diff options
| author | Nicolas Graves <ngraves@ngraves.fr> | 2025-03-07 18:57:22 +0100 |
|---|---|---|
| committer | Zheng Junjie <z572@z572.online> | 2025-06-23 12:32:52 +0800 |
| commit | df77bafb7938e164b262031ac1fb4deb970624b0 (patch) | |
| tree | 6b54cea825aa86aace46faf2d59f281870c94a8e | |
| parent | 117de9378bc62963f56d4c5ec96f52792c0edbfc (diff) | |
gnu: libconfuse: Patch CVE-2022-40320.
* gnu/pacakges/patches/libconfuse-CVE-2022-40320.patch: Add file.
* gnu/packages/textutils.scm (libconfuse)[source]: Record patch.
* gnu/local.mk: Record patch.
Signed-off-by: Zheng Junjie <z572@z572.online>
| -rw-r--r-- | gnu/local.mk | 1 | ||||
| -rw-r--r-- | gnu/packages/patches/libconfuse-CVE-2022-40320.patch | 38 | ||||
| -rw-r--r-- | gnu/packages/textutils.scm | 4 |
3 files changed, 42 insertions, 1 deletions
diff --git a/gnu/local.mk b/gnu/local.mk index dcea2c3355..23eecc8a92 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1669,6 +1669,7 @@ dist_patch_DATA = \ %D%/packages/patches/julia-Use-MPFR-4.2.patch \ %D%/packages/patches/libcall-ui-make-it-installable.patch \ %D%/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch \ + %D%/packages/patches/libconfuse-CVE-2022-40320.patch \ %D%/packages/patches/libcss-check-format.patch \ %D%/packages/patches/libextractor-tidy-support.patch \ %D%/packages/patches/libftdi-fix-paths-when-FTDIPP-set.patch \ diff --git a/gnu/packages/patches/libconfuse-CVE-2022-40320.patch b/gnu/packages/patches/libconfuse-CVE-2022-40320.patch new file mode 100644 index 0000000000..5911f2d397 --- /dev/null +++ b/gnu/packages/patches/libconfuse-CVE-2022-40320.patch @@ -0,0 +1,38 @@ +[PATCH] Fix #163: unterminated username used with getpwnam() +Signed-off-by: Joachim Wiberg <troglobit@gmail.com> +--- + src/confuse.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/src/confuse.c b/src/confuse.c +index ce4fca8..060fae2 100644 +--- a/src/confuse.c ++++ b/src/confuse.c +@@ -1863,18 +1863,20 @@ DLLIMPORT char *cfg_tilde_expand(const char *filename) + passwd = getpwuid(geteuid()); + file = filename + 1; + } else { +- /* ~user or ~user/path */ +- char *user; ++ char *user; /* ~user or ~user/path */ ++ size_t len; + + file = strchr(filename, '/'); + if (file == 0) + file = filename + strlen(filename); + +- user = malloc(file - filename); ++ len = file - filename - 1; ++ user = malloc(len + 1); + if (!user) + return NULL; + +- strncpy(user, filename + 1, file - filename - 1); ++ strncpy(user, &filename[1], len); ++ user[len] = 0; + passwd = getpwnam(user); + free(user); + } +-- +2.48.1 + diff --git a/gnu/packages/textutils.scm b/gnu/packages/textutils.scm index 41c7890e04..3ae191664c 100644 --- a/gnu/packages/textutils.scm +++ b/gnu/packages/textutils.scm @@ -281,7 +281,9 @@ encoding, supporting Unicode version 9.0.0.") "releases/download/v" version "/confuse-" version ".tar.xz")) (sha256 - (base32 "043hqqykpprgrkw9s2hbdlxr308a7yxwsgxj4m8aadg1401hmm8x")))) + (base32 "043hqqykpprgrkw9s2hbdlxr308a7yxwsgxj4m8aadg1401hmm8x")) + (patches + (search-patches "libconfuse-CVE-2022-40320.patch")))) (build-system gnu-build-system) (arguments '(#:configure-flags '("--disable-static"))) |