From 53fc725e4e7841dc2540d7a6109792f314749973 Mon Sep 17 00:00:00 2001
From: Tanish Yadav
Date: Tue, 4 Jun 2024 22:19:36 +0530
Subject: [PATCH] util-linux: su: fix use after free in run_shell
---
.../su-fix-use-after-free-in-run_shell.patch | 49 +++++++++++++++++++
srcpkgs/util-linux/template | 2 +-
2 files changed, 50 insertions(+), 1 deletion(-)
create mode 100644 srcpkgs/util-linux/patches/su-fix-use-after-free-in-run_shell.patch
diff --git a/srcpkgs/util-linux/patches/su-fix-use-after-free-in-run_shell.patch b/srcpkgs/util-linux/patches/su-fix-use-after-free-in-run_shell.patch
new file mode 100644
index 00000000000000..daf0f4a88b3883
--- /dev/null
+++ b/srcpkgs/util-linux/patches/su-fix-use-after-free-in-run_shell.patch
@@ -0,0 +1,49 @@
+From 4b2e6f5071a4c5beebbd9668d24dc05defc096d7 Mon Sep 17 00:00:00 2001
+From: Tanish Yadav
+Date: Tue, 5 Mar 2024 00:51:41 +0530
+Subject: [PATCH] su: fix use after free in run_shell
+
+Do not free tmp for non login branch as basename may return a pointer to
+some part of it.
+
+[kzak@redhat.com: - improve coding style of the function]
+
+Signed-off-by: Tanish Yadav
+Signed-off-by: Karel Zak
+---
+ login-utils/su-common.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/login-utils/su-common.c b/login-utils/su-common.c
+index 242b6ce4e..9bc023196 100644
+--- a/login-utils/su-common.c
++++ b/login-utils/su-common.c
+@@ -835,13 +835,14 @@ static void run_shell(
+ size_t n_args = 1 + su->fast_startup + 2 * ! !command + n_additional_args + 1;
+ const char **args = xcalloc(n_args, sizeof *args);
+ size_t argno = 1;
++ char *tmp;
+
+ DBG(MISC, ul_debug("starting shell [shell=%s, command=\"%s\"%s%s]",
+ shell, command,
+ su->simulate_login ? " login" : "",
+ su->fast_startup ? " fast-start" : ""));
++ tmp = xstrdup(shell);
+
+- char* tmp = xstrdup(shell);
+ if (su->simulate_login) {
+ char *arg0;
+ char *shell_basename;
+@@ -851,10 +852,8 @@ static void run_shell(
+ arg0[0] = '-';
+ strcpy(arg0 + 1, shell_basename);
+ args[0] = arg0;
+- } else {
+- args[0] = basename(tmp);
+- }
+- free(tmp);
++ } else
++ args[0] = basename(tmp);
+
+ if (su->fast_startup)
+ args[argno++] = "-f";
diff --git a/srcpkgs/util-linux/template b/srcpkgs/util-linux/template
index 64f262c25a4a59..cbd705736f93aa 100644
--- a/srcpkgs/util-linux/template
+++ b/srcpkgs/util-linux/template
@@ -2,7 +2,7 @@ # Keep this package sync with util-linux-common pkgname=util-linux version=2.39.3 -revision=2 +revision=3 build_style=gnu-configure configure_args="--exec-prefix=\${prefix} --enable-libuuid --disable-makeinstall-chown --enable-libblkid --enable-fsck --disable-rpath --enable-fs-paths-extra=/usr/sbin:/usr/bin
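Review bot: Nothing in the new code of the added su-common.c patch records why `tmp` is no longer released, so after the `} else` branch in its second hunk the allocation reads like a plain leak and invites a later cleanup to put `free(tmp);` back, which would restore the dangling `args[0]`. A comment above `tmp = xstrdup(shell);` would pin the lifetime rule, for example `/* args[0] may point into tmp (basename() result); tmp must stay allocated while args is in use */`. In the login branch `args[0]` is set to the separately allocated `arg0`, so the rule presumably only matters for the non-login path, but the line that assigns `shell_basename` falls between the two hunks and is not visible. run_shell begins and ends outside both hunks, so how long `args` is used after this point cannot be confirmed from here.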