Fix buffer overrun on rpmdb queries involving ^ in version

2022-09-07 10:44:44 +03:00 · 2022-09-07 10:44:44 +03:00 · 56a300ba62
commit 56a300ba62
parent 480384be6c
2 changed files with 33 additions and 1 deletions
--- a/0001-Fix-buffer-overrun-from-commit-4420c78beb86cc6739227.patch
+++ b/0001-Fix-buffer-overrun-from-commit-4420c78beb86cc6739227.patch
@ -0,0 +1,28 @@
 From 19d73f67883c011cc74326a5dc34f7009efa60e1 Mon Sep 17 00:00:00 2001
 Message-Id: <19d73f67883c011cc74326a5dc34f7009efa60e1.1662536462.git.pmatilai@redhat.com>
 From: Panu Matilainen <pmatilai@redhat.com>
 Date: Tue, 6 Sep 2022 13:15:44 +0300
 Subject: [PATCH] Fix buffer overrun from commit
 4420c78beb86cc67392274bf351478a3375626a2
 The newly handled ^ needs to be accounted for when allocating memory.
 Found when testing #1936, goes to show what a useful thing that is.
 ---
 lib/rpmdb.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/lib/rpmdb.c b/lib/rpmdb.c
 index fd2b0671a..b3c5da62d 100644
 --- a/lib/rpmdb.c
 +++ b/lib/rpmdb.c
@@ -1107,6 +1107,7 @@ static char * mireDup(rpmTagVal tag, rpmMireMode *modep,
 	    case '.':
 	    case '+':
 	    case '*':
 +	    case '^':
 		if (!brackets) nb++;
 		break;
 	    case '\\':
 -- 
 2.37.3
--- a/rpm.spec
+++ b/rpm.spec
@ -30,7 +30,7 @@
 %global rpmver 4.18.0
 %global snapver rc1
-%global baserelease 2
+%global baserelease 3
 %global sover 9
 %global srcver %{rpmver}%{?snapver:-%{snapver}}
@ -56,6 +56,7 @@ Patch1: rpm-4.17.x-siteconfig.patch
 Patch3: rpm-4.9.90-no-man-dirs.patch
 # Patches already upstream:
 Patch100: 0001-Fix-buffer-overrun-from-commit-4420c78beb86cc6739227.patch
 # These are not yet upstream
 Patch906: rpm-4.7.1-geode-i686.patch
@ -610,6 +611,9 @@ fi
 %doc docs/librpm/html/*
 %changelog
 * Wed Sep 07 2022 Panu Matilainen <pmatilai@redhat.com> - 4.18.0-0.rc1.3
 - Fix buffer overrun on rpmdb queries involving ^ in version
 * Wed Sep 07 2022 Panu Matilainen <pmatilai@redhat.com> - 4.18.0-0.rc1.2
 - Break selinux-policy <-> rpm-plugin-selinux ordering loop (#1851266)