fix CVE-2022-48174

Signed-off-by: songbuhuang <544824346@qq.com>

backport-CVE-2022-48174.patch

@@ -0,0 +1,30 @@
+From c0b333aa189c65293b680b942086ace3f3bfc8c1 Mon Sep 17 00:00:00 2001
+From: huangsong <huangsong14@huawei.com>
+Date: Mon, 28 Aug 2023 16:27:43 +0800
+Subject: [PATCH] fix CVE-2022-48174
+
+backport from upstream:
+https://bugs.busybox.net/show_bug.cgi?id=15216
+
+Signed-off-by: huangsong <huangsong14@huawei.com>
+---
+ shell/math.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/shell/math.c b/shell/math.c
+index 76d22c9..83ef85c 100644
+--- a/shell/math.c
++++ b/shell/math.c
+@@ -588,7 +588,8 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+ 	/* The proof that there can be no more than strlen(startbuf)/2+1
+ 	 * integers in any given correct or incorrect expression
+ 	 * is left as an exercise to the reader. */
+-	var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
++	/* Counterexample: 09J results in three integers. */
++	var_or_num_t *const numstack = alloca((expr_len - 2) * sizeof(numstack[0]));
+ 	var_or_num_t *numstackptr = numstack;
+ 	/* Stack of operator tokens */
+ 	operator *const stack = alloca(expr_len * sizeof(stack[0]));
+-- 
+2.26.2
+

busybox.spec

@@ -4,7 +4,7 @@
 %endif
 
 %if "%{!?RELEASE:1}"
-%define RELEASE 1
+%define RELEASE 2
 %endif
 Epoch: 1
 
@@ -21,6 +21,7 @@ Source2: busybox-petitboot.config
 Source3: busybox-dynamic.config
 
 Patch6000: backport-CVE-2022-28391.patch
+Patch6001: backport-CVE-2022-48174.patch
 
 BuildRoot:      %_topdir/BUILDROOT
 #Dependency
@@ -96,6 +97,12 @@ install -m 644 docs/busybox.dynamic.1 $RPM_BUILD_ROOT/%{_mandir}/man1/busybox.1
 %{_mandir}/man1/busybox.petitboot.1.gz
 
 %changelog
+* Mon Aug 28 2023 huangsong <huangsong14@huawei.com> - 1:1.36.1-2
+- Type:CVE
+- Id:NA
+- SUG:NA
+- DESC:fix CVE-2022-48174
+
 * Tue Jul 25 2023 huangsong <huangsong14@huawei.com> - 1:1.36.1-1
 - Type:enhancement
 - Id:NA