diff --git a/SOURCES/0000-CVE-2020-28241.patch b/SOURCES/0000-CVE-2020-28241.patch new file mode 100644 index 0000000..981754e --- /dev/null +++ b/SOURCES/0000-CVE-2020-28241.patch @@ -0,0 +1,123 @@ +From eac45e29196bcde1d123a6035c15d30356bed248 Mon Sep 17 00:00:00 2001 +From: Gregory Oschwald +Date: Wed, 5 Aug 2020 14:16:17 -0700 +Subject: [PATCH] Replace most malloc uses with calloc + +Closes #236. +--- + Changes.md | 4 ++++ + bin/mmdblookup.c | 10 +++++----- + doc/libmaxminddb.md | 2 +- + src/maxminddb.c | 21 ++++++++++++--------- + 4 files changed, 22 insertions(+), 15 deletions(-) + +diff --git a/bin/mmdblookup.c b/bin/mmdblookup.c +index 4a3403c6..d7ec3fff 100644 +--- a/bin/mmdblookup.c ++++ b/bin/mmdblookup.c +@@ -294,7 +294,7 @@ LOCAL const char **get_options( + } + + const char **lookup_path = +- malloc(sizeof(const char *) * ((argc - optind) + 1)); ++ calloc((argc - optind) + 1, sizeof(const char *)); + int i; + for (i = 0; i < argc - optind; i++) { + lookup_path[i] = argv[i + optind]; +diff --git a/doc/libmaxminddb.md b/doc/libmaxminddb.md +index 191637b3..6e841cbc 100644 +--- a/doc/libmaxminddb.md ++++ b/doc/libmaxminddb.md +@@ -307,7 +307,7 @@ libmaxminddb code. + + The `utf8_string`, `bytes`, and (maybe) the `uint128` members of this structure + are all pointers directly into the database's data section. This can either be +-a `malloc`'d or `mmap`'d block of memory. In either case, these pointers will ++a `calloc`'d or `mmap`'d block of memory. In either case, these pointers will + become invalid after `MMDB_close()` is called. + + If you need to refer to this data after that time you should copy the data +diff --git a/src/maxminddb.c b/src/maxminddb.c +index 21c18f2b..b45d5afa 100644 +--- a/src/maxminddb.c ++++ b/src/maxminddb.c +@@ -36,7 +36,7 @@ + do { \ + char *binary = byte_to_binary(byte); \ + if (NULL == binary) { \ +- fprintf(stderr, "Malloc failed in DEBUG_BINARY\n"); \ ++ fprintf(stderr, "Calloc failed in DEBUG_BINARY\n"); \ + abort(); \ + } \ + fprintf(stderr, fmt "\n", binary); \ +@@ -54,7 +54,7 @@ + #ifdef MMDB_DEBUG + DEBUG_FUNC char *byte_to_binary(uint8_t byte) + { +- char *bits = malloc(sizeof(char) * 9); ++ char *bits = calloc(9, sizeof(char)); + if (NULL == bits) { + return bits; + } +@@ -704,7 +704,7 @@ LOCAL int populate_languages_metadata(MMDB_s *mmdb, MMDB_s *metadata_db, + MMDB_INVALID_METADATA_ERROR); + + mmdb->metadata.languages.count = 0; +- mmdb->metadata.languages.names = malloc(array_size * sizeof(char *)); ++ mmdb->metadata.languages.names = calloc(array_size, sizeof(char *)); + if (NULL == mmdb->metadata.languages.names) { + return MMDB_OUT_OF_MEMORY_ERROR; + } +@@ -722,7 +722,7 @@ LOCAL int populate_languages_metadata(MMDB_s *mmdb, MMDB_s *metadata_db, + if (NULL == mmdb->metadata.languages.names[i]) { + return MMDB_OUT_OF_MEMORY_ERROR; + } +- // We assign this as we go so that if we fail a malloc and need to ++ // We assign this as we go so that if we fail a calloc and need to + // free it, the count is right. + mmdb->metadata.languages.count = i + 1; + } +@@ -774,7 +774,7 @@ LOCAL int populate_description_metadata(MMDB_s *mmdb, MMDB_s *metadata_db, + MMDB_INVALID_METADATA_ERROR); + + mmdb->metadata.description.descriptions = +- malloc(map_size * sizeof(MMDB_description_s *)); ++ calloc(map_size, sizeof(MMDB_description_s *)); + if (NULL == mmdb->metadata.description.descriptions) { + status = MMDB_OUT_OF_MEMORY_ERROR; + goto cleanup; +@@ -782,7 +782,7 @@ LOCAL int populate_description_metadata(MMDB_s *mmdb, MMDB_s *metadata_db, + + for (uint32_t i = 0; i < map_size; i++) { + mmdb->metadata.description.descriptions[i] = +- malloc(sizeof(MMDB_description_s)); ++ calloc(1, sizeof(MMDB_description_s)); + if (NULL == mmdb->metadata.description.descriptions[i]) { + status = MMDB_OUT_OF_MEMORY_ERROR; + goto cleanup; +@@ -1134,7 +1134,7 @@ int MMDB_vget_value(MMDB_entry_s *const start, + MAYBE_CHECK_SIZE_OVERFLOW(length, SIZE_MAX / sizeof(const char *) - 1, + MMDB_INVALID_METADATA_ERROR); + +- const char **path = malloc((length + 1) * sizeof(const char *)); ++ const char **path = calloc(length + 1, sizeof(const char *)); + if (NULL == path) { + return MMDB_OUT_OF_MEMORY_ERROR; + } +@@ -2010,6 +2010,7 @@ LOCAL MMDB_entry_data_list_s *dump_entry_data_list( + char *hex_string = + bytes_to_hex((uint8_t *)entry_data_list->entry_data.bytes, + entry_data_list->entry_data.data_size); ++ + if (NULL == hex_string) { + *status = MMDB_OUT_OF_MEMORY_ERROR; + return NULL; +@@ -2103,7 +2104,7 @@ LOCAL char *bytes_to_hex(uint8_t *bytes, uint32_t size) + char *hex_string; + MAYBE_CHECK_SIZE_OVERFLOW(size, SIZE_MAX / 2 - 1, NULL); + +- hex_string = malloc((size * 2) + 1); ++ hex_string = calloc((size * 2) + 1, sizeof(char)); + if (NULL == hex_string) { + return NULL; + } diff --git a/SPECS/libmaxminddb.spec b/SPECS/libmaxminddb.spec index bc3d280..e633ee1 100644 --- a/SPECS/libmaxminddb.spec +++ b/SPECS/libmaxminddb.spec @@ -1,7 +1,7 @@ Name: libmaxminddb Summary: C library for the MaxMind DB file format Version: 1.2.0 -Release: 10%{?dist} +Release: 10%{?dist}.1 URL: https://maxmind.github.io/libmaxminddb Source0: https://github.com/maxmind/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz @@ -12,6 +12,8 @@ License: ASL 2.0 and BSD BuildRequires: perl-interpreter Recommends: geolite2-city, geolite2-country +Patch0000: 0000-CVE-2020-28241.patch + %description The package contains libmaxminddb library. @@ -30,6 +32,8 @@ and the mmdblookup utility which allows IP address lookup in a MaxMind DB file. %prep %setup -q +%patch0000 -p1 -b .cve-2020-28241 + %build %configure --disable-static # remove embeded RPATH @@ -83,6 +87,9 @@ EOF %{_mandir}/man3/* %changelog +* Thu Jan 04 2024 Michal Ruprich - 1.2.0-10.1 +- Resolves: RHEL-20594 - improper initialization in dump_entry_data_list() in maxminddb.c + * Mon Jun 08 2020 Michal Ruprich - 1.2.0-10 - Related: #1642001 - Obsoleting -devel-debuginfo to enable clean update path