diff --git a/backport-Fix-lr_fastestmirror_prepare-Resource-leaks.patch b/backport-Fix-lr_fastestmirror_prepare-Resource-leaks.patch new file mode 100644 index 0000000000000000000000000000000000000000..3da1c9a6a2469af66f44a3e72556031eca117557 --- /dev/null +++ b/backport-Fix-lr_fastestmirror_prepare-Resource-leaks.patch @@ -0,0 +1,32 @@ +From 9e9b29a8447403890bea6586804206e1060c27d1 Mon Sep 17 00:00:00 2001 +From: Jaroslav Rohel +Date: Thu, 6 May 2021 17:34:16 +0200 +Subject: [PATCH] Fix: lr_fastestmirror_prepare: Resource leaks + +--- + librepo/fastestmirror.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/librepo/fastestmirror.c b/librepo/fastestmirror.c +index afa1f22..348483a 100644 +--- a/librepo/fastestmirror.c ++++ b/librepo/fastestmirror.c +@@ -352,6 +352,7 @@ lr_fastestmirror_prepare(LrHandle *handle, + g_set_error(err, LR_FASTESTMIRROR_ERROR, LRE_CURL, + "curl_easy_setopt(_, CURLOPT_URL, %s) failed: %s", + url, curl_easy_strerror(curlcode)); ++ curl_easy_cleanup(curlh); + ret = FALSE; + break; + } +@@ -361,6 +362,7 @@ lr_fastestmirror_prepare(LrHandle *handle, + g_set_error(err, LR_FASTESTMIRROR_ERROR, LRE_CURL, + "curl_easy_setopt(_, CURLOPT_CONNECT_ONLY, 1) failed: %s", + curl_easy_strerror(curlcode)); ++ curl_easy_cleanup(curlh); + ret = FALSE; + break; + } +-- +1.8.3.1 + diff --git a/backport-Fix-lr_get_curl_handle-Check-curl_easy-handle-before.patch b/backport-Fix-lr_get_curl_handle-Check-curl_easy-handle-before.patch new file mode 100644 index 0000000000000000000000000000000000000000..036a2a763098bb462fc13a41fa304868ec82f9b4 --- /dev/null +++ b/backport-Fix-lr_get_curl_handle-Check-curl_easy-handle-before.patch @@ -0,0 +1,26 @@ +From f889cdba3b71eec66c3f9756b11b709f74f8b388 Mon Sep 17 00:00:00 2001 +From: Jaroslav Rohel +Date: Thu, 6 May 2021 17:54:11 +0200 +Subject: [PATCH] Fix: lr_get_curl_handle: Check curl_easy handle before use + +--- + librepo/handle.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/librepo/handle.c b/librepo/handle.c +index d59aad9..8db9c16 100644 +--- a/librepo/handle.c ++++ b/librepo/handle.c +@@ -56,6 +56,9 @@ lr_get_curl_handle() + lr_global_init(); + + h = curl_easy_init(); ++ if (!h) ++ return NULL; ++ + curl_easy_setopt(h, CURLOPT_FOLLOWLOCATION, 1); + curl_easy_setopt(h, CURLOPT_MAXREDIRS, 6); + curl_easy_setopt(h, CURLOPT_CONNECTTIMEOUT, LRO_CONNECTTIMEOUT_DEFAULT); +-- +1.8.3.1 + diff --git a/backport-Fix-memory-leaks.patch b/backport-Fix-memory-leaks.patch new file mode 100644 index 0000000000000000000000000000000000000000..7cb9488703222531306b770a8992d616ea892e35 --- /dev/null +++ b/backport-Fix-memory-leaks.patch @@ -0,0 +1,44 @@ +From 2e905e313c80a2b6b187a3b3e831e2e291f9a1eb Mon Sep 17 00:00:00 2001 +From: Jaroslav Rohel +Date: Tue, 23 Mar 2021 19:31:51 +0100 +Subject: [PATCH] Fix: memory leaks + +--- + librepo/metadata_downloader.c | 1 + + librepo/yum.c | 2 ++ + 2 files changed, 3 insertions(+) + +diff --git a/librepo/metadata_downloader.c b/librepo/metadata_downloader.c +index fa05cc1..be6fe68 100644 +--- a/librepo/metadata_downloader.c ++++ b/librepo/metadata_downloader.c +@@ -307,6 +307,7 @@ create_repomd_xml_download_targets(GSList *targets, + + (*fd_list) = appendFdValue((*fd_list), fd); + (*paths) = appendPath((*paths), path); ++ lr_free(path); + } + } + +diff --git a/librepo/yum.c b/librepo/yum.c +index 4198d4a..7a26a8b 100644 +--- a/librepo/yum.c ++++ b/librepo/yum.c +@@ -875,12 +875,14 @@ error_handling(GSList *targets, GError **dest_error, GError *src_error) + target->err, + NULL); + } else { ++ char *tmp = error_summary; + error_summary = g_strconcat(error_summary, + "; ", + target->path, + " - ", + target->err, + NULL); ++ g_free(tmp); + } + } + +-- +1.8.3.1 + diff --git a/backport-Remove-may-be-used-uninitialized-compiler-warnings.patch b/backport-Remove-may-be-used-uninitialized-compiler-warnings.patch new file mode 100644 index 0000000000000000000000000000000000000000..8ba169e70cdecb44984fe02978ea8f62b0868fd3 --- /dev/null +++ b/backport-Remove-may-be-used-uninitialized-compiler-warnings.patch @@ -0,0 +1,56 @@ +From ac36c6a4269f25878b838825590e37c3bdcd67c8 Mon Sep 17 00:00:00 2001 +From: Jaroslav Rohel +Date: Thu, 6 May 2021 18:16:38 +0200 +Subject: [PATCH] Remove "may be used uninitialized" compiler warnings + +warning: 'path' may be used uninitialized in this function + [-Wmaybe-uninitialized] + +warning: 'file_basename' may be used uninitialized in this function + [-Wmaybe-uninitialized] +--- + librepo/handle.c | 6 ++---- + librepo/package_downloader.c | 3 +-- + 2 files changed, 3 insertions(+), 6 deletions(-) + +diff --git a/librepo/handle.c b/librepo/handle.c +index c44ec61..8ac7234 100644 +--- a/librepo/handle.c ++++ b/librepo/handle.c +@@ -905,8 +905,7 @@ lr_handle_prepare_mirrorlist(LrHandle *handle, gchar *localpath, GError **err) + return TRUE; + } else if (localpath && !handle->mirrorlisturl) { + // Just try to use mirrorlist of the local repository +- _cleanup_free_ gchar *path; +- path = lr_pathconcat(localpath, "mirrorlist", NULL); ++ _cleanup_free_ gchar *path = lr_pathconcat(localpath, "mirrorlist", NULL); + + if (g_file_test(path, G_FILE_TEST_IS_REGULAR)) { + g_debug("%s: Local mirrorlist found at %s", __func__, path); +@@ -1021,8 +1020,7 @@ lr_handle_prepare_metalink(LrHandle *handle, gchar *localpath, GError **err) + return TRUE; + } else if (localpath && !handle->metalinkurl) { + // Just try to use metalink of the local repository +- _cleanup_free_ gchar *path; +- path = lr_pathconcat(localpath, "metalink.xml", NULL); ++ _cleanup_free_ gchar *path = lr_pathconcat(localpath, "metalink.xml", NULL); + + if (g_file_test(path, G_FILE_TEST_IS_REGULAR)) { + g_debug("%s: Local metalink.xml found at %s", __func__, path); +diff --git a/librepo/package_downloader.c b/librepo/package_downloader.c +index 509f2a0..adea459 100644 +--- a/librepo/package_downloader.c ++++ b/librepo/package_downloader.c +@@ -547,8 +547,7 @@ lr_check_packages(GSList *targets, + if (packagetarget->dest) { + if (g_file_test(packagetarget->dest, G_FILE_TEST_IS_DIR)) { + // Dir specified +- _cleanup_free_ gchar *file_basename; +- file_basename = g_path_get_basename(packagetarget->relative_url); ++ _cleanup_free_ gchar *file_basename = g_path_get_basename(packagetarget->relative_url); + + local_path = g_build_filename(packagetarget->dest, + file_basename, +-- +1.8.3.1 + diff --git a/backport-lr_get_curl_handle-Strict-check-of-curl_easy_setopt-.patch b/backport-lr_get_curl_handle-Strict-check-of-curl_easy_setopt-.patch new file mode 100644 index 0000000000000000000000000000000000000000..b1b0b95830f1685edba9ec1d53c84fbd79bd466a --- /dev/null +++ b/backport-lr_get_curl_handle-Strict-check-of-curl_easy_setopt-.patch @@ -0,0 +1,57 @@ +From bb7b40faae33b3b764429267df0f7c26c9f468b1 Mon Sep 17 00:00:00 2001 +From: Jaroslav Rohel +Date: Thu, 6 May 2021 17:59:00 +0200 +Subject: [PATCH] lr_get_curl_handle: Strict check of `curl_easy_setopt` return + code + +--- + librepo/handle.c | 31 ++++++++++++++++++++++++---------- + 1 file changed, 22 insertions(+), 9 deletions(-) + +diff --git a/librepo/handle.c b/librepo/handle.c +index 8db9c16..c44ec61 100644 +--- a/librepo/handle.c ++++ b/librepo/handle.c +@@ -59,17 +59,30 @@ lr_get_curl_handle() + if (!h) + return NULL; + +- curl_easy_setopt(h, CURLOPT_FOLLOWLOCATION, 1); +- curl_easy_setopt(h, CURLOPT_MAXREDIRS, 6); +- curl_easy_setopt(h, CURLOPT_CONNECTTIMEOUT, LRO_CONNECTTIMEOUT_DEFAULT); +- curl_easy_setopt(h, CURLOPT_LOW_SPEED_TIME, LRO_LOWSPEEDTIME_DEFAULT); +- curl_easy_setopt(h, CURLOPT_LOW_SPEED_LIMIT, LRO_LOWSPEEDLIMIT_DEFAULT); +- curl_easy_setopt(h, CURLOPT_SSL_VERIFYHOST, 2); +- curl_easy_setopt(h, CURLOPT_SSL_VERIFYPEER, 1); +- curl_easy_setopt(h, CURLOPT_FTP_USE_EPSV, LRO_FTPUSEEPSV_DEFAULT); +- curl_easy_setopt(h, CURLOPT_FILETIME, 0); ++ if (curl_easy_setopt(h, CURLOPT_FOLLOWLOCATION, 1) != CURLE_OK) ++ goto err; ++ if (curl_easy_setopt(h, CURLOPT_MAXREDIRS, 6) != CURLE_OK) ++ goto err; ++ if (curl_easy_setopt(h, CURLOPT_CONNECTTIMEOUT, LRO_CONNECTTIMEOUT_DEFAULT) != CURLE_OK) ++ goto err; ++ if (curl_easy_setopt(h, CURLOPT_LOW_SPEED_TIME, LRO_LOWSPEEDTIME_DEFAULT) != CURLE_OK) ++ goto err; ++ if (curl_easy_setopt(h, CURLOPT_LOW_SPEED_LIMIT, LRO_LOWSPEEDLIMIT_DEFAULT) != CURLE_OK) ++ goto err; ++ if (curl_easy_setopt(h, CURLOPT_SSL_VERIFYHOST, 2) != CURLE_OK) ++ goto err; ++ if (curl_easy_setopt(h, CURLOPT_SSL_VERIFYPEER, 1) != CURLE_OK) ++ goto err; ++ if (curl_easy_setopt(h, CURLOPT_FTP_USE_EPSV, LRO_FTPUSEEPSV_DEFAULT) != CURLE_OK) ++ goto err; ++ if (curl_easy_setopt(h, CURLOPT_FILETIME, 0) != CURLE_OK) ++ goto err; + + return h; ++ ++err: ++ curl_easy_cleanup(h); ++ return NULL; + } + + void +-- +1.8.3.1 + diff --git a/librepo.spec b/librepo.spec index 3f7c1bef4fa140a0c8e43b50c1fbc4f7636c9049..9a707ab1ae5c25acc2985dcb408c6272f31ceb85 100644 --- a/librepo.spec +++ b/librepo.spec @@ -8,13 +8,18 @@ Name: librepo Version: 1.12.0 -Release: 2 +Release: 3 Summary: Repodata downloading library License: LGPLv2+ URL: https://github.com/rpm-software-management/librepo Source0: %{url}/archive/%{version}/%{name}-%{version}.tar.gz Patch0: backport-CVE-2020-14352-Validate-path-read-from-repomd.xml.patch +Patch1: backport-Fix-memory-leaks.patch +Patch2: backport-Fix-lr_fastestmirror_prepare-Resource-leaks.patch +Patch3: backport-Fix-lr_get_curl_handle-Check-curl_easy-handle-before.patch +Patch4: backport-lr_get_curl_handle-Strict-check-of-curl_easy_setopt-.patch +Patch5: backport-Remove-may-be-used-uninitialized-compiler-warnings.patch BuildRequires: cmake check-devel doxygen pkgconfig(glib-2.0) gcc BuildRequires: libcurl-devel >= %{libcurl_version} pkgconfig(libxml-2.0) @@ -129,6 +134,17 @@ popd %endif %changelog +* Sat May 29 2021 fuanan - 1.12.0-3 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:[add] backport patches from upstream + Fix:memory leaks + Fix:lr_fastestmirror_prepare:Resource leaks + Fix:lr_get_curl_handle:Check curl_easy handle before use + lr_get_curl_handle:Strict check of curl_easy_setopt return code + Remove "may be used uninitialized" compiler warnings + * Mon Jan 25 2021 fuanan - 1.12.0-2 - fix CVE-2020-14352