From a81593c6946e074fc9abc79e385e7b7567448d28 Mon Sep 17 00:00:00 2001
From: yanglongkang
Date: Mon, 8 Dec 2025 14:53:57 +0800
Subject: [PATCH] backport upstream patches
---
...base32-and-base64-inputs-when-decodi.patch | 224 ++++++++++++++++++
...stripping-of-chars-in-some-encodings.patch | 43 ++++
...-chcon-fix-memory-leak-in-error-path.patch | 31 +++
...-numfmt-fix-buffer-over-read-CWE-126.patch | 72 ++++++
...ex-fix-parse_bracket_exp-double-free.patch | 38 +++
...rate-with-large-integer-start-values.patch | 71 ++++++
...x-heap-buffer-overflow-with-tabs-NUM.patch | 90 +++++++
coreutils.spec | 12 +-
8 files changed, 580 insertions(+), 1 deletion(-)
create mode 100644 backport-basenc-auto-pad-base32-and-base64-inputs-when-decodi.patch
create mode 100644 backport-basenc-fix-stripping-of-chars-in-some-encodings.patch
create mode 100644 backport-chcon-fix-memory-leak-in-error-path.patch
create mode 100644 backport-numfmt-fix-buffer-over-read-CWE-126.patch
create mode 100644 backport-regex-fix-parse_bracket_exp-double-free.patch
create mode 100644 backport-seq-be-more-accurate-with-large-integer-start-values.patch
create mode 100644 backport-unexpand-fix-heap-buffer-overflow-with-tabs-NUM.patch
diff --git a/backport-basenc-auto-pad-base32-and-base64-inputs-when-decodi.patch b/backport-basenc-auto-pad-base32-and-base64-inputs-when-decodi.patch
new file mode 100644
index 0000000..4ef7f62
--- /dev/null
+++ b/backport-basenc-auto-pad-base32-and-base64-inputs-when-decodi.patch
@@ -0,0 +1,224 @@ +From 378dc38f48a0cbfde3f8002d5491cc96675c904f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?P=C3=A1draig=20Brady?= +Date: Thu, 5 Oct 2023 17:00:51 +0100 +Subject: [PATCH] basenc: auto pad base32 and base64 inputs when decoding + +Padding of encoded data is useful in cases where +base64 encoded data is concatenated / streamed. +I.e. where there are padding chars _within_ the stream. +In other cases padding is optional and can be inferred. +Note we continue to treat partial padding as invalid, +as that would be indicative of truncation. + +* src/basenc.c (do_decode): Auto pad the end of the input. +* NEWS: Mention the change in behavior. +* tests/misc/base64.pl: Adjust to not fail for missing padding. +Addresses https://bugs.gnu.org/66265 +--- + src/basenc.c | 62 +++++++++++++++++++++++++++++++++++++++++--- + tests/misc/base64.pl | 6 ++--- + 2 files changed, 60 insertions(+), 8 deletions(-) + +diff --git a/src/basenc.c b/src/basenc.c +index ce259c482..12021e900 100644 +--- a/src/basenc.c ++++ b/src/basenc.c +@@ -23,6 +23,7 @@ + #include + + #include "system.h" ++#include "assure.h" + #include "c-ctype.h" + #include "fadvise.h" + #include "quote.h" +@@ -172,10 +173,37 @@ from any other non-alphabet bytes in the encoded stream.\n"), + exit (status); + } + ++#if BASE_TYPE != 64 ++static int ++base32_required_padding (int len) ++{ ++ int partial = len % 8; ++ return partial ? 8 - partial : 0; ++} ++#endif ++ ++#if BASE_TYPE != 32 ++static int ++base64_required_padding (int len) ++{ ++ int partial = len % 4; ++ return partial ? 4 - partial : 0; ++} ++#endif ++ ++#if BASE_TYPE == 42 ++static int ++no_required_padding (int len) ++{ ++ return 0; ++} ++#endif ++ + #define ENC_BLOCKSIZE (1024 * 3 * 10) + + #if BASE_TYPE == 32 + # define BASE_LENGTH BASE32_LENGTH ++# define REQUIRED_PADDING base32_required_padding + /* Note that increasing this may decrease performance if --ignore-garbage + is used, because of the memmove operation below. 
*/ + # define DEC_BLOCKSIZE (1024 * 5) +@@ -191,6 +219,7 @@ static_assert (DEC_BLOCKSIZE % 40 == 0); /* Complete encoded blocks are used. */ + # define isbase isbase32 + #elif BASE_TYPE == 64 + # define BASE_LENGTH BASE64_LENGTH ++# define REQUIRED_PADDING base64_required_padding + /* Note that increasing this may decrease performance if --ignore-garbage + is used, because of the memmove operation below. */ + # define DEC_BLOCKSIZE (1024 * 3) +@@ -208,6 +237,7 @@ static_assert (DEC_BLOCKSIZE % 12 == 0); /* Complete encoded blocks are used. */ + + + # define BASE_LENGTH base_length ++# define REQUIRED_PADDING required_padding + + /* Note that increasing this may decrease performance if --ignore-garbage + is used, because of the memmove operation below. */ +@@ -216,6 +246,7 @@ static_assert (DEC_BLOCKSIZE % 40 == 0); /* complete encoded blocks for base32*/ + static_assert (DEC_BLOCKSIZE % 12 == 0); /* complete encoded blocks for base64*/ + + static int (*base_length) (int i); ++static int (*required_padding) (int i); + static bool (*isbase) (char ch); + static void (*base_encode) (char const *restrict in, idx_t inlen, + char *restrict out, idx_t outlen); +@@ -486,7 +517,6 @@ base32hex_decode_ctx_wrapper (struct base_decode_context *ctx, + return b; + } + +- + static bool + isbase16 (char ch) + { +@@ -1011,6 +1041,7 @@ do_decode (FILE *in, char const *infile, FILE *out, bool ignore_garbage) + idx_t sum; + struct base_decode_context ctx; + ++ char padbuf[8] = "========"; + inbuf = xmalloc (BASE_LENGTH (DEC_BLOCKSIZE)); + outbuf = xmalloc (DEC_BLOCKSIZE); + +@@ -1053,10 +1084,25 @@ do_decode (FILE *in, char const *infile, FILE *out, bool ignore_garbage) + telling it to flush what is in CTX. */ + for (int k = 0; k < 1 + !!feof (in); k++) + { +- if (k == 1 && ctx.i == 0) +- break; ++ if (k == 1) ++ { ++ if (ctx.i == 0) ++ break; ++ ++ /* auto pad input (at eof). 
*/ ++ idx_t auto_padding = REQUIRED_PADDING (ctx.i); ++ if (auto_padding && (sum == 0 || inbuf[sum - 1] != '=')) ++ { ++ affirm (auto_padding <= sizeof (padbuf)); ++ IF_LINT (free (inbuf)); ++ sum = auto_padding; ++ inbuf = padbuf; ++ } ++ else ++ sum = 0; /* process ctx buffer only */ ++ } + idx_t n = DEC_BLOCKSIZE; +- ok = base_decode_ctx (&ctx, inbuf, (k == 0 ? sum : 0), outbuf, &n); ++ ok = base_decode_ctx (&ctx, inbuf, sum, outbuf, &n); + + if (fwrite (outbuf, 1, n, out) < n) + write_error (); +@@ -1145,6 +1191,7 @@ main (int argc, char **argv) + { + case BASE64_OPTION: + base_length = base64_length_wrapper; ++ required_padding = base64_required_padding; + isbase = isbase64; + base_encode = base64_encode; + base_decode_ctx_init = base64_decode_ctx_init_wrapper; +@@ -1153,6 +1200,7 @@ main (int argc, char **argv) + + case BASE64URL_OPTION: + base_length = base64_length_wrapper; ++ required_padding = base64_required_padding; + isbase = isbase64url; + base_encode = base64url_encode; + base_decode_ctx_init = base64url_decode_ctx_init_wrapper; +@@ -1161,6 +1209,7 @@ main (int argc, char **argv) + + case BASE32_OPTION: + base_length = base32_length_wrapper; ++ required_padding = base32_required_padding; + isbase = isbase32; + base_encode = base32_encode; + base_decode_ctx_init = base32_decode_ctx_init_wrapper; +@@ -1169,6 +1218,7 @@ main (int argc, char **argv) + + case BASE32HEX_OPTION: + base_length = base32_length_wrapper; ++ required_padding = base32_required_padding; + isbase = isbase32hex; + base_encode = base32hex_encode; + base_decode_ctx_init = base32hex_decode_ctx_init_wrapper; +@@ -1177,6 +1227,7 @@ main (int argc, char **argv) + + case BASE16_OPTION: + base_length = base16_length; ++ required_padding = no_required_padding; + isbase = isbase16; + base_encode = base16_encode; + base_decode_ctx_init = base16_decode_ctx_init; +@@ -1185,6 +1236,7 @@ main (int argc, char **argv) + + case BASE2MSBF_OPTION: + base_length = base2_length; ++ required_padding = 
no_required_padding; + isbase = isbase2; + base_encode = base2msbf_encode; + base_decode_ctx_init = base2_decode_ctx_init; +@@ -1193,6 +1245,7 @@ main (int argc, char **argv) + + case BASE2LSBF_OPTION: + base_length = base2_length; ++ required_padding = no_required_padding; + isbase = isbase2; + base_encode = base2lsbf_encode; + base_decode_ctx_init = base2_decode_ctx_init; +@@ -1201,6 +1254,7 @@ main (int argc, char **argv) + + case Z85_OPTION: + base_length = z85_length; ++ required_padding = no_required_padding; + isbase = isz85; + base_encode = z85_encode; + base_decode_ctx_init = z85_decode_ctx_init; +diff --git a/tests/misc/base64.pl b/tests/misc/base64.pl +index 63e6c6b44..40c6c3d07 100755 +--- a/tests/misc/base64.pl ++++ b/tests/misc/base64.pl +@@ -124,10 +124,8 @@ sub gen_tests($) + push @Tests, ( + ['baddecode', '--decode', {IN=>'a'}, {OUT=>""}, + {ERR_SUBST => 's/.*: invalid input//'}, {ERR => "\n"}, {EXIT => 1}], +- ['baddecode2', '--decode', {IN=>'ab'}, {OUT=>"i"}, +- {ERR_SUBST => 's/.*: invalid input//'}, {ERR => "\n"}, {EXIT => 1}], +- ['baddecode3', '--decode', {IN=>'Zzz'}, {OUT=>"g<"}, +- {ERR_SUBST => 's/.*: invalid input//'}, {ERR => "\n"}, {EXIT => 1}], ++ ['paddecode2', '--decode', {IN=>'ab'}, {OUT=>"i"}], ++ ['paddecode3', '--decode', {IN=>'Zzz'}, {OUT=>"g<"}], + ['baddecode4', '--decode', {IN=>'Zz='}, {OUT=>"g"}, + {ERR_SUBST => 's/.*: invalid input//'}, {ERR => "\n"}, {EXIT => 1}], + ['baddecode5', '--decode', {IN=>'Z==='}, {OUT=>""}, +-- +2.43.0 + diff --git a/backport-basenc-fix-stripping-of-chars-in-some-encodings.patch b/backport-basenc-fix-stripping-of-chars-in-some-encodings.patch new file mode 100644 index 0000000..db55cc8 --- /dev/null +++ b/backport-basenc-fix-stripping-of-chars-in-some-encodings.patch 
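Review bot: In the `k == 1` branch of do_decode, `inbuf = padbuf;` rebinds the pointer that owns the xmalloc'd input buffer to an 8-byte stack array, and the heap block is released only under `IF_LINT`. That is safe only while nothing after this loop frees or refills `inbuf`; the rest of do_decode is outside the hunk, so this should be confirmed against the 9.4 tree the patch is applied to. A separate read pointer avoids the aliasing: `char const *src = inbuf;` before the `k == 1` test, `src = padbuf;` in place of the reassignment, and `base_decode_ctx (&ctx, src, sum, outbuf, &n)`. `padbuf` also has no terminating NUL, so a comment that it is only ever passed with an explicit length would help. The changelog entry could also record that unpadded input such as 'ab' now decodes with exit status 0, since callers may have relied on the previous failure to detect truncated data.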
@@ -0,0 +1,43 @@ +From c480428e3767cac53dcafa29b03ce31e0da1efc9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?P=C3=A1draig=20Brady?= +Date: Thu, 7 Aug 2025 20:39:24 +0100 +Subject: [PATCH] basenc: fix stripping of '=' chars in some encodings + +* src/basenc.c (do_decode): With -i ensure we strip '=' chars +if there is no padding for the chosen encoding. +* tests/basenc/basenc.pl: Add a test case. +* NEWS: Mention the bug fix. +--- + src/basenc.c | 3 ++- + tests/misc/basenc.pl | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/basenc.c b/src/basenc.c +index c445e6f41..4993c0025 100644 +--- a/src/basenc.c ++++ b/src/basenc.c +@@ -1159,7 +1159,8 @@ do_decode (FILE *in, char const *infile, FILE *out, bool ignore_garbage) + { + for (idx_t i = 0; n > 0 && i < n;) + { +- if (isbase (inbuf[sum + i]) || inbuf[sum + i] == '=') ++ if (isbase (inbuf[sum + i]) ++ || (REQUIRED_PADDING (1) && inbuf[sum + i] == '=')) + i++; + else + memmove (inbuf + sum + i, inbuf + sum + i + 1, --n - i); +diff --git a/tests/misc/basenc.pl b/tests/misc/basenc.pl +index c598d29e5..94f6c2b32 100755 +--- a/tests/misc/basenc.pl ++++ b/tests/misc/basenc.pl +@@ -168,6 +168,7 @@ my @Tests = + ['b2m_2', '--base2m -d', {IN=>'11000001'}, {OUT=>"\xC1"}], + ['b2m_3', '--base2m -d', {IN=>"110\n00001"}, {OUT=>"\xC1"}], + ['b2m_4', '--base2m -di', {IN=>"110x00001"}, {OUT=>"\xC1"}], ++ ['b2m_4p', '--base2m -di', {IN=>"=11000001="}, {OUT=>"\xC1"}], + ['b2m_5', '--base2m -d', {IN=>"110x00001"}, {EXIT=>1}, + {ERR=>"$prog: invalid input\n"}], + ['b2m_6', '--base2m -d', {IN=>"11000001x"}, {OUT=>"\xC1"}, {EXIT=>1}, +-- +2.43.0 + diff --git a/backport-chcon-fix-memory-leak-in-error-path.patch b/backport-chcon-fix-memory-leak-in-error-path.patch new file mode 100644 index 0000000..3f90d1b --- /dev/null +++ b/backport-chcon-fix-memory-leak-in-error-path.patch 
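Review bot: `REQUIRED_PADDING (1)` is used in the -i filter loop as a yes/no test for "this encoding has padding", which is not obvious from the name and is re-evaluated for each byte that is not in the alphabet; where REQUIRED_PADDING maps to the `required_padding` function pointer, that is an indirect call per such byte. Computing it once before the loop reads better: `bool const uses_padding = REQUIRED_PADDING (1) != 0;` and then `|| (uses_padding && inbuf[sum + i] == '=')`. A short comment such as `/* '=' is only kept for encodings that pad.  */` would record why '=' is now stripped for the others. The loop sits inside do_decode, which starts and ends outside the hunk.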
@@ -0,0 +1,31 @@ +From cc38da00ef98f270e263dfe3188b2035f9b27c8a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?P=C3=A1draig=20Brady?= +Date: Sat, 8 Nov 2025 10:32:14 +0000 +Subject: [PATCH] chcon: fix memory leak in error path + +* src/chcon.c (change_file_context): If compute_context_from_mask fails, +free the previously allocated file_context. +Fixes https://bugs.gnu.org/79780 +--- + src/chcon.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/chcon.c b/src/chcon.c +index f118820cc..5f13c7d75 100644 +--- a/src/chcon.c ++++ b/src/chcon.c +@@ -168,7 +168,10 @@ change_file_context (int fd, char const *file) + } + + if (compute_context_from_mask (file_context, &context)) +- return 1; ++ { ++ freecon (file_context); ++ return 1; ++ } + + context_string = context_str (context); + } +-- +2.43.0 + diff --git a/backport-numfmt-fix-buffer-over-read-CWE-126.patch b/backport-numfmt-fix-buffer-over-read-CWE-126.patch new file mode 100644 index 0000000..9981b39 --- /dev/null +++ b/backport-numfmt-fix-buffer-over-read-CWE-126.patch 
@@ -0,0 +1,72 @@ +From b880b02c44e9e3e8467a6247b9592ffb9c71ee44 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?P=C3=A1draig=20Brady?= +Date: Sat, 11 Oct 2025 12:19:34 +0100 +Subject: [PATCH] numfmt: fix buffer over-read (CWE-126) + +* src/numfmt.c (simple_strtod_human): Check for NULL after pointer +adjustment to avoid Out-of-range pointer offset (CWE-823). +* NEWS: Mention the fix. +--- + src/numfmt.c | 11 ++++++++--- + tests/misc/numfmt.pl | 1 + + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/src/numfmt.c b/src/numfmt.c +index 4f72facb9..0cc12689e 100644 +--- a/src/numfmt.c ++++ b/src/numfmt.c +@@ -641,7 +641,7 @@ simple_strtod_human (char const *input_str, + devmsg (" parsed numeric value: %Lf\n" + " input precision = %d\n", *value, (int)*precision); + +- if (**endptr != '\0') ++ while (**endptr) + { + /* process suffix. */ + +@@ -649,6 +649,9 @@ simple_strtod_human (char const *input_str, + while (isblank (to_uchar (**endptr))) + (*endptr)++; + ++ if (**endptr == '\0') ++ break; /* Treat as no suffix. */ ++ + if (!valid_suffix (**endptr)) + return SSE_INVALID_SUFFIX; + +@@ -661,9 +664,9 @@ simple_strtod_human (char const *input_str, + if (allowed_scaling == scale_auto && **endptr == 'i') + { + /* auto-scaling enabled, and the first suffix character +- is followed by an 'i' (e.g. Ki, Mi, Gi). */ ++ is followed by an 'i' (e.g. Ki, Mi, Gi). */ + scale_base = 1024; +- (*endptr)++; /* skip second ('i') suffix character. */ ++ (*endptr)++; /* skip 'i' in suffix. */ + devmsg (" Auto-scaling, found 'i', switching to base %d\n", + scale_base); + } +@@ -676,6 +679,8 @@ simple_strtod_human (char const *input_str, + } + + *precision = 0; /* Reset, to select precision based on scale. 
*/ ++ ++ break; + } + + long double multiplier = powerld (scale_base, power); +diff --git a/tests/misc/numfmt.pl b/tests/misc/numfmt.pl +index 051db785c..4dd9718c9 100755 +--- a/tests/misc/numfmt.pl ++++ b/tests/misc/numfmt.pl +@@ -163,6 +163,7 @@ my @Tests = + # space(s) between number and suffix. Note only field 1 is used + # by default so specify the NUL delimiter to consider the whole "line". + ['suf-19', "-d '' --from=si '4.0 K'", {OUT => "4000"}], ++ ['suf-21', "-d '' --from=si '4 '", {OUT => "4"}], + + ## GROUPING + +-- +2.43.0 + diff --git a/backport-regex-fix-parse_bracket_exp-double-free.patch b/backport-regex-fix-parse_bracket_exp-double-free.patch new file mode 100644 index 0000000..7eda161 --- /dev/null +++ b/backport-regex-fix-parse_bracket_exp-double-free.patch @@ -0,0 +1,38 @@ +From 15f56173578d0b2169794e40097dd9e04ae83f6f Mon Sep 17 00:00:00 2001 +From: Paul Eggert +Date: Thu, 26 Jun 2025 10:54:14 -0700 +Subject: [PATCH] regex: fix parse_bracket_exp double-free + +Problem reported by Anastasia Belova in: +https://sourceware.org/pipermail/libc-alpha/2025-June/168231.html +* lib/regcomp.c (parse_bracket_exp): Avoid double-free +when storage allocation fails in create_token_tree. +--- + lib/regcomp.c | 4 +++- + 1 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/lib/regcomp.c b/lib/regcomp.c +index 41157e5c3a..878b65baf0 100644 +--- a/lib/regcomp.c ++++ b/lib/regcomp.c +@@ -3280,6 +3280,7 @@ parse_bracket_exp (re_string_t *regexp, re_dfa_t *dfa, re_token_t *token, + else + { + free_charset (mbcset); ++ mbcset = NULL; + /* Build a tree for simple bracket. */ + br_token.type = SIMPLE_BRACKET; + br_token.opr.sbcset = sbcset; +@@ -3293,7 +3294,8 @@ parse_bracket_exp (re_string_t *regexp, re_dfa_t *dfa, re_token_t *token, + *err = REG_ESPACE; + parse_bracket_exp_free_return: + re_free (sbcset); +- free_charset (mbcset); ++ if (__glibc_likely (mbcset != NULL)) ++ free_charset (mbcset); + return NULL; + } + +-- +2.43.0 + 
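Review bot: `while (**endptr)` in simple_strtod_human never runs a second iteration, because the body now ends in an unconditional `break;`; it is an `if` written as a loop so that the new no-suffix check can break out. That reads as a real loop at first glance and deserves a comment at the top, for example `/* Not a loop: 'while' only gives the no-suffix case a 'break' target.  */`. Going by the commit message, the new `if (**endptr == '\0') break;` after the blank skip is the check that stops the pointer from being advanced past the terminator, so its comment should say that rather than only "Treat as no suffix". The function body continues outside the hunk.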
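Review bot: The added `mbcset = NULL;` after `free_charset (mbcset);` has no comment, and the reason for it is only visible at the `parse_bracket_exp_free_return` label further down, which frees `mbcset` again. A one-line comment such as `/* Cleared so the error path below does not free it a second time.  */` would keep a later edit from removing it. `__glibc_likely` on the new guard is a branch hint on an allocation-failure path and adds nothing there; `if (mbcset != NULL)` says the same, though staying byte-identical to upstream is a fair reason to leave it. parse_bracket_exp starts outside the hunk.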
diff --git a/backport-seq-be-more-accurate-with-large-integer-start-values.patch b/backport-seq-be-more-accurate-with-large-integer-start-values.patch
new file mode 100644
index 0000000..19fdaec
--- /dev/null
+++ b/backport-seq-be-more-accurate-with-large-integer-start-values.patch
@@ -0,0 +1,71 @@ +From 701416709dcd5f0d6853ffe86086529afbd310b7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?P=C3=A1draig=20Brady?= +Date: Tue, 2 Sep 2025 16:35:52 +0100 +Subject: [PATCH] seq: be more accurate with large integer start values + +* src/seq.c (main): Avoid possibly innacurate conversion +to long double, for all digit start values. +* tests/seq/seq-long-double.sh: Add a test case. +* NEWS: Mention the improvement. +Fixes https://bugs.gnu.org/79369 +--- + src/seq.c | 8 ++++++-- + tests/seq/seq-long-double.sh | 9 ++++++++- + 2 files changed, 13 insertions(+), 4 deletions(-) + +diff --git a/src/seq.c b/src/seq.c +index ea9b7d8a4..59de49798 100644 +--- a/src/seq.c ++++ b/src/seq.c +@@ -628,6 +628,8 @@ main (int argc, char **argv) + usage (EXIT_FAILURE); + } + ++ char const *user_start = n_args == 1 ? "1" : argv[optind]; ++ + /* If the following hold: + - no format string, [FIXME: relax this, eventually] + - integer start (or no start) +@@ -648,7 +650,7 @@ main (int argc, char **argv) + && all_digits_p (argv[optind + 2]))) + && !equal_width && !format_str && strlen (separator) == 1) + { +- char const *s1 = n_args == 1 ? "1" : argv[optind]; ++ char const *s1 = user_start; + char const *s2 = argv[optind + (n_args - 1)]; + seq_fast (s1, s2, step.value); + +@@ -683,7 +685,9 @@ main (int argc, char **argv) + { + char *s1; + char *s2; +- if (asprintf (&s1, "%0.Lf", first.value) < 0) ++ if (all_digits_p (user_start)) ++ s1 = xstrdup (user_start); ++ else if (asprintf (&s1, "%0.Lf", first.value) < 0) + xalloc_die (); + if (! isfinite (last.value)) + s2 = xstrdup ("inf"); /* Ensure "inf" is used. 
*/ +diff --git a/tests/seq/seq-long-double.sh b/tests/seq/seq-long-double.sh +index 86f82d88b..eaf812d3b 100755 +--- a/tests/seq/seq-long-double.sh ++++ b/tests/seq/seq-long-double.sh +@@ -40,7 +40,14 @@ a=$INTMAX_MAX + b=$INTMAX_OFLOW + + seq $a $b > out || fail=1 +-printf "$a\n$b\n" > exp || fail=1 ++printf "$a\n$b\n" > exp || framework_failure_ ++compare exp out || fail=1 ++ ++# Test case fixed in v9.8 ++# I.e. All digit start, with non digits end ++a=18446744073709551617 ++seq $a inf | head -n1 > out || fail=1 ++printf "$a\n" > exp || framework_failure_ + compare exp out || fail=1 + + Exit $fail +-- +2.43.0 + diff --git a/backport-unexpand-fix-heap-buffer-overflow-with-tabs-NUM.patch b/backport-unexpand-fix-heap-buffer-overflow-with-tabs-NUM.patch new file mode 100644 index 0000000..dfbfb18 --- /dev/null +++ b/backport-unexpand-fix-heap-buffer-overflow-with-tabs-NUM.patch 
@@ -0,0 +1,90 @@ +From 75e3888bd3e6787f066f23b3c606d0e8f49fa5cc Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?P=C3=A1draig=20Brady?= +Date: Thu, 2 Oct 2025 12:24:20 +0100 +Subject: [PATCH] unexpand: fix heap buffer overflow with --tabs=[+/]NUM + +This avoids CWE-122: Heap-based Buffer Overflow +where we could write blank characters beyond +the allocated heap buffer. + +* src/expand-common.c (set_max_column_width): Refactor function from ... +(add_tab_stop): ... here. +(set_extend_size): Call new function. +(set_increment_size): Likewise. +* NEWS: Mention the bug fix. +Fixes https://bugs.gnu.org/79555 +--- + src/expand-common.c | 21 ++++++++++++++----- + tests/misc/unexpand.pl | 4 ++++ + 2 files changed, 19 insertions(+), 6 deletions(-) + +diff --git a/src/expand-common.c b/src/expand-common.c +index ca2ad4d67..14dd804f9 100644 +--- a/src/expand-common.c ++++ b/src/expand-common.c +@@ -69,6 +69,16 @@ static bool have_read_stdin = false; + int exit_status = EXIT_SUCCESS; + + ++static void ++set_max_column_width (uintmax_t width) ++{ ++ if (max_column_width < width) ++ { ++ if (SIZE_MAX < width) ++ error (EXIT_FAILURE, 0, _("tabs are too far apart")); ++ max_column_width = width; ++ } ++} + + /* Add tab stop TABVAL to the end of 'tab_list'. 
*/ + extern void +@@ -81,12 +91,7 @@ add_tab_stop (uintmax_t tabval) + tab_list = X2NREALLOC (tab_list, &n_tabs_allocated); + tab_list[first_free_tab++] = tabval; + +- if (max_column_width < column_width) +- { +- if (SIZE_MAX < column_width) +- error (EXIT_FAILURE, 0, _("tabs are too far apart")); +- max_column_width = column_width; +- } ++ set_max_column_width (column_width); + } + + static bool +@@ -103,6 +108,8 @@ set_extend_size (uintmax_t tabval) + } + extend_size = tabval; + ++ set_max_column_width (extend_size); ++ + return ok; + } + +@@ -120,6 +127,8 @@ set_increment_size (uintmax_t tabval) + } + increment_size = tabval; + ++ set_max_column_width (increment_size); ++ + return ok; + } + +diff --git a/tests/misc/unexpand.pl b/tests/misc/unexpand.pl +index 27d9c17b6..bb7469cae 100755 +--- a/tests/misc/unexpand.pl ++++ b/tests/misc/unexpand.pl +@@ -84,6 +84,10 @@ my @Tests = + ['blanks-12', '-t', '3,4', {IN=> "01 4\n"}, {OUT=> "01\t\t4\n"}], + ['blanks-13', '-t', '3,4', {IN=> "0 4\n"}, {OUT=> "0\t\t4\n"}], + ++ # These would overflow a heap buffer from v8.28 - v9.8 inclusive ++ ['blanks-ext1', '-t', '3,+6', {IN=> "\t "}, {OUT=> "\t\t"}], ++ ['blanks-ext2', '-t', '3,/9', {IN=> "\t "}, {OUT=> "\t\t"}], ++ + # POSIX says spaces should only follow tabs. Also a single + # trailing space is not converted to a tab, when before + # a field starting with non blanks +-- +2.43.0 diff --git a/coreutils.spec b/coreutils.spec index bcba597..cf7ddd6 100644 --- a/coreutils.spec +++ b/coreutils.spec @@ -1,6 +1,6 @@ Name: coreutils Version: 9.4 -Release: 20 +Release: 21 License: GPLv3+ Summary: A set of basic GNU tools commonly used in shell scripts Url: https://www.gnu.org/software/coreutils/ 
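Review bot: The new `set_max_column_width` has no header comment although the neighbouring `add_tab_stop` does, and it is now the single place that keeps `max_column_width` in step with every tab-size source. Suggested comment: `/* Raise max_column_width to WIDTH if it is larger; exit if WIDTH exceeds SIZE_MAX.  */`. In `set_extend_size` and `set_increment_size` the call is made even when `ok` is false, which looks harmless but could be noted. Whether the raw `extend_size`/`increment_size` value is a sufficient bound depends on how the callers size their buffer from `max_column_width`, which is not visible in this hunk, so the two `blanks-ext` tests are best run under AddressSanitizer when validating the backport.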
@@ -107,6 +107,13 @@ Patch92: backport-ls-update-comment.patch Patch93: backport-ls-fix-crash-with-context.patch Patch94: backport-ls-fix-crash-on-systems-with-SELinux-but-without-xat.patch Patch95: backport-ls-fix-crash-of-ls-Z-.-on-OpenBSD-s-dev-wd0a-disk.patch +Patch96: backport-basenc-auto-pad-base32-and-base64-inputs-when-decodi.patch +Patch97: backport-basenc-fix-stripping-of-chars-in-some-encodings.patch +Patch98: backport-chcon-fix-memory-leak-in-error-path.patch +Patch99: backport-numfmt-fix-buffer-over-read-CWE-126.patch +Patch100: backport-regex-fix-parse_bracket_exp-double-free.patch +Patch101: backport-seq-be-more-accurate-with-large-integer-start-values.patch +Patch102: backport-unexpand-fix-heap-buffer-overflow-with-tabs-NUM.patch Patch9001: coreutils-9.0-sw.patch Patch9002: 0001-add-chinese-translation.patch @@ -264,6 +271,9 @@ fi %{_mandir}/man*/* %changelog +* Mon Dec 08 2025 yanglongkang - 9.4-21 +- sync patches from community + * Tue Sep 02 2025 zhangshaoning - 9.4-20 - add chinese translation -- Gitee