diff --git a/SOURCES/0001-Plug-memory-leak-that-happens-upon-error.patch b/SOURCES/0001-Plug-memory-leak-that-happens-upon-error.patch new file mode 100644 index 0000000..c16e241 --- /dev/null +++ b/SOURCES/0001-Plug-memory-leak-that-happens-upon-error.patch @@ -0,0 +1,52 @@ +From e9caa2e14eda732d718691a6c4e61d2623adc068 Mon Sep 17 00:00:00 2001 +From: Sebastian Rasmussen +Date: Mon, 12 Feb 2024 14:46:22 +0800 +Subject: [PATCH] Plug memory leak that happens upon error. + +If fgStructure.CurrentMenu is set when glutAddMenuEntry() or +glutAddSubMenu() is called the allocated menuEntry variable will +leak. This commit postpones allocating menuEntry until after the +error checks, thereby plugging the memory leak. + +This fixes CVE-2024-24258 and CVE-2024-24259. +--- + src/fg_menu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/fg_menu.c b/src/fg_menu.c +index 36b24ce6..da7d9010 100644 +--- a/src/fg_menu.c ++++ b/src/fg_menu.c +@@ -843,12 +843,12 @@ void FGAPIENTRY glutAddMenuEntry( const char* label, int value ) + { + SFG_MenuEntry* menuEntry; + FREEGLUT_EXIT_IF_NOT_INITIALISED ( "glutAddMenuEntry" ); +- menuEntry = (SFG_MenuEntry *)calloc( sizeof(SFG_MenuEntry), 1 ); + + freeglut_return_if_fail( fgStructure.CurrentMenu ); + if (fgState.ActiveMenus) + fgError("Menu manipulation not allowed while menus in use."); + ++ menuEntry = (SFG_MenuEntry *)calloc( sizeof(SFG_MenuEntry), 1 ); + menuEntry->Text = strdup( label ); + menuEntry->ID = value; + +@@ -867,7 +867,6 @@ void FGAPIENTRY glutAddSubMenu( const char *label, int subMenuID ) + SFG_Menu *subMenu; + + FREEGLUT_EXIT_IF_NOT_INITIALISED ( "glutAddSubMenu" ); +- menuEntry = ( SFG_MenuEntry * )calloc( sizeof( SFG_MenuEntry ), 1 ); + subMenu = fgMenuByID( subMenuID ); + + freeglut_return_if_fail( fgStructure.CurrentMenu ); +@@ -876,6 +875,7 @@ void FGAPIENTRY glutAddSubMenu( const char *label, int subMenuID ) + + freeglut_return_if_fail( subMenu ); + ++ menuEntry = ( SFG_MenuEntry * )calloc( sizeof( SFG_MenuEntry ), 1 ); + menuEntry->Text = strdup( label ); + menuEntry->SubMenu = subMenu; + menuEntry->ID = -1; +-- +2.43.1 + diff --git a/SPECS/freeglut.spec b/SPECS/freeglut.spec index 04745fd..b6474dd 100644 --- a/SPECS/freeglut.spec +++ b/SPECS/freeglut.spec @@ -1,11 +1,12 @@ Summary: A freely licensed alternative to the GLUT library Name: freeglut Version: 3.0.0 -Release: 8%{?dist} +Release: 9%{?dist} URL: http://freeglut.sourceforge.net Source0: https://downloads.sourceforge.net/%{name}/%{name}-%{version}.tar.gz # For the manpages Source1: https://downloads.sourceforge.net/openglut/openglut-0.6.3-doc.tar.gz +Patch0: 0001-Plug-memory-leak-that-happens-upon-error.patch License: MIT Group: System Environment/Libraries @@ -49,6 +50,7 @@ license. %prep %setup -q -a 1 +%patch -P 0 -p1 %build %{cmake} -DFREEGLUT_BUILD_STATIC_LIBS=OFF . @@ -81,6 +83,11 @@ install -p -m 644 doc/man/*.3 $RPM_BUILD_ROOT/%{_mandir}/man3 %changelog +* Thu Feb 15 2024 José Expósito - 3.0.0-9 +- Fix CVE-2024-24258 and CVE-2024-24259 + Resolves: https://issues.redhat.com/browse/RHEL-25175 + Resolves: https://issues.redhat.com/browse/RHEL-25177 + * Tue May 01 2018 Adam Jackson - 3.0.0-8 - HTTPS URLs - Pin soname to libglut.so.3 in the %%files glob