commit a7eb2444380ca2ef17cb0aada805b6304259baec
Author: overweight <5324761+overweight@user.noreply.gitee.com>
Date: Mon Sep 30 10:55:13 2019 -0400
Package init
diff --git a/CVE-2019-3817-Fix-UAF-in-comps_objmrtree_unite-function.patch b/CVE-2019-3817-Fix-UAF-in-comps_objmrtree_unite-function.patch
new file mode 100644
index 0000000..5c10c2e
--- /dev/null
+++ b/CVE-2019-3817-Fix-UAF-in-comps_objmrtree_unite-function.patch
@@ -0,0 +1,91 @@
+From e3a5d056633677959ad924a51758876d415e7046 Mon Sep 17 00:00:00 2001
+From: Riccardo Schirone
+Date: Mon, 21 Jan 2019 18:11:42 +0100
+Subject: [PATCH] Fix UAF in comps_objmrtree_unite function
+
+The added field is not used at all in many places and it is probably the
+left-over of some copy-paste.
+
+Signed-off-by: root
+---
+ libcomps/src/comps_mradix.c | 2 --
+ libcomps/src/comps_objmradix.c | 2 --
+ libcomps/src/comps_objradix.c | 2 --
+ libcomps/src/comps_radix.c | 1 -
+ 4 files changed, 7 deletions(-)
+
+diff --git a/libcomps/src/comps_mradix.c b/libcomps/src/comps_mradix.c
+index 8ef9640..dfdee8e 100644
+--- a/libcomps/src/comps_mradix.c
++++ b/libcomps/src/comps_mradix.c
+@@ -177,7 +177,6 @@ void comps_mrtree_unite(COMPS_MRTree *rt1, COMPS_MRTree *rt2) {
+ struct Pair {
+ COMPS_HSList * subnodes;
+ char * key;
+- char added;
+ } *pair, *parent_pair;
+
+ pair = malloc(sizeof(struct Pair));
+@@ -195,7 +194,6 @@ void comps_mrtree_unite(COMPS_MRTree *rt1, COMPS_MRTree *rt2) {
+ parent_pair = (struct Pair*) it->data;
+ free(it);
+
+- pair->added = 0;
+ for (it = tmp_subnodes->first; it != NULL; it=it->next) {
+ pair = malloc(sizeof(struct Pair));
+ pair->subnodes = ((COMPS_MRTreeData*)it->data)->subnodes;
+diff --git a/libcomps/src/comps_objmradix.c b/libcomps/src/comps_objmradix.c
+index 9a2038b..22ad262 100644
+--- a/libcomps/src/comps_objmradix.c
++++ b/libcomps/src/comps_objmradix.c
+@@ -285,7 +285,6 @@ void comps_objmrtree_unite(COMPS_ObjMRTree *rt1, COMPS_ObjMRTree *rt2) {
+ struct Pair {
+ COMPS_HSList * subnodes;
+ char * key;
+- char added;
+ } *pair, *parent_pair;
+
+ pair = malloc(sizeof(struct Pair));
+@@ -303,7 +302,6 @@ void comps_objmrtree_unite(COMPS_ObjMRTree *rt1, COMPS_ObjMRTree *rt2) {
+ parent_pair = (struct Pair*) it->data;
+ free(it);
+
+- pair->added = 0;
+ for (it = tmp_subnodes->first; it != NULL; it=it->next) {
+ pair = malloc(sizeof(struct Pair));
+ pair->subnodes = ((COMPS_ObjMRTreeData*)it->data)->subnodes;
+diff --git a/libcomps/src/comps_objradix.c b/libcomps/src/comps_objradix.c
+index c657b75..840592a 100644
+--- a/libcomps/src/comps_objradix.c
++++ b/libcomps/src/comps_objradix.c
+@@ -692,7 +692,6 @@ void comps_objrtree_unite(COMPS_ObjRTree *rt1, COMPS_ObjRTree *rt2) {
+ struct Pair {
+ COMPS_HSList * subnodes;
+ char * key;
+- char added;
+ } *pair, *parent_pair;
+
+ pair = malloc(sizeof(struct Pair));
+@@ -711,7 +711,6 @@ void comps_objrtree_unite(COMPS_ObjRTree *rt1, COMPS_ObjRTree *rt2) {
+ //printf("key-part:%s\n", parent_pair->key);
+ free(it);
+
+- //pair->added = 0;
+ for (it = tmp_subnodes->first; it != NULL; it=it->next) {
+ pair = malloc(sizeof(struct Pair));
+ pair->subnodes = ((COMPS_ObjRTreeData*)it->data)->subnodes;
+diff --git a/libcomps/src/comps_radix.c b/libcomps/src/comps_radix.c
+index ada4fda..05dcaf2 100644
+--- a/libcomps/src/comps_radix.c
++++ b/libcomps/src/comps_radix.c
+@@ -529,7 +529,6 @@ void comps_rtree_unite(COMPS_RTree *rt1, COMPS_RTree *rt2) {
+ struct Pair {
+ COMPS_HSList * subnodes;
+ char * key;
+- char added;
+ } *pair, *parent_pair;
+
+ pair = malloc(sizeof(struct Pair));
+--
+2.19.1
+
diff --git a/libcomps-0.1.8.tar.gz b/libcomps-0.1.8.tar.gz
new file mode 100644
index 0000000..e8b73d4
Binary files /dev/null and b/libcomps-0.1.8.tar.gz differ
diff --git a/libcomps.spec b/libcomps.spec
new file mode 100644
index 0000000..30319b7
--- /dev/null
+++ b/libcomps.spec
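Review bot: The patch description never says which access is the use-after-free: the subject names comps_objmrtree_unite, but the body only calls the `added` field a copy-paste left-over. Across the four files the only executable statement removed is `pair->added = 0;` after `free(it)` in comps_mrtree_unite and comps_objmrtree_unite (comps_objradix.c already had it commented out, and comps_radix.c loses only the struct field), so that store is presumably the access being fixed. A sentence in the description naming that store, plus a `CVE: CVE-2019-3817` line, would make the backport auditable without relying on the file name. The context lines also show `pair = malloc(sizeof(struct Pair));` followed directly by `pair->subnodes = ...` with no NULL check, which the patch leaves unchanged; the function bodies start and end outside these hunks.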
@@ -0,0 +1,177 @@
+%define with_python2 1
+%define with_python3 1
+
+Name: libcomps
+Version: 0.1.8
+Release: 19
+Summary: Comps XML file manipulation library
+License: GPLv2+
+URL: https://github.com/rpm-software-management/libcomps
+Source0: %{url}/archive/%{name}-%{version}/%{name}-%{version}.tar.gz
+
+Patch6000: CVE-2019-3817-Fix-UAF-in-comps_objmrtree_unite-function.patch
+
+BuildRequires: gcc cmake zlib-devel libxml2-devel check-devel expat-devel
+
+%description
+Libcomps is library for structure-like manipulation with content of
+comps XML files. Supports read/write XML file, structure(s) modification.
+
+%package devel
+Summary: Development files for libcomps library
+Requires: %{name} = %{version}-%{release}
+%description devel
+Development files for libcomps library.
+
+%package help
+Summary: Documentation files for libcomps library
+Requires: %{name} = %{version}-%{release}
+BuildArch: noarch
+%if %{with_python2}
+BuildRequires: python2-sphinx
+%else
+BuildRequires: python3-sphinx
+%endif
+BuildRequires: doxygen
+
+%description help
+Documentation files for libcomps library and python bindings libcomps library.
+
+%if %{with_python2}
+%package -n python2-%{name}
+Summary: Python 2 bindings for libcomps library
+%{?python_provide:%python_provide python2-%{name}}
+BuildRequires: python2-devel
+Requires: %{name} = %{version}-%{release}
+%description -n python2-%{name}
+Python 2 bindings for libcomps library.
+%endif
+
+%if %{with_python3}
+%package -n python3-%{name}
+Summary: Python 3 bindings for libcomps library
+BuildRequires: python3-devel
+%{?python_provide:%python_provide python3-%{name}}
+Requires: %{name} = %{version}-%{release}
+Obsoletes: platform-python-%{name} < %{version}-%{release}
+%description -n python3-%{name}
+Python3 bindings for libcomps library.
+%endif
+
+%prep
+%autosetup -n %{name}-%{name}-%{version} -p1
+
+%build
+%if %{with_python2}
+mkdir build-py2
+pushd build-py2
+%cmake ../libcomps/ -DPYTHON_DESIRED:STRING=2
+%make_build
+popd
+%endif
+
+%if %{with_python2}
+mkdir build-py3
+pushd build-py3
+%cmake ../libcomps/ -DPYTHON_DESIRED:STRING=3
+%make_build
+popd
+%endif
+
+mkdir build-doc
+pushd build-doc
+%if %{with_python2}
+%cmake ../libcomps/ -DPYTHON_DESIRED:STRING=2
+%else
+%cmake ../libcomps/ -DPYTHON_DESIRED:STRING=3
+%endif
+make %{?_smp_mflags} docs
+make %{?_smp_mflags} pydocs
+popd
+
+%install
+%if %{with_python2}
+pushd build-py2
+%make_install
+popd
+%endif
+
+
+%if %{with_python3}
+pushd build-py3
+%make_install
+popd
+%endif
+
+%check
+%if %{with_python2}
+pushd build-py2
+make test
+make pytest
+popd
+%endif
+
+%if %{with_python3}
+pushd build-py3
+make test
+make pytest
+popd
+%endif
+
+%post -p /sbin/ldconfig
+%postun -p /sbin/ldconfig
+
+%files
+%license COPYING
+%doc README.md
+%{_libdir}/%{name}.so.*
+
+%files devel
+%{_libdir}/%{name}.so
+%{_includedir}/%{name}/
+
+%files help
+%doc build-doc/docs/libcomps-doc/html
+%doc build-doc/src/python/docs/html
+
+%if %{with_python2}
+%files -n python2-%{name}
+%{python2_sitearch}/%{name}/
+%endif
+
+%if %{with_python3}
+%files -n python3-%{name}
+%{python3_sitearch}/%{name}/
+%endif
+
+%changelog
+* Wed Sep 26 2019 openEuler Buildteam - 0.1.8-18
+- del requires
+
+* Tue Sep 24 2019 shenyangyang - 0.1.8-18
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:revise help package
+
+* Thu Aug 22 2019 openEuler Buildteam - 0.1.8-17
+- Type:NA
+- ID:NA
+- SUG:NA
+- DESC:rewrite spec file
+
+* Wed Aug 21 2019 Zhipeng Xie - 0.1.8-16
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:modify patch name
+
+* Mon Jun 3 2019 gaoyi - 0.1.8-15
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:CVE for libcomps
+ https://github.com/rpm-software-management/libcomps/commit/e3a5d056633677959ad924a51758876d415e7046
+
+* Fri Jul 13 2018 openEuler Buildteam - 0.1.8-14
+- Package init
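Review bot: In %build the second block is guarded by `%if %{with_python2}` yet it creates and builds `build-py3`, while %install and %check enter `build-py3` under `%if %{with_python3}`; the guard should read `%if %{with_python3}`. The mismatch is latent while both macros are 1, but with python2 switched off the Python 3 tree is never built and the later `pushd build-py3` fails. Separately, the 0.1.8-15 %changelog entry that brought in the security patch records `- ID:NA`, so an audit that searches changelogs for CVE identifiers will not see that CVE-2019-3817 is fixed; `- ID:CVE-2019-3817` would match the name of Patch6000. The newest entry is also stamped 0.1.8-18 while `Release:` is 19, and its date `Wed Sep 26 2019` does not agree with the commit's own `Mon Sep 30 2019`, which puts the 26th on a Thursday.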