{"id":2225819,"url":"http://patchwork.ozlabs.org/api/patches/2225819/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/patch/20260421162617.2830354-1-titouan.christophe@mind.be/","project":{"id":27,"url":"http://patchwork.ozlabs.org/api/projects/27/?format=json","name":"Buildroot development","link_name":"buildroot","list_id":"buildroot.buildroot.org","list_email":"buildroot@buildroot.org","web_url":"","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260421162617.2830354-1-titouan.christophe@mind.be>","list_archive_url":null,"date":"2026-04-21T16:26:17","name":"[for,2025.02.x] package/dash: add patch for CVE-2026-31323","commit_ref":null,"pull_url":null,"state":"accepted","archived":false,"hash":"5437b6be79ec451a4fc6b82cc2a7543a4a85b383","submitter":{"id":90763,"url":"http://patchwork.ozlabs.org/api/people/90763/?format=json","name":"Titouan Christophe","email":"titouan.christophe@mind.be"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/buildroot/patch/20260421162617.2830354-1-titouan.christophe@mind.be/mbox/","series":[{"id":500849,"url":"http://patchwork.ozlabs.org/api/series/500849/?format=json","web_url":"http://patchwork.ozlabs.org/project/buildroot/list/?series=500849","date":"2026-04-21T16:26:17","name":"[for,2025.02.x] package/dash: add patch for CVE-2026-31323","version":1,"mbox":"http://patchwork.ozlabs.org/series/500849/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2225819/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2225819/checks/","tags":{},"related":[],"headers":{"Return-Path":"<buildroot-bounces@buildroot.org>","X-Original-To":["incoming-buildroot@patchwork.ozlabs.org","buildroot@buildroot.org"],"Delivered-To":["patchwork-incoming-buildroot@legolas.ozlabs.org","buildroot@buildroot.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=buildroot.org header.i=@buildroot.org\n header.a=rsa-sha256 header.s=default header.b=kvdxJul8;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=buildroot.org\n (client-ip=140.211.166.137; helo=smtp4.osuosl.org;\n envelope-from=buildroot-bounces@buildroot.org; receiver=patchwork.ozlabs.org)"],"Received":["from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g0SRR0TzBz1yCv\n\tfor <incoming-buildroot@patchwork.ozlabs.org>;\n Wed, 22 Apr 2026 02:26:42 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 8AA434203C;\n\tTue, 21 Apr 2026 16:26:40 +0000 (UTC)","from smtp4.osuosl.org ([127.0.0.1])\n by localhost (smtp4.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id 8HgtRknFQfLe; Tue, 21 Apr 2026 16:26:39 +0000 (UTC)","from lists1.osuosl.org (lists1.osuosl.org [140.211.166.142])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id AE7BB4203E;\n\tTue, 21 Apr 2026 16:26:39 +0000 (UTC)","from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138])\n by lists1.osuosl.org (Postfix) with ESMTP id 8FF27259\n for <buildroot@buildroot.org>; Tue, 21 Apr 2026 16:26:38 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp1.osuosl.org (Postfix) with ESMTP id 75C0083F82\n for <buildroot@buildroot.org>; Tue, 21 Apr 2026 16:26:38 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n by localhost (smtp1.osuosl.org [127.0.0.1]) (amavis, port 10024) with ESMTP\n id Hs77NLWrdwuJ for <buildroot@buildroot.org>;\n Tue, 21 Apr 2026 16:26:37 +0000 (UTC)","from mail-wm1-x334.google.com (mail-wm1-x334.google.com\n [IPv6:2a00:1450:4864:20::334])\n by smtp1.osuosl.org (Postfix) with ESMTPS id 4549383F74\n for <buildroot@buildroot.org>; Tue, 21 Apr 2026 16:26:36 +0000 (UTC)","by mail-wm1-x334.google.com with SMTP id\n 5b1f17b1804b1-488a8ca4aadso60582205e9.3\n for <buildroot@buildroot.org>; Tue, 21 Apr 2026 09:26:36 -0700 (PDT)","from dragon.home ([109.136.97.112]) by smtp.gmail.com with ESMTPSA\n id\n 5b1f17b1804b1-488fb75ab25sm119151385e9.11.2026.04.21.09.26.34\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Tue, 21 Apr 2026 09:26:34 -0700 (PDT)"],"X-Virus-Scanned":["amavis at osuosl.org","amavis at osuosl.org"],"X-Comment":"SPF check N/A for local connections - client-ip=140.211.166.142;\n helo=lists1.osuosl.org; envelope-from=buildroot-bounces@buildroot.org;\n receiver=<UNKNOWN> ","DKIM-Filter":["OpenDKIM Filter v2.11.0 smtp4.osuosl.org AE7BB4203E","OpenDKIM Filter v2.11.0 smtp1.osuosl.org 4549383F74"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=buildroot.org;\n\ts=default; t=1776788799;\n\tbh=3Sn3A9a/v0g8VvJJmqORnMHgqaV5X6NN9tb17i/z7Ng=;\n\th=To:Cc:Date:Subject:List-Id:List-Unsubscribe:List-Archive:\n\t List-Post:List-Help:List-Subscribe:From:Reply-To:From;\n\tb=kvdxJul8zi3BCLOvNcj4d85UM3Wa4njdpGuABmRAL5j05gau2vVoUBie7/gULr4IW\n\t wE0yncx8C+LNTLbAdfd0eu4Paj9JN/9bDMgHVuBphy30XjV9TBXEcMx2SD94R5+PGs\n\t B0B/Jcpi+H7tKbmNikCUx6qqYNdhKvn0XcyMCURqqWbdqOwDIJCuDOViHk3qjZ6Oby\n\t ygEsvjj+PJvqdCPm30Y/9gMt0KfYP1/wjR8oQt6Mvwyr6P4eKv+e4aNu64qVq9PUrl\n\t 0wXHVEguVEzvg8LJkV2kwC0XBcdddMfDoaP72UGXHmNM63f3BRUYgisNJxMRo/QIY9\n\t C6pO8efVnFLxw==","Received-SPF":"Pass (mailfrom) identity=mailfrom;\n client-ip=2a00:1450:4864:20::334; helo=mail-wm1-x334.google.com;\n envelope-from=titouan.christophe@essensium.com; receiver=<UNKNOWN>","DMARC-Filter":"OpenDMARC Filter v1.4.2 smtp1.osuosl.org 4549383F74","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1776788795; x=1777393595;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date\n :message-id:reply-to;\n bh=RCa9a4sBgAw4KOtvGNUOpgQUi17EEef84SejZsjMEoM=;\n b=A6Yq3ZkaBjFXv8wPYKiTINl4J3Ln2yRjH9ub8ArvVB/gHqmoJr5fphDQFbAq0DGrX2\n ZYfaolaLw6k5JULVj36OIvsPFf1pgDfyuz1MXoepdMMFpc9K0JyKzKYL/Kl+gjUR2plh\n kqbDENOj94bJDr4+aJc7ALK8PpEPk2OnD+5DL0C3YUlPACkoCCegAdv3YytdhWcoYcwb\n yjplY8q3FyBRE+/X9OKX/dZwvF1cuQBNzNKF8wteGlSnS50JC4C0xDuYMKha7ESmFnXl\n DOwPPyjgVeLDMuowvvtWQ9UbtjnnbCZL157ZfkXk9ZVDHxMveWe5RXwIs+MVPQhJLlEP\n bKPQ==","X-Gm-Message-State":"AOJu0YxtOafEIq1m6EqUEvbFUGieQsUIbOrrylMO4U3AxDE0bo5cejVK\n /9c6GRl6IIbXgsTMa8ULdX8p+bc7lf6bNvr2oHRkkqgKVcAbABQ1Y+VCpfozXaBA/IRe4YliidT\n dxXYYV3o=","X-Gm-Gg":"AeBDietmFfjqiOAVJGab5vRr09p+WKeBrekGwGMqYmvwYB+JM8bO9XddR6S35l6y5is\n nnJO0ss3wNaUS9OKg2cLb30O9GmQeyptNAhQp5NNZi71hr0XrK9cuzh37P76JeiVx2q53U7aYel\n XupqpLHrsARfRLcCJKLSMb1H+Pucmwu3cqqI/vOt9KgDNbCJESkAh6qhwX0j3TJnS4s8M3QdCc4\n Op9P+DEx9uMdTiOuMGDkuvS7hWdKWvOwE1tGY54zhq6NS647uDW2TmFOfY7suiNjBuNeKTr6oIa\n mkO5TbOuIvzpDHlBj20DF8HV+xKSyZzK8RRAieBj/G+AzdaUkPP8haQD6dZXjkNf3fRvkm5+4RB\n 6Zy3Gn4WcsECmTkNd/j1ZFCODVJ5E1aZZsFcIM5ap6IH9T0iz8yw50vvU+hdJ++GuD4biCRBeJK\n qLb1fcniWjR2LnkSJLNWrIawx/9qBNBJPhxXj3Pd45HDA=","X-Received":"by 2002:a05:600d:8408:b0:485:46fd:7887 with SMTP id\n 5b1f17b1804b1-488fb74c61fmr208836845e9.13.1776788794655;\n Tue, 21 Apr 2026 09:26:34 -0700 (PDT)","To":"buildroot@buildroot.org","Cc":"Giulio Benetti <giulio.benetti@benettiengineering.com>,\n thomas.perale@mind.be","Date":"Tue, 21 Apr 2026 18:26:17 +0200","Message-ID":"<20260421162617.2830354-1-titouan.christophe@mind.be>","X-Mailer":"git-send-email 2.53.0","MIME-Version":"1.0","X-Mailman-Original-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=mind.be; s=google; t=1776788795; x=1777393595; darn=buildroot.org;\n h=content-transfer-encoding:mime-version:message-id:date:subject:cc\n :to:from:from:to:cc:subject:date:message-id:reply-to;\n bh=RCa9a4sBgAw4KOtvGNUOpgQUi17EEef84SejZsjMEoM=;\n b=USGayXzHmQAAJBYz5qPA1p6IlwGP73gVwLG7X2GkTK9zIoBBrFu7lnp1W50JcO1KdA\n qbqOOM9ijRq0STZ+aouw+ql+MpLU8UUUN4DFneInBwQttHgaGmGOxaaAd/10sreYFxHh\n Hnkm5ng69TsrSPlz+YduXobMF8X9RYY9QpJms2p1E2wNh9Ft4x03M2ur7dz1J/esJ5DM\n DfksD1/x4PvO5MWxtjlCrBg8UsIR3aMZQep5AyLpuBCIEEpw2kBKN6G4h38krl0anPIt\n 9krE7AqaW6/2ZmpwsnrPpKe4zaoxV+INxquYTtRr9e/rKic1oaAWq/UDvK/PN8t5hB9R\n YlwQ==","X-Mailman-Original-Authentication-Results":["smtp1.osuosl.org;\n dmarc=pass (p=quarantine dis=none)\n header.from=mind.be","smtp1.osuosl.org;\n dkim=pass (2048-bit key) header.d=mind.be header.i=@mind.be\n header.a=rsa-sha256 header.s=google header.b=USGayXzH"],"Subject":"[Buildroot] [PATCH for 2025.02.x] package/dash: add patch for\n CVE-2026-31323","X-BeenThere":"buildroot@buildroot.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Discussion and development of buildroot <buildroot.buildroot.org>","List-Unsubscribe":"<https://lists.buildroot.org/mailman/options/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=unsubscribe>","List-Archive":"<http://lists.buildroot.org/pipermail/buildroot/>","List-Post":"<mailto:buildroot@buildroot.org>","List-Help":"<mailto:buildroot-request@buildroot.org?subject=help>","List-Subscribe":"<https://lists.buildroot.org/mailman/listinfo/buildroot>,\n <mailto:buildroot-request@buildroot.org?subject=subscribe>","From":"Titouan Christophe via buildroot <buildroot@buildroot.org>","Reply-To":"Titouan Christophe <titouan.christophe@mind.be>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"buildroot-bounces@buildroot.org","Sender":"\"buildroot\" <buildroot-bounces@buildroot.org>"},"content":"The vulnerability description is not disclosed yet.\n\nSigned-off-by: Titouan Christophe <titouan.christophe@mind.be>\n---\n package/dash/0002-fix-CVE-2026-31323.patch | 42 ++++++++++++++++++++++\n package/dash/dash.mk                       |  3 ++\n 2 files changed, 45 insertions(+)\n create mode 100644 package/dash/0002-fix-CVE-2026-31323.patch","diff":"diff --git a/package/dash/0002-fix-CVE-2026-31323.patch b/package/dash/0002-fix-CVE-2026-31323.patch\nnew file mode 100644\nindex 0000000000..5c92119db5\n--- /dev/null\n+++ b/package/dash/0002-fix-CVE-2026-31323.patch\n@@ -0,0 +1,42 @@\n+From 0034bfe185d3d875cebace8cb3ca5c9dabf9e0f3 Mon Sep 17 00:00:00 2001\n+From: Muchen Hou <996029583@qq.com>\n+Date: Mon, 13 Apr 2026 10:28:29 +0800\n+Subject: arith: Fix CVE-2026-31323 INTMAX_MIN / -1 overflow\n+\n+Division and remainder currently guard against division by zero, but not\n+against the signed overflow case INTMAX_MIN / -1. On affected systems\n+this can trigger SIGFPE during arithmetic expansion.\n+\n+Add an explicit guard before evaluating division or remainder.\n+\n+Signed-off-by: Muchen Hou <996029583@qq.com>\n+\n+Merge the overflow check with the zero division check.\n+\n+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>\n+\n+CVE: CVE-2026-31323\n+Upstream: https://git.kernel.org/pub/scm/utils/dash/dash.git/commit/?h=601bc50bfc2858ab7a9ec327fe4e33a9c4877759&id=0034bfe185d3d875cebace8cb3ca5c9dabf9e0f3\n+Signed-off-by: Titouan Christophe <titouan.christophe@mind.be>\n+---\n+ src/arith_yacc.c | 4 ++--\n+ 1 file changed, 2 insertions(+), 2 deletions(-)\n+\n+diff --git a/src/arith_yacc.c b/src/arith_yacc.c\n+index 1a087c3..b978ef0 100644\n+--- a/src/arith_yacc.c\n++++ b/src/arith_yacc.c\n+@@ -98,8 +98,8 @@ static intmax_t do_binop(int op, intmax_t a, intmax_t b)\n+ \tdefault:\n+ \tcase ARITH_REM:\n+ \tcase ARITH_DIV:\n+-\t\tif (!b)\n+-\t\t\tyyerror(\"division by zero\");\n++\t\tif (!b || (a == INTMAX_MIN && b == -1))\n++\t\t\tyyerror(\"division error\");\n+ \t\treturn op == ARITH_REM ? a % b : a / b;\n+ \tcase ARITH_MUL:\n+ \t\treturn a * b;\n+-- \n+cgit 1.3-korg\n+\ndiff --git a/package/dash/dash.mk b/package/dash/dash.mk\nindex 0993cb99a6..a5455d8ea9 100644\n--- a/package/dash/dash.mk\n+++ b/package/dash/dash.mk\n@@ -13,6 +13,9 @@ DASH_AUTORECONF = YES\n \n DASH_CPE_ID_VENDOR = dash\n \n+# 0002-fix-CVE-2026-31323.patch\n+DASH_IGNORE_CVES += CVE-2026-31323\n+\n # dash does not build in parallel\n DASH_MAKE = $(MAKE1)\n \n","prefixes":["for","2025.02.x"]}