Accepting request 1108060 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1108060 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/busybox?expand=0&rev=84
This commit is contained in:
commit
0bab8e70b1
80
ash-fix-segfault-d417193cf.patch
Normal file
80
ash-fix-segfault-d417193cf.patch
Normal file
@ -0,0 +1,80 @@
|
||||
From d417193cf37ca1005830d7e16f5fa7e1d8a44209 Mon Sep 17 00:00:00 2001
|
||||
From: Denys Vlasenko <vda.linux@googlemail.com>
|
||||
Date: Mon, 12 Jun 2023 17:48:47 +0200
|
||||
Subject: [PATCH] shell: avoid segfault on ${0::0/0~09J}. Closes 15216
|
||||
|
||||
function old new delta
|
||||
evaluate_string 1011 1053 +42
|
||||
|
||||
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
||||
---
|
||||
shell/math.c | 39 +++++++++++++++++++++++++++++++++++----
|
||||
1 file changed, 35 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/shell/math.c b/shell/math.c
|
||||
index 76d22c9bd..727c29467 100644
|
||||
--- a/shell/math.c
|
||||
+++ b/shell/math.c
|
||||
@@ -577,6 +577,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr)
|
||||
# endif
|
||||
#endif
|
||||
|
||||
+//TODO: much better estimation than expr_len/2? Such as:
|
||||
+//static unsigned estimate_nums_and_names(const char *expr)
|
||||
+//{
|
||||
+// unsigned count = 0;
|
||||
+// while (*(expr = skip_whitespace(expr)) != '\0') {
|
||||
+// const char *p;
|
||||
+// if (isdigit(*expr)) {
|
||||
+// while (isdigit(*++expr))
|
||||
+// continue;
|
||||
+// count++;
|
||||
+// continue;
|
||||
+// }
|
||||
+// p = endofname(expr);
|
||||
+// if (p != expr) {
|
||||
+// expr = p;
|
||||
+// count++;
|
||||
+// continue;
|
||||
+// }
|
||||
+// }
|
||||
+// return count;
|
||||
+//}
|
||||
+
|
||||
static arith_t
|
||||
evaluate_string(arith_state_t *math_state, const char *expr)
|
||||
{
|
||||
@@ -584,10 +606,12 @@ evaluate_string(arith_state_t *math_state, const char *expr)
|
||||
const char *errmsg;
|
||||
const char *start_expr = expr = skip_whitespace(expr);
|
||||
unsigned expr_len = strlen(expr) + 2;
|
||||
- /* Stack of integers */
|
||||
- /* The proof that there can be no more than strlen(startbuf)/2+1
|
||||
- * integers in any given correct or incorrect expression
|
||||
- * is left as an exercise to the reader. */
|
||||
+ /* Stack of integers/names */
|
||||
+ /* There can be no more than strlen(startbuf)/2+1
|
||||
+ * integers/names in any given correct or incorrect expression.
|
||||
+ * (modulo "09v09v09v09v09v" case,
|
||||
+ * but we have code to detect that early)
|
||||
+ */
|
||||
var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
|
||||
var_or_num_t *numstackptr = numstack;
|
||||
/* Stack of operator tokens */
|
||||
@@ -652,6 +676,13 @@ evaluate_string(arith_state_t *math_state, const char *expr)
|
||||
numstackptr->var = NULL;
|
||||
errno = 0;
|
||||
numstackptr->val = strto_arith_t(expr, (char**) &expr);
|
||||
+ /* A number can't be followed by another number, or a variable name.
|
||||
+ * We'd catch this later anyway, but this would require numstack[]
|
||||
+ * to be twice as deep to handle strings where _every_ char is
|
||||
+ * a new number or name. Example: 09v09v09v09v09v09v09v09v09v
|
||||
+ */
|
||||
+ if (isalnum(*expr) || *expr == '_')
|
||||
+ goto err;
|
||||
//bb_error_msg("val:%lld", numstackptr->val);
|
||||
if (errno)
|
||||
numstackptr->val = 0; /* bash compat */
|
||||
--
|
||||
2.26.2
|
||||
|
@ -1,3 +1,9 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue Aug 29 09:55:24 UTC 2023 - Radoslav Kolev <radoslav.kolev@suse.com>
|
||||
|
||||
- Add ash-fix-segfault-d417193cf.patch: fix stack overflow vulnerability
|
||||
in ash (CVE-2022-48174, bsc#1214538)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Jun 2 21:08:22 UTC 2023 - Dirk Müller <dmueller@suse.com>
|
||||
|
||||
|
@ -42,6 +42,8 @@ Source7: busybox.config.static.warewulf3
|
||||
Patch0: cpio-long-opt.patch
|
||||
Patch1: sendmail-ignore-F-option.patch
|
||||
Patch2: testsuite-gnu-echo.patch
|
||||
# PATCH-FIX-UPSTREAM shell: avoid segfault on ${0::0/0~09J} (CVE-2022-48174) https://git.busybox.net/busybox/commit/?id=d417193cf
|
||||
Patch3: ash-fix-segfault-d417193cf.patch
|
||||
# other patches
|
||||
Patch100: busybox.install.patch
|
||||
Provides: useradd_or_adduser_dep
|
||||
|
Loading…
Reference in New Issue
Block a user