rpms/libdb
5
0
Fork 0
Code Issues Pull Requests Releases Activity

fix static analyzer issues CWE-686-398

Browse Source 
Resolves: #1938760
This commit is contained in:
Filip Januš 2021-08-05 15:19:30 +02:00
parent aeef6efe4b
commit 8f9ea1097d
2 changed files with 62 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
db-5.3.28-fix-CWE-686-398.patch Normal file
View File

@ -0,0 +1,54 @@
This patch fixes: CWE-686,CWE-398
diff -ur db-5.3.28/src/log/log_verify_int.c new/src/log/log_verify_int.c
--- db-5.3.28/src/log/log_verify_int.c 2013-09-09 17:35:08.000000000 +0200
+++ new/src/log/log_verify_int.c 2021-08-05 13:33:06.378608924 +0200
@@ -433,9 +433,9 @@
putflag = DB_CURRENT;
doput = 1;
}
+ if (doput)
+ ret = __dbc_put(csr, &key, &data, putflag);
- if (doput && (ret = __dbc_put(csr, &key, &data, putflag)) != 0)
- goto err;
err:
if (csr != NULL && (tret = __dbc_close(csr)) != 0 && ret == 0)
ret = tret;
diff -ur db-5.3.28/src/log/log_verify_util.c new/src/log/log_verify_util.c
--- db-5.3.28/src/log/log_verify_util.c 2013-09-09 17:35:08.000000000 +0200
+++ new/src/log/log_verify_util.c 2021-08-04 15:10:07.900854238 +0200
@@ -2140,8 +2140,7 @@
for (ret = __dbc_pget(csr, &key, &data2, &data, DB_SET); ret == 0;
ret = __dbc_pget(csr, &key, &data2, &data, DB_NEXT_DUP))
BDBOP(__db_put(pdb, lvh->ip, NULL, &data2, &key2, 0));
- if ((ret = __del_txn_pages(lvh, ctxn)) != 0 && ret != DB_NOTFOUND)
- goto err;
+ ret = __del_txn_pages(lvh, ctxn);
err:
if (csr != NULL && (tret = __dbc_close(csr)) != 0 && ret == 0)
ret = tret;
diff -ur db-5.3.28/src/rep/rep_backup.c new/src/rep/rep_backup.c
--- db-5.3.28/src/rep/rep_backup.c 2013-09-09 17:35:09.000000000 +0200
+++ new/src/rep/rep_backup.c 2021-08-04 14:47:51.967782566 +0200
@@ -542,8 +542,6 @@
ret = __memp_fput(dbp->mpf, ip, pagep, dbc->priority);
pagep = NULL;
- if (ret != 0)
- goto err;
err:
/*
* Check status of pagep in case any new error paths out leave
diff -ur db-5.3.28/util/db_dump185.c new/util/db_dump185.c
--- db-5.3.28/util/db_dump185.c 2013-09-09 17:35:12.000000000 +0200
+++ new/util/db_dump185.c 2021-08-04 14:45:37.592794678 +0200
@@ -19,7 +19,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-
+#include <unistd.h>
#ifdef HAVE_DB_185_H
#include <db_185.h>
#else

10
libdb.spec
View File

@ -5,7 +5,7 @@
Summary: The Berkeley DB database library for C Summary: The Berkeley DB database library for C
Name: libdb Name: libdb
Version: 5.3.28 Version: 5.3.28
Release: 49%{?dist} Release: 50%{?dist}
Source0: http://download.oracle.com/berkeley-db/db-%{version}.tar.gz Source0: http://download.oracle.com/berkeley-db/db-%{version}.tar.gz
Source1: http://download.oracle.com/berkeley-db/db.1.85.tar.gz Source1: http://download.oracle.com/berkeley-db/db.1.85.tar.gz
# For mt19937db.c # For mt19937db.c
@ -56,7 +56,8 @@ Patch38: libdb-limit-cpu.patch
Patch39: libdb-5.3.21-trickle_cpu.patch Patch39: libdb-5.3.21-trickle_cpu.patch
# cve-2019-2708 fixed by mmuzila # cve-2019-2708 fixed by mmuzila
Patch40: db-5.3.28_cve-2019-2708.patch Patch40: db-5.3.28_cve-2019-2708.patch
# Downstream covscan patch
Patch41: db-5.3.28-fix-CWE-686-398.patch
URL: http://www.oracle.com/database/berkeley-db/ URL: http://www.oracle.com/database/berkeley-db/
License: BSD and LGPLv2 and Sleepycat License: BSD and LGPLv2 and Sleepycat
@ -227,6 +228,7 @@ popd
%patch38 -p1 %patch38 -p1
%patch39 -p1 %patch39 -p1
%patch40 -p1 -b .cve-2019-2708 %patch40 -p1 -b .cve-2019-2708
%patch41 -p1
cd dist cd dist
./s_config ./s_config
@ -388,6 +390,10 @@ mv man/* ${RPM_BUILD_ROOT}%{_mandir}/man1
%{_includedir}/%{name}/dbsql.h %{_includedir}/%{name}/dbsql.h
%changelog %changelog
* Thu Aug 05 2021 Filip Januš <fjanus@redhat.com> - 5.3.28-50
- fix static analyzer issues CWE-686-398
- Resolves: #1938760
* Mon Jul 12 2021 Filip Januš <fjanus@redhat.com> - 5.3.28-49 * Mon Jul 12 2021 Filip Januš <fjanus@redhat.com> - 5.3.28-49
- Rebuild due to glibc - Rebuild due to glibc
- Resolves: #1980975 - Resolves: #1980975