Diffstat (limited to 'backport-Fix-use-after-free-in-haveSignature.patch')
-rw-r--r--backport-Fix-use-after-free-in-haveSignature.patch33
1 files changed, 33 insertions, 0 deletions
diff --git a/backport-Fix-use-after-free-in-haveSignature.patch b/backport-Fix-use-after-free-in-haveSignature.patch
new file mode 100644
index 0000000..869d0d3
--- /dev/null
+++ b/backport-Fix-use-after-free-in-haveSignature.patch
@@ -0,0 +1,33 @@
+From ae3d2d234ae47ff85229d3fce97a266fa1aa5a61 Mon Sep 17 00:00:00 2001
+From: Michal Domonkos <mdomonko@redhat.com>
+Date: Fri, 7 Jan 2022 13:57:24 +0100
+Subject: [PATCH] Fix use-after-free in haveSignature()
+
+pgpPrtParams() may leave sig2 unchanged and if we're not in the very
+first iteration of the while() loop, we could pass a freed pointer to
+pgpDigParamsCmp(). Fix by setting it to NULL after freeing.
+
+Found by Coverity, after commit bd36c5d (subkey binding validation),
+although note that the commit didn't introduce this bug; it just seems
+to have been a false negative that got "fixed" by the changes in
+pgpPrtParams() in that commit.
+---
+ sign/rpmgensig.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
+index d8c84e9..e88f9b7 100644
+--- a/sign/rpmgensig.c
++++ b/sign/rpmgensig.c
+@@ -364,7 +364,7 @@ static int haveSignature(rpmtd sigtd, Header h)
+ pgpPrtParams(oldtd.data, oldtd.count, PGPTAG_SIGNATURE, &sig2);
+ if (pgpDigParamsCmp(sig1, sig2) == 0)
+ rc = 1;
+- pgpDigParamsFree(sig2);
++ sig2 = pgpDigParamsFree(sig2);
+ }
+ pgpDigParamsFree(sig1);
+ rpmtdFreeData(&oldtd);
+--
+1.8.3.1
+
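Review bot: The reset on the nested hunk's added line `sig2 = pgpDigParamsFree(sig2);` removes the stale pointer, but in the very case the commit message describes (pgpPrtParams() leaving sig2 untouched on a later iteration) the next call becomes pgpDigParamsCmp(sig1, NULL), so the fix now relies on pgpDigParamsCmp() tolerating a NULL argument, which nothing in this hunk shows. The return value of pgpPrtParams() on the preceding context line is still discarded; if it follows the 0-on-success convention, guarding the comparison would make the intent explicit and stop depending on NULL handling elsewhere: `if (pgpPrtParams(oldtd.data, oldtd.count, PGPTAG_SIGNATURE, &sig2) == 0 && pgpDigParamsCmp(sig1, sig2) == 0)`. The inner hunk's leading indentation looks stripped in this rendering; if the stored patch file really lacks it, it will not apply cleanly to sign/rpmgensig.c and should be re-exported from the upstream commit. haveSignature() begins and ends outside the nested hunk, so sig2's initialisation before the loop cannot be checked here.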