From d89f9c93e8b42bd595f98030583595f4113c3a7f Mon Sep 17 00:00:00 2001
From: songbuhuang <544824346@qq.com>
Date: Wed, 30 Aug 2023 12:29:47 +0800
Subject: [PATCH] fix CVE-2022-48174
Signed-off-by: songbuhuang <544824346@qq.com>
---
backport-CVE-2022-48174.patch | 27 +++++++++++++++++++++++++++
busybox.spec | 9 ++++++++-
2 files changed, 35 insertions(+), 1 deletion(-)
create mode 100644 backport-CVE-2022-48174.patch
diff --git a/backport-CVE-2022-48174.patch b/backport-CVE-2022-48174.patch
new file mode 100644
index 0000000..44de4f3
--- /dev/null
+++ b/backport-CVE-2022-48174.patch
@@ -0,0 +1,27 @@
+From dc5199deae8ea69613c60f177cdac709acecf5c9 Mon Sep 17 00:00:00 2001
+From: songbuhuang <544824346@qq.com>
+Date: Wed, 30 Aug 2023 12:27:33 +0800
+Subject: [PATCH] fix CVE-2022-48174
+
+Signed-off-by: songbuhuang <544824346@qq.com>
+---
+ shell/math.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/shell/math.c b/shell/math.c
+index af1ab55..e596dd8 100644
+--- a/shell/math.c
++++ b/shell/math.c
+@@ -589,7 +589,8 @@ evaluate_string(arith_state_t *math_state, const char *expr)
+ /* The proof that there can be no more than strlen(startbuf)/2+1
+ * integers in any given correct or incorrect expression
+ * is left as an exercise to the reader. */
+- var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
++ /* Counterexample: 09J results in three integers. */
++ var_or_num_t *const numstack = alloca((expr_len - 2) * sizeof(numstack[0]));
+ var_or_num_t *numstackptr = numstack;
+ /* Stack of operator tokens */
+ operator *const stack = alloca(expr_len * sizeof(stack[0]));
+--
+2.26.2
+
diff --git a/busybox.spec b/busybox.spec
index 13eb89c..2a0d441 100644
--- a/busybox.spec
+++ b/busybox.spec
@@ -4,7 +4,7 @@ %endif %if "%{!?RELEASE:1}" -%define RELEASE 17 +%define RELEASE 18 %endif Epoch: 1
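Review bot: The new sizing `alloca((expr_len - 2) * sizeof(numstack[0]))` in the embedded shell/math.c hunk is only safe if `expr_len` is always at least 2, and its definition lies outside the hunk (evaluate_string starts and ends outside it); if `expr_len` is an unsigned count that can be smaller than 2, the subtraction wraps and the alloca request becomes enormous. The retained comment still claims a bound of `strlen(startbuf)/2+1` integers directly above its own counterexample, so I would replace both comments with one that states the invariant the code now relies on, e.g. `/* One slot per expression character: expr_len is strlen(expr) + 2 (confirm), hence expr_len - 2 entries. */`. Both stacks are still sized by alloca from the expression length, and numstack now takes roughly twice the stack per character, so a length cap before these allocations is worth considering if expressions can come from untrusted input. The backport header also names no upstream commit, which makes the change hard to verify against the upstream fix.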
@@ -29,6 +29,7 @@ Patch6005: backport-fix-awk-cve.patch Patch6006: backport-CVE-2022-28391.patch Patch6007: backport-CVE-2022-30065.patch Patch6008: backport-fix-use-after-free-in-bc-module.patch +Patch6009: backport-CVE-2022-48174.patch BuildRoot: %_topdir/BUILDROOT #Dependency @@ -104,6 +105,12 @@ install -m 644 docs/busybox.dynamic.1 $RPM_BUILD_ROOT/%{_mandir}/man1/busybox.1 %{_mandir}/man1/busybox.petitboot.1.gz %changelog +* Wed Aug 30 2023 huangsong - 1:1.31.1-18 +- Type:CVE +- Id:NA +- SUG:NA +- DESC:fix CVE-2022-48174 + * Fri Oct 28 2022 jikui - 1:1.31.1-17 - fix use after free in bc module