From 17a3c7437eb544d53b4186afdc7f059f6f02b7fb Mon Sep 17 00:00:00 2001
From: Jan Rybar
Date: Tue, 15 Aug 2023 11:21:58 +0200
Subject: [PATCH] CVE-2023-4016: ps: possible buffer overflow
Resolves: rhbz#2228503
---
 procps-ng-3.3.15-cve-2023-4016.patch | 60 ++++++++++++++++++++++++++++
 procps-ng.spec | 7 +++-
 2 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 procps-ng-3.3.15-cve-2023-4016.patch
diff --git a/procps-ng-3.3.15-cve-2023-4016.patch b/procps-ng-3.3.15-cve-2023-4016.patch
new file mode 100644
index 0000000..5887368
--- /dev/null
+++ b/procps-ng-3.3.15-cve-2023-4016.patch
@@ -0,0 +1,60 @@
+diff --git a/ps/parser.c b/ps/parser.c
+index 4263a1f..b33f319 100644
+--- a/ps/parser.c
++++ b/ps/parser.c
+@@ -31,7 +31,7 @@
+ #include
+ #include
+
+-#include "../proc/alloc.h"
++#include "xalloc.h"
+
+ #include "common.h"
+ #include "c.h"
+@@ -184,8 +184,8 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s
+ const char *err; /* error code that could or did happen */
+ /*** prepare to operate ***/
+ node = malloc(sizeof(selection_node));
+- node->u = malloc(strlen(arg)*sizeof(sel_union)); /* waste is insignificant */
+ node->n = 0;
++ node->u = NULL;
+ buf = strdup(arg);
+ /*** sanity check and count items ***/
+ need_item = 1; /* true */
+@@ -199,12 +199,13 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s
+ need_item=1;
+ break;
+ default:
+- if(need_item) items++;
++ if(need_item && itemsn = items;
++ node->u = xcalloc(items, sizeof(sel_union));
+ /*** actually parse the list ***/
+ walk = buf;
+ while(items--){
+@@ -1031,15 +1032,15 @@ static const char *parse_trailing_pids(void){
+ thisarg = ps_argc - 1; /* we must be at the end now */
+
+ pidnode = malloc(sizeof(selection_node));
+- pidnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */
++ pidnode->u = xcalloc(i, sizeof(sel_union)); /* waste is insignificant */
+ pidnode->n = 0;
+
+ grpnode = malloc(sizeof(selection_node));
+- grpnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */
++ grpnode->u = xcalloc(i, sizeof(sel_union)); /* waste is insignificant */
+ grpnode->n = 0;
+
+ sidnode = malloc(sizeof(selection_node));
+- sidnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */
++ sidnode->u = xcalloc(i, sizeof(sel_union)); /* waste is insignificant */
+ sidnode->n = 0;
+
+ while(i--){
+--
+2.40.1
+
diff --git a/procps-ng.spec b/procps-ng.spec
index fc85699..4359956 100644
--- a/procps-ng.spec
+++ b/procps-ng.spec
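Review bot: The `malloc(sizeof(selection_node))` calls in parse_list and parse_trailing_pids are still unchecked while the very next statements write through the result (`node->n = 0;`, `pidnode->u = xcalloc(...)`), so an allocation failure remains a NULL dereference after this fix; `buf = strdup(arg);` has the same gap. Since the patch already switches the include to `xalloc.h` for `xcalloc`, the node and buffer allocations could use the same family, assuming that header also provides them: `node = xmalloc(sizeof(selection_node));` and `buf = xstrdup(arg);`. The new counting line (`if(need_item && items...`) is truncated on this page, so the bound it places on `items` cannot be verified here; it is worth confirming against the original patch that the cap is in place before `xcalloc(items, sizeof(sel_union))`. Both functions begin and end outside the hunks shown.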
@@ -4,7 +4,7 @@ Summary: System and process monitoring utilities Name: procps-ng Version: 3.3.15 -Release: 13%{?dist} +Release: 14%{?dist} License: GPL+ and GPLv2 and GPLv2+ and GPLv3+ and LGPLv2+ Group: Applications/System URL: https://sourceforge.net/projects/procps-ng/ @@ -28,6 +28,7 @@ Patch9: procps-ng-3.3.15-pgrep-uid-gid-overflow.patch Patch10: procps-ng-3.3.15-display-sig-unsafe.patch Patch11: procps-ng-3.3.15-ps-select.patch Patch12: procps-ng-3.3.15-ps-out-of-bonds-read.patch +Patch13: procps-ng-3.3.15-cve-2023-4016.patch BuildRequires: ncurses-devel BuildRequires: libtool @@ -170,6 +171,10 @@ ln -s %{_bindir}/pidof %{buildroot}%{_sbindir}/pidof %files i18n -f %{name}.lang %changelog +* Tue Aug 15 2023 Jan Rybar - 3.3.15-14 +- CVE-2023-4016: ps: possible buffer overflow +- Resolves: rhbz#2228503 + * Tue Jan 17 2023 Jan Rybar - 3.3.15-13 - version bump requested to create -devel subpkg for CRB inclusion - Resolves: rhbz#2164781