Accepting request 1062028 from home:qzhao:branches:devel:tools

Add pkgconf-CVE-2023-24056.patch: Backport commit 628b2b2baf from upstream, test for, and stop string processing, on truncation (bsc#1207394 CVE-2023-24056). OBS-URL: https://build.opensuse.org/request/show/1062028 OBS-URL: https://build.opensuse.org/package/show/devel:tools/pkgconf?expand=0&rev=26
2023-01-30 12:44:21 +00:00 · 2023-01-30 12:44:21 +00:00 · 10f0d517c1
commit 10f0d517c1
parent 517f858857
3 changed files with 63 additions and 1 deletions
--- a/pkgconf-CVE-2023-24056.patch
+++ b/pkgconf-CVE-2023-24056.patch
@ -0,0 +1,53 @@
+diff -Nura pkgconf-1.8.0/libpkgconf/tuple.c pkgconf-1.8.0_new/libpkgconf/tuple.c
+--- pkgconf-1.8.0/libpkgconf/tuple.c	2021-03-18 20:15:16.000000000 +0800
+++ pkgconf-1.8.0_new/libpkgconf/tuple.c	2023-01-30 16:07:40.750297141 +0800
+@@ -293,12 +293,23 @@
+ 				}
+ 			}
+ 
+                        PKGCONF_TRACE(client, "lookup tuple %s", varname);
+
+                        size_t remain = PKGCONF_BUFSIZE - (bptr - buf);
+ 			ptr += (pptr - ptr);
+ 			kv = pkgconf_tuple_find_global(client, varname);
+ 			if (kv != NULL)
+ 			{
+-				strncpy(bptr, kv, PKGCONF_BUFSIZE - (bptr - buf));
+-				bptr += strlen(kv);
+                       	        size_t nlen = pkgconf_strlcpy(bptr, kv, remain);
+				if (nlen > remain)
+				{
+					pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
+
+					bptr = buf + (PKGCONF_BUFSIZE - 1);
+					break;
+				}
+
+				bptr += nlen;
+ 			}
+ 			else
+ 			{
+@@ -306,12 +317,20 @@
+ 
+ 				if (kv != NULL)
+ 				{
+                                        size_t nlen;
+
+ 					parsekv = pkgconf_tuple_parse(client, vars, kv);
+                                        nlen = pkgconf_strlcpy(bptr, parsekv, remain);
+					free(parsekv);
+ 
+-					strncpy(bptr, parsekv, PKGCONF_BUFSIZE - (bptr - buf));
+-					bptr += strlen(parsekv);
+                                        if (nlen > remain)
+                                        {
+                                                pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
+                                                bptr = buf + (PKGCONF_BUFSIZE - 1);
+                                                break;
+                                        }
+ 
+-					free(parsekv);
+                                        bptr += nlen;
+ 				}
+ 			}
+ 		}
--- a/pkgconf.changes
+++ b/pkgconf.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Sun Jan 29 09:26:47 UTC 2023 - Cliff Zhao <qzhao@suse.com>
+
+- Add pkgconf-CVE-2023-24056.patch: Backport commit 628b2b2baf from
+  upstream, test for, and stop string processing, on truncation
+  (bsc#1207394 CVE-2023-24056). 
+
 -------------------------------------------------------------------
 Mon Aug 23 09:18:29 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>

--- a/pkgconf.spec
+++ b/pkgconf.spec
@ -1,7 +1,7 @@
 #
 # spec file for package pkgconf
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 # Copyright (c) 2020 Neal Gompa <ngompa13@gmail.com>.
 #
 # All modifications and additions to the file contributed by third parties
@ -54,6 +54,8 @@ URL:            http://pkgconf.org/
 Source0:        https://distfiles.dereferenced.org/%{name}/%{name}-%{version}.tar.xz
 # Simple wrapper script to offer platform versions of pkgconfig from Fedora
 Source1:        platform-pkg-config.in
+# PATCH-FIX-UPSTREAM pkgconf-CVE-2023-24056.patch bsc#1207394 CVE-2023-24056 qzhao@suse.com -- Backport commit 628b2b2baf from upstream, test for, and stop string processing, on truncation.
+Patch0:         pkgconf-CVE-2023-24056.patch
 # For regenerating autotools scripts
 BuildRequires:  autoconf
 BuildRequires:  automake