From 410677d0cfffb9010aa4d715b1e40439c45ab46db1e69d02427171719a2499b4 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@suse.com>
Date: Wed, 12 Jan 2022 15:40:34 +0000
Subject: [PATCH 1/4] OBS-URL:
 https://build.opensuse.org/package/show/Base:System/busybox?expand=0&rev=95

---
 busybox-1.34.1.tar.bz2     |   3 ---
 busybox-1.34.1.tar.bz2.sig | Bin 121 -> 0 bytes
 busybox-1.35.0.tar.bz2     |   3 +++
 busybox-1.35.0.tar.bz2.sig | Bin 0 -> 121 bytes
 busybox.config             |  16 ++++++++++++++--
 busybox.spec               |   4 ++--
 6 files changed, 19 insertions(+), 7 deletions(-)
 delete mode 100644 busybox-1.34.1.tar.bz2
 delete mode 100644 busybox-1.34.1.tar.bz2.sig
 create mode 100644 busybox-1.35.0.tar.bz2
 create mode 100644 busybox-1.35.0.tar.bz2.sig

diff --git a/busybox-1.34.1.tar.bz2 b/busybox-1.34.1.tar.bz2
deleted file mode 100644
index e12cf2c..0000000
--- a/busybox-1.34.1.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:415fbd89e5344c96acf449d94a6f956dbed62e18e835fc83e064db33a34bd549
-size 2476932
diff --git a/busybox-1.34.1.tar.bz2.sig b/busybox-1.34.1.tar.bz2.sig
deleted file mode 100644
index bef089039e13b0cba5db19f4b5c1fbbf6c351f7a60306329cb8058345f1890f6..0000000000000000000000000000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 121
zcmeAuXJHUzVlWp|WI6fLF~97Y!0iijS@_+z^MtNBIW3x%DKShgT~ekjB~dRYGq1G5
zAw54oJts9cF*8RmIX{<yi&Frm*84fbf=)Ib$sb}<uEeOwY&-Nu;8EoJ6Ym-3mtI=G
W@Q`u4+F^%`j*H=phPOke1_J<m8Zc%6

diff --git a/busybox-1.35.0.tar.bz2 b/busybox-1.35.0.tar.bz2
new file mode 100644
index 0000000..b452285
--- /dev/null
+++ b/busybox-1.35.0.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:faeeb244c35a348a334f4a59e44626ee870fb07b6884d68c10ae8bc19f83a694
+size 2480624
diff --git a/busybox-1.35.0.tar.bz2.sig b/busybox-1.35.0.tar.bz2.sig
new file mode 100644
index 0000000000000000000000000000000000000000000000000000000000000000..34cff16a143273c3d4caf1a9422a040ede10f6b0d2b5ee078473d29d4479e993
GIT binary patch
literal 121
zcmeAuXJHUzVlWp|WI6fLF~97Y!0iijS@_+z^MtNBIW3x%De=U-yOJ_xDT#VHnR%rZ
z4(a*%={c#niJ3Wi$@#eqT$}<hwQnyl%(F{7zLHa9cP!^0=W7-__O4V@Pvd5o!<Rfg
Wx8QL9;^RM7y4^qg(^vk3-$elQ$TGD6

literal 0
HcmV?d00001

diff --git a/busybox.config b/busybox.config
index d5d65f1..a918799 100644
--- a/busybox.config
+++ b/busybox.config
@@ -1,7 +1,6 @@
 #
 # Automatically generated make config: don't edit
-# Busybox version: 1.34.1
-# Sat Oct 30 11:02:54 2021
+# Busybox version: 1.35.0
 #
 CONFIG_HAVE_DOT_CONFIG=y
 
@@ -162,6 +161,8 @@ CONFIG_FEATURE_BZIP2_DECOMPRESS=y
 CONFIG_CPIO=y
 CONFIG_FEATURE_CPIO_O=y
 CONFIG_FEATURE_CPIO_P=y
+CONFIG_FEATURE_CPIO_IGNORE_DEVNO=y
+CONFIG_FEATURE_CPIO_RENUMBER_INODES=y
 # CONFIG_DPKG is not set
 # CONFIG_DPKG_DEB is not set
 CONFIG_GZIP=y
@@ -197,6 +198,12 @@ CONFIG_FEATURE_UNZIP_XZ=y
 #
 # Coreutils
 #
+
+#
+# Common options for date and touch
+#
+CONFIG_FEATURE_TIMEZONE=y
+
 CONFIG_BASENAME=y
 CONFIG_CAT=y
 CONFIG_FEATURE_CATN=y
@@ -448,7 +455,11 @@ CONFIG_FEATURE_ALLOW_EXEC=y
 CONFIG_FIND=y
 CONFIG_FEATURE_FIND_PRINT0=y
 CONFIG_FEATURE_FIND_MTIME=y
+CONFIG_FEATURE_FIND_ATIME=y
+CONFIG_FEATURE_FIND_CTIME=y
 CONFIG_FEATURE_FIND_MMIN=y
+CONFIG_FEATURE_FIND_AMIN=y
+CONFIG_FEATURE_FIND_CMIN=y
 CONFIG_FEATURE_FIND_PERM=y
 CONFIG_FEATURE_FIND_TYPE=y
 CONFIG_FEATURE_FIND_EXECUTABLE=y
@@ -472,6 +483,7 @@ CONFIG_FEATURE_FIND_PATH=y
 CONFIG_FEATURE_FIND_REGEX=y
 # CONFIG_FEATURE_FIND_CONTEXT is not set
 CONFIG_FEATURE_FIND_LINKS=y
+CONFIG_FEATURE_FIND_SAMEFILE=y
 CONFIG_GREP=y
 CONFIG_EGREP=y
 CONFIG_FGREP=y
diff --git a/busybox.spec b/busybox.spec
index 2c8be46..3a48828 100644
--- a/busybox.spec
+++ b/busybox.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package busybox
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,7 @@
 
 
 Name:           busybox
-Version:        1.34.1
+Version:        1.35.0
 Release:        0
 Summary:        Minimalist variant of UNIX utilities linked in a single executable
 License:        GPL-2.0-or-later

From 5cd72e80f40ec138309fbe2952e4fa922c790615470f6db378fad22ef6f0b7ed Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@suse.com>
Date: Wed, 12 Jan 2022 15:41:26 +0000
Subject: [PATCH 2/4] - Update to 1.35.0   - Adjust busybox.config for new
 features in find, date and cpio

OBS-URL: https://build.opensuse.org/package/show/Base:System/busybox?expand=0&rev=96
---
 busybox.changes | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/busybox.changes b/busybox.changes
index 1d49ccf..972d63c 100644
--- a/busybox.changes
+++ b/busybox.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Wed Jan 12 15:40:40 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
+
+- Update to 1.35.0
+  - Adjust busybox.config for new features in find, date and cpio 
+
 -------------------------------------------------------------------
 Sat Oct 30 09:03:16 UTC 2021 - Stephan Kulow <coolo@suse.com>
 

From d97fbe74ba0d9abcf46164325829dad96bccaa1e8cc5f048cd3308f5cb4a158a Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@suse.com>
Date: Thu, 13 Jan 2022 13:21:50 +0000
Subject: [PATCH 3/4] Accepting request 946141 from
 home:radolin:branches:Base:System

- Update to 1.35.0
  - Adjust busybox.config for new features in find, date and cpio
- Annotate CVEs already fixed in upstream, but not mentioned in .changes

OBS-URL: https://build.opensuse.org/request/show/946141
OBS-URL: https://build.opensuse.org/package/show/Base:System/busybox?expand=0&rev=97
---
 busybox.changes | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/busybox.changes b/busybox.changes
index 972d63c..da4618b 100644
--- a/busybox.changes
+++ b/busybox.changes
@@ -4,6 +4,28 @@ Wed Jan 12 15:40:40 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
 - Update to 1.35.0
   - Adjust busybox.config for new features in find, date and cpio 
 
+-------------------------------------------------------------------
+Thu Jan  6 06:37:24 UTC 2022 - Radoslav Kolev <radoslav.kolev@suse.com>
+
+- Annotate CVEs already fixed in upstream, but not mentioned in .changes:
+  * CVE-2017-16544 (bsc#1069412): Insufficient sanitization of filenames when autocompleting
+  * CVE-2015-9261 (bsc#1102912): huft_build misuses a pointer, causing segfaults
+  * CVE-2016-2147 (bsc#970663): out of bounds write (heap) due to integer underflow in udhcpc
+  * CVE-2016-2148 (bsc#970662): heap-based buffer overflow in OPTION_6RD parsing
+  * CVE-2016-6301 (bsc#991940): NTP server denial of service flaw
+  * CVE-2017-15873 (bsc#1064976): The get_next_block function in archival/libarchive/decompress_bunzip2.c has an Integer Overflow
+  * CVE-2017-15874 (bsc#1064976): archival/libarchive/decompress_unlzma.c has an Integer Underflow
+  * CVE-2019-5747 (bsc#1064976): out of bounds read in udhcp components
+  * CVE-2021-42373, CVE-2021-42374, CVE-2021-42375, CVE-2021-42376,
+    CVE-2021-42377, CVE-2021-42378, CVE-2021-42379, CVE-2021-42380,
+    CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384,
+    CVE-2021-42385, CVE-2021-42386 (bsc#1192869) : v1.34.0 bugfixes
+  - CVE-2021-28831 (bsc#1184522): invalid free or segmentation fault via malformed gzip data
+  - CVE-2018-20679 (bsc#1121426): out of bounds read in udhcp
+  - CVE-2018-1000517 (bsc#1099260):  Heap-based buffer overflow in the retrieve_file_data()
+  - CVE-2011-5325 (bsc#951562): tar directory traversal
+  - CVE-2018-1000500 (bsc#1099263):  wget: Missing SSL certificate validation
+
 -------------------------------------------------------------------
 Sat Oct 30 09:03:16 UTC 2021 - Stephan Kulow <coolo@suse.com>
 

From a52521332163e92e2469a726390ef587efcecf533a9a0eef70c9c1923c7d69c2 Mon Sep 17 00:00:00 2001
From: Radoslav Kolev <radoslav.kolev@suse.com>
Date: Fri, 14 Jan 2022 16:27:43 +0000
Subject: [PATCH 4/4] Accepting request 946463 from
 home:radolin:branches:Base:System

Fix incorrect bugzilla numbers for CVE-2017-15874 and CVE-2019-5747

OBS-URL: https://build.opensuse.org/request/show/946463
OBS-URL: https://build.opensuse.org/package/show/Base:System/busybox?expand=0&rev=98
---
 busybox.changes | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/busybox.changes b/busybox.changes
index da4618b..0580a50 100644
--- a/busybox.changes
+++ b/busybox.changes
@@ -14,8 +14,8 @@ Thu Jan  6 06:37:24 UTC 2022 - Radoslav Kolev <radoslav.kolev@suse.com>
   * CVE-2016-2148 (bsc#970662): heap-based buffer overflow in OPTION_6RD parsing
   * CVE-2016-6301 (bsc#991940): NTP server denial of service flaw
   * CVE-2017-15873 (bsc#1064976): The get_next_block function in archival/libarchive/decompress_bunzip2.c has an Integer Overflow
-  * CVE-2017-15874 (bsc#1064976): archival/libarchive/decompress_unlzma.c has an Integer Underflow
-  * CVE-2019-5747 (bsc#1064976): out of bounds read in udhcp components
+  * CVE-2017-15874 (bsc#1064978): archival/libarchive/decompress_unlzma.c has an Integer Underflow
+  * CVE-2019-5747 (bsc#1121428): out of bounds read in udhcp components
   * CVE-2021-42373, CVE-2021-42374, CVE-2021-42375, CVE-2021-42376,
     CVE-2021-42377, CVE-2021-42378, CVE-2021-42379, CVE-2021-42380,
     CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384,