From 165614f3dd42caa188f78b55e7723dad2900b2f4 Mon Sep 17 00:00:00 2001
From: Lubos Kardos
Date: Mon, 25 Apr 2016 15:48:15 +0200
Subject: [PATCH] - Fix sigsegv in stringFormat() - resolves: #1316903 - Fix reading rpmtd behind its size in formatValue() - resolves: #1316896
---
 rpm-4.13.0-rpmtd-out-of-bounds.patch | 27 ++++++++++++++++++++++
 rpm-4.13.0-stringFormat-sigsegv.patch | 33 +++++++++++++++++++++++++++
 rpm.spec | 8 ++++++-
 3 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 rpm-4.13.0-rpmtd-out-of-bounds.patch
 create mode 100644 rpm-4.13.0-stringFormat-sigsegv.patch
diff --git a/rpm-4.13.0-rpmtd-out-of-bounds.patch b/rpm-4.13.0-rpmtd-out-of-bounds.patch
new file mode 100644
index 0000000..9d3cad5
--- /dev/null
+++ b/rpm-4.13.0-rpmtd-out-of-bounds.patch
@@ -0,0 +1,27 @@
+From b722cf86200505b3e3fcbb2095c4ff61f1f5a2ab Mon Sep 17 00:00:00 2001
+From: Lubos Kardos
+Date: Mon, 25 Apr 2016 13:31:08 +0200
+Subject: [PATCH 1/2] Fix reading rpmtd behind its size in formatValue() (rhbz:1316896)
+
+When it is read from index higher than size of rpmtd, return "(none)".
+---
+ lib/headerfmt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/headerfmt.c b/lib/headerfmt.c
+index fb29d6f..f6fd707 100644
+--- a/lib/headerfmt.c
++++ b/lib/headerfmt.c
+@@ -623,7 +623,7 @@ static char * formatValue(headerSprintfArgs hsa, sprintfTag tag, int element)
+ char * t, * te;
+ rpmtd td;
+
+- if ((td = getData(hsa, tag->tag))) {
++ if ((td = getData(hsa, tag->tag)) && td->count > element) {
+ td->ix = element; /* Ick, use iterators instead */
+ val = tag->fmt(td);
+ } else {
+--
+1.9.3
+
diff --git a/rpm-4.13.0-stringFormat-sigsegv.patch b/rpm-4.13.0-stringFormat-sigsegv.patch
new file mode 100644
index 0000000..d2010d0
--- /dev/null
+++ b/rpm-4.13.0-stringFormat-sigsegv.patch
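Review bot: The new guard `td->count > element` in the inner headerfmt.c hunk compares an unsigned count with the `int` parameter `element`, so a negative `element` would be converted to a large unsigned value and slip past the check into `td->ix = element`. If every caller of formatValue() passes a non-negative index this is harmless, but the cheaper and self-documenting form is `element >= 0 && td->count > element`, or a one-line comment such as `/* element past td->count used to read beyond the array; treat as missing */` so the next reader knows why the guard exists. formatValue() begins and ends outside this hunk, so the `else` branch that produces "(none)" is not visible here.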
@@ -0,0 +1,33 @@
+From cddf43a56f19711866371f02f378dc4095b0fadd Mon Sep 17 00:00:00 2001
+From: Lubos Kardos
+Date: Mon, 25 Apr 2016 14:38:47 +0200
+Subject: [PATCH 2/2] Fix sigsegv in stringFormat() (rhbz:1316903)
+
+Just skip duping of NULL and return it. Returned NULL is handled in
+upper layer.
+---
+ lib/formats.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/lib/formats.c b/lib/formats.c
+index e3626ed..bad0b2d 100644
+--- a/lib/formats.c
++++ b/lib/formats.c
+@@ -44,9 +44,12 @@ static char * stringFormat(rpmtd td)
+ case RPM_NUMERIC_CLASS:
+ rasprintf(&val, "%" PRIu64, rpmtdGetNumber(td));
+ break;
+- case RPM_STRING_CLASS:
+- val = xstrdup(rpmtdGetString(td));
++ case RPM_STRING_CLASS: {
++ const char *str = rpmtdGetString(td);
++ if (str)
++ val = xstrdup(str);
+ break;
++ }
+ case RPM_BINARY_CLASS:
+ val = pgpHexStr(td->data, td->count);
+ break;
+--
+1.9.3
+
diff --git a/rpm.spec b/rpm.spec
index 8d405c2..65f0a69 100644
--- a/rpm.spec
+++ b/rpm.spec
@@ -27,7 +27,7 @@
 Summary: The RPM package management system
 Name: rpm
 Version: %{rpmver}
-Release: %{?snapver:0.%{snapver}.}16%{?dist}
+Release: %{?snapver:0.%{snapver}.}17%{?dist}
 Group: System Environment/Base
 Url: http://www.rpm.org/
 Source0: http://rpm.org/releases/rpm-4.12.x/%{name}-%{srcver}.tar.bz2
@@ -68,6 +68,8 @@ Patch110: rpm-4.12.0-Fix-Python3-import.patch
 Patch111: rpm-4.12.x-weakdeps-manpage.patch
 Patch112: rpm-4.12.0-fix-crash-on-corrupted.patch
 Patch113: rpm-4.12.0-unlimited-macro-expand.patch
+Patch114: rpm-4.13.0-rpmtd-out-of-bounds.patch
+Patch115: rpm-4.13.0-stringFormat-sigsegv.patch
 # These are not yet upstream
 Patch302: rpm-4.7.1-geode-i686.patch
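Review bot: The new `RPM_STRING_CLASS` case leaves `val` untouched when `rpmtdGetString()` returns NULL, so the fix only works if `val` was initialised to NULL before the switch, and that initialisation is outside this hunk (stringFormat() begins before it and its return is after it). The commit message states that a NULL return is handled by the caller, but nothing in the code says so; a comment on the guard, e.g. `/* NULL (no string at td->ix) is returned as-is; the caller renders it */`, would keep a later maintainer from "fixing" it into an empty string. Note the same out-of-range condition that produced the NULL here is what the companion rpm-4.13.0-rpmtd-out-of-bounds.patch now screens in formatValue(), so the two patches should be carried together.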
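Review bot: Patch114 and Patch115 are declared in the preamble, but no hunk in this commit touches %prep, so unless the spec applies patches with %autosetup (or an equivalent loop) the two fixes are listed yet never applied to the build. The %prep section is outside the shown hunks, so this needs confirming; if it uses explicit lines, add `%patch114 -p1` and `%patch115 -p1` after the existing `%patch113` line. A build that still reproduces rhbz 1316903 after this change would be the symptom.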
@@ -552,6 +554,10 @@ exit 0
 %doc doc/librpm/html/*
 %changelog
+* Mon Apr 25 2016 Lubos Kardos - 4.12.0.1-17
+- Fix sigsegv in stringFormat() (#1316903)
+- Fix reading rpmtd behind its size in formatValue() (#1316896)
+
 * Mon Feb 29 2016 Lubos Kardos - 4.12.0.1-16
 - Fix problems caused by the changes done in the previous version