes-shells/dash/dash_0.5.12.bb    |  5 ++-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 meta-oe/recipes-shells/dash/dash/CVE-2026-31323.patch

diff --git a/meta-oe/recipes-shells/dash/dash/CVE-2026-31323.patch 
b/meta-oe/recipes-shells/dash/dash/CVE-2026-31323.patch
new file mode 100644
index 0000000000..a5e66dab65
--- /dev/null
+++ b/meta-oe/recipes-shells/dash/dash/CVE-2026-31323.patch
@@ -0,0 +1,43 @@
+From eeebf52119df7a74ee5187268ca3030d4c701f20 Mon Sep 17 00:00:00 2001
+From: Muchen Hou <[email protected]>
+Date: Mon, 13 Apr 2026 10:28:29 +0800
+Subject: [PATCH] arith: Fix CVE-2026-31323 INTMAX_MIN / -1 overflow
+
+Division and remainder currently guard against division by zero, but not
+against the signed overflow case INTMAX_MIN / -1. On affected systems
+this can trigger SIGFPE during arithmetic expansion.
+
+Add an explicit guard before evaluating division or remainder.
+
+Signed-off-by: Muchen Hou <[email protected]>
+
+Merge the overflow check with the zero division check.
+
+Signed-off-by: Herbert Xu <[email protected]>
+(cherry picked from commit 0034bfe185d3d875cebace8cb3ca5c9dabf9e0f3)
+
+CVE: CVE-2026-31323
+Upstream-Status: Backport 
[https://git.kernel.org/pub/scm/utils/dash/dash.git/commit/?id=0034bfe185d3d875cebace8cb3ca5c9dabf9e0f3]
+Signed-off-by: Theo Gaige <[email protected]>
+---
+ src/arith_yacc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/arith_yacc.c b/src/arith_yacc.c
+index 1a087c3..b978ef0 100644
+--- a/src/arith_yacc.c
++++ b/src/arith_yacc.c
+@@ -98,8 +98,8 @@ static intmax_t do_binop(int op, intmax_t a, intmax_t b)
+       default:
+       case ARITH_REM:
+       case ARITH_DIV:
+-              if (!b)
+-                      yyerror("division by zero");
++              if (!b || (a == INTMAX_MIN && b == -1))
++                      yyerror("division error");
+               return op == ARITH_REM ? a % b : a / b;
+       case ARITH_MUL:
+               return a * b;
+-- 
+2.43.0
+
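Review bot: The Upstream-Status trailer in the embedded patch header is split across two lines, and the continuation line carrying the bracketed URL has no leading "+", so as posted it is not a valid line of this new-file hunk. Keep "Upstream-Status: Backport [<url>]" on one line and send with a client that does not wrap long lines (git send-email), so the file lands exactly as intended. Separately, the backported change in do_binop() also replaces the "division by zero" message with "division error" for the plain b == 0 case, so anything that matches on the old error text will see a difference; a sentence about that in the commit message would help people picking up this update.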
diff --git a/meta-oe/recipes-shells/dash/dash_0.5.12.bb 
b/meta-oe/recipes-shells/dash/dash_0.5.12.bb
index 1bf3625760..1e8f62bb92 100644
--- a/meta-oe/recipes-shells/dash/dash_0.5.12.bb
+++ b/meta-oe/recipes-shells/dash/dash_0.5.12.bb
@@ -7,7 +7,10 @@ LIC_FILES_CHKSUM = 
"file://COPYING;md5=b5262b4a1a1bff72b48e935531976d2e"
 
 inherit autotools update-alternatives
 
-SRC_URI = "http://gondor.apana.org.au/~herbert/${BPN}/files/${BP}.tar.gz";
+SRC_URI = "http://gondor.apana.org.au/~herbert/${BPN}/files/${BP}.tar.gz \
+           file://CVE-2026-31323.patch \
+"
+
 SRC_URI[sha256sum] = 
"6a474ac46e8b0b32916c4c60df694c82058d3297d8b385b74508030ca4a8f28a"
 
 CVE_PRODUCT = "dash:dash"
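Review bot: The empty "+" line added after the closing quote of SRC_URI is not needed and separates SRC_URI from SRC_URI[sha256sum], which were adjacent before and already have a blank line after them. Drop that line so the checksum stays directly under the URL it belongs to; the closing quote could also be indented to match the "file://" entry above it, in line with the usual multi-line SRC_URI layout.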
-- 
2.43.0
