busybox: fix use after free in bc module

Signed-off-by: jackey_1024 <jikui2@huawei.com>

backport-fix-use-after-free-in-bc-module.patch

@@ -0,0 +1,29 @@
+From 907e1b3a22a8092461176af45468c5b1b9bf6cc0 Mon Sep 17 00:00:00 2001
+From: jackey_1024 <jikui2@huawei.com>
+Date: Fri, 28 Oct 2022 09:45:08 +0800
+Subject: [PATCH] busybox: fix use after free in bc module
+
+backport from upstream:
+https://git.busybox.net/busybox/commit/?id=41d5f800a14769704082f7faeabb8435285499be
+
+Signed-off-by: jackey_1024 <jikui2@huawei.com>
+---
+ miscutils/bc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/miscutils/bc.c b/miscutils/bc.c
+index f9b08b0..4363585 100644
+--- a/miscutils/bc.c
++++ b/miscutils/bc.c
+@@ -2892,6 +2892,8 @@ static char peek_inbuf(void)
+ 	) {
+ 		xc_read_line(&G.input_buffer, G.prs.lex_input_fp);
+ 		G.prs.lex_inbuf = G.input_buffer.v;
++		// lex_next_at may point to now-freed data, update it:
++		G.prs.lex_next_at = G.prs.lex_inbuf;
+ 		if (G.input_buffer.len <= 1) // on EOF, len is 1 (NUL byte)
+ 			G.prs.lex_input_fp = NULL;
+ 	}
+-- 
+2.25.1
+

busybox.spec

@@ -4,7 +4,7 @@
 %endif
 
 %if "%{!?RELEASE:1}"
-%define RELEASE 17
+%define RELEASE 18
 %endif
 Epoch: 1
 
@@ -22,6 +22,7 @@ Source3: busybox-dynamic.config
 
 Patch6000: backport-CVE-2022-28391.patch
 Patch6001: backport-CVE-2022-30065.patch
+Patch6002: backport-fix-use-after-free-in-bc-module.patch
 
 BuildRoot:      %_topdir/BUILDROOT
 #Dependency
@@ -97,6 +98,9 @@ install -m 644 docs/busybox.dynamic.1 $RPM_BUILD_ROOT/%{_mandir}/man1/busybox.1
 %{_mandir}/man1/busybox.petitboot.1.gz
 
 %changelog
+* Fri Oct 28 2022 jikui <jikui2@huawei.com> - 1:1.34.1-18
+- fix use after free in bc module
+
 * Fri Aug 19 2022 jikui <jikui2@huawei.com> - 1:1.34.1-17
 - Type:CVE
 - Id:NA