Fix OpenScanHub findings

Resolves: RHEL-22604 Resolves: RHEL-22605
2024-07-11 13:32:57 +02:00 · 2024-07-11 13:32:57 +02:00 · e0ff81088a
commit e0ff81088a
parent 19aad8075d
3 changed files with 50 additions and 0 deletions
--- a/0001-Fix-potential-use-of-uninitialized-pgp-struct.patch
+++ b/0001-Fix-potential-use-of-uninitialized-pgp-struct.patch
@ -0,0 +1,12 @@
+diff -up rpm-4.16.1.3/lib/rpmts.c.orig rpm-4.16.1.3/lib/rpmts.c
+--- rpm-4.16.1.3/lib/rpmts.c.orig	2024-07-11 13:55:35.430198126 +0200
+++ rpm-4.16.1.3/lib/rpmts.c	2024-07-11 13:55:59.243061182 +0200
+@@ -482,6 +482,8 @@ static int makePubkeyHeader(rpmts ts, rp
+     int rc = -1;
+     int i;
+ 
+    memset(&kd, 0, sizeof(kd));
+
+     if ((enc = rpmPubkeyBase64(key)) == NULL)
+ 	goto exit;
+     if ((dig = rpmPubkeyDig(key)) == NULL)
--- a/0001-Fix-potential-use-of-uninitialized-pipe-array.patch
+++ b/0001-Fix-potential-use-of-uninitialized-pipe-array.patch
@ -0,0 +1,32 @@
+From bff65aad8af719542c7b0c6429e09223c014a909 Mon Sep 17 00:00:00 2001
+From: Michal Domonkos <mdomonko@redhat.com>
+Date: Thu, 6 Jun 2024 09:15:02 +0200
+Subject: [PATCH] Fix potential use of uninitialized pipe array
+
+We only call pipe(2) after the script is written to disk so if the
+latter fails, the array will be left uninitialized and subsequently read
+after skipping to the exit label.  Fix by initializing it.
+
+Found by Coverity.
+
+Fixes: RHEL-22604
+---
+ lib/rpmscript.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/rpmscript.c b/lib/rpmscript.c
+index 281c55c53..1de4acf8e 100644
+--- a/lib/rpmscript.c
+++ b/lib/rpmscript.c
+@@ -316,7 +316,7 @@ static rpmRC runExtScript(rpmPlugins plugins, ARGV_const_t prefixes,
+     char * fn = NULL;
+     pid_t pid, reaped;
+     int status;
+-    int inpipe[2];
+    int inpipe[2] = { -1, -1 };
+     FILE *in = NULL;
+     const char *line;
+     char *mline = NULL;
+-- 
+2.45.2
+
--- a/rpm.spec
+++ b/rpm.spec
@ -110,6 +110,8 @@ Patch141: 0001-Fix-a-copy-paste-help-description-of-whatconflicts-R.patch
 Patch142: 0001-Expose-and-document-rpmdb-verifydb-operation.patch
 Patch143: 0001-Don-t-segfault-on-missing-priority-tag.patch
 Patch144: 0001-Use-unsigned-integers-for-buildtime-too-for-Y2K38-sa.patch
+Patch145: 0001-Fix-potential-use-of-uninitialized-pipe-array.patch
+Patch146: 0001-Fix-potential-use-of-uninitialized-pgp-struct.patch

 # These are not yet upstream
 Patch906: rpm-4.7.1-geode-i686.patch
@ -659,6 +661,10 @@ fi
 %doc doc/librpm/html/*

 %changelog
+* Thu Jul 11 2024 Michal Domonkos <mdomonko@redhat.com> - 4.16.1.3-31
+- Fix potential use of uninitialized pipe array (RHEL-22604)
+- Fix potential use of uninitialized pgp struct (RHEL-22605)
+
 * Mon Jun 03 2024 Michal Domonkos <mdomonko@redhat.com> - 4.16.1.3-30
 - Don't segfault on missing priority tag (RHEL-35249)
 - Use unsigned integers for buildtime too for Y2K38 safety (RHEL-22602)