From: Christian Melki
To: ptxdist@pengutronix.de
Date: Mon, 5 Dec 2022 11:39:00 +0100
Message-Id: <20221205103900.2531096-1-christian.melki@t2data.com>
List-Id: PTXdist Development Mailing List
Subject: [ptxdist] [PATCH] busybox: Plug CVE-2022-30065.

A use after free fix.

* Add upstream patch but remove the testcase that didn't apply.
  Testcase isn't relevant for plugging the CVE.
* Place patch in the ptx tag as it is part modified.

Signed-off-by: Christian Melki --- ...wk-fix-use-after-free-CVE-2022-30065.patch | 29 +++++++++++++++++++ patches/busybox-1.35.0/series | 3 +- 2 files changed, 31 insertions(+), 1 deletion(-) create mode 100644 patches/busybox-1.35.0/0203-awk-fix-use-after-free-CVE-2022-30065.patch diff --git a/patches/busybox-1.35.0/0203-awk-fix-use-after-free-CVE-2022-30065.patch b/patches/busybox-1.35.0/0203-awk-fix-use-after-free-CVE-2022-30065.patch new file mode 100644 index 000000000..aff9faabc --- /dev/null +++ b/patches/busybox-1.35.0/0203-awk-fix-use-after-free-CVE-2022-30065.patch @@ -0,0 +1,29 @@ +From: Natanael Copa +Date: Fri, 17 Jun 2022 17:45:34 +0200 +Subject: [PATCH] awk: fix use after free (CVE-2022-30065) + +fixes https://bugs.busybox.net/show_bug.cgi?id=14781 + +function old new delta +evaluate 3343 3357 +14 + +Signed-off-by: Natanael Copa +Signed-off-by: Denys Vlasenko +--- + editors/awk.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/editors/awk.c b/editors/awk.c +index f6314ac7201a..654cbac33331 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -3114,6 +3114,9 @@ static var *evaluate(node *op, var *res) + + case XC( OC_MOVE ): + debug_printf_eval("MOVE\n"); ++ /* make sure that we never return a temp var */ ++ if (L.v == TMPVAR0) ++ L.v = res; + /* if source is a temporary string, jusk relink it to dest */ + if (R.v == TMPVAR1 + && !(R.v->type & VF_NUMBER) diff --git a/patches/busybox-1.35.0/series b/patches/busybox-1.35.0/series index ee5360887..3e1a02a16 100644 --- a/patches/busybox-1.35.0/series +++ b/patches/busybox-1.35.0/series @@ -6,4 +6,5 @@ 0200-reactivate-check-for-tty.patch 0201-build-system-only-pass-real-libs-to-SELINUX_LIBS.patch 0202-scripts-trylink-honour-SKIP_STRIP-and-don-t-strip-if.patch -# 9c0cc4baa8090165b429198c9a10e02c - git-ptx-patches magic +0203-awk-fix-use-after-free-CVE-2022-30065.patch +# e8b4a3103390b1bd27c9ce24d1e435d7 - git-ptx-patches magic -- 2.34.1
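
Review bot: The header of the embedded 0203-awk-fix-use-after-free-CVE-2022-30065.patch does not record that it differs from upstream. The commit message says the testcase was removed, but inside the patch file only Natanael Copa's original description and sign-offs appear, so someone reading patches/busybox-1.35.0/ later cannot tell that the testcase part was dropped on purpose. Suggest adding a short line to the patch description (for example "testcase dropped, did not apply") and the upstream commit id if it is at hand. With the testcase gone, nothing in the tree exercises the "if (L.v == TMPVAR0) L.v = res;" guard added to the OC_MOVE case of evaluate(), so it would also help to say how the fix was checked against the report in https://bugs.busybox.net/show_bug.cgi?id=14781.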
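
Review bot: In the patches/busybox-1.35.0/series hunk, the tag line that 0203 falls under lies outside the context shown, so the commit message's statement that the patch is placed in the ptx tag cannot be confirmed from the diff alone; please check that 0203 follows 0200 to 0202 in that same section. The "git-ptx-patches magic" line changes from 9c0cc4baa8090165b429198c9a10e02c to e8b4a3103390b1bd27c9ce24d1e435d7; please confirm it was regenerated by git-ptx-patches after the testcase was removed rather than edited by hand.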