!32 [sync] PR-30: fix CVE-2023-4156

From: @openeuler-sync-bot Reviewed-by: @openeuler-basic Signed-off-by: @openeuler-basic
2023-08-29 01:35:03 +00:00 · 2023-08-29 01:35:03 +00:00 · 78486464ae
commit 78486464ae
parent f0f165b310 99608b821e
2 changed files with 35 additions and 1 deletions
--- a/backport-CVE-2023-4156.patch
+++ b/backport-CVE-2023-4156.patch
@ -0,0 +1,30 @@
+From e709eb829448ce040087a3fc5481db6bfcaae212 Mon Sep 17 00:00:00 2001
+From: "Arnold D. Robbins" <arnold@skeeve.com>
+Date: Wed, 3 Aug 2022 13:00:54 +0300
+Subject: [PATCH] Smal bug fix in builtin.c.
+
+Reference:https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212
+Conflict:delete changlog
+---
+ builtin.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/builtin.c b/builtin.c
+index d7ba82c..3eee9b9 100644
+--- a/builtin.c
+++ b/builtin.c
+@@ -963,7 +963,10 @@ check_pos:
+ 					s1++;
+ 					n0--;
+ 				}
+-				if (val >= num_args) {
+				// val could be less than zero if someone provides a field width
+				// so large that it causes integer overflow. Mainly fuzzers do this,
+				// but let's try to be good anyway.
+				if (val < 0 || val >= num_args) {
+ 					toofew = true;
+ 					break;
+ 				}
+-- 
+2.27.0
+
--- a/gawk.spec
+++ b/gawk.spec
@ -4,7 +4,7 @@
 			 egrep -i "gawk_api_minor.*[0-9]+" | egrep -o "[0-9]")
 Name:		gawk
 Version:	5.0.1
-Release:	4
+Release:	5
 License:	GPLv3+ and GPLv2+ and LGPLv2+ and BSD
 Summary:	The GNU version of the AWK text processing utility
 URL:		https://www.gnu.org/software/gawk/
@ -13,6 +13,7 @@ Source0:	https://ftp.gnu.org/gnu/gawk/gawk-%{version}.tar.xz
 Patch0:         gawk-inplace-namespace-part1.patch
 Patch1:         gawk-inplace-namespace-part2.patch
 Patch2:         gawk-inplace-namespace-part3.patch
+Patch3:         backport-CVE-2023-4156.patch

 BuildRequires:	git gcc automake grep
 BuildRequires:	bison texinfo texinfo-tex ghostscript texlive-ec texlive-cm-super glibc-all-langpacks
@ -107,6 +108,9 @@ install -m 0644 -p doc/gawkinet.{pdf,ps} ${RPM_BUILD_ROOT}%{_docdir}/%{name}
 %{_datadir}/locale/*

 %changelog
+* Mon Aug 28 2023 yangmingtai <yangmingtai@huawei.com> - 5.0.1-5
+- fix CVE-2023-4156
+
 * Fri Sep 2 2022 zoulin <zoulin13@h-partners.com> - 5.0.1-4
 - Type:enhancement
 - ID:NA