diff options
Diffstat (limited to 'sys-apps/util-linux/files/util-linux-2.39.3-fix-use-after-free.patch')
-rw-r--r-- | sys-apps/util-linux/files/util-linux-2.39.3-fix-use-after-free.patch | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/sys-apps/util-linux/files/util-linux-2.39.3-fix-use-after-free.patch b/sys-apps/util-linux/files/util-linux-2.39.3-fix-use-after-free.patch new file mode 100644 index 000000000000..6ebbd0a430f7 --- /dev/null +++ b/sys-apps/util-linux/files/util-linux-2.39.3-fix-use-after-free.patch @@ -0,0 +1,52 @@ +https://bugs.gentoo.org/928396 +https://github.com/util-linux/util-linux/commit/4b2e6f5071a4c5beebbd9668d24dc05defc096d7 + +From 4b2e6f5071a4c5beebbd9668d24dc05defc096d7 Mon Sep 17 00:00:00 2001 +From: Tanish Yadav <devtany@gmail.com> +Date: Tue, 5 Mar 2024 00:51:41 +0530 +Subject: [PATCH] su: fix use after free in run_shell + +Do not free tmp for non login branch as basename may return a pointer to +some part of it. + +[kzak@redhat.com: - improve coding style of the function] + +Signed-off-by: Tanish Yadav <devtany@gmail.com> +Signed-off-by: Karel Zak <kzak@redhat.com> +--- + login-utils/su-common.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/login-utils/su-common.c b/login-utils/su-common.c +index 242b6ce4ea..9bc0231961 100644 +--- a/login-utils/su-common.c ++++ b/login-utils/su-common.c +@@ -835,13 +835,14 @@ static void run_shell( + size_t n_args = 1 + su->fast_startup + 2 * ! !command + n_additional_args + 1; + const char **args = xcalloc(n_args, sizeof *args); + size_t argno = 1; ++ char *tmp; + + DBG(MISC, ul_debug("starting shell [shell=%s, command=\"%s\"%s%s]", + shell, command, + su->simulate_login ? " login" : "", + su->fast_startup ? " fast-start" : "")); ++ tmp = xstrdup(shell); + +- char* tmp = xstrdup(shell); + if (su->simulate_login) { + char *arg0; + char *shell_basename; +@@ -851,10 +852,8 @@ static void run_shell( + arg0[0] = '-'; + strcpy(arg0 + 1, shell_basename); + args[0] = arg0; +- } else { +- args[0] = basename(tmp); +- } +- free(tmp); ++ } else ++ args[0] = basename(tmp); + + if (su->fast_startup) + args[argno++] = "-f"; |