From ae3d2d234ae47ff85229d3fce97a266fa1aa5a61 Mon Sep 17 00:00:00 2001
|
|
From: Michal Domonkos <mdomonko@redhat.com>
|
|
Date: Fri, 7 Jan 2022 13:57:24 +0100
|
|
Subject: [PATCH] Fix use-after-free in haveSignature()
|
|
|
|
pgpPrtParams() may leave sig2 unchanged and if we're not in the very
|
|
first iteration of the while() loop, we could pass a freed pointer to
|
|
pgpDigParamsCmp(). Fix by setting it to NULL after freeing.
|
|
|
|
Found by Coverity, after commit bd36c5d (subkey binding validation),
|
|
although note that the commit didn't introduce this bug; it just seems
|
|
to have been a false negative that got "fixed" by the changes in
|
|
pgpPrtParams() in that commit.
|
|
---
|
|
sign/rpmgensig.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
|
|
index d8c84e9..e88f9b7 100644
|
|
--- a/sign/rpmgensig.c
|
|
+++ b/sign/rpmgensig.c
|
|
@@ -364,7 +364,7 @@ static int haveSignature(rpmtd sigtd, Header h)
|
|
pgpPrtParams(oldtd.data, oldtd.count, PGPTAG_SIGNATURE, &sig2);
|
|
if (pgpDigParamsCmp(sig1, sig2) == 0)
|
|
rc = 1;
|
|
- pgpDigParamsFree(sig2);
|
|
+ sig2 = pgpDigParamsFree(sig2);
|
|
}
|
|
pgpDigParamsFree(sig1);
|
|
rpmtdFreeData(&oldtd);
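Review bot: The return value of `pgpPrtParams()` inside the loop is still ignored, so when it leaves sig2 unchanged the next line now calls `pgpDigParamsCmp(sig1, sig2)` with a NULL sig2 instead of a freed pointer. That removes the use-after-free, but it is safe only if pgpDigParamsCmp() tolerates NULL arguments, which this hunk does not show. Checking the parse result makes the dependency explicit, assuming a zero return means success: `if (pgpPrtParams(oldtd.data, oldtd.count, PGPTAG_SIGNATURE, &sig2) == 0 && pgpDigParamsCmp(sig1, sig2) == 0)`. The fix also relies on pgpDigParamsFree() returning NULL, as the commit message implies, so a short comment such as `/* reset: pgpPrtParams() may not touch sig2 on failure */` on the changed line would keep a later cleanup from reverting it. haveSignature() starts and ends outside the hunk.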
|
|
--
|
|
1.8.3.1
|
|
|