From c7a3ee8328934e89e042723578bb939f247190d6 Mon Sep 17 00:00:00 2001 From: Michael Catanzaro Date: Thu, 1 Jul 2021 15:49:06 -0500 Subject: [PATCH] Refresh gnutls-hmac patchset to fix leaks in error path Related: #1971823 --- glib2.spec | 6 +++- gnutls-hmac.patch | 78 ++++++++++++++++++++++++----------------------- 2 files changed, 45 insertions(+), 39 deletions(-) diff --git a/glib2.spec b/glib2.spec index 0019e9f..d132014 100644 --- a/glib2.spec +++ b/glib2.spec @@ -1,6 +1,6 @@ Name: glib2 Version: 2.68.3 -Release: 1%{?dist} +Release: 2%{?dist} Summary: A library of handy utility functions License: LGPLv2+ @@ -236,6 +236,10 @@ glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || : %{_datadir}/installed-tests %changelog +* Thu Jul 01 2021 Michael Catanzaro - 2.68.3-2 +- Refresh gnutls-hmac patchset to fix leaks in error path +- Related: #1971823 + * Mon Jun 28 2021 Michael Catanzaro - 2.68.3-1 - Update to 2.68.3 - Resolves: #1976713 diff --git a/gnutls-hmac.patch b/gnutls-hmac.patch index b6c3dc4..0455ed8 100644 --- a/gnutls-hmac.patch +++ b/gnutls-hmac.patch @@ -1,4 +1,4 @@ -From 86412ea2265ae018ba6146d525cafce78782c0fc Mon Sep 17 00:00:00 2001 +From ff90bb8474b1e724727f4014b446e7c851e609bd Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Fri, 7 Jun 2019 18:44:43 +0000 Subject: [PATCH 1/4] ghmac: Split off wrapper functions into ghmac-utils.c @@ -284,10 +284,10 @@ index 49fd272f0..4f181f21f 100644 - (const guchar *) str, length); -} diff --git a/glib/meson.build b/glib/meson.build -index 28bfae200..0a37d19ea 100644 +index 8c18e6de4..329b8d197 100644 --- a/glib/meson.build +++ b/glib/meson.build -@@ -254,6 +254,7 @@ glib_sources = files( +@@ -253,6 +253,7 @@ glib_sources = files( 'ggettext.c', 'ghash.c', 'ghmac.c', @@ -298,7 +298,7 @@ index 28bfae200..0a37d19ea 100644 -- 2.31.1 -From a5ee9970772e182de1c249ee514e87ef38e08360 Mon Sep 17 00:00:00 2001 +From 5395d36e6685e0b7377794c59c5820970bb472ef Mon Sep 17 00:00:00 2001 
From: Colin Walters Date: Fri, 7 Jun 2019 19:36:54 +0000 Subject: [PATCH 2/4] Add a gnutls backend for GHmac @@ -354,8 +354,8 @@ https://gitlab.gnome.org/GNOME/glib/-/merge_requests/903 glib/ghmac.c | 15 ++++ glib/meson.build | 10 ++- meson.build | 7 ++ - meson_options.txt | 5 ++ - 7 files changed, 259 insertions(+), 6 deletions(-) + meson_options.txt | 7 +- + 7 files changed, 260 insertions(+), 7 deletions(-) create mode 100644 glib/gchecksumprivate.h create mode 100644 glib/ghmac-gnutls.c @@ -434,10 +434,10 @@ index 000000000..86c7a3b61 \ No newline at end of file diff --git a/glib/ghmac-gnutls.c b/glib/ghmac-gnutls.c new file mode 100644 -index 000000000..a55375060 +index 000000000..9fb775f89 --- /dev/null +++ b/glib/ghmac-gnutls.c -@@ -0,0 +1,186 @@ +@@ -0,0 +1,187 @@ +/* ghmac.h - data hashing functions + * + * Copyright (C) 2011 Collabora Ltd. @@ -516,6 +516,7 @@ index 000000000..a55375060 + algo = GNUTLS_MAC_SHA512; + break; + default: ++ g_free (hmac); + g_return_val_if_reached (NULL); + } + @@ -525,7 +526,7 @@ index 000000000..a55375060 + /* There is no way to report an error here, but one possible cause of + * failure is that the requested digest may be disabled by FIPS mode. + */ -+ g_free (hmac->hmac); ++ g_free (hmac); + return NULL; + } + @@ -658,10 +659,10 @@ index 4f181f21f..0e39ea40a 100644 * Use g_hmac_unref() to free the memory allocated by it. * diff --git a/glib/meson.build b/glib/meson.build -index 0a37d19ea..b17c89dd9 100644 +index 329b8d197..2417de53d 100644 --- a/glib/meson.build +++ b/glib/meson.build -@@ -253,7 +253,6 @@ glib_sources = files( +@@ -252,7 +252,6 @@ glib_sources = files( 'gfileutils.c', 'ggettext.c', 'ghash.c', @@ -669,7 +670,7 @@ index 0a37d19ea..b17c89dd9 100644 'ghmac-utils.c', 'ghook.c', 'ghostutils.c', -@@ -309,6 +308,7 @@ glib_sources = files( +@@ -308,6 +307,7 @@ glib_sources = files( 'guriprivate.h', 'gutils.c', 'gutilsprivate.h', 
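Review bot: The `g_free (hmac);` added in the `default:` branch (`@@ -516,6 +516,7 @@`) and the corrected `g_free (hmac);` in the init-failure branch (`@@ -525,7 +526,7 @@`) are only right if `hmac` was allocated with the `g_malloc` family. The allocation sits outside both hunks, so check it at the top of the function; a `g_slice_new` allocation would need `g_slice_free` instead. Both paths return NULL without any diagnostic, and the existing comment says a digest disabled by FIPS mode can trigger this at run time, so callers must treat NULL as a normal outcome rather than dereference it. I would record that at the failure site, for example `/* Callers must handle NULL: the digest may be disabled, e.g. by FIPS mode. */`. The enclosing function begins and ends outside these hunks.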
@@ -677,7 +678,7 @@ index 0a37d19ea..b17c89dd9 100644 'guuid.c', 'gvariant.c', 'gvariant-core.c', -@@ -353,6 +353,12 @@ else +@@ -352,6 +352,12 @@ else glib_dtrace_hdr = [] endif @@ -690,20 +691,20 @@ index 0a37d19ea..b17c89dd9 100644 pcre_static_args = [] if use_pcre_static_flag -@@ -379,7 +385,7 @@ libglib = library('glib-2.0', +@@ -378,7 +384,7 @@ libglib = library('glib-2.0', # intl.lib is not compatible with SAFESEH link_args : [noseh_link_args, glib_link_flags, win32_ldflags], include_directories : configinc, - dependencies : pcre_deps + [thread_dep, librt] + libintl_deps + libiconv + platform_deps + [gnulib_libm_dependency, libm] + [libsysprof_capture_dep], -+ dependencies : pcre_deps + libgnutls_dep + [thread_dep, librt] + libintl_deps + libiconv + platform_deps + [gnulib_libm_dependency, libm] + [libsysprof_capture_dep], ++ dependencies : pcre_deps + [thread_dep, librt] + libgnutls_dep + libintl_deps + libiconv + platform_deps + [gnulib_libm_dependency, libm] + [libsysprof_capture_dep], c_args : glib_c_args, objc_args : glib_c_args, ) diff --git a/meson.build b/meson.build -index a0ee8b774..064dba800 100644 +index e2eba1871..cca15f653 100644 --- a/meson.build +++ b/meson.build -@@ -2104,6 +2104,13 @@ if host_system == 'linux' +@@ -2090,6 +2090,13 @@ if host_system == 'linux' glib_conf.set('HAVE_LIBMOUNT', libmount_dep.found()) endif @@ -718,25 +719,25 @@ index a0ee8b774..064dba800 100644 winsock2 = cc.find_library('ws2_32') endif diff --git a/meson_options.txt b/meson_options.txt -index 072765361..d2370042f 100644 +index 072765361..c8f26ac02 100644 --- a/meson_options.txt 
+++ b/meson_options.txt -@@ -34,6 +34,11 @@ option('libmount', - value : 'auto', - description : 'build with libmount support') +@@ -39,6 +39,11 @@ option('internal_pcre', + value : false, + description : 'whether to use internal PCRE') +option('gnutls', + type : 'boolean', + value : false, + description : 'build with gnutls support') + - option('internal_pcre', + option('man', type : 'boolean', value : false, -- 2.31.1 -From cde56a63aa12ae7c30f85af7d058fa5e666aa2e9 Mon Sep 17 00:00:00 2001 +From a2429b6b2b12ebec5b51ec1bd287674c104877c1 Mon Sep 17 00:00:00 2001 From: Michael Catanzaro Date: Wed, 16 Jun 2021 20:35:00 -0500 Subject: [PATCH 3/4] dlopen GnuTLS instead of linking directly @@ -764,7 +765,7 @@ for our purposes. 4 files changed, 102 insertions(+), 9 deletions(-) diff --git a/glib/ghmac-gnutls.c b/glib/ghmac-gnutls.c -index a55375060..0469d2bd0 100644 +index 9fb775f89..1800fc2e0 100644 --- a/glib/ghmac-gnutls.c +++ b/glib/ghmac-gnutls.c @@ -19,8 +19,8 @@ @@ -918,23 +919,23 @@ index 0e39ea40a..2d9be91b8 100644 #endif diff --git a/glib/meson.build b/glib/meson.build -index b17c89dd9..a015f7755 100644 +index 2417de53d..1b4a2477c 100644 --- a/glib/meson.build 
+++ b/glib/meson.build -@@ -385,7 +385,7 @@ libglib = library('glib-2.0', +@@ -384,7 +384,7 @@ libglib = library('glib-2.0', # intl.lib is not compatible with SAFESEH link_args : [noseh_link_args, glib_link_flags, win32_ldflags], include_directories : configinc, -- dependencies : pcre_deps + libgnutls_dep + [thread_dep, librt] + libintl_deps + libiconv + platform_deps + [gnulib_libm_dependency, libm] + [libsysprof_capture_dep], -+ dependencies : pcre_deps + [thread_dep, librt] + libintl_deps + libiconv + platform_deps + [gnulib_libm_dependency, libm] + [libsysprof_capture_dep] + [libdl_dep], +- dependencies : pcre_deps + [thread_dep, librt] + libgnutls_dep + libintl_deps + libiconv + platform_deps + [gnulib_libm_dependency, libm] + [libsysprof_capture_dep], ++ dependencies : pcre_deps + [thread_dep, librt] + libintl_deps + libiconv + platform_deps + [gnulib_libm_dependency, libm] + [libsysprof_capture_dep], c_args : glib_c_args, objc_args : glib_c_args, ) diff --git a/meson.build b/meson.build -index 064dba800..7aae7dfea 100644 +index cca15f653..404ef1790 100644 --- a/meson.build +++ b/meson.build -@@ -2104,11 +2104,9 @@ if host_system == 'linux' +@@ -2090,11 +2090,9 @@ if host_system == 'linux' glib_conf.set('HAVE_LIBMOUNT', libmount_dep.found()) endif @@ -951,7 +952,7 @@ index 064dba800..7aae7dfea 100644 -- 2.31.1 -From b61ea19037287cae2e6152e9616767a691bf4af0 Mon Sep 17 00:00:00 2001 +From 14b214e82d7f58739c180d3c777b0a000cf0590f Mon Sep 17 00:00:00 2001 From: Michael Catanzaro Date: Wed, 16 Jun 2021 20:46:24 -0500 Subject: [PATCH 4/4] Add test for GHmac in FIPS mode @@ -967,11 +968,11 @@ Crash when passing -1 length to g_hmac_update() (discovered in #1971533) We'll also test to ensure MD5 fails, and stop compiling the other MD5 tests. --- - glib/tests/hmac.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 45 insertions(+) + glib/tests/hmac.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 46 insertions(+) 
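Review bot: The refreshed `dependencies :` line in patch 3/4 (`@@ -918,23 +919,23 @@`) no longer ends with `+ [libdl_dep]`, although that patch is titled "dlopen GnuTLS instead of linking directly". If the targeted libc still keeps `dlopen` in a separate libdl, libglib would need that dependency to link, so confirm the drop is intentional for every supported build target. If it is, a comment above the line would help, for example `# dlopen() is provided by libc on supported targets; no libdl_dep needed`. The `library()` call this line belongs to starts and ends outside the hunk.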
diff --git a/glib/tests/hmac.c b/glib/tests/hmac.c -index 3ac3206df..6698c4d19 100644 +index 3ac3206df..2fa447984 100644 --- a/glib/tests/hmac.c +++ b/glib/tests/hmac.c @@ -1,7 +1,10 @@ @@ -1009,7 +1010,7 @@ index 3ac3206df..6698c4d19 100644 HmacCase hmac_sha1_tests[] = { { G_CHECKSUM_SHA1, key_sha_test1, 20, "Hi There", 8, result_sha1_test1 }, -@@ -493,11 +499,44 @@ test_hmac_for_bytes (void) +@@ -493,11 +499,45 @@ test_hmac_for_bytes (void) g_bytes_unref (data); } @@ -1048,13 +1049,14 @@ index 3ac3206df..6698c4d19 100644 int i; + +#ifdef USE_GNUTLS ++ /* This has to happen before GnuTLS is dlopened. */ + g_setenv ("GNUTLS_FORCE_FIPS_MODE", "1", FALSE); +#endif + g_test_init (&argc, &argv, NULL); for (i = 0 ; hmac_sha1_tests[i].key_len > 0 ; i++) -@@ -532,6 +571,7 @@ main (int argc, +@@ -532,6 +572,7 @@ main (int argc, g_free (name); } @@ -1062,7 +1064,7 @@ index 3ac3206df..6698c4d19 100644 for (i = 0 ; hmac_md5_tests[i].key_len > 0 ; i++) { gchar *name = g_strdup_printf ("/hmac/md5-%d", i + 1); -@@ -539,6 +579,7 @@ main (int argc, +@@ -539,6 +580,7 @@ main (int argc, (void (*)(const void *)) test_hmac); g_free (name); } @@ -1070,7 +1072,7 @@ index 3ac3206df..6698c4d19 100644 g_test_add_func ("/hmac/ref-unref", test_hmac_ref_unref); g_test_add_func ("/hmac/copy", test_hmac_copy); -@@ -546,5 +587,9 @@ main (int argc, +@@ -546,5 +588,9 @@ main (int argc, g_test_add_func ("/hmac/for-string", test_hmac_for_string); g_test_add_func ("/hmac/for-bytes", test_hmac_for_bytes);
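Review bot: In `@@ -1048,13 +1049,14 @@` the `g_setenv` call under the new comment passes `FALSE` for the overwrite argument, so a `GNUTLS_FORCE_FIPS_MODE` value already in the environment wins. The FIPS-specific tests could then run against a non-FIPS GnuTLS and fail or pass for the wrong reason. `g_setenv ("GNUTLS_FORCE_FIPS_MODE", "1", TRUE);` would make the test independent of the caller's environment. The new comment is accurate about ordering; it could also say that no GHmac call may precede this line. The body of `main` continues outside the hunk.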