5 changed files with 190 additions and 1 deletions
--- a/SOURCES/procps-ng-3.3.15-cve-2023-4016.patch
+++ b/SOURCES/procps-ng-3.3.15-cve-2023-4016.patch
@ -0,0 +1,60 @@
+diff --git a/ps/parser.c b/ps/parser.c
+index 4263a1f..b33f319 100644
+--- a/ps/parser.c
+++ b/ps/parser.c
+@@ -31,7 +31,7 @@
+ #include <sys/stat.h>
+ #include <sys/types.h>
+ 
+-#include "../proc/alloc.h"
+#include "xalloc.h"
+ 
+ #include "common.h"
+ #include "c.h"
+@@ -184,8 +184,8 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s
+   const char *err;       /* error code that could or did happen */
+   /*** prepare to operate ***/
+   node = malloc(sizeof(selection_node));
+-  node->u = malloc(strlen(arg)*sizeof(sel_union)); /* waste is insignificant */
+   node->n = 0;
+  node->u = NULL;
+   buf = strdup(arg);
+   /*** sanity check and count items ***/
+   need_item = 1; /* true */
+@@ -199,12 +199,13 @@ static const char *parse_list(const char *arg, const char *(*parse_fn)(char *, s
+       need_item=1;
+       break;
+     default:
+-      if(need_item) items++;
+      if(need_item && items<INT_MAX) items++;
+       need_item=0;
+     }
+   } while (*++walk);
+   if(need_item) goto parse_error;
+   node->n = items;
+  node->u = xcalloc(items, sizeof(sel_union));
+   /*** actually parse the list ***/
+   walk = buf;
+   while(items--){
+@@ -1031,15 +1032,15 @@ static const char *parse_trailing_pids(void){
+   thisarg = ps_argc - 1;   /* we must be at the end now */
+ 
+   pidnode = malloc(sizeof(selection_node));
+-  pidnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */
+  pidnode->u = xcalloc(i, sizeof(sel_union)); /* waste is insignificant */
+   pidnode->n = 0;
+ 
+   grpnode = malloc(sizeof(selection_node));
+-  grpnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */
+  grpnode->u = xcalloc(i, sizeof(sel_union)); /* waste is insignificant */
+   grpnode->n = 0;
+ 
+   sidnode = malloc(sizeof(selection_node));
+-  sidnode->u = malloc(i*sizeof(sel_union)); /* waste is insignificant */
+  sidnode->u = xcalloc(i, sizeof(sel_union)); /* waste is insignificant */
+   sidnode->n = 0;
+ 
+   while(i--){
+-- 
+2.40.1
+
--- a/SOURCES/procps-ng-3.3.15-display-sig-unsafe.patch
+++ b/SOURCES/procps-ng-3.3.15-display-sig-unsafe.patch
@ -0,0 +1,43 @@
+diff -up ./ps/display.c.ori ./ps/display.c
+--- ./ps/display.c.ori	2018-05-18 23:32:21.998979977 +0200
+++ ./ps/display.c	2022-11-24 15:11:26.678314866 +0100
+@@ -44,26 +44,31 @@
+ #define SIGCHLD SIGCLD
+ #endif
+ 
+#define SIG_IS_TERM_OR_HUP(signo) (((signo) == SIGTERM) || (signo) == SIGHUP)
+
+ char *myname;
+ 
+ /* just reports a crash */
+ static void signal_handler(int signo){
+   if(signo==SIGPIPE) _exit(0);  /* "ps | head" will cause this */
+   /* fprintf() is not reentrant, but we _exit() anyway */
+-  fprintf(stderr,
+-    _("Signal %d (%s) caught by %s (%s).\n"),
+-    signo,
+-    signal_number_to_name(signo),
+-    myname,
+-    PACKAGE_VERSION
+-  );
+  if (!SIG_IS_TERM_OR_HUP(signo)) {
+    fprintf(stderr,
+      _("Signal %d (%s) caught by %s (%s).\n"),
+      signo,
+      signal_number_to_name(signo),
+      myname,
+      PACKAGE_VERSION
+    );
+  }
+   switch (signo) {
+     case SIGHUP:
+     case SIGUSR1:
+     case SIGUSR2:
+       exit(EXIT_FAILURE);
+     default:
+-      error_at_line(0, 0, __FILE__, __LINE__, "%s", _("please report this bug"));
+      if (!SIG_IS_TERM_OR_HUP(signo))
+        error_at_line(0, 0, __FILE__, __LINE__, "%s", _("please report this bug"));
+       signal(signo, SIG_DFL);  /* allow core file creation */
+       kill(getpid(), signo);
+       _exit(EXIT_FAILURE);
--- a/SOURCES/procps-ng-3.3.15-ps-out-of-bonds-read.patch
+++ b/SOURCES/procps-ng-3.3.15-ps-out-of-bonds-read.patch
@ -0,0 +1,23 @@
+diff --git a/ps/display.c b/ps/display.c
+index 1927fd6..e7ab351 100644
+--- a/ps/display.c
+++ b/ps/display.c
+@@ -357,7 +357,7 @@ static void simple_spew(void){
+   if (selection_list && selection_list->typecode == SEL_PID_QUICK) {
+     flags |= PROC_PID;
+ 
+-    pidlist = (pid_t*) malloc(selection_list->n * sizeof(pid_t));
+    pidlist = (pid_t*) malloc((selection_list->n + 1) * sizeof(pid_t));
+     if (!pidlist) {
+       fprintf(stderr, _("error: not enough memory\n"));
+       exit(1);
+@@ -366,6 +366,9 @@ static void simple_spew(void){
+     for (i = 0; i < selection_list->n; i++) {
+       pidlist[i] = selection_list->u[selection_list->n-i-1].pid;
+     }
+
+    // delimit the array with nul object (0); RHBZ#2153813
+    pidlist[selection_list->n] = (pid_t)0;
+   }
+ 
+   ptp = openproc(flags, pidlist);
--- a/SOURCES/procps-ng-3.3.15-ps-select.patch
+++ b/SOURCES/procps-ng-3.3.15-ps-select.patch
@ -0,0 +1,39 @@
+From 06995518605fed7a1a29551be0eff01b2f9e89b7 Mon Sep 17 00:00:00 2001
+From: rpm-build <rpm-build>
+Date: Tue, 13 Dec 2022 16:02:50 -0500
+Subject: [PATCH]
+
+---
+ ps/common.h | 2 +-
+ ps/select.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ps/common.h b/ps/common.h
+index 905d320..fc4d3a8 100644
+--- a/ps/common.h
+++ b/ps/common.h
+@@ -189,7 +189,7 @@ typedef union sel_union {
+   uid_t uid;
+   gid_t gid;
+   dev_t tty;
+-  char  cmd[64];  /* this is _not_ \0 terminated */
+  char  cmd[16];  /* this is _not_ \0 terminated */
+ } sel_union;
+ 
+ typedef struct selection_node {
+diff --git a/ps/select.c b/ps/select.c
+index f58ca25..e12982d 100644
+--- a/ps/select.c
+++ b/ps/select.c
+@@ -117,7 +117,7 @@ static int proc_was_listed(proc_t *buf){
+     break; case SEL_SESS: return_if_match(session,pid);
+ 
+     break; case SEL_COMM: i=sn->n; while(i--)
+-    if(!strncmp( buf->cmd, (*(sn->u+i)).cmd, 63 )) return 1;
+    if(!strncmp( buf->cmd, (*(sn->u+i)).cmd, 15 )) return 1;
+ 
+ 
+ 
+-- 
+2.31.1
+
--- a/SPECS/procps-ng.spec
+++ b/SPECS/procps-ng.spec
@ -4,7 +4,7 @@
 Summary: System and process monitoring utilities
 Name: procps-ng
 Version: 3.3.15
-Release: 9%{?dist}
+Release: 14%{?dist}
 License: GPL+ and GPLv2 and GPLv2+ and GPLv3+ and LGPLv2+
 Group: Applications/System
 URL: https://sourceforge.net/projects/procps-ng/
@ -25,6 +25,10 @@ Patch6: procps-ng-3.3.15-uptime-pretty-mod.patch
 Patch7: procps-ng-3.3.15-vmstat-omit-first-report.patch
 Patch8: procps-ng-3.3.15-sysctl-config-dir-order.patch
 Patch9: procps-ng-3.3.15-pgrep-uid-gid-overflow.patch
+Patch10: procps-ng-3.3.15-display-sig-unsafe.patch
+Patch11: procps-ng-3.3.15-ps-select.patch
+Patch12: procps-ng-3.3.15-ps-out-of-bonds-read.patch
+Patch13: procps-ng-3.3.15-cve-2023-4016.patch

 BuildRequires: ncurses-devel
 BuildRequires: libtool
@ -167,6 +171,26 @@ ln -s %{_bindir}/pidof %{buildroot}%{_sbindir}/pidof
 %files i18n -f %{name}.lang

 %changelog
+* Tue Aug 15 2023 Jan Rybar <jrybar@redhat.com> - 3.3.15-14
+- CVE-2023-4016: ps: possible buffer overflow
+- Resolves: rhbz#2228503
+
+* Tue Jan 17 2023 Jan Rybar <jrybar@redhat.com> - 3.3.15-13
+- version bump requested to create -devel subpkg for CRB inclusion
+- Resolves: rhbz#2164781
+
+* Tue Jan 17 2023 Jan Rybar <jrybar@redhat.com> - 3.3.15-12
+- ps: out-of-bonds read in quick mode
+- Resolves: rhbz#2153813
+
+* Tue Dec 13 2022 Kyle Walker <kwalker@redhat.com> - 3.3.15-11
+- ps: revert increase command name length to 64 ____ (catch up)
+- Resolves: rhbz#2144978
+
+* Wed Nov 23 2022 Jan Rybar <jrybar@redhat.com> - 3.3.15-10
+- display.c: backport: async-signal-unsafe handler deadlocks on SIGHUP
+- Resolves: rhbz#2141696
+
 * Wed Aug 17 2022 Jan Rybar <jrybar@redhat.com> - 3.3.15-9
 - pgrep: backport uid/gid overflow fix
 - Resolves: rhbz#1827731