Sync from SUSE:SLFO:Main patch revision 9750df08e7199381709ad94ff1299094

CVE-2019-20633.patch

@@ -0,0 +1,25 @@
+commit a09d9519a57e84d8e2ad592fbba09e8a9faf55f8
+Author: Wolfgang Frisch <wolfgang.frisch@suse.com>
+Date:   Tue Jul 30 14:17:32 2024 +0200
+
+    Fix double-free/OOB read in pch.c (CVE-2019-20633)
+    
+    see also: https://savannah.gnu.org/bugs/index.php?56683#comment1
+
+diff --git a/src/pch.c b/src/pch.c
+index fd9c480..57c76de 100644
+--- a/src/pch.c
++++ b/src/pch.c
+@@ -1183,8 +1183,11 @@ another_hunk (enum diff difftype, bool rev)
+     while (p_end >= 0) {
+ 	if (p_end == p_efake)
+ 	    p_end = p_bfake;		/* don't free twice */
+-	else
++	else {
+ 	    free(p_line[p_end]);
++	    p_line[p_end] = NULL;
++	    p_len[p_end] = 0;
++	}
+ 	p_end--;
+     }
+     assert(p_end == -1);

patch.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Tue Jul 30 12:19:54 UTC 2024 - Wolfgang Frisch <wolfgang.frisch@suse.com>
+
+- CVE-2019-20633.patch: Fix double-free/OOB read in pch.c (bsc#1167721)
+
 -------------------------------------------------------------------
 Tue May 24 14:16:43 UTC 2022 - Stephan Kulow <coolo@suse.com>
 

patch.spec

@@ -40,6 +40,7 @@ Patch10:        fix-swapping-fake-lines-in-pch_swap.patch
 Patch11:        abort-when-cleaning-up-fails.patch
 Patch12:        dont-follow-symlinks-unless-asked.patch
 Patch13:        pass-the-correct-stat-to-backup-files.patch
+Patch14:        CVE-2019-20633.patch
 # See bnc#662957. The fix for CVE-2010-4651 breaks the way interdiff was
 # invoking patch, so interdiff had to be fixed too.
 Conflicts:      patchutils < 0.3.2
@@ -67,6 +68,7 @@ changed files (generated by the diff command) to the original files.
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
+%patch14 -p1
 
 %build
 export CFLAGS="%{optflags} -Wall -O2 -pipe"