From ae3d2d234ae47ff85229d3fce97a266fa1aa5a61 Mon Sep 17 00:00:00 2001
From: Michal Domonkos <mdomonko@redhat.com>
Date: Fri, 7 Jan 2022 13:57:24 +0100
Subject: [PATCH] Fix use-after-free in haveSignature()

pgpPrtParams() may leave sig2 unchanged and if we're not in the very
first iteration of the while() loop, we could pass a freed pointer to
pgpDigParamsCmp().  Fix by setting it to NULL after freeing.

Found by Coverity, after commit bd36c5d (subkey binding validation),
although note that the commit didn't introduce this bug; it just seems
to have been a false negative that got "fixed" by the changes in
pgpPrtParams() in that commit.
---
 sign/rpmgensig.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
index d8c84e9..e88f9b7 100644
--- a/sign/rpmgensig.c
+++ b/sign/rpmgensig.c
@@ -364,7 +364,7 @@ static int haveSignature(rpmtd sigtd, Header h)
 	pgpPrtParams(oldtd.data, oldtd.count, PGPTAG_SIGNATURE, &sig2);
 	if (pgpDigParamsCmp(sig1, sig2) == 0)
 	    rc = 1;
-	pgpDigParamsFree(sig2);
+	sig2 = pgpDigParamsFree(sig2);
     }
     pgpDigParamsFree(sig1);
     rpmtdFreeData(&oldtd);
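Review bot: The return value of pgpPrtParams() on the first context line of the hunk is still ignored, so when parsing of the old signature fails sig2 now stays NULL (instead of the previous iteration's freed pointer) and pgpDigParamsCmp(sig1, sig2) on the next line is reached with a NULL second argument; whether pgpDigParamsCmp() tolerates that, and what it returns for it, is not visible here. Guarding the comparison on a successful parse removes the question entirely: `if (pgpPrtParams(oldtd.data, oldtd.count, PGPTAG_SIGNATURE, &sig2) == 0 && pgpDigParamsCmp(sig1, sig2) == 0)`. The assignment on the `+` line relies on pgpDigParamsFree() returning NULL, which it does in this codebase, so the use-after-free described in the commit message is closed by the change as is. haveSignature() starts and ends outside the hunk, so how sig2 is initialised before the loop and how rc is consumed afterwards cannot be checked from this view.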
-- 
1.8.3.1