fix findings from static application security testing (#RHEL-35578)

translation update (#RHEL-12111) Resolves: #RHEL-35578
2024-07-23 21:05:37 +02:00 · 2024-07-23 21:05:37 +02:00 · 177685d091
commit 177685d091
parent ff77ebb0f4
2 changed files with 55 additions and 10 deletions
--- a/0010-resource-leak.patch
+++ b/0010-resource-leak.patch
@ -0,0 +1,39 @@
+diff -up libuser-0.62/lib/user.c.orig libuser-0.62/lib/user.c
+--- libuser-0.62/lib/user.c.orig	2024-05-07 17:03:45.220514343 +0200
+++ libuser-0.62/lib/user.c	2024-05-07 17:05:17.855649386 +0200
+@@ -986,7 +986,10 @@ lu_dispatch(struct lu_context *context,
+ 	case user_default:
+ 	case group_default:
+ 		/* Make sure we have both name and boolean here. */
+-		g_return_val_if_fail(sdata != NULL, FALSE);
+		if (sdata == NULL) {
+			free(tmp);
+			return FALSE;
+		}
+ 		/* Run the checks and preps. */
+ 		if (run_list(context, context->create_module_names,
+ 			    logic_and, id,
+@@ -1065,7 +1068,10 @@ lu_dispatch(struct lu_context *context,
+ 	case user_setpass:
+ 	case group_setpass:
+ 		/* Make sure we have a valid password. */
+-		g_return_val_if_fail(sdata != NULL, FALSE);
+		if (sdata == NULL) {
+			free(tmp);
+			return FALSE;
+		}
+ 		/* no break: fall through */
+ 	case user_removepass:
+ 	case group_removepass:
+@@ -1094,7 +1100,10 @@ lu_dispatch(struct lu_context *context,
+ 	case users_enumerate_by_group:
+ 	case groups_enumerate_by_user:
+ 		/* Make sure we have both name and ID here. */
+-		g_return_val_if_fail(sdata != NULL, FALSE);
+		if (sdata == NULL) {
+			free(tmp);
+			return FALSE;
+		}
+ 		if (id == users_enumerate_by_group)
+ 			ldata = convert_group_name_to_id(context, sdata,
+ 							 error);
--- a/libuser.spec
+++ b/libuser.spec
@ -1,6 +1,6 @@
 Name: libuser
 Version: 0.62
-Release: 25%{?dist}
+Release: 26%{?dist}
 Group: System Environment/Base
 License: LGPLv2+
 URL: https://pagure.io/libuser
@ -42,6 +42,7 @@ Patch6: 0006-merge_ent_array_duplicates-Only-use-values-if-valid.patch
 Patch7: 0007-editing_open-close-fd-after-we-ve-established-its-va.patch
 Patch8: 0008-lgroupmod-Emit-AUDIT_GRP_CHAUTHTOK-not-AUDIT_GRP_MGM.patch
 Patch9: 0009-man-typo.patch
+Patch10: 0010-resource-leak.patch

 %description
 The libuser library implements a standardized interface for manipulating
@ -77,15 +78,16 @@ administering user and group accounts.
 %prep
 %setup -q -n libuser-%{version}

-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
-%patch7 -p1
-%patch8 -p1
-%patch9 -p1
+%patch -P 1 -p1
+%patch -P 2 -p1
+%patch -P 3 -p1
+%patch -P 4 -p1
+%patch -P 5 -p1
+%patch -P 6 -p1
+%patch -P 7 -p1
+%patch -P 8 -p1
+%patch -P 9 -p1
+%patch -P 10 -p1
 cp %{SOURCE1}  po/ja.po
 cp %{SOURCE2}  po/zh-Hans.po
 cp %{SOURCE3}  po/zh-Hant.po
@ -168,6 +170,10 @@ LC_ALL=C.UTF-8 python3 -c "import libuser"
 %{_datadir}/gtk-doc/html/*

 %changelog
+* Tue Jul 23 2024 Michal Hlavinka <mhlavink@redhat.com> - 0.62-26
+- fix findings from static application security testing (#RHEL-35578)
+- translation update (#RHEL-12111)
+
 * Tue Nov 29 2022 Tomas Halman <thalman@redhat.com> - 0.62-25
 - Man-page update
 - Resolves: rhbz#2070941 - small typo in lchage man page