Apply upstream patch to fix 3 findings from static application security testing

Resolves: RHEL-27656 Signed-off-by: Adrian Reber <areber@redhat.com>
2024-03-07 16:59:06 +01:00 · 2024-03-07 16:59:06 +01:00 · 224920f3f0
commit 224920f3f0
parent cf4314ba1f
2 changed files with 41 additions and 1 deletions
--- a/102.patch
+++ b/102.patch
@ -0,0 +1,34 @@
+From 425162fb7a9577f212d44c1b6f6e2ccc36acf131 Mon Sep 17 00:00:00 2001
+From: Thomas Habets <habets@google.com>
+Date: Fri, 1 Nov 2019 17:08:08 +0000
+Subject: [PATCH] Fix possible overflows
+
+---
+ src/libnet_port_list.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/libnet_port_list.c b/src/libnet_port_list.c
+index fff151ea..942a856f 100644
+--- a/src/libnet_port_list.c
+++ b/src/libnet_port_list.c
+@@ -250,16 +250,17 @@ libnet_plist_chain_dump_string(libnet_plist_t *plist)
+     {
+         if (plist->bport == plist->eport)
+         {
+-            i = snprintf(&buf[j], BUFSIZ, "%d", plist->bport);
+            i = snprintf(&buf[j], BUFSIZ-j, "%d", plist->bport);
+         }
+         else
+         {
+-            i = snprintf(&buf[j], BUFSIZ, "%d-%d", plist->bport, plist->eport);
+            i = snprintf(&buf[j], BUFSIZ-j, "%d-%d", plist->bport, plist->eport);
+         }
+         j += i;
+         if (plist->next)
+         {
+-            snprintf(&buf[j++], BUFSIZ, ",");
+            snprintf(&buf[j], BUFSIZ-j, ",");
+            j++;
+         }
+     }
+     return (strdup(buf));       /* XXX - reentrancy == no */
--- a/libnet.spec
+++ b/libnet.spec
@ -1,7 +1,7 @@
 Summary:        C library for portable packet creation and injection
 Name:           libnet
 Version:        1.2
-Release:        6%{?dist}
+Release:        7%{?dist}
 License:        BSD
 URL:            https://github.com/libnet/libnet
 # This used to be https://github.com/libnet/libnet/releases/download/v%%{version}/%%{name}-%%{version}.tar.gz
@ -13,6 +13,7 @@ Source0:        libnet-1.2-repack.tar.gz
 Patch0:         libnet-config.patch
 Patch1:         libnet_pblock.patch
 Patch2:         https://patch-diff.githubusercontent.com/raw/libnet/libnet/pull/120.patch
+Patch3:         https://patch-diff.githubusercontent.com/raw/libnet/libnet/pull/102.patch
 BuildRequires:  gcc
 BuildRequires:  make
 BuildRequires:  %{_bindir}/pod2man
@ -55,6 +56,7 @@ developing applications that use libnet.
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 # Avoid library soname bump (https://github.com/libnet/libnet/issues/115)
 sed -e 's/-version-info 9:0:0/-version-info 9:0:8/' -i src/Makefile.{am,in}

@ -104,6 +106,10 @@ done
 %endif

 %changelog
+* Thu Mar 07 2024 Adrian Reber <areber@redhat.com> - 1.2-7
+- Apply upstream patch to fix 3 findings from static application security testing
+  Resolves: RHEL-27656
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.2-6
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688