From 56a300ba62b9066185dab413acb050786e98524e Mon Sep 17 00:00:00 2001 From: Panu Matilainen Date: Sep 07 2022 07:44:44 +0000 Subject: Fix buffer overrun on rpmdb queries involving ^ in version --- diff --git a/0001-Fix-buffer-overrun-from-commit-4420c78beb86cc6739227.patch b/0001-Fix-buffer-overrun-from-commit-4420c78beb86cc6739227.patch new file mode 100644 index 0000000..4010f59 --- /dev/null +++ b/0001-Fix-buffer-overrun-from-commit-4420c78beb86cc6739227.patch @@ -0,0 +1,28 @@ +From 19d73f67883c011cc74326a5dc34f7009efa60e1 Mon Sep 17 00:00:00 2001 +Message-Id: <19d73f67883c011cc74326a5dc34f7009efa60e1.1662536462.git.pmatilai@redhat.com> +From: Panu Matilainen +Date: Tue, 6 Sep 2022 13:15:44 +0300 +Subject: [PATCH] Fix buffer overrun from commit + 4420c78beb86cc67392274bf351478a3375626a2 + +The newly handled ^ needs to be accounted for when allocating memory. +Found when testing #1936, goes to show what a useful thing that is. +--- + lib/rpmdb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/lib/rpmdb.c b/lib/rpmdb.c +index fd2b0671a..b3c5da62d 100644 +--- a/lib/rpmdb.c ++++ b/lib/rpmdb.c +@@ -1107,6 +1107,7 @@ static char * mireDup(rpmTagVal tag, rpmMireMode *modep, + case '.': + case '+': + case '*': ++ case '^': + if (!brackets) nb++; + break; + case '\\': +-- +2.37.3 + diff --git a/rpm.spec b/rpm.spec index 0589b3d..bb0a908 100644 --- a/rpm.spec +++ b/rpm.spec @@ -30,7 +30,7 @@ %global rpmver 4.18.0 %global snapver rc1 -%global baserelease 2 +%global baserelease 3 %global sover 9 %global srcver %{rpmver}%{?snapver:-%{snapver}} @@ -56,6 +56,7 @@ Patch1: rpm-4.17.x-siteconfig.patch Patch3: rpm-4.9.90-no-man-dirs.patch # Patches already upstream: +Patch100: 0001-Fix-buffer-overrun-from-commit-4420c78beb86cc6739227.patch # These are not yet upstream Patch906: rpm-4.7.1-geode-i686.patch 
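Review bot: The added `case '^':` only restores agreement between the byte-counting switch at line 1107 of mireDup and the escaping pass that commit 4420c78beb86cc67392274bf351478a3375626a2 extended; nothing in the hunk keeps the two lists from drifting apart again, which is exactly how this overrun arose. A comment on the counting switch would at least flag the coupling, e.g. `/* Keep in sync with the escaping pass: every character expanded there must be counted here, or the buffer is undersized. */`; a single shared list of the characters that need escaping, consulted by both passes, would remove the hazard entirely. The message notes the overrun surfaced while testing #1936, so a regression query with `^` in the version is worth adding alongside the fix. mireDup starts before and ends after the hunk, so the escaping pass itself is not visible here.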
@@ -610,6 +611,9 @@ fi %doc docs/librpm/html/* %changelog +* Wed Sep 07 2022 Panu Matilainen - 4.18.0-0.rc1.3 +- Fix buffer overrun on rpmdb queries involving ^ in version + * Wed Sep 07 2022 Panu Matilainen - 4.18.0-0.rc1.2 - Break selinux-policy <-> rpm-plugin-selinux ordering loop (#1851266)