busybox: CVE-2022-30065 patch

core/busybox/checksums

@@ -1,5 +1,6 @@
 611344ae01258592e84f6d85c917394dec1f21cd03a5075a62c3c012a368d15c
 1939646eddbd250c295aafc125ef19d5f916a143482bbb07764888ecbfa0ba26
+d398d7cf583fea0a2b1eb54bd276faa7492f6eacbe6c20eb9853ea30d0cfe7c6
 09c2f601fec4e5c10664c22f787dafb9424efe219bf826727c356da90dfd60d5
 8d84b1719dca2a751c09072c20cd782a3c47f119a68d35316f89d851daf67b88
 0f54301a73af461e8066bc805b48d991cfed513d08a2f036e015b19f97cb424a

core/busybox/patches/CVE-2022-30065.patch

@@ -0,0 +1,28 @@
+From 3c284dcb726ff6599d3b87fb366fb04411cf5595 Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Fri, 17 Jun 2022 09:52:11 +0000
+Subject: [PATCH 1/2] awk: fix use after free (CVE-2022-30065)
+
+fixes https://bugs.busybox.net/show_bug.cgi?id=14781
+
+Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
+---
+ editors/awk.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/editors/awk.c b/editors/awk.c
+index 079d0bde5..728ee8685 100644
+--- a/editors/awk.c
++++ b/editors/awk.c
+@@ -3128,6 +3128,9 @@ static var *evaluate(node *op, var *res)
+ 
+ 		case XC( OC_MOVE ):
+ 			debug_printf_eval("MOVE\n");
++			/* make sure that we never return a temp var */
++			if (L.v == TMPVAR0)
++				L.v = res;
+ 			/* if source is a temporary string, jusk relink it to dest */
+ 			if (R.v == TMPVAR1
+ 			 && !(R.v->type & VF_NUMBER)
+-- 
+2.36.1

core/busybox/sources

@@ -1,5 +1,6 @@
 https://git.busybox.net/busybox/snapshot/busybox-MAJOR_MINOR_PATCH.tar.bz2
 patches/CVE-2022-28391.patch patch
+patches/CVE-2022-30065.patch patch
 patches/adduser-no-setgid.patch patch
 patches/fsck-resolve-uuid.patch patch
 patches/modprobe-kernel-version.patch patch

core/busybox/version

@@ -1 +1 @@
-1.35.0 4
+1.35.0 5