Fix buffer overrun on rpmdb queries involving ^ in version

2022-09-07 10:44:44 +03:00 · 2022-09-07 10:44:44 +03:00 · 56a300ba62
parent 480384be6c
commit 56a300ba62
2 changed files with 33 additions and 1 deletions
--- a/0001-Fix-buffer-overrun-from-commit-4420c78beb86cc6739227.patch
+++ b/0001-Fix-buffer-overrun-from-commit-4420c78beb86cc6739227.patch
@ -0,0 +1,28 @@
+From 19d73f67883c011cc74326a5dc34f7009efa60e1 Mon Sep 17 00:00:00 2001
+Message-Id: <19d73f67883c011cc74326a5dc34f7009efa60e1.1662536462.git.pmatilai@redhat.com>
+From: Panu Matilainen <pmatilai@redhat.com>
+Date: Tue, 6 Sep 2022 13:15:44 +0300
+Subject: [PATCH] Fix buffer overrun from commit
+ 4420c78beb86cc67392274bf351478a3375626a2
+
+The newly handled ^ needs to be accounted for when allocating memory.
+Found when testing #1936, goes to show what a useful thing that is.
+---
+ lib/rpmdb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/lib/rpmdb.c b/lib/rpmdb.c
+index fd2b0671a..b3c5da62d 100644
+--- a/lib/rpmdb.c
+++ b/lib/rpmdb.c
+@@ -1107,6 +1107,7 @@ static char * mireDup(rpmTagVal tag, rpmMireMode *modep,
+ 	    case '.':
+ 	    case '+':
+ 	    case '*':
+	    case '^':
+ 		if (!brackets) nb++;
+ 		break;
+ 	    case '\\':
+-- 
+2.37.3
+
--- a/rpm.spec
+++ b/rpm.spec
@ -30,7 +30,7 @@

 %global rpmver 4.18.0
 %global snapver rc1
-%global baserelease 2
+%global baserelease 3
 %global sover 9

 %global srcver %{rpmver}%{?snapver:-%{snapver}}
@ -56,6 +56,7 @@ Patch1: rpm-4.17.x-siteconfig.patch
 Patch3: rpm-4.9.90-no-man-dirs.patch

 # Patches already upstream:
+Patch100: 0001-Fix-buffer-overrun-from-commit-4420c78beb86cc6739227.patch

 # These are not yet upstream
 Patch906: rpm-4.7.1-geode-i686.patch
@ -610,6 +611,9 @@ fi
 %doc docs/librpm/html/*

 %changelog
+* Wed Sep 07 2022 Panu Matilainen <pmatilai@redhat.com> - 4.18.0-0.rc1.3
+- Fix buffer overrun on rpmdb queries involving ^ in version
+
 * Wed Sep 07 2022 Panu Matilainen <pmatilai@redhat.com> - 4.18.0-0.rc1.2
 - Break selinux-policy <-> rpm-plugin-selinux ordering loop (#1851266)