!134 [sync] PR-130: fix CVE-2023-42363

From: @openeuler-sync-bot Reviewed-by: @xuxuepeng Signed-off-by: @xuxuepeng
2024-07-24 09:21:12 +00:00 · 2024-07-24 09:21:12 +00:00 · 3e90fc6349
commit 3e90fc6349
parent 8911429bd8 89587450aa
2 changed files with 68 additions and 1 deletions
--- a/backport-CVE-2023-42363.patch
+++ b/backport-CVE-2023-42363.patch
@ -0,0 +1,60 @@
+From 695db66d27d4dd9b6ec554e49b34903256dd38ed Mon Sep 17 00:00:00 2001
+From: liuxu <liuxu156@huawei.com>
+Date: Mon, 22 Jul 2024 11:43:51 +0800
+Subject: [PATCH] fix CVE-2023-42363
+
+backport from upstream:
+https://git.busybox.net/busybox/commit/editors/awk.c?id=fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa
+
+Signed-off-by: liuxu <liuxu156@huawei.com>
+---
+ editors/awk.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/editors/awk.c b/editors/awk.c
+index 6a5846e..c202de3 100644
+--- a/editors/awk.c
+++ b/editors/awk.c
+@@ -2889,19 +2889,14 @@ static var *evaluate(node *op, var *res)
+ 			if ((opinfo & OF_REQUIRED) && !op1)
+ 				syntax_error(EMSG_TOO_FEW_ARGS);
+ 			L.v = evaluate(op1, TMPVAR0);
+-			if (opinfo & OF_STR1) {
+-				L.s = getvar_s(L.v);
+-				debug_printf_eval("L.s:'%s'\n", L.s);
+-			}
+ 			if (opinfo & OF_NUM1) {
+ 				L_d = getvar_i(L.v);
+ 				debug_printf_eval("L_d:%f\n", L_d);
+ 			}
+ 		}
+-		/* NB: Must get string/numeric values of L (done above)
+-		 * _before_ evaluate()'ing R.v: if both L and R are $NNNs,
+-		 * and right one is large, then L.v points to Fields[NNN1],
+-		 * second evaluate() reallocates and moves (!) Fields[],
+		/* NB: if both L and R are $NNNs, and right one is large,
+		 * then at this pint L.v points to Fields[NNN1], second
+		 * evaluate() below reallocates and moves (!) Fields[],
+ 		 * R.v points to Fields[NNN2] but L.v now points to freed mem!
+ 		 * (Seen trying to evaluate "$444 $44444")
+ 		 */
+@@ -2914,6 +2909,16 @@ static var *evaluate(node *op, var *res)
+ 				debug_printf_eval("R.s:'%s'\n", R.s);
+ 			}
+ 		}
+		/* Get L.s _after_ R.v is evaluated: it may have realloc'd L.v
+		 * so we must get the string after "old_Fields_ptr" correction
+		 * above. Testcase: x = (v = "abc", gsub("b", "X", v));
+		 */
+		if (opinfo & OF_RES1) {
+			if (opinfo & OF_STR1) {
+				L.s = getvar_s(L.v);
+				debug_printf_eval("L.s:'%s'\n", L.s);
+			}
+		}
+ 
+ 		debug_printf_eval("switch(0x%x)\n", XC(opinfo & OPCLSMASK));
+ 		switch (XC(opinfo & OPCLSMASK)) {
+-- 
+2.43.0
+
--- a/busybox.spec
+++ b/busybox.spec
@ -4,7 +4,7 @@
 %endif

 %if "%{!?RELEASE:1}"
-%define RELEASE 6
+%define RELEASE 7
 %endif
 Epoch: 1

@ -22,6 +22,7 @@ Source3: busybox-dynamic.config

 Patch6000: backport-CVE-2022-28391.patch
 Patch6001: backport-CVE-2022-48174.patch
+Patch6002: backport-CVE-2023-42363.patch

 BuildRoot:      %_topdir/BUILDROOT
 #Dependency
@ -97,6 +98,12 @@ install -m 644 docs/busybox.dynamic.1 $RPM_BUILD_ROOT/%{_mandir}/man1/busybox.1
 %{_mandir}/man1/busybox.petitboot.1.gz

 %changelog
+* Mon Jul 22 2024 liuxu <liuxu156@huawei.com> - 1:1.36.1-7
+- Type:CVE
+- Id:NA
+- SUG:NA
+- DESC:fix CVE-2023-42363
+
 * Tue Jun 25 2024 liuxu <liuxu156@huawei.com> - 1:1.36.1-6
 - Type:CVE
 - Id:NA