main/busybox: backport patch for CVE-2023-42366

dd27c665 · Sören Tempel · fc350ce2 · dd27c665 · dd27c665
Commit dd27c665 authored 10 months ago by Sören Tempel
--- a/main/busybox/0018-awk.c-fix-CVE-2023-42366-bug-15874.patch
+++ b/main/busybox/0018-awk.c-fix-CVE-2023-42366-bug-15874.patch
+From 5cf8b332429a1dd9afef3337bae92aeddaeff993 Mon Sep 17 00:00:00 2001
+From: Valery Ushakov <uwe@stderr.spb.ru>
+Date: Wed, 24 Jan 2024 22:24:41 +0300
+Subject: [PATCH] awk.c: fix CVE-2023-42366 (bug #15874)
+Make sure we don't read past the end of the string in next_token()
+when backslash is the last character in an (invalid) regexp.
+https://bugs.busybox.net/show_bug.cgi?id=15874
+---
+ editors/awk.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+diff --git a/editors/awk.c b/editors/awk.c
+index 728ee8685..be48df7c7 100644
+--- a/editors/awk.c
+++ b/editors/awk.c
+@@ -1165,9 +1165,11 @@ static uint32_t next_token(uint32_t expected)
+ 					s[-1] = bb_process_escape_sequence((const char **)&pp);
+ 					if (*p == '\\')
+ 						*s++ = '\\';
+-					if (pp == p)
+					if (pp == p) {
+						if (*p == '\0')
+							syntax_error(EMSG_UNEXP_EOS);
+ 						*s++ = *p++;
+-					else
+					} else
+ 						p = pp;
+ 				}
+ 			}
+-- 
+2.34.1
--- a/main/busybox/APKBUILD
+++ b/main/busybox/APKBUILD
@@ -5,7 +5,7 @@
 # Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>
 pkgname=busybox
 pkgver=1.35.0
-pkgrel=17
+pkgrel=18
 pkgdesc="Size optimized toolbox of many common UNIX utilities"
 url="https://busybox.net/"
 arch="all"
@@ -44,6 +44,7 @@ source="https://busybox.net/downloads/busybox-$pkgver.tar.bz2
 	0015-ed-don-t-use-memcpy-with-overlapping-memory-regions.patch
 	0016-ash-don-t-read-past-end-of-var-in-subvareval-for-bas.patch
 	0017-ash-Fix-use-after-free-on-idx-variable.patch
+	0018-awk.c-fix-CVE-2023-42366-bug-15874.patch
 	0001-ash-add-built-in-BB_ASH_VERSION-variable.patch
@@ -68,6 +69,8 @@ source="https://busybox.net/downloads/busybox-$pkgver.tar.bz2
 	"
 # secfixes:
+#   1.35.0-r18:
+#     - CVE-2023-42366
 #   1.35.0-r15:
 #     - CVE-2022-30065
 #   1.35.0-r7:
@@ -306,6 +309,7 @@ ecbe5c890d966f09280c7eb534109f785c68e292765f17ed7ff62fcc61d20f61443c4155add0a1eb
 0040800382a6e3adcc6a8094b821488c7e297fc80304afba23a4fca43b7b26ac699378dfbd930ebbf9985336b3e431301f7ca93e2d041a071902a48740d263ef  0015-ed-don-t-use-memcpy-with-overlapping-memory-regions.patch
 4c95dc4bf6aff9018bfb52b400f6d8375a1d22493b44ea516cb12dba6556f12797a3cba55768d2e59ff57c0f3247ec1ff95edb8f17561f3d37ec18d83ca47eb0  0016-ash-don-t-read-past-end-of-var-in-subvareval-for-bas.patch
 ccdf098fb15eaa316708181469a1193d6eec7067131e7b7645e0219bf03cfd07f4f79e8f62c1e560f6146dcc38186a29bdee08aaa39f290e11d020b8f07d2f65  0017-ash-Fix-use-after-free-on-idx-variable.patch
+bff815bf9c8cd0856dde87eb90e2fe56f105dccb426e4f5da9425e30d449d7ee7ccc3b3324aee5136b276678e7be12afbcc368c7ca92d2c1bdcf22ed92ea1f4f  0018-awk.c-fix-CVE-2023-42366-bug-15874.patch
 6d100fe44da2b97c2cbdda253d0504b487212d195144d9315cddbe8c51d18fae3745701923b170b40e35f54b592f94f02cadbffd9cb716661c12a7f1da022763  0001-ash-add-built-in-BB_ASH_VERSION-variable.patch
 e33dbc27d77c4636f4852d5d5216ef60a9a4343484e4559e391c13c813bf65c782b889914eff2e1f038d74cf02cb0d23824ebbb1044b5f8c86260d5a1bbc4e4d  0001-pgrep-add-support-for-matching-against-UID-and-RUID.patch
 b4b8195390da70c96503e66e18420b8aea5754f64300082632fcaccd4ebe86cb771d6d4b912f5162e0538e6f756a9377689ad9a138f683cd729c3f54770304bf  0001-avoid-redefined-warnings-when-building-with-utmps.patch