From 04b11112f0ce26bc10857c764141cb61622f42d3 Mon Sep 17 00:00:00 2001
From: Funda Wang
Date: Mon, 12 May 2025 13:38:13 +0800
Subject: [PATCH] fix CVE-2021-33454, CVE-2021-33464, CVE-2023-29579

(cherry picked from commit 7aec1c83b4bfa6438582630d51dfd9ceaa9059b2)
---
 CVE-2021-33454.patch | 22 ++++++++++++++++++++++
 CVE-2021-33464.patch | 20 ++++++++++++++++++++
 CVE-2023-29579.patch | 22 ++++++++++++++++++++++
 yasm.spec | 19 +++++++++++++------
 4 files changed, 77 insertions(+), 6 deletions(-)
 create mode 100644 CVE-2021-33454.patch
 create mode 100644 CVE-2021-33464.patch
 create mode 100644 CVE-2023-29579.patch

diff --git a/CVE-2021-33454.patch b/CVE-2021-33454.patch
new file mode 100644
index 0000000..3ef4d25
--- /dev/null
+++ b/CVE-2021-33454.patch
@@ -0,0 +1,22 @@
+From 9defefae9fbcb6958cddbfa778c1ea8605da8b8b Mon Sep 17 00:00:00 2001
+From: dataisland
+Date: Fri, 22 Sep 2023 00:21:20 -0500
+Subject: [PATCH] Fix null-pointer-dereference in yasm_expr_get_intnum (#244)
+
+---
+ libyasm/expr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libyasm/expr.c b/libyasm/expr.c
+index 5b0c418b..09ae1121 100644
+--- a/libyasm/expr.c
++++ b/libyasm/expr.c
+@@ -1264,7 +1264,7 @@ yasm_expr_get_intnum(yasm_expr **ep, int calc_bc_dist)
+ {
+ *ep = yasm_expr_simplify(*ep, calc_bc_dist);
+
+- if ((*ep)->op == YASM_EXPR_IDENT && (*ep)->terms[0].type == YASM_EXPR_INT)
++ if (*ep && (*ep)->op == YASM_EXPR_IDENT && (*ep)->terms[0].type == YASM_EXPR_INT)
+ return (*ep)->terms[0].data.intn;
+ else
+ return (yasm_intnum *)NULL;
diff --git a/CVE-2021-33464.patch b/CVE-2021-33464.patch
new file mode 100644
index 0000000..e4e86e6
--- /dev/null
+++ b/CVE-2021-33464.patch
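Review bot: The added `*ep &&` guard stops yasm_expr_get_intnum from dereferencing NULL, but it leaves `*ep` set to NULL whenever yasm_expr_simplify returns NULL, and the double-pointer interface suggests callers keep using the expression afterwards (destroying, printing or re-simplifying it); those call sites are not visible here and are presumably still exposed. A comment at the assignment would make the new contract explicit, e.g. `/* yasm_expr_simplify may return NULL; *ep is then NULL and must not be dereferenced by the caller */`, and the patch description should say whether callers were audited. The function's signature line is outside the hunk.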
@@ -0,0 +1,20 @@
+Description: Handle file descriptors with nonexisting env names better.
+ Avoid writing past allocated memory.
+ This fixes CVE-2021-33464.
+Author: Petter Reinholdtsen
+Bug: https://github.com/yasm/yasm/issues/164
+Bug-Debian: https://bugs.debian.org/1016353
+Forwarded: https://github.com/yasm/yasm/issues/164
+Last-Update: 2025-04-30
+---
+--- yasm-1.3.0.orig/modules/preprocs/nasm/nasm-pp.c
++++ yasm-1.3.0/modules/preprocs/nasm/nasm-pp.c
+@@ -1815,7 +1815,7 @@ inc_fopen(char *file, char **newname)
+ error(ERR_WARNING, "environment variable `%s' does not exist",
+ p1+1);
+ *p2 = '%';
+- p1 = p2+1;
++ pb = p1 = p2+1;
+ continue;
+ }
+ /* need to expand */
diff --git a/CVE-2023-29579.patch b/CVE-2023-29579.patch
new file mode 100644
index 0000000..10b1073
--- /dev/null
+++ b/CVE-2023-29579.patch
@@ -0,0 +1,22 @@
+Description: Make sure CPU feature parsing use large enough string buffer.
+ Fixes CVE-2023-29579.
+Author: Petter Reinholdtsen
+Bug: https://github.com/yasm/yasm/issues/214
+Bug-Debian: https://bugs.debian.org/1035951
+Forwarded: https://github.com/yasm/yasm/issues/214
+Last-Update: 2025-04-30
+---
+--- yasm-1.3.0.orig/modules/arch/x86/x86arch.c
++++ yasm-1.3.0/modules/arch/x86/x86arch.c
+@@ -165,8 +165,9 @@ x86_dir_cpu(yasm_object *object, yasm_va
+ yasm_error_set(YASM_ERROR_SYNTAX,
+ N_("invalid argument to [%s]"), "CPU");
+ else {
+- char strcpu[16];
+- sprintf(strcpu, "%lu", yasm_intnum_get_uint(intcpu));
++ char strcpu[21]; /* 21 = ceil(log10(LONG_MAX)+1) */
++ assert(8*sizeof(unsigned long) <= 64);
++ snprintf(strcpu, sizeof(strcpu), "%lu", yasm_intnum_get_uint(intcpu));
+ yasm_x86__parse_cpu(arch_x86, strcpu, strlen(strcpu));
+ }
+ } else
diff --git a/yasm.spec b/yasm.spec
index 02654cc..78c0995 100644
--- a/yasm.spec
+++ b/yasm.spec
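Review bot: The one-token fix `pb = p1 = p2+1;` carries the whole CVE-2021-33464 repair, yet nothing in the code says what `pb` tracks or why the unexpanded-variable path must reset it, so the next edit to this loop can silently reintroduce the overflow; a comment at the line, such as `/* keep pb (copy cursor) in step with p1 so the later copy cannot run past the buffer */`, would pin the invariant — phrased as an assumption here, because inc_fopen's loop body and the declaration of `pb` are outside the hunk. The Description line also says "file descriptors" where the code is handling include file names with `%ENV%` references; consider rewording it before the patch is carried downstream.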
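Review bot: `assert(8*sizeof(unsigned long) <= 64);` is a runtime check that vanishes under NDEBUG and requires <assert.h>, which the hunk does not add (whether x86arch.c already includes it cannot be seen here), and the comment beside the buffer cites LONG_MAX although `%lu` prints an unsigned long, whose 64-bit maximum is 20 digits plus the terminator — that is where 21 actually comes from. Now that snprintf is bounded, a truncation check does the same job independent of build flags: `int n = snprintf(strcpu, sizeof(strcpu), "%lu", yasm_intnum_get_uint(intcpu));` followed by `if (n < 0 || (size_t)n >= sizeof(strcpu)) { /* reuse the yasm_error_set(YASM_ERROR_SYNTAX, ...) above */ }` before the yasm_x86__parse_cpu call, with the comment reworded to `/* ULONG_MAX on 64-bit is 20 digits, plus NUL */`. x86_dir_cpu's surrounding body is outside the hunk.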
@@ -1,14 +1,19 @@
 Name: yasm
 Version: 1.3.0
-Release: 12
+Release: 13
 Summary: NASM assembler
-License: BSD
-URL: http://yasm.tortall.net/
-Source0: http://www.tortall.net/projects/yasm/releases/yasm-1.3.0.tar.gz
+License: BSD-2-Clause AND BSD-3-Clause AND (GPL-1.0-or-later AND GPL-2.0-or-later OR Artistic-1.0-Perl OR LGPL-2.0-or-later)
+URL: https://yasm.tortall.net/
+Source0: https://www.tortall.net/projects/yasm/releases/yasm-1.3.0.tar.gz
 Patch1: yasm-1.3.0-sw.patch
 Patch2: CVE-2023-37732.patch
 Patch3: CVE-2023-31975.patch
+Patch4: CVE-2021-33454.patch
+# from debian
+Patch5: CVE-2021-33464.patch
+# from debian
+Patch6: CVE-2023-29579.patch
 BuildRequires: gcc bison byacc gettext-devel xmlto
 Provides: bundled(md5-plumb)
@@ -34,7 +39,6 @@ The package contains the libraries and headers necessary for the yasm Modular As
 %make_build
 %install
-rm -rf %{buildroot}
 %make_install
 %files
@@ -47,9 +51,12 @@ rm -rf %{buildroot}
 %{_libdir}/libyasm.a
 %files help
-%{_mandir}/*
+%{_mandir}/man?/*
 %changelog
+* Mon May 12 2025 Funda Wang - 1.3.0-13
+- fix CVE-2021-33454, CVE-2021-33464, CVE-2023-29579
+
 * Tue Aug 15 2023 liningjie - 1.3.0-12
 - fix CVE-2023-31975
-- Gitee
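Review bot: The new License tag's parenthesized group mixes AND and OR without inner grouping: `(GPL-1.0-or-later AND GPL-2.0-or-later OR Artistic-1.0-Perl OR LGPL-2.0-or-later)`. SPDX gives AND higher precedence than OR, so this reads as "(GPL-1.0+ AND GPL-2.0+) OR Artistic OR LGPL", which may not be what the bundled components' licensing intends; add explicit parentheses that spell out the intended meaning. Separately, Patch4 has no provenance comment while Patch5 and Patch6 carry `# from debian`; the patch file itself names upstream commit 9defefae (yasm/yasm#244), so a line like `# from upstream, yasm/yasm#244` above Patch4 would keep the three entries consistent. The %prep section that applies these patches is outside the hunk.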