diff --git a/SOURCES/0001-getfilecontents-buffer-overflow.patch b/SOURCES/0001-getfilecontents-buffer-overflow.patch new file mode 100644 index 0000000..ab86dfa --- /dev/null +++ b/SOURCES/0001-getfilecontents-buffer-overflow.patch @@ -0,0 +1,31 @@ +From 8d086dfc69d4299e55e4844e3573b3a4cf420f19 Mon Sep 17 00:00:00 2001 +From: Stefan Schubert +Date: Fri, 24 Mar 2023 15:14:07 +0100 +Subject: [PATCH] Aarch64 gcc13 (#183) + +* fixed buffer overflow +--- + lib/getfilecontents.c | 7 +++---- + 4 files changed, 7 insertions(+), 4 deletions(-) + +diff --git a/lib/getfilecontents.c b/lib/getfilecontents.c +index 94e1db9..f9b1afc 100644 +--- a/lib/getfilecontents.c ++++ b/lib/getfilecontents.c +@@ -265,11 +265,12 @@ read_file(econf_file *ef, const char *file, + } + ef->delimiter = *delim; + +- while (fgets(buf, sizeof(buf), kf)) { ++ while (fgets(buf, BUFSIZ-1, kf)) { + char *p, *name, *data = NULL; + bool quote_seen = false, delim_seen = false; + char *org_buf __attribute__ ((__cleanup__(free_buffer))) = strdup(buf); + ++ buf[BUFSIZ-1] = '\0'; + line++; + last_scanned_line_nr = line; + +-- +2.40.1 + diff --git a/SPECS/libeconf.spec b/SPECS/libeconf.spec index 0be557d..8ffae26 100644 --- a/SPECS/libeconf.spec +++ b/SPECS/libeconf.spec @@ -5,13 +5,17 @@ Name: libeconf Version: 0.4.1 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Enhanced config file parser library License: MIT URL: https://github.com/openSUSE/libeconf Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz + +### Patches ### +Patch0001: 0001-getfilecontents-buffer-overflow.patch + BuildRequires: cmake >= 3.12 BuildRequires: gcc BuildRequires: make @@ -76,6 +80,9 @@ configuration files from applications that use %{name}. %changelog +* Wed Jun 7 2023 Iker Pedrosa - 0.4.1-3 +- Fix stack-based buffer overflow in read_file(). Resolves: #2212467 (CVE-2023-22652) + * Mon Aug 09 2021 Mohan Boddu - 0.4.1-2 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688