Random memory override

Resolves: rhbz#2180445

0002-check-cjose_get_alloc.patch

@@ -0,0 +1,25 @@
+commit 54d449473b21e93805070264791e80f84f601b4d
+Author: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
+Date:   Tue Apr 5 20:51:20 2022 +0200
+
+    check result of cek = cjose_get_alloc()(cek_len) in jwe.c
+    
+    see: https://github.com/cisco/cjose/issues/110
+    
+    Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
+
+diff --git a/src/jwe.c b/src/jwe.c
+index 4285097..157ddec 100644
+--- a/src/jwe.c
++++ b/src/jwe.c
+@@ -2064,6 +2064,10 @@ uint8_t *cjose_jwe_decrypt_multi(cjose_jwe_t *jwe, cjose_key_locator key_locator
+         {
+             cek_len = jwe->cek_len;
+             cek = cjose_get_alloc()(cek_len);
++            if (!cek) {
++               CJOSE_ERROR(err, CJOSE_ERR_NO_MEMORY);
++               return NULL;
++            }
+             memcpy(cek, jwe->cek, cek_len);
+         }
+         else

cjose.spec

@@ -1,6 +1,6 @@
 Name:           cjose
 Version:        0.6.1
-Release:        12%{?dist}
+Release:        13%{?dist}
 Summary:        C library implementing the Javascript Object Signing and Encryption (JOSE)
 
 License:        MIT
@@ -9,6 +9,7 @@ Source0:  	https://github.com/cisco/%{name}/archive/%{version}/%{name}-%{version
 
 Patch1: concatkdf.patch
 Patch2: 0001-Define-OPENSSL_API_COMPAT-to-0x10101000L.patch
+Patch3: 0002-check-cjose_get_alloc.patch
 
 BuildRequires:  gcc
 BuildRequires:  doxygen
@@ -64,6 +65,10 @@ make check || (cat test/test-suite.log; exit 1)
 
 
 %changelog
+* Tue Mar 21 2023 <thalman@redhat.com> - 0.6.1-13
+- Random memory override
+  Resolves: rhbz#2180445
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.6.1-12
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
   Related: rhbz#1991688