Version in base suite: 1.35.0-4 Base version: busybox_1.35.0-4 Target version: busybox_1.35.0-4+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/b/busybox/busybox_1.35.0-4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/b/busybox/busybox_1.35.0-4+deb12u1.dsc changelog | 11 ++ gbp.conf | 3 patches/CVE-2022-48174.patch | 80 +++++++++++++++ patches/CVE-2023-42363.patch | 63 ++++++++++++ patches/CVE-2023-42364-part1.patch | 188 +++++++++++++++++++++++++++++++++++++ patches/CVE-2023-42364-part2.patch | 134 ++++++++++++++++++++++++++ patches/series | 4 salsa-ci.yml | 28 +---- 8 files changed, 491 insertions(+), 20 deletions(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpjdj5j8xs/busybox_1.35.0-4.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpjdj5j8xs/busybox_1.35.0-4+deb12u1.dsc: no acceptable signature found diff -Nru busybox-1.35.0/debian/changelog busybox-1.35.0/debian/changelog --- busybox-1.35.0/debian/changelog 2022-11-06 08:27:04.000000000 +0000 +++ busybox-1.35.0/debian/changelog 2026-03-02 06:59:41.000000000 +0000 @@ -1,3 +1,14 @@ +busybox (1:1.35.0-4+deb12u1) bookworm; urgency=high + + * Non-maintainer upload by the LTS Team. + * Import/Backport patches for: + - CVE-2022-48174 - stack overflow (Closes: #1059049) + - CVE-2023-42363 - use-after-free (Closes: #1059050) + - CVE-2023-42364 - use-after-free (Closes: #1059051) + This patch also covers CVE-2023-42365 (Closes: #1059052) + + -- Tobias Frost Mon, 02 Mar 2026 07:59:41 +0100 + busybox (1:1.35.0-4) unstable; urgency=medium * static build: disable blkid applet (CONFIG_BLKID, #1023501) diff -Nru busybox-1.35.0/debian/gbp.conf busybox-1.35.0/debian/gbp.conf --- busybox-1.35.0/debian/gbp.conf 1970-01-01 00:00:00.000000000 +0000 +++ busybox-1.35.0/debian/gbp.conf 2026-03-01 08:37:38.000000000 +0000 
@@ -0,0 +1,3 @@ +[DEFAULT] +pristine-tar = True +debian-branch = debian/bookworm diff -Nru busybox-1.35.0/debian/patches/CVE-2022-48174.patch busybox-1.35.0/debian/patches/CVE-2022-48174.patch --- busybox-1.35.0/debian/patches/CVE-2022-48174.patch 1970-01-01 00:00:00.000000000 +0000 +++ busybox-1.35.0/debian/patches/CVE-2022-48174.patch 2026-03-01 08:37:38.000000000 +0000 @@ -0,0 +1,80 @@ +Description: Patch for CVE-2022-48174 - stack overflow +Origin: https://git.busybox.net/busybox/commit/?id=d417193cf37ca1005830d7e16f5fa7e1d8a44209 +Bug: https://bugs.busybox.net/show_bug.cgi?id=15216 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059049 + +commit d417193cf37ca1005830d7e16f5fa7e1d8a44209 +Author: Denys Vlasenko +Date: Mon Jun 12 17:48:47 2023 +0200 + + shell: avoid segfault on ${0::0/0~09J}. Closes 15216 + + function old new delta + evaluate_string 1011 1053 +42 + + 
Signed-off-by: Denys Vlasenko + +diff --git a/shell/math.c b/shell/math.c +index 76d22c9bd..727c29467 100644 +--- a/shell/math.c ++++ b/shell/math.c +@@ -577,6 +577,28 @@ static arith_t strto_arith_t(const char *nptr, char **endptr) + # endif + #endif + ++//TODO: much better estimation than expr_len/2? Such as: ++//static unsigned estimate_nums_and_names(const char *expr) ++//{ ++// unsigned count = 0; ++// while (*(expr = skip_whitespace(expr)) != '\0') { ++// const char *p; ++// if (isdigit(*expr)) { ++// while (isdigit(*++expr)) ++// continue; ++// count++; ++// continue; ++// } ++// p = endofname(expr); ++// if (p != expr) { ++// expr = p; ++// count++; ++// continue; ++// } ++// } ++// return count; ++//} ++ + static arith_t + evaluate_string(arith_state_t *math_state, const char *expr) + { +@@ -584,10 +606,12 @@ evaluate_string(arith_state_t *math_state, const char *expr) + const char *errmsg; + const char *start_expr = expr = skip_whitespace(expr); + unsigned expr_len = strlen(expr) + 2; +- /* Stack of integers */ +- /* The proof that there can be no more than strlen(startbuf)/2+1 +- * integers in any given correct or incorrect expression +- * is left as an exercise to the reader. */ ++ /* Stack of integers/names */ ++ /* There can be no more than strlen(startbuf)/2+1 ++ * integers/names in any given correct or incorrect expression. ++ * (modulo "09v09v09v09v09v" case, ++ * but we have code to detect that early) ++ */ + var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0])); + var_or_num_t *numstackptr = numstack; + /* Stack of operator tokens */ +@@ -652,6 +676,13 @@ evaluate_string(arith_state_t *math_state, const char *expr) + numstackptr->var = NULL; + errno = 0; + numstackptr->val = strto_arith_t(expr, (char**) &expr); ++ /* A number can't be followed by another number, or a variable name. 
++ * We'd catch this later anyway, but this would require numstack[] ++ * to be twice as deep to handle strings where _every_ char is ++ * a new number or name. Example: 09v09v09v09v09v09v09v09v09v ++ */ ++ if (isalnum(*expr) || *expr == '_') ++ goto err; + //bb_error_msg("val:%lld", numstackptr->val); + if (errno) + numstackptr->val = 0; /* bash compat */ diff -Nru busybox-1.35.0/debian/patches/CVE-2023-42363.patch busybox-1.35.0/debian/patches/CVE-2023-42363.patch --- busybox-1.35.0/debian/patches/CVE-2023-42363.patch 1970-01-01 00:00:00.000000000 +0000 +++ busybox-1.35.0/debian/patches/CVE-2023-42363.patch 2026-03-01 08:37:38.000000000 +0000 
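Review bot: The depth bound on `numstack` still rests only on the argument in the rewritten comment: nothing visible in evaluate_string() compares `numstackptr` with the `expr_len / 2` entries obtained from alloca() before `numstackptr->val` is written. The added `isalnum(*expr) || *expr == '_'` rejection closes the "09v09v..." input, but a guard at the push site, for example `if ((unsigned)(numstackptr - numstack) >= expr_len / 2) goto err;`, would turn any other input that breaks the estimate into a syntax error instead of a write past the stack buffer. The function body continues outside the hunk, so the path that pushes names is not visible here and would need the same guard.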
@@ -0,0 +1,63 @@ +Description: CVE-2023-42363 - use-after-free vulnerability +Origin: https://git.busybox.net/busybox/commit/?id=fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa +Bug: https://bugs.busybox.net/show_bug.cgi?id=15865 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059050 + +From fb08d43d44d1fea1f741fafb9aa7e1958a5f69aa Mon Sep 17 00:00:00 2001 +From: Natanael Copa +Date: Mon, 20 May 2024 17:55:28 +0200 +Subject: awk: fix use after free (CVE-2023-42363) + +function old new delta +evaluate 3377 3385 +8 + +Fixes https://bugs.busybox.net/show_bug.cgi?id=15865 + +Signed-off-by: Natanael Copa +Signed-off-by: Denys Vlasenko +--- + editors/awk.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -2954,19 +2954,14 @@ + if ((opinfo & OF_REQUIRED) && !op1) + syntax_error(EMSG_TOO_FEW_ARGS); + L.v = evaluate(op1, TMPVAR0); +- if (opinfo & OF_STR1) { +- L.s = getvar_s(L.v); +- debug_printf_eval("L.s:'%s'\n", L.s); +- } + if (opinfo & OF_NUM1) { + L_d = getvar_i(L.v); + debug_printf_eval("L_d:%f\n", L_d); + } + } +- /* NB: Must get string/numeric values of L (done above) +- * _before_ evaluate()'ing R.v: if both L and R are $NNNs, +- * and right one is large, then L.v points to Fields[NNN1], +- * second evaluate() reallocates and moves (!) Fields[], ++ /* NB: if both L and R are $NNNs, and right one is large, ++ * then at this pint L.v points to Fields[NNN1], second ++ * evaluate() below reallocates and moves (!) Fields[], + * R.v points to Fields[NNN2] but L.v now points to freed mem! + * (Seen trying to evaluate "$444 $44444") + */ +@@ -2979,6 +2974,16 @@ + debug_printf_eval("R.s:'%s'\n", R.s); + } + } ++ /* Get L.s _after_ R.v is evaluated: it may have realloc'd L.v ++ * so we must get the string after "old_Fields_ptr" correction ++ * above. 
Testcase: x = (v = "abc", gsub("b", "X", v)); ++ */ ++ if (opinfo & OF_RES1) { ++ if (opinfo & OF_STR1) { ++ L.s = getvar_s(L.v); ++ debug_printf_eval("L.s:'%s'\n", L.s); ++ } ++ } + + debug_printf_eval("switch(0x%x)\n", XC(opinfo & OPCLSMASK)); + switch (XC(opinfo & OPCLSMASK)) { diff -Nru busybox-1.35.0/debian/patches/CVE-2023-42364-part1.patch busybox-1.35.0/debian/patches/CVE-2023-42364-part1.patch --- busybox-1.35.0/debian/patches/CVE-2023-42364-part1.patch 1970-01-01 00:00:00.000000000 +0000 +++ busybox-1.35.0/debian/patches/CVE-2023-42364-part1.patch 2026-03-01 08:37:38.000000000 +0000 
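Review bot: The new comment in the second inner hunk relies on an "old_Fields_ptr" correction "above", but no such code appears in the visible lines, and the hunk headers leave only six unshown lines (old 2973-2978) between the two hunks. If the 1.35.0 tree does not carry that correction, moving `L.s = getvar_s(L.v)` after the evaluation of R.v reads `L.v` at the point where the retained comment says it may point to freed `Fields[]` memory (the "$444 $44444" case). Please confirm the correction is present in the target tree, or backport the upstream change that introduced it together with this patch, and add both testcases named in the comments to the package tests. evaluate() starts and ends outside the hunks shown.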
@@ -0,0 +1,188 @@ +Description: Fix for CVE2023-42364 / CVE-2023-42365 - part 1 +Origin: https://git.busybox.net/busybox/commit/editors/awk.c?id=0256e00a9d077588bd3a39f5a1ef7e2eaa2911e4 +Bug: https://bugs.busybox.net/show_bug.cgi?id=15868 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059051 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059052 + +From 0256e00a9d077588bd3a39f5a1ef7e2eaa2911e4 Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Tue, 30 May 2023 16:42:18 +0200 +Subject: awk: fix precedence of = relative to == + +Discovered while adding code to disallow assignments to non-lvalues + +function old new delta +parse_expr 936 991 +55 +.rodata 105243 105247 +4 +------------------------------------------------------------------------------ +(add/remove: 0/0 grow/shrink: 2/0 up/down: 59/0) Total: 59 bytes + +Signed-off-by: Denys Vlasenko +--- + editors/awk.c | 66 ++++++++++++++++++++++++++++++++++++++++------------------- + 1 file changed, 45 insertions(+), 21 deletions(-) + +(limited to 'editors/awk.c') + +diff --git a/editors/awk.c b/editors/awk.c +index c49ad6e02..0f062dcdb 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -337,7 +337,9 @@ static void debug_parse_print_tc(uint32_t n) + #undef P + #undef PRIMASK + #undef PRIMASK2 +-#define P(x) (x << 24) ++/* Smaller 'x' means _higher_ operator precedence */ ++#define PRECEDENCE(x) (x << 24) ++#define P(x) PRECEDENCE(x) + #define PRIMASK 0x7F000000 + #define PRIMASK2 0x7E000000 + +@@ -360,7 +362,7 @@ enum { + OC_MOVE = 0x1f00, OC_PGETLINE = 0x2000, OC_REGEXP = 0x2100, + OC_REPLACE = 0x2200, OC_RETURN = 0x2300, OC_SPRINTF = 0x2400, + OC_TERNARY = 0x2500, OC_UNARY = 0x2600, OC_VAR = 0x2700, +- OC_DONE = 0x2800, ++ OC_CONST = 0x2800, OC_DONE = 0x2900, + + ST_IF = 0x3000, ST_DO = 0x3100, ST_FOR = 0x3200, + ST_WHILE = 0x3300 +@@ -440,9 +442,9 @@ static const uint32_t tokeninfo[] ALIGN4 = { + #define TI_PREINC (OC_UNARY|xV|P(9)|'P') + #define TI_PREDEC (OC_UNARY|xV|P(9)|'M') 
+ TI_PREINC, TI_PREDEC, OC_FIELD|xV|P(5), +- OC_COMPARE|VV|P(39)|5, OC_MOVE|VV|P(74), OC_REPLACE|NV|P(74)|'+', OC_REPLACE|NV|P(74)|'-', +- OC_REPLACE|NV|P(74)|'*', OC_REPLACE|NV|P(74)|'/', OC_REPLACE|NV|P(74)|'%', OC_REPLACE|NV|P(74)|'&', +- OC_BINARY|NV|P(29)|'+', OC_BINARY|NV|P(29)|'-', OC_REPLACE|NV|P(74)|'&', OC_BINARY|NV|P(15)|'&', ++ OC_COMPARE|VV|P(39)|5, OC_MOVE|VV|P(38), OC_REPLACE|NV|P(38)|'+', OC_REPLACE|NV|P(38)|'-', ++ OC_REPLACE|NV|P(38)|'*', OC_REPLACE|NV|P(38)|'/', OC_REPLACE|NV|P(38)|'%', OC_REPLACE|NV|P(38)|'&', ++ OC_BINARY|NV|P(29)|'+', OC_BINARY|NV|P(29)|'-', OC_REPLACE|NV|P(38)|'&', OC_BINARY|NV|P(15)|'&', + OC_BINARY|NV|P(25)|'/', OC_BINARY|NV|P(25)|'%', OC_BINARY|NV|P(15)|'&', OC_BINARY|NV|P(25)|'*', + OC_COMPARE|VV|P(39)|4, OC_COMPARE|VV|P(39)|3, OC_COMPARE|VV|P(39)|0, OC_COMPARE|VV|P(39)|1, + #define TI_LESS (OC_COMPARE|VV|P(39)|2) +@@ -1301,7 +1303,7 @@ static uint32_t next_token(uint32_t expected) + save_tclass = tc; + save_info = t_info; + tc = TC_BINOPX; +- t_info = OC_CONCAT | SS | P(35); ++ t_info = OC_CONCAT | SS | PRECEDENCE(35); + } + + t_tclass = tc; +@@ -1361,9 +1363,8 @@ static node *parse_expr(uint32_t term_tc) + { + node sn; + node *cn = &sn; +- node *vn, *glptr; ++ node *glptr; + uint32_t tc, expected_tc; +- var *v; + + debug_printf_parse("%s() term_tc(%x):", __func__, term_tc); + debug_parse_print_tc(term_tc); +@@ -1374,11 +1375,12 @@ static node *parse_expr(uint32_t term_tc) + expected_tc = TS_OPERAND | TS_UOPPRE | TC_REGEXP | term_tc; + + while (!((tc = next_token(expected_tc)) & term_tc)) { ++ node *vn; + + if (glptr && (t_info == TI_LESS)) { + /* input redirection (<) attached to glptr node */ + debug_printf_parse("%s: input redir\n", __func__); +- cn = glptr->l.n = new_node(OC_CONCAT | SS | P(37)); ++ cn = glptr->l.n = new_node(OC_CONCAT | SS | PRECEDENCE(37)); + cn->a.n = glptr; + expected_tc = TS_OPERAND | TS_UOPPRE; + glptr = NULL; +@@ -1390,24 +1392,42 @@ static node *parse_expr(uint32_t term_tc) + * previous 
operators with higher priority */ + vn = cn; + while (((t_info & PRIMASK) > (vn->a.n->info & PRIMASK2)) +- || ((t_info == vn->info) && t_info == TI_COLON) ++ || (t_info == vn->info && t_info == TI_COLON) + ) { + vn = vn->a.n; + if (!vn->a.n) syntax_error(EMSG_UNEXP_TOKEN); + } + if (t_info == TI_TERNARY) + //TODO: why? +- t_info += P(6); ++ t_info += PRECEDENCE(6); + cn = vn->a.n->r.n = new_node(t_info); + cn->a.n = vn->a.n; + if (tc & TS_BINOP) { + cn->l.n = vn; +-//FIXME: this is the place to detect and reject assignments to non-lvalues. +-//Currently we allow "assignments" to consts and temporaries, nonsense like this: +-// awk 'BEGIN { "qwe" = 1 }' +-// awk 'BEGIN { 7 *= 7 }' +-// awk 'BEGIN { length("qwe") = 1 }' +-// awk 'BEGIN { (1+1) += 3 }' ++ ++ /* Prevent: ++ * awk 'BEGIN { "qwe" = 1 }' ++ * awk 'BEGIN { 7 *= 7 }' ++ * awk 'BEGIN { length("qwe") = 1 }' ++ * awk 'BEGIN { (1+1) += 3 }' ++ */ ++ /* Assignment? (including *= and friends) */ ++ if (((t_info & OPCLSMASK) == OC_MOVE) ++ || ((t_info & OPCLSMASK) == OC_REPLACE) ++ ) { ++ debug_printf_parse("%s: MOVE/REPLACE vn->info:%08x\n", __func__, vn->info); ++ /* Left side is a (variable or array element) ++ * or function argument ++ * or $FIELD ? ++ */ ++ if ((vn->info & OPCLSMASK) != OC_VAR ++ && (vn->info & OPCLSMASK) != OC_FNARG ++ && (vn->info & OPCLSMASK) != OC_FIELD ++ ) { ++ syntax_error(EMSG_UNEXP_TOKEN); /* no. 
bad */ ++ } ++ } ++ + expected_tc = TS_OPERAND | TS_UOPPRE | TC_REGEXP; + if (t_info == TI_PGETLINE) { + /* it's a pipe */ +@@ -1443,6 +1463,8 @@ static node *parse_expr(uint32_t term_tc) + /* one should be very careful with switch on tclass - + * only simple tclasses should be used (TC_xyz, not TS_xyz) */ + switch (tc) { ++ var *v; ++ + case TC_VARIABLE: + case TC_ARRAY: + debug_printf_parse("%s: TC_VARIABLE | TC_ARRAY\n", __func__); +@@ -1463,14 +1485,14 @@ static node *parse_expr(uint32_t term_tc) + case TC_NUMBER: + case TC_STRING: + debug_printf_parse("%s: TC_NUMBER | TC_STRING\n", __func__); +- cn->info = OC_VAR; ++ cn->info = OC_CONST; + v = cn->l.v = xzalloc(sizeof(var)); +- if (tc & TC_NUMBER) ++ if (tc & TC_NUMBER) { + setvar_i(v, t_double); +- else { ++ } else { + setvar_s(v, t_string); +- expected_tc &= ~TC_UOPPOST; /* "str"++ is not allowed */ + } ++ expected_tc &= ~TC_UOPPOST; /* NUM++, "str"++ not allowed */ + break; + + case TC_REGEXP: +@@ -3124,6 +3146,8 @@ static var *evaluate(node *op, var *res) + + /* -- recursive node type -- */ + ++ case XC( OC_CONST ): ++ debug_printf_eval("CONST "); + case XC( OC_VAR ): + debug_printf_eval("VAR\n"); + L.v = op->l.v; +-- +cgit v1.2.3 + diff -Nru busybox-1.35.0/debian/patches/CVE-2023-42364-part2.patch busybox-1.35.0/debian/patches/CVE-2023-42364-part2.patch --- busybox-1.35.0/debian/patches/CVE-2023-42364-part2.patch 1970-01-01 00:00:00.000000000 +0000 +++ busybox-1.35.0/debian/patches/CVE-2023-42364-part2.patch 2026-03-01 08:37:38.000000000 +0000 
@@ -0,0 +1,134 @@ +Description: Fix for CVE2023-42364 / CVE-2023-42365 - part 2 (regression fix) +Origin: https://git.busybox.net/busybox/commit/editors/awk.c?id=38335df9e9f45378c3407defd38b5b610578bdda +Bug: https://bugs.busybox.net/show_bug.cgi?id=15871#c6 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059051 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059052 + +From 38335df9e9f45378c3407defd38b5b610578bdda Mon Sep 17 00:00:00 2001 +From: Denys Vlasenko +Date: Tue, 9 Jul 2024 15:30:46 +0200 +Subject: awk: restore assignment precedence to be lower than ternary ?: + +Something is fishy with constrcts like "3==v=3" in gawk, +they should not work, but do. Ignore those for now. + +Signed-off-by: Denys Vlasenko +--- + editors/awk.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++++---------- + 1 file changed, 54 insertions(+), 11 deletions(-) + +(limited to 'editors/awk.c') + +diff --git a/editors/awk.c b/editors/awk.c +index 8bc214b69..697a44c8c 100644 +--- a/editors/awk.c ++++ b/editors/awk.c +@@ -433,36 +433,47 @@ static const char tokenlist[] ALIGN1 = + ; + + static const uint32_t tokeninfo[] ALIGN4 = { +- 0, +- 0, ++ 0, /* ( */ ++ 0, /* ) */ + #define TI_REGEXP OC_REGEXP +- TI_REGEXP, ++ TI_REGEXP, /* / */ ++ /* >> > | */ + xS|'a', xS|'w', xS|'|', ++ /* ++ -- */ + OC_UNARY|xV|P(9)|'p', OC_UNARY|xV|P(9)|'m', + #define TI_PREINC (OC_UNARY|xV|P(9)|'P') + #define TI_PREDEC (OC_UNARY|xV|P(9)|'M') ++ /* ++ -- $ */ + TI_PREINC, TI_PREDEC, OC_FIELD|xV|P(5), +- OC_COMPARE|VV|P(39)|5, OC_MOVE|VV|P(38), OC_REPLACE|NV|P(38)|'+', OC_REPLACE|NV|P(38)|'-', +- OC_REPLACE|NV|P(38)|'*', OC_REPLACE|NV|P(38)|'/', OC_REPLACE|NV|P(38)|'%', OC_REPLACE|NV|P(38)|'&', +- OC_BINARY|NV|P(29)|'+', OC_BINARY|NV|P(29)|'-', OC_REPLACE|NV|P(38)|'&', OC_BINARY|NV|P(15)|'&', ++ /* == = += -= */ ++ OC_COMPARE|VV|P(39)|5, OC_MOVE|VV|P(74), OC_REPLACE|NV|P(74)|'+', OC_REPLACE|NV|P(74)|'-', ++ /* *= /= %= ^= (^ is exponentiation, NOT xor) */ ++ 
OC_REPLACE|NV|P(74)|'*', OC_REPLACE|NV|P(74)|'/', OC_REPLACE|NV|P(74)|'%', OC_REPLACE|NV|P(74)|'&', ++ /* + - **= ** */ ++ OC_BINARY|NV|P(29)|'+', OC_BINARY|NV|P(29)|'-', OC_REPLACE|NV|P(74)|'&', OC_BINARY|NV|P(15)|'&', ++ /* / % ^ * */ + OC_BINARY|NV|P(25)|'/', OC_BINARY|NV|P(25)|'%', OC_BINARY|NV|P(15)|'&', OC_BINARY|NV|P(25)|'*', ++ /* != >= <= > */ + OC_COMPARE|VV|P(39)|4, OC_COMPARE|VV|P(39)|3, OC_COMPARE|VV|P(39)|0, OC_COMPARE|VV|P(39)|1, + #define TI_LESS (OC_COMPARE|VV|P(39)|2) ++ /* < !~ ~ && */ + TI_LESS, OC_MATCH|Sx|P(45)|'!', OC_MATCH|Sx|P(45)|'~', OC_LAND|Vx|P(55), + #define TI_TERNARY (OC_TERNARY|Vx|P(64)|'?') + #define TI_COLON (OC_COLON|xx|P(67)|':') ++ /* || ? : */ + OC_LOR|Vx|P(59), TI_TERNARY, TI_COLON, + #define TI_IN (OC_IN|SV|P(49)) + TI_IN, + #define TI_COMMA (OC_COMMA|SS|P(80)) + TI_COMMA, + #define TI_PGETLINE (OC_PGETLINE|SV|P(37)) +- TI_PGETLINE, ++ TI_PGETLINE, /* | */ ++ /* + - ! */ + OC_UNARY|xV|P(19)|'+', OC_UNARY|xV|P(19)|'-', OC_UNARY|xV|P(19)|'!', + 0, /* ] */ +- 0, +- 0, +- 0, ++ 0, /* { */ ++ 0, /* } */ ++ 0, /* ; */ + 0, /* \n */ + ST_IF, ST_DO, ST_FOR, OC_BREAK, + OC_CONTINUE, OC_DELETE|Rx, OC_PRINT, +@@ -511,6 +522,38 @@ static const uint32_t tokeninfo[] ALIGN4 = { + #undef OC_F + }; + ++/* gawk 5.1.1 manpage says the precedence of comparisons and assignments are as follows: ++ * ...... 
++ * < > <= >= == != ++ * ~ !~ ++ * in ++ * && ++ * || ++ * ?: ++ * = += -= *= /= %= ^= ++ * But there are some abnormalities: ++ * awk 'BEGIN { print v=3==3,v }' - ok: ++ * 1 1 ++ * awk 'BEGIN { print 3==v=3,v }' - wrong, (3==v)=3 is not a valid assignment: ++ * 1 3 ++ * This also unexpectedly works: echo "foo" | awk '$1==$1="foo" {print $1}' ++ * More than one comparison op fails to parse: ++ * awk 'BEGIN { print 3==3==3 }' - syntax error (wrong, should work) ++ * awk 'BEGIN { print 3==3!=3 }' - syntax error (wrong, should work) ++ * ++ * The ternary a?b:c works as follows in gawk: "a" can't be assignment ++ * ("= has lower precedence than ?") but inside "b" or "c", assignment ++ * is higher precedence: ++ * awk 'BEGIN { u=v=w=1; print u=0?v=4:w=5; print u,v,w }' ++ * 5 ++ * 5 1 5 ++ * This differs from C and shell's "test" rules for ?: which have implicit () ++ * around "b" in ?:, but not around "c" - they would barf on "w=5" above. ++ * gawk allows nesting of ?: - this works: ++ * u=0?v=4?5:6:w=7?8:9 means u=0?(v=4?5:6):(w=7?8:9) ++ * bbox is buggy here, requires parens: "u=0?(v=4):(w=5)" ++ */ ++ + /* internal variable names and their initial values */ + /* asterisk marks SPECIAL vars; $ is just no-named Field0 */ + enum { +@@ -1409,7 +1452,7 @@ static node *parse_expr(uint32_t term_tc) + vn = vn->a.n; + if (!vn->a.n) syntax_error(EMSG_UNEXP_TOKEN); + } +- if (t_info == TI_TERNARY) ++ if (t_info == TI_TERNARY) /* "?" operator */ + //TODO: why? + t_info += PRECEDENCE(6); + cn = vn->a.n->r.n = new_node(t_info); +-- +cgit v1.2.3 + diff -Nru busybox-1.35.0/debian/patches/series busybox-1.35.0/debian/patches/series --- busybox-1.35.0/debian/patches/series 2022-11-04 16:59:00.000000000 +0000 +++ busybox-1.35.0/debian/patches/series 2026-03-01 08:37:38.000000000 +0000 
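Review bot: With assignment back at `P(74)` and `==` at `P(39)`, the lvalue check added by part 1 will, as far as the precedence walk visible there shows, take the whole comparison as the left operand in inputs such as `3==v=3` or `$1==$1="foo"` and reject them with a syntax error, where 1.35.0-4 presumably accepted them. The new comment block records that gawk accepts both forms, so this looks like a behaviour change for existing scripts in a stable update. It would be worth stating this in debian/changelog and adding the examples from the comment block to the awk tests, so that the accepted and rejected forms are pinned.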
@@ -14,3 +14,7 @@ platform-linux.diff fix-non-linux-build.patch use-libresolv-on-non-linux-too.patch +CVE-2022-48174.patch +CVE-2023-42364-part1.patch +CVE-2023-42364-part2.patch +CVE-2023-42363.patch diff -Nru busybox-1.35.0/debian/salsa-ci.yml busybox-1.35.0/debian/salsa-ci.yml --- busybox-1.35.0/debian/salsa-ci.yml 2022-11-04 16:59:00.000000000 +0000 +++ busybox-1.35.0/debian/salsa-ci.yml 2026-03-02 06:59:41.000000000 +0000 @@ -1,27 +1,15 @@ --- +# Oldstable CI +--- include: - - https://salsa.debian.org/installer-team/branch2repo/raw/main/trigger_b2r.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml variables: - # re-enable things that branch2repo defaults to disabling - SALSA_CI_DISABLE_PIUPARTS: 0 - SALSA_CI_DISABLE_AUTOPKGTEST: 0 - SALSA_CI_DISABLE_LINTIAN: 0 - # fileordering seems to mess up the package's tests, causing FTBFS - # so let's just not bother running the tests in the variation build - SALSA_CI_REPROTEST_ARGS: --variations=environment.variables+=DEB_BUILD_OPTIONS=nocheck - -#FIXME: upon first enabling salsa-CI, the blhc test is failing I'm afraid I -# (Philip Hands) don't know if setting hardening flags is a good idea for -# busybox, so I'll leave it as it is for now, and set `allow_failure` -# below. -# -# If/when someone sets the hardening flags successfully, this setting -# should go. On the other hand, if it's inappropriate to set them, then -# this comment can also go and one can disable the test by adding this to -# the variables section above: -# -# SALSA_CI_DISABLE_BLHC: 1 + RELEASE: 'bookworm' +# These didn't work before LTS, not attempting to fix after freeze blhc: allow_failure: true + +lintian: + allow_failure: true
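Review bot: Adding `lintian: allow_failure: true` next to the existing blhc override means neither the lintian nor the hardening-flag check can fail the pipeline for this security upload, and the comment does not list which findings are expected. Recording the known failures in the comment (`# lintian: <known tags>, blhc: <known flags>`), or narrowing the override to them, keeps new regressions visible. The new side also starts with `---`, a comment and a second `---`, which makes the file a two-document YAML stream; unless that is intended, dropping the added `---` line avoids depending on how the CI parser treats the empty first document. The include still points at the mutable `master` ref of the pipeline repository, so job definitions can change without any change in this package.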