From 443474e208c2749cfdbae081ecdfd0d7aa4f354f Mon Sep 17 00:00:00 2001
From: Florian Festi
Date: Nov 16 2023 08:40:03 +0000
Subject: Fix short circuiting of versions in expressions
Resolves: RHEL-15688
---
diff --git a/0001-Fix-short-circuiting-of-version-strings-in-expressio.patch b/0001-Fix-short-circuiting-of-version-strings-in-expressio.patch
new file mode 100644
index 0000000..e06709a
--- /dev/null
+++ b/0001-Fix-short-circuiting-of-version-strings-in-expressio.patch
@@ -0,0 +1,50 @@
+From 321933f060896f721e361a1c8a8d3731bdcee827 Mon Sep 17 00:00:00 2001
+From: Michael Schroeder
+Date: Wed, 22 Jun 2022 14:07:01 +0200
+Subject: [PATCH] Fix short circuiting of version strings in expressions
+
+We use an empty string when discarding a value due to short circuiting, but
+an empty string is not allowed for versions. So use "0" in that case.
+
+Fixes: #1883
+---
+ rpmio/expression.c | 2 +-
+ tests/rpmmacro.at | 2 ++
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/rpmio/expression.c b/rpmio/expression.c
+index a389a04d5..98a44bbdb 100644
+--- a/rpmio/expression.c
++++ b/rpmio/expression.c
+@@ -477,7 +477,7 @@ static int rdToken(ParseState state)
+ if (qtok == TOK_STRING) {
+ v = valueMakeString(temp);
+ } else {
+- v = valueMakeVersion(temp);
++ v = valueMakeVersion(state->flags & RPMEXPR_DISCARD ? "0" : temp);
+ free(temp); /* version doesn't take ownership of the string */
+ if (v == 0) {
+ exprErr(state, _("invalid version"), p+1);
+diff --git a/tests/rpmmacro.at b/tests/rpmmacro.at
+index d1490b4d9..c4376d49e 100644
+--- a/tests/rpmmacro.at
++++ b/tests/rpmmacro.at
+@@ -533,6 +533,7 @@ runroot rpm \
+ --eval '%["%{aaa}"]' \
+ --eval '%[%{?ccc}]' \
+ --eval '%[v"1:2.3-4"]' \
++ --eval '%[v"0" && v"0"]' \
+ ]],
+ [0],
+ [4096
+@@ -542,6 +543,7 @@ runroot rpm \
+ 5
+ 0
+ 1:2.3-4
++0
+ ],
+ [])
+ AT_CLEANUP
+--
+2.41.0
+
diff --git a/rpm.spec b/rpm.spec
index 59207c1..72bdddc 100644
--- a/rpm.spec
+++ b/rpm.spec
@@ -32,7 +32,7 @@ %global rpmver 4.16.1.3 #global snapver rc1 -%global rel 26 +%global rel 27 %global sover 9 %global srcver %{rpmver}%{?snapver:-%{snapver}} @@ -101,6 +101,8 @@ Patch128: 0001-Pass-file-descriptor-to-file-prepare-plugin-hook-use.patch Patch129: 0001-Swap-over-to-dirfd-basename-based-operation-within-t.patch Patch130: 0001-Use-file-state-machine-from-rpm-4.19.patch +Patch131: 0001-Fix-short-circuiting-of-version-strings-in-expressio.patch + # These are not yet upstream Patch906: rpm-4.7.1-geode-i686.patch # Probably to be upstreamed in slightly different form @@ -649,6 +651,9 @@ fi %doc doc/librpm/html/* %changelog +* Thu 16 Nov 2023 Florian Festi - 4.16.1.3-27 +- Fix short circuiting of version strings in expressions (RHEL-15688) + * Fri Nov 10 2023 Florian Festi - 4.16.1.3-26 - Backport file handling code from rpm-4.19 to fix CVE-2021-35937, CVE-2021-35938 and CVE-2021-35939
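Review bot: The new changelog header `* Thu 16 Nov 2023 Florian Festi - 4.16.1.3-27` puts the day before the month, while the entry directly below it uses `* Fri Nov 10 2023`, the weekday-month-day-year order that rpm's %changelog parser expects. As written, the date is likely to be rejected as a bad %changelog date when the spec is parsed, so the build meant to deliver the RHEL-15688 fix may fail. The header should read `* Thu Nov 16 2023 Florian Festi - 4.16.1.3-27`.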