From 4d6a9a10dd7d849dbd09ab46d0dc6db633563b8b Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 12 2021 13:25:25 +0000
Subject: import certmonger-0.78.4-16.el7_9
---
diff --git a/SOURCES/0033-Fix-file-descriptor-leak-when-executing-CA-helpers.patch b/SOURCES/0033-Fix-file-descriptor-leak-when-executing-CA-helpers.patch
new file mode 100644
index 0000000..5133ace
--- /dev/null
+++ b/SOURCES/0033-Fix-file-descriptor-leak-when-executing-CA-helpers.patch
@@ -0,0 +1,37 @@
+From b4c090d2e12956a2df6157592839936adf4024f4 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Thu, 12 Aug 2021 16:26:09 -0400
+Subject: [PATCH] Fix file descriptor leak when executing CA helpers
+
+cm_cadata_start_generic() creates a pipe. One half is passed
+to fetch(), the function that does all helper calls,
+via the cm_cadata_state variable ret. The other half is the
+reader and is used to detect execution errors. There is a pair
+of write/read on this descriptor which on error would be the
+errno.
+
+This second half wasn't being closed after reading to test for
+errors.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1992439
+
+Signed-off-by: Rob Crittenden
+---
+ src/cadata.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/cadata.c b/src/cadata.c
+index cb9c13e2..c2764d3b 100644
+--- a/src/cadata.c
++++ b/src/cadata.c
+@@ -773,6 +773,7 @@ cm_cadata_start_generic(struct cm_store_ca *ca, const char *op,
+ ca->cm_ca_external_helper, strerror(u));
+ /* return the state so the process can be reaped */
+ }
++ close(error_fd[0]);
+ return ret;
+ }
+
+--
+2.26.3
+
diff --git a/SPECS/certmonger.spec b/SPECS/certmonger.spec
index 3b4f8c3..d8d8f8f 100644
--- a/SPECS/certmonger.spec
+++ b/SPECS/certmonger.spec
@@ -26,7 +26,7 @@ Name: certmonger
 Version: 0.78.4
-Release: 15%{?dist}
+Release: 16%{?dist}
 Summary: Certificate status monitor and PKI enrollment client
 Group: System Environment/Daemons
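Review bot: The added `close(error_fd[0]);` in the backported src/cadata.c hunk runs only on the fall-through path to `return ret;`, so whether the read end of the pipe is also released on any earlier exit of cm_cadata_start_generic() (for example a failed pipe() or fork()) cannot be judged from this hunk, because the function's body starts well before it; those paths should be checked in src/cadata.c before treating the leak as fully closed. The comment on the preceding context line suggests the error branch falls through rather than returning, which is consistent with the close being reached on both the success and the child-error path, but that is inferred, not visible. In a long-running daemon each helper invocation that skips the close consumes one descriptor until RLIMIT_NOFILE is reached, after which every further helper run fails, so any remaining early exit still matters operationally. A short comment on the new line would record the ownership decision, e.g. `/* our copy of the read end; the child keeps its own, so close it here or each helper run leaks one fd */`.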
@@ -68,6 +68,7 @@ Patch0029: 0029-Document-R-N-o-in-dogtag-ipa-renew-agent-submit.patch
 Patch0030: 0030-Ensure-that-files-read-in-have-a-trailing-new-line.patch
 Patch0031: 0031-Include-message-CA-IDENT-with-GetCACaps-and-GetCACer.patch
 Patch0032: 0032-Don-t-report-a-spurious-error-if-no-SCEP-pkiMessage-.patch
+Patch0033: 0033-Fix-file-descriptor-leak-when-executing-CA-helpers.patch
 Patch1001: 1001-Remove-rekey-feature.patch
 Patch1002: 1002-Fix-CA-option-name-for-ipa-cert-request.patch
@@ -288,6 +289,9 @@ exit 0
 %endif
 %changelog
+* Mon Sep 20 2021 Rob Crittenden - 0.78.4-16
+- Fix file descriptor leak when executing CA helpers (#1992439)
+
 * Wed Jun 09 2021 Rob Crittenden - 0.78.4-15
 - Don't report spurious error if no SCEP pkiMessage is ready yet (#1969854)