diff --git a/0008-rhbz-Fix-a-double-free-condition.patch b/0008-rhbz-Fix-a-double-free-condition.patch
new file mode 100644
index 0000000..a25b684
--- /dev/null
+++ b/0008-rhbz-Fix-a-double-free-condition.patch
@@ -0,0 +1,48 @@
+From 6cd4fa7749b2de7a39b6bf22373b56d1c1be91d1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20Grabovsk=C3=BD?=
+Date: Mon, 2 Nov 2020 11:45:23 +0100
+Subject: [PATCH 1/2] rhbz: Fix a double-free condition
+
+The `cc` string must not be freed after the variable goes out of scope
+since it's appended to `cc_list`. (`g_list_append()` does not copy its
+input.) We only need to free the last string in the loop, which is an
+empty string.
+
+The bug was introduced in 7aba6e53.
+
+Resolves rhbz#1893595
+---
+ src/plugins/rhbz.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/plugins/rhbz.c b/src/plugins/rhbz.c
+index 25d30207..c2855a70 100644
+--- a/src/plugins/rhbz.c
++++ b/src/plugins/rhbz.c
+@@ -407,18 +407,20 @@ GList *rhbz_bug_cc(xmlrpc_value* result_xml)
+ if (!item)
+ continue;
+ 
+- const char* cc = NULL;
+- xmlrpc_read_string(&env, item, &cc);
++ char *cc = NULL;
++ xmlrpc_read_string(&env, item, (const char **)&cc);
+ xmlrpc_DECREF(item);
+ if (env.fault_occurred)
+ abrt_xmlrpc_die(&env);
+ 
+ if (*cc != '\0')
+ {
+- cc_list = g_list_append(cc_list, (char*)cc);
++ cc_list = g_list_append(cc_list, cc);
+ log_debug("member on cc is %s", cc);
+ continue;
+ }
++
++ free(cc);
+ }
+ xmlrpc_DECREF(cc_member);
+ return cc_list;
+-- 
+2.26.2
+
diff --git a/libreport.spec b/libreport.spec
index f17e39f..d233c98 100644
--- a/libreport.spec
+++ b/libreport.spec
@@ -15,7 +15,7 @@
 Summary: Generic library for reporting various problems
 Name: libreport
 Version: 2.14.0
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: GPLv2+
 URL: https://abrt.readthedocs.org/
 Source: https://github.com/abrt/%{name}/archive/%{version}/%{name}-%{version}.tar.gz
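Review bot: The ownership transfer this hunk depends on is not documented where it happens: `g_list_append(cc_list, cc)` hands the heap string returned by `xmlrpc_read_string()` to `cc_list`, so whoever releases the list must free each element exactly once and with `free()` (as the new `free(cc)` line does), not with a different deallocator unless the allocators are known to match. A one-line comment above the append, `/* cc_list takes ownership of cc; the caller frees elements with free() */`, would make the next `free(cc)`-style regression, which is exactly what this patch repairs, much less likely. The control flow also hides the lifetime: the `continue` sits inside the non-empty branch and the `free(cc)` falls through after the block, which reads as if it ran on every iteration; `if (*cc == '\0') { free(cc); continue; }` followed by the append would state the intent directly. Note that `*cc` is dereferenced after the `abrt_xmlrpc_die(&env)` fault path while `cc` may still be NULL, which is safe only if that function never returns; the hunk does not show that. The enclosing function rhbz_bug_cc starts and ends outside the hunk.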
@@ -27,6 +27,7 @@ Patch3: 0004-gui-wizard-gtk-Fix-a-segfault-and-memory-leak.patch
 Patch4: 0005-gui-wizard-gtk-Fix-segfault.patch
 Patch5: 0006-event_config-Null-autofree-pointers-before-returning.patch
 Patch6: 0007-gui-wizard-gtk-Don-t-autofree-URL-string.patch
+Patch7: 0008-rhbz-Fix-a-double-free-condition.patch
 
 BuildRequires: %{dbus_devel}
 BuildRequires: gtk3-devel
@@ -667,6 +668,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %endif
 
 %changelog
+* Tue Nov 3 2020 Matěj Grabovský - 2.14.0-12
+- Add fix for https://bugzilla.redhat.com/show_bug.cgi?id=1893595
+
 * Fri Oct 09 2020 Matěj Grabovský - 2.14.0-11
 - Add fix for https://bugzilla.redhat.com/show_bug.cgi?id=1882328
 