1 files changed, 39 insertions, 0 deletions

diff --git a/gnu/packages/patches/atf-execute-with-shell.patch b/gnu/packages/patches/atf-execute-with-shell.patch
new file mode 100644
index 0000000000..bde4fb336a
--- /dev/null
+++ b/gnu/packages/patches/atf-execute-with-shell.patch
@@ -0,0 +1,39 @@
+Submitted here: https://github.com/freebsd/atf/pull/57
+
+From 098b66269b1cf1d944b8b214ceb7ce9febde3682 Mon Sep 17 00:00:00 2001
+From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
+Date: Mon, 29 Jan 2024 22:35:49 -0500
+Subject: [PATCH] Fix use after free in execute_with_shell.
+
+The temporary string returned by atf::env::get would be used outside
+its statement, which is invalid and cause undefined behavior.  Copy it
+to a local variable to avoid the issue.
+
+Fixes: https://github.com/freebsd/atf/issues/26
+Fixes: https://github.com/freebsd/kyua/issues/223
+
+Reported-by: Ruslan Bukin <br@bsdpad.com>
+---
+ atf-sh/atf-check.cpp | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/atf-sh/atf-check.cpp b/atf-sh/atf-check.cpp
+index 41f0b13..9d6f7a8 100644
+--- a/atf-sh/atf-check.cpp
++++ b/atf-sh/atf-check.cpp
+@@ -436,7 +436,9 @@ execute_with_shell(char* const* argv)
+     const std::string cmd = flatten_argv(argv);
+ 
+     const char* sh_argv[4];
+-    sh_argv[0] = atf::env::get("ATF_SHELL", ATF_SHELL).c_str();
++    const std::string shell = atf::env::get("ATF_SHELL", ATF_SHELL);
++
++    sh_argv[0] = shell.c_str();
+     sh_argv[1] = "-c";
+     sh_argv[2] = cmd.c_str();
+     sh_argv[3] = NULL;
+
+base-commit: 18eb8168b70a0f934b4824b6391b55ac0b2f4fdf
+-- 
+2.41.0
+