1 files changed, 48 insertions, 0 deletions

diff --git a/time-Fix-use-after-free-in-getdate.patch b/time-Fix-use-after-free-in-getdate.patch
new file mode 100644
index 0000000..c007d80
--- /dev/null
+++ b/time-Fix-use-after-free-in-getdate.patch
@@ -0,0 +1,48 @@
+From 85e6d8b4175fcb195011a0a1bad37d6f3b2355db Mon Sep 17 00:00:00 2001
+From: Arjun Shankar <arjun@redhat.com>
+Date: Tue, 6 Jun 2023 19:20:31 +0200
+Subject: [PATCH] time: Fix use-after-free in getdate
+
+getdate would free the buffer pointed to by the result of its call to
+strptime, then reference the same buffer later on -- leading to a
+use-after-free.  This commit fixes that.
+
+Reported-by: Martin Coufal <mcoufal@redhat.com>
+Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+---
+ time/getdate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/time/getdate.c b/time/getdate.c
+index 1dcbd77188..ca058394a3 100644
+--- a/time/getdate.c
++++ b/time/getdate.c
+@@ -114,6 +114,7 @@ __getdate_r (const char *string, struct tm *tp)
+   struct tm tm;
+   struct __stat64_t64 st;
+   bool mday_ok = false;
++  bool found = false;
+ 
+   datemsk = getenv ("DATEMSK");
+   if (datemsk == NULL || *datemsk == '\0')
+@@ -181,7 +182,7 @@ __getdate_r (const char *string, struct tm *tp)
+       tp->tm_gmtoff = 0;
+       tp->tm_zone = NULL;
+       result = strptime (string, line, tp);
+-      if (result && *result == '\0')
++      if ((found = (result && *result == '\0')))
+ 	break;
+     }
+   while (!__feof_unlocked (fp));
+@@ -201,7 +202,7 @@ __getdate_r (const char *string, struct tm *tp)
+   /* Close template file.  */
+   fclose (fp);
+ 
+-  if (result == NULL || *result != '\0')
++  if (!found)
+     return 7;
+ 
+   /* Get current time.  */
+-- 
+2.33.0
+