diff --git a/0010-Fix-reported-SAST-findings.patch b/0010-Fix-reported-SAST-findings.patch new file mode 100644 index 0000000..791ff29 --- /dev/null +++ b/0010-Fix-reported-SAST-findings.patch @@ -0,0 +1,63 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Leo Sandoval +Date: Wed, 24 Jul 2024 12:17:12 -0600 +Subject: [PATCH] Fix reported SAST findings + +- efi/console.c: Initialize pointer + + "Error: UNINIT (CWE-457): + syslinux-6.04-pre1/efi/console.c:242: var_decl: Declaring variable ""first"" without initializer. + syslinux-6.04-pre1/efi/console.c:271: uninit_use: Using uninitialized value ""first"". + + "Error: UNINIT (CWE-457): + syslinux-6.04-pre1/efi/console.c:242: var_decl: Declaring variable ""first"" without initializer. + syslinux-6.04-pre1/efi/console.c:282: uninit_use: Using uninitialized value ""first"". + 280| } + 281| + 282|-> if (!first) + 283| goto out; + 284| rv = 1;" + +- xfs_dir2.c: return NULL instead of a freed pointer + + Error: USE_AFTER_FREE (CWE-416): + syslinux-6.04-pre1/core/fs/xfs/xfs_dir2.c:521: freed_arg: "free" frees "ip". [Note: The source code implementation of the function has been overridden by a builtin model.] + syslinux-6.04-pre1/core/fs/xfs/xfs_dir2.c:523: use_after_free: Using freed pointer "ip". + # 521| free(ip); + # 522| + # 523|-> return ip; + # 524| } + # 525| + +Signed-off-by: Leo Sandoval +--- + core/fs/xfs/xfs_dir2.c | 2 +- + efi/console.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/core/fs/xfs/xfs_dir2.c b/core/fs/xfs/xfs_dir2.c +index 2f5928a5..e73e45f1 100644 +--- a/core/fs/xfs/xfs_dir2.c ++++ b/core/fs/xfs/xfs_dir2.c +@@ -520,7 +520,7 @@ found: + failed: + free(ip); + +- return ip; ++ return NULL; + } + + static xfs_fsblock_t +diff --git a/efi/console.c b/efi/console.c +index d7ed0b4a..206a8131 100644 +--- a/efi/console.c ++++ b/efi/console.c +@@ -239,7 +239,7 @@ struct _EFI_UGA_DRAW_PROTOCOL { + + static int setup_uga(struct screen_info *si) + { +- EFI_UGA_DRAW_PROTOCOL *uga, *first; ++ EFI_UGA_DRAW_PROTOCOL *uga, *first = NULL; + EFI_GUID UgaProtocol = EFI_UGA_PROTOCOL_GUID; + UINT32 width, height; + EFI_STATUS status; diff --git a/syslinux.spec b/syslinux.spec index 183dfb4..98c4fcf 100644 --- a/syslinux.spec +++ b/syslinux.spec @@ -10,7 +10,7 @@ Summary: Simple kernel loader which boots from a FAT filesystem Name: syslinux Version: 6.04 %define tarball_version 6.04-pre1 -Release: 0.30%{?dist} +Release: 0.31%{?dist} License: GPL-2.0-or-later URL: http://syslinux.zytor.com/wiki/index.php/The_Syslinux_Project Source0: http://www.kernel.org/pub/linux/utils/boot/syslinux/%{name}-%{tarball_version}.tar.xz @@ -23,6 +23,7 @@ Patch0006: 0006-Replace-builtin-strlen-that-appears-to-get-optimized.patch Patch0007: 0007-Fix-backspace-when-editing-a-multiline-cmdline.patch Patch0008: 0008-Fix-build-with-GCC-14.patch Patch0009: 0009-Rewrite_Digest_SHA1_to_SHA.patch +Patch0010: 0010-Fix-reported-SAST-findings.patch # this is to keep rpmbuild from thinking the .c32 / .com / .0 / memdisk files # in noarch packages are a reason to stop the build. @@ -262,6 +263,10 @@ fi %endif %changelog +* Wed Feb 19 2025 Leo Sandoval - 6.04-0.31 +- Fix true positives SAST findings +- Resolves: #RHEL-51170 + * Tue Oct 29 2024 Troy Dawson - 6.04-0.30 - Bump release for October 2024 mass rebuild: Resolves: RHEL-64018