diff --git a/backport-CVE-2023-4156.patch b/backport-CVE-2023-4156.patch new file mode 100644 index 0000000000000000000000000000000000000000..b893d2f1c181f7b6f1e6af87a1a9377a1f7327d3 --- /dev/null +++ b/backport-CVE-2023-4156.patch @@ -0,0 +1,30 @@ +From e709eb829448ce040087a3fc5481db6bfcaae212 Mon Sep 17 00:00:00 2001 +From: "Arnold D. Robbins" +Date: Wed, 3 Aug 2022 13:00:54 +0300 +Subject: [PATCH] Smal bug fix in builtin.c. + +Reference:https://git.savannah.gnu.org/gitweb/?p=gawk.git;a=commitdiff;h=e709eb829448ce040087a3fc5481db6bfcaae212 +Conflict:delete changlog +--- + builtin.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/builtin.c b/builtin.c +index d7ba82c..3eee9b9 100644 +--- a/builtin.c ++++ b/builtin.c +@@ -963,7 +963,10 @@ check_pos: + s1++; + n0--; + } +- if (val >= num_args) { ++ // val could be less than zero if someone provides a field width ++ // so large that it causes integer overflow. Mainly fuzzers do this, ++ // but let's try to be good anyway. ++ if (val < 0 || val >= num_args) { + toofew = true; + break; + } +-- +2.27.0 + diff --git a/gawk.spec b/gawk.spec index dc60c89fb8ad71c76ac8c3fc25dfadafe44d8494..071188f9119522ae50221a1791d84ae0922a90ac 100644 --- a/gawk.spec +++ b/gawk.spec @@ -4,7 +4,7 @@ egrep -i "gawk_api_minor.*[0-9]+" | egrep -o "[0-9]") Name: gawk Version: 5.0.1 -Release: 4 +Release: 5 License: GPLv3+ and GPLv2+ and LGPLv2+ and BSD Summary: The GNU version of the AWK text processing utility URL: https://www.gnu.org/software/gawk/ @@ -13,6 +13,7 @@ Source0: https://ftp.gnu.org/gnu/gawk/gawk-%{version}.tar.xz Patch0: gawk-inplace-namespace-part1.patch Patch1: gawk-inplace-namespace-part2.patch Patch2: gawk-inplace-namespace-part3.patch +Patch3: backport-CVE-2023-4156.patch BuildRequires: git gcc automake grep BuildRequires: bison texinfo texinfo-tex ghostscript texlive-ec texlive-cm-super glibc-all-langpacks @@ -107,6 +108,9 @@ install -m 0644 -p doc/gawkinet.{pdf,ps} ${RPM_BUILD_ROOT}%{_docdir}/%{name} %{_datadir}/locale/* %changelog +* Mon Aug 28 2023 yangmingtai - 5.0.1-5 +- fix CVE-2023-4156 + * Fri Sep 2 2022 zoulin - 5.0.1-4 - Type:enhancement - ID:NA