List:       busybox
Subject:    Re: Backporting security fixes for 1_31_stable, 1_32_stable and 1_33_stable
From:       Denys Vlasenko <vda.linux () googlemail ! com>
Date:       2021-11-18 17:49:46
Message-ID: CAK1hOcP01pDmVDEMB+pRYtZXF9r3pnm5iz1E+Kt3HrM12DqTJg () mail ! gmail ! com

On Thu, Nov 11, 2021 at 11:50 AM Natanael Copa <ncopa@alpinelinux.org> wrote:
> The list of awk fixes is a bit more complicated. I have no clue which
> of the following commits fixes which CVE:
> 
> $ git log --format=oneline 1_33_0..1_34_0 -- editors/awk.c
> dabbeeb79356eef78528acd55e1f143ae80372f7 awk: whitespace and debugging tweaks
> d3480dd58211d9d8c06ec7ef00089262603003ff awk: disallow break/continue outside of loops
> d62627487a44d9175b05d49846aeef83fed97019 awk: tighten parsing - disallow extra semicolons
> ab755e3717cefc06fd28ce8db56f0402412afaa3 awk: in parsing, remove superfluous NEWLINE check; optimize builtin arg evaluation
> 8d269ef85984f6476e7fdbec2c5a70f3b5c48a72 awk: fix printf "%-10c", 0
> caa93ecdd3a9b998a69dcbfafdddbc9c58887ec3 awk: fix corner case in awk_printf
> 39aabfe8f033c9c62acf676b660dc979714d26a7 awk: unbreak "cmd" | getline
> 4ef8841b21e27e7c7f58d3c9901c833b4fa5a862 awk: unbreak "printf('%c') can output NUL" testcase
> 3d57a8490738d9febaa4496eba791e4fbfc91826 awk: undo TI_PRINT, it introduced a bug (print with any redirect acting as printf)
> 49c3ce64f092fd5434fc67056f312bd32f82bae3 awk: rollback_token() + chain_group() == chain_until_rbrace()
> e2e3802987266c98df0efdf40ad5da4b07df0113 awk: fix printf buffer overflow
> 08ca313d7edb99687068b93b5d2435b59f3db23a awk: simplify tests for operation class
> cb042b05828c4c89320bc9c7454c04c2761bbb9a awk: restore strdup elision optimization in assignment
> 90404ed2f62a872ffd9a555660b7ce17fae372d8 awk: match(): code shrink
> 0e3ef4efb061366bfa4b9609fe3a03f3a1e40f0e awk: rand(): 64-bit constants should be ULL
> 2211fa70ccad29fc7bccd34c13141850ebb199da awk: do not use a copy of g_progname for node->l.new_progname
> e1e7ad6b6005b2265667040fc9d7f69b73b0d5b0 awk: support %F %a %A in printf
> 1f765709ed9c9595647853ac2cd7905f218c3044 awk: open-code TS_OPTERM, no logic changes
> 2b65e73db3254a7228802886546152c72217017d awk: tighten rules in action parsing
> 717200eb43c9420773c0f8b751aadabba3052027 awk: rename GRPSTART/END to L/RBRACE, no code changes
> b705bf55395bf338f9b9888d87e418f67d4f1a29 awk: move match() code out-of-line
> 646429e05e2f62250da80aa8d98111f3a9818e9a awk: use smaller regmatch_t arrays, they had 2 elements for no apparent reason
> a5d7b0f4f4e9728c3eb7a06d38227d9f3351e677 awk: fix detection of VAR=VAL arguments
> 4d902ea9def573cd15271177abbfa50fbf30c84f awk: fix beavior of "exit" without parameter
> 8bb03da906e1f8f750123214b15a19d7d4e166c1 awk: rand() could return 1.0, fix this - should be in [0,1)
> 37ae8cdc6e428e68ad76f6b446881ecff305ebd3 awk: beautify builtins table, no code changes
> 47d9133896f0de6b17393309193051e4bd52015e awk: enforce simple builtins' argument number
> 786ca197ad1305607efaccb067c19931d9e765b1 awk: make builtin definitions more understandable, no code changes
> 640212ae0ea8a1b47cd73a080d77b25b9f3ccd40 awk: do not special-case "delete"
> ef5463cf16f88c0992b2073a30ab6081c86fdf23 awk: shuffle globals for smaller offsets
> 966cafcc77d8cda5d1a95bc73080e9a9b9010a45 awk: use "static" tmpvars in main and exit
> 1193c68fa718ff16c47aba23f8532bf1568f294e awk: when parsing length(), simplify eating of LPAREN
> 40573556f2a67b11319785e0479b7087d02c060e awk: shuffle functions to reduce forward declarations, no code changes
> 8b4c429025c233640bd5c5838552f34683a06fc0 awk: use static tmpvars instead of nvalloc(1)ed ones
> 1573487e2100892d06e3628828690692313a48d5 awk: rename temp variables, no code changes
> d7354df169603807fe2ac4f8a0f9f72c9703184f awk: evaluate all, even superfluous function args
> ca9278ee5855a91a5521960d3743809f47ed27b8 awk: rewrite "print" logic a bit to make it clearer
> d1507101695f6bad35a61c4770b7d3913597ac16 awk: allow empty fuinctions with no arguments, disallow function redefinitions
> 86fc2872b33224cfa5442700c2a8abd020cbf900 awk: replace incorrect use of union in undefined function check (no code changes)
> 6cf6f1eaee1f6be2b936c2ff0e5852c00740edb4 awk: remove custom pool allocator for temporary awk variables
> 3aff3b9cb81c1f574aaafaf3981e755c6639e2bc awk: assorted optimizations
> b3c91a127f8baecee0265ba92898ae1e718bdb31 awk: free unused parsing structures after parse is done
> 21fbee2e87ddf7b47bb501b6529b63ac2b3af0bd awk: document which hashes are used at what state (parse/execute)
> 6872c193a935df47facf717c15a32f93b43c6bcf awk: fix parsing of expressions such as "v (a)"
> 686287b5da98508dd03fb295745c82d00440131e awk: deindent a block, no code changes
> 216d3d8ad9b7d0346cf439ccaca18d0a263e7608 awk: code shrink
> 4f27503a1ecab8dfe373a349df3d8fe3c22e2160 awk: get rid of "move name one char back" trick in next_token()
> f414fb4411e65662b44f038ed3175789172edc20 awk: when parsing TC_FUNCTION token, eat its opening '('
> cb6061a4e9860bf3d529109b34103ce3bde6d735 awk: g_buf[] does not need a separate allocation
> 926420795b4191e045d4a316bfed19f84275a185 awk: simplify parsing of function declaration
> 9782cb7774f00a3e777e3d764ccce15055a29977 awk: rename TC_SEQSTART/END to L/RPAREN, no code changes
> a493441ca52adca7df3976c668f2e7c48d1b67a1 awk: deindent code block, no code changes
> adcd9a6f349f3f2715a586b45fb27350b37cf1e5 awk: use TS_foo for combined token classes. No code changes
> 832cb4fcb98d2845bd3f9d244593fc1b5f362ca0 awk: make ltclass ("last token class") local to next_token()
> af0172369eb024fff3c8c2cd2c8765a7fde5a9f5 awk: remove redundant check
> 78645d8371e69ce82841b66aa5ef69c02055f5bc awk: move locals deeper into scopes where they are used, no logic changes
> 8c5da0323bf2da02c40c587c5694b22e3ec623fb awk: more efficient -f FILE, document what "some trick in next_token" is
> ac4786ba002620eb4c046c847e69d6a12ea0e322 qwk: make code clearer, no actual code changes
> fd217c1cbf7a702ad632bb21f7757433de1755b7 awk: after preinc/dec, only allow variable, field ref, array ref, or another preinc/dec
> a885ce1af05c4eaa5ebcf883cb3da3433ca1c48b awk: fix use-after-free in "$BIGNUM1 $BIGGERNUM2" concat op

Use-after-free was fixed in the above commit.

> e8fe9f96356a6b19ec907ea30cffc829c539a7ff awk: allow printf('%c') to output NUL, closes 13486
> 
> 
> CVE-2021-42378: A use-after-free in awk leads to denial of
> service and possibly code execution when processing a
> crafted awk pattern in the getvar_i function
> 
> awk 1.16-1.33.1
> 
> CVE-2021-42379: A use-after-free in awk leads to denial of
> service and possibly code execution when processing a
> crafted awk pattern in the next_input_file function
> 
> awk 1.18-1.33.1
> 
> CVE-2021-42380: A use-after-free in awk leads to denial of
> service and possibly code execution when processing a
> crafted awk pattern in the clrvar function
> 
> awk 1.28-1.33.1
> 
> CVE-2021-42381: A use-after-free in awk leads to denial of
> service and possibly code execution when processing a
> crafted awk pattern in the hash_init function
> 
> awk 1.21-1.33.1
> 
> CVE-2021-42382: A use-after-free in awk leads to denial of
> service and possibly code execution when processing a
> crafted awk pattern in the getvar_s function
> 
> awk 1.26-1.33.1
> 
> CVE-2021-42383: A use-after-free in awk leads to denial of
> service and possibly code execution when processing a
> crafted awk pattern in the evaluate function
> 
> awk 1.33.1
> 
> NOTE: I think this is a bit peculiar. It is claimed that
> 1.33.0 is not affected (compare with CVE-2021-42377),
> which means that 1.33.1 would introduce this problem.
> However, there are no changes in awk between 1.33.0 and
> 1.33.1.
> 
> CVE-2021-42384: A use-after-free in awk leads to denial of
> service and possibly code execution when processing a
> crafted awk pattern in the handle_special function
> 
> awk 1.18-1.33.1
> 
> CVE-2021-42385: A use-after-free in awk leads to denial of
> service and possibly code execution when processing a
> crafted awk pattern in the evaluate function
> 
> awk 1.16-1.33.1
> 
> CVE-2021-42386: A use-after-free in awk leads to denial of
> service and possibly code execution when processing a
> crafted awk pattern in the nvalloc function
> 
> awk 1.16-1.33.1

A bug they IIRC did not mention was that printf could overflow the buffer.
This is fixed now.
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
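The thread above leaves the distro maintainer with two mechanical tasks: working out which of the advisory version ranges cover the stable release being patched, and separating the awk commits that change behaviour from the pure refactors ("no code changes", "code shrink") that only add cherry-pick conflicts. The following is an added example, not code from the thread or from the BusyBox project, that does both over constructed excerpts of the quoted CVE text and `git log --format=oneline` output; the refactor heuristic keyed on the commit subjects is an assumption of this example, not a BusyBox convention, and every candidate it keeps still needs a human read of the diff.

```python
"""Backport checklist helper (added example; not BusyBox code).

Parses the advisory text and git log as quoted in the thread and answers:
  * which CVEs list the release I maintain as affected, and
  * which commits between the two tags look like real fixes rather than
    refactors, emitted as cherry-pick commands in oldest-first order.
"""
import re

# Constructed excerpt of the CVE entries quoted in the thread (same wording).
CVE_TEXT = """\
CVE-2021-42378: A use-after-free in awk leads to denial of
service and possibly code execution when processing a
crafted awk pattern in the getvar_i function

awk     1.16-1.33.1

CVE-2021-42379: A use-after-free in awk leads to denial of
service and possibly code execution when processing a
crafted awk pattern in the next_input_file
function

awk 1.18-1.33.1

CVE-2021-42383: A use-after-free in awk leads to denial of
service and possibly code execution when processing a
crafted awk pattern in the evaluate function

awk     1.33.1

NOTE: It is claimed that 1.33.0 is not affected.
"""

# Constructed excerpt of the `git log --format=oneline` output from the
# thread; git prints newest commit first.
GIT_LOG = """\
e2e3802987266c98df0efdf40ad5da4b07df0113 awk: fix printf buffer overflow
717200eb43c9420773c0f8b751aadabba3052027 awk: rename GRPSTART/END to L/RBRACE, no code changes
216d3d8ad9b7d0346cf439ccaca18d0a263e7608 awk: code shrink
a885ce1af05c4eaa5ebcf883cb3da3433ca1c48b awk: fix use-after-free in "$BIGNUM1 $BIGGERNUM2" concat op
"""

# One advisory entry: id, the function named as the crash site, and the
# "awk LO-HI" or "awk VERSION" line that follows after a blank line.
CVE_RE = re.compile(
    r"(CVE-\d{4}-\d+):.*?in the (\w+)\s+function\s*\n\s*\n\s*awk\s+([\d.]+)(?:-([\d.]+))?",
    re.S,
)

# Heuristic (assumption of this example): subjects that declare themselves
# behaviour-neutral are skipped; everything else stays on the review list.
REFACTOR_RE = re.compile(r"no (?:actual |logic )?(?:code )?changes|code shrink|deindent", re.I)


def parse_version(s):
    """'1.33.1' -> (1, 33, 1); tuple comparison gives (1, 33) < (1, 33, 1)."""
    return tuple(int(p) for p in s.split("."))


def parse_cves(text):
    """Return [(cve_id, function_name, first_affected, last_affected)]."""
    out = []
    for cve, func, lo, hi in CVE_RE.findall(text):
        lo_v = parse_version(lo)
        hi_v = parse_version(hi) if hi else lo_v   # single version => range of one
        out.append((cve, func, lo_v, hi_v))
    return out


def affected_cves(text, release):
    """CVE ids whose advisory range covers `release` (e.g. '1.31.1')."""
    v = parse_version(release)
    return [cve for cve, _, lo, hi in parse_cves(text) if lo <= v <= hi]


def backport_candidates(log):
    """(sha, subject) pairs, newest first, with self-declared refactors dropped."""
    out = []
    for line in log.splitlines():
        sha, _, subject = line.partition(" ")
        if sha and not REFACTOR_RE.search(subject):
            out.append((sha, subject))
    return out


def cherry_pick_plan(log):
    """Commands in the order they must be applied: oldest first, -x to record origin."""
    return [f"git cherry-pick -x {sha}" for sha, _ in reversed(backport_candidates(log))]


if __name__ == "__main__":
    for rel in ("1.31.1", "1.33.0", "1.33.1"):
        print(rel, "->", affected_cves(CVE_TEXT, rel))
    print("\n".join(cherry_pick_plan(GIT_LOG)))
```

Two details are easy to get wrong by hand: `git log` prints newest first, so a cherry-pick sequence copied straight from its output applies fixes backwards and conflicts on the ones that build on each other, and a bare version such as "1.33.1" in the advisory is a range of one, which is exactly why the NOTE in the thread flags it as suspicious when 1.33.0 and 1.33.1 share the same awk.c.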

