mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-06-13 17:39:57 +00:00
Code Issues Projects Releases Wiki Activity

dash: fix CVE-2026-31323

Browse Source 
Backport upstream fix for CVE-2026-31323 [1].

[1] https://git.kernel.org/pub/scm/utils/dash/dash.git/commit/?id=0034bfe185d3d875cebace8cb3ca5c9dabf9e0f3

Signed-off-by: Theo Gaige <tgaige.opensource@witekio.com>
Reviewed-by: Bruno Vernay <bruno.vernay@se.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
Theo Gaige
2026-05-19 15:26:14 +02:00
committed by Anuj Mittal
parent a587f53a0e
commit 7acc744194
2 changed files with 47 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-shells/dash/dash/CVE-2026-31323.patch
+43
View File
@@ -0,0 +1,43 @@
From eeebf52119df7a74ee5187268ca3030d4c701f20 Mon Sep 17 00:00:00 2001
From: Muchen Hou <996029583@qq.com>
Date: Mon, 13 Apr 2026 10:28:29 +0800
Subject: [PATCH] arith: Fix CVE-2026-31323 INTMAX_MIN / -1 overflow
Division and remainder currently guard against division by zero, but not
against the signed overflow case INTMAX_MIN / -1. On affected systems
this can trigger SIGFPE during arithmetic expansion.
Add an explicit guard before evaluating division or remainder.
Signed-off-by: Muchen Hou <996029583@qq.com>
Merge the overflow check with the zero division check.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 0034bfe185d3d875cebace8cb3ca5c9dabf9e0f3)
CVE: CVE-2026-31323
Upstream-Status: Backport [https://git.kernel.org/pub/scm/utils/dash/dash.git/commit/?id=0034bfe185d3d875cebace8cb3ca5c9dabf9e0f3]
Signed-off-by: Theo Gaige <tgaige.opensource@witekio.com>
---
src/arith_yacc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/arith_yacc.c b/src/arith_yacc.c
index 1a087c3..b978ef0 100644
--- a/src/arith_yacc.c
+++ b/src/arith_yacc.c
@@ -98,8 +98,8 @@ static intmax_t do_binop(int op, intmax_t a, intmax_t b)
default:
case ARITH_REM:
case ARITH_DIV:
- if (!b)
- yyerror("division by zero");
+ if (!b || (a == INTMAX_MIN && b == -1))
+ yyerror("division error");
return op == ARITH_REM ? a % b : a / b;
case ARITH_MUL:
return a * b;
--
2.43.0
meta-oe/recipes-shells/dash/dash_0.5.12.bb
+4 -1
View File
@@ -7,7 +7,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b5262b4a1a1bff72b48e935531976d2e"
inherit autotools update-alternatives
SRC_URI = "http://gondor.apana.org.au/~herbert/${BPN}/files/${BP}.tar.gz"
SRC_URI = "http://gondor.apana.org.au/~herbert/${BPN}/files/${BP}.tar.gz \
file://CVE-2026-31323.patch \
"
SRC_URI[sha256sum] = "6a474ac46e8b0b32916c4c60df694c82058d3297d8b385b74508030ca4a8f28a"
CVE_PRODUCT = "dash:dash"