8 changed files with 122 additions and 3 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,7 @@
-SOURCES/libeconf-0.4.1.tar.gz
+/libeconf-0.3.0.tar.gz
+/libeconf-0.3.1.tar.xz
+/libeconf-0.3.3.tar.xz
+/libeconf-0.3.4.tar.xz
+/libeconf-0.3.5.tar.xz
+/libeconf-0.3.8.tar.gz
+/libeconf-0.4.1.tar.gz
--- a/.libeconf.metadata
+++ b/.libeconf.metadata
@ -1 +0,0 @@
-5c0327c3a760a85f80016412771d701bd8a8dab6 SOURCES/libeconf-0.4.1.tar.gz
--- a/0001-getfilecontents-buffer-overflow.patch
+++ b/0001-getfilecontents-buffer-overflow.patch
@ -0,0 +1,31 @@
+From 8d086dfc69d4299e55e4844e3573b3a4cf420f19 Mon Sep 17 00:00:00 2001
+From: Stefan Schubert <stefan@gefluegelhof-schubert.de>
+Date: Fri, 24 Mar 2023 15:14:07 +0100
+Subject: [PATCH] Aarch64 gcc13 (#183)
+
+* fixed buffer overflow
+---
+ lib/getfilecontents.c | 7 +++----
+ 4 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/lib/getfilecontents.c b/lib/getfilecontents.c
+index 94e1db9..f9b1afc 100644
+--- a/lib/getfilecontents.c
+++ b/lib/getfilecontents.c
+@@ -265,11 +265,12 @@ read_file(econf_file *ef, const char *file,
+   }
+   ef->delimiter = *delim;
+ 
+-  while (fgets(buf, sizeof(buf), kf)) {
+  while (fgets(buf, BUFSIZ-1, kf)) {
+     char *p, *name, *data = NULL;
+     bool quote_seen = false, delim_seen = false;
+     char *org_buf __attribute__ ((__cleanup__(free_buffer))) = strdup(buf);
+ 
+    buf[BUFSIZ-1] = '\0';
+     line++;
+     last_scanned_line_nr = line;
+ 
+-- 
+2.40.1
+
--- a/0002-cmake-no-install-html.patch
+++ b/0002-cmake-no-install-html.patch
@ -0,0 +1,12 @@
+diff --git a/doc/CMakeLists.txt b/doc/CMakeLists.txt
+index 726183a..8da1f45 100644
+--- a/doc/CMakeLists.txt
+++ b/doc/CMakeLists.txt
+@@ -18,7 +18,6 @@ if(BUILD_DOCUMENTATION)
+         COMMENT "Generating API documentation with Doxygen"
+         VERBATIM)
+ 
+-    install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/html DESTINATION share/doc)
+ endif()
+ 
+ install(FILES ${CMAKE_CURRENT_SOURCE_DIR}/man/libeconf.3 DESTINATION ${CMAKE_INSTALL_MANDIR}/man3)
--- a/0003-Fix-static-analyzer-detected-issues.patch
+++ b/0003-Fix-static-analyzer-detected-issues.patch
@ -0,0 +1,54 @@
+diff --git a/lib/libeconf.c b/lib/libeconf.c
+index d7de070..c6a7c73 100644
+--- a/lib/libeconf.c
+++ b/lib/libeconf.c
+@@ -158,7 +158,7 @@ econf_err econf_readDirsHistory(econf_file ***key_files,
+ {
+   const char *suffix, *default_dirs[3] = {NULL, NULL, NULL};
+   char *distfile, *etcfile, *cp;
+-  econf_file *key_file;
+  econf_file *key_file = NULL;
+   econf_err error;
+ 
+   *size = 0;
+@@ -267,8 +267,12 @@ econf_err econf_readDirsHistory(econf_file ***key_files,
+     const char *conf_dirs[] = {  NULL, /* "/conf.d/", ".d/", "/", */ NULL};
+     char *project_path = combine_strings(default_dirs[i], project_name, '/');
+     char *suffix_d = malloc (strlen(suffix) + 4); /* + strlen(".d/") */
+-    if (suffix_d == NULL)
+    if (suffix_d == NULL) {
+      free(project_path);
+      free(*key_files);
+      *key_files = NULL;
+       return ECONF_NOMEM;
+    }
+     cp = stpcpy(suffix_d, suffix);
+     stpcpy(cp, ".d");
+     conf_dirs[0] = suffix_d;
+diff --git a/lib/libeconf_ext.c b/lib/libeconf_ext.c
+index aafba45..6155a0c 100644
+--- a/lib/libeconf_ext.c
+++ b/lib/libeconf_ext.c
+@@ -86,15 +86,19 @@ econf_getExtValue(econf_file *kf, const char *group,
+   {
+     /* one quoted string only */
+     (*result)->values = realloc ((*result)->values, sizeof (char*) * ++n_del);
+-    if ((*result)->values == NULL)
+    if ((*result)->values == NULL) {
+      econf_freeExtValue(*result);
+       return ECONF_NOMEM; /* memory allocation failed */
+    }
+     (*result)->values[n_del-1] = strdup(value_string);
+   } else {
+     /* splitting into a character array */
+     while ((line = strsep(&value_string, "\n")) != NULL) {
+       (*result)->values = realloc ((*result)->values, sizeof (char*) * ++n_del);
+-      if ((*result)->values == NULL)
+-	return ECONF_NOMEM; /* memory allocation failed */
+      if ((*result)->values == NULL) {
+        econf_freeExtValue(*result);
+	      return ECONF_NOMEM; /* memory allocation failed */
+      }
+       (*result)->values[n_del-1] = strdup(trim(line));
+     }
+   }
--- a/README.md
+++ b/README.md
@ -0,0 +1,3 @@
+# libeconf
+
+The libeconf package
--- a/SPECS/libeconf.spec
+++ b/SPECS/libeconf.spec
@ -5,13 +5,20 @@

 Name:           libeconf
 Version:        0.4.1
-Release:        2%{?dist}
+Release:        4%{?dist}
 Summary:        Enhanced config file parser library

 License:        MIT
 URL:            https://github.com/openSUSE/libeconf
 Source0:        %{url}/archive/%{version}/%{name}-%{version}.tar.gz

+
+### Patches ###
+Patch0001: 0001-getfilecontents-buffer-overflow.patch
+Patch0002: 0002-cmake-no-install-html.patch
+# https://github.com/openSUSE/libeconf/commit/7c5d0a7198eb97104952e56e43c37eb337c3cf21
+Patch0003: 0003-Fix-static-analyzer-detected-issues.patch
+
 BuildRequires:  cmake >= 3.12
 BuildRequires:  gcc
 BuildRequires:  make
@ -76,6 +83,12 @@ configuration files from applications that use %{name}.


 %changelog
+* Thu Apr 11 2024 Iker Pedrosa <ipedrosa@redhat.com> - 0.4.1-4
+- Fix static analyzer detected issues. Resolves: RHEL-24989
+
+* Wed Jun  7 2023 Iker Pedrosa <ipedrosa@redhat.com> - 0.4.1-3
+- Fix stack-based buffer overflow in read_file(). Resolves: #2212467 (CVE-2023-22652)
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.4.1-2
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688
--- a/1
+++ b/1
@ -0,0 +1 @@
+SHA512 (libeconf-0.4.1.tar.gz) = 0508e32298daeb4c140755f19f03be9812ead270b9cfbeb411057eb9c911a8c5c9ab2dd5436600d3f0aa517a25afdf0e3c9e995b296efac474dbd665362847ca
				`@ -1 +0,0 @@`
				`5c0327c3a760a85f80016412771d701bd8a8dab6 SOURCES/libeconf-0.4.1.tar.gz`
				`@ -0,0 +1 @@`
				`SHA512 (libeconf-0.4.1.tar.gz) = 0508e32298daeb4c140755f19f03be9812ead270b9cfbeb411057eb9c911a8c5c9ab2dd5436600d3f0aa517a25afdf0e3c9e995b296efac474dbd665362847ca`