Fix issues in bundled libopts, spotted by covscan

Resolves: #1938730 Signed-off-by: Daiki Ueno <dueno@redhat.com>
2021-10-21 14:19:04 +02:00 · 2021-10-21 14:19:04 +02:00 · 8daf88e559
parent b9240f3e7a
commit 8daf88e559
2 changed files with 77 additions and 1 deletions
--- a/gnutls-3.7.2-libopts-covscan.patch
+++ b/gnutls-3.7.2-libopts-covscan.patch
@ -0,0 +1,72 @@
+From de11338de900f5c8840268264bceccbf76cca34f Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Thu, 21 Oct 2021 12:19:30 +0200
+Subject: [PATCH 1/2] autoopts: makeshell: use ferror before fclose
+
+Signed-off-by: Daiki Ueno <dueno@redhat.com>
+---
+ src/libopts/makeshell.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/libopts/makeshell.c b/src/libopts/makeshell.c
+index b6cb441a..7eb17a1f 100644
+--- a/src/libopts/makeshell.c
+++ b/src/libopts/makeshell.c
+@@ -164,9 +164,8 @@ optionParseShell(tOptions * opts)
+ #ifdef HAVE_FCHMOD
+     fchmod(STDOUT_FILENO, 0755);
+ #endif
+-    fclose(stdout);
+ 
+-    if (ferror(stdout))
+    if (ferror(stdout) || fclose(stdout))
+         fserr_exit(opts->pzProgName, zwriting, zstdout_name);
+ 
+     AGFREE(script_text);
+-- 
+2.31.1
+
+
+From 161097d36b608b615482e42e56a465c9fd740c26 Mon Sep 17 00:00:00 2001
+From: Daiki Ueno <dueno@redhat.com>
+Date: Thu, 21 Oct 2021 12:43:07 +0200
+Subject: [PATCH 2/2] autoopts: load: fix resource leak in error path
+
+Signed-off-by: Daiki Ueno <dueno@redhat.com>
+---
+ src/libopts/load.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/libopts/load.c b/src/libopts/load.c
+index 3f1ce2e6..ad1c4584 100644
+--- a/src/libopts/load.c
+++ b/src/libopts/load.c
+@@ -219,8 +219,11 @@ add_prog_path(char * buf, int b_sz, char const * fname, char const * prg_path)
+      *  IF we cannot find a directory name separator,
+      *  THEN we do not have a path name to our executable file.
+      */
+-    if (pz == NULL)
+    if (pz == NULL) {
+        if (path != prg_path)
+            AGFREE(path);
+         return false;
+    }
+ 
+     fname    += skip;
+     fname_len = strlen(fname) + 1; // + NUL byte
+@@ -230,8 +233,11 @@ add_prog_path(char * buf, int b_sz, char const * fname, char const * prg_path)
+      *  Concatenate the file name to the end of the executable path.
+      *  The result may be either a file or a directory.
+      */
+-    if (dir_len + fname_len > (unsigned)b_sz)
+    if (dir_len + fname_len > (unsigned)b_sz) {
+        if (path != prg_path)
+            AGFREE(path);
+         return false;
+    }
+ 
+     memcpy(buf, path, dir_len);
+     memcpy(buf + dir_len, fname, fname_len);
+-- 
+2.31.1
+
--- a/gnutls.spec
+++ b/gnutls.spec
@ -1,11 +1,12 @@
 # This spec file has been automatically updated
 Version:	3.7.2
-Release: 7%{?dist}
+Release: 8%{?dist}
 Patch1:	gnutls-3.6.7-no-now-guile.patch
 Patch2:	gnutls-3.2.7-rpath.patch
 Patch3:	gnutls-3.7.2-config-allowlisting.patch
 Patch4:	gnutls-3.7.2-key-share-ecdhx.patch
 Patch5:	gnutls-3.7.2-enable-intel-cet.patch
+Patch6: gnutls-3.7.2-libopts-covscan.patch
 %bcond_with bootstrap
 %bcond_without dane
 %if 0%{?rhel}
@ -321,6 +322,9 @@ make check %{?_smp_mflags} GNUTLS_SYSTEM_PRIORITY_FILE=/dev/null
 %endif

 %changelog
+* Thu Oct 21 2021 Daiki Ueno <dueno@redhat.com> - 3.7.2-8
+- Fix issues in bundled libopts, spotted by covscan (#1938730)
+
 * Tue Oct 12 2021 Daiki Ueno <dueno@redhat.com> - 3.7.2-7
 - Enable Intel CET
 - Remove unnecessary CCASFLAGS setting for annocheck