From fab3cacf81543ecea8b85068b3985d8e2966cd9b Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 03 2016 06:22:14 +0000 Subject: import openslp-2.0.0-6.el7
---
diff --git a/SOURCES/openslp-2.0.0-fortify-source-buffer-overflow.patch b/SOURCES/openslp-2.0.0-fortify-source-buffer-overflow.patch
new file mode 100644
index 0000000..0048606
--- /dev/null
+++ b/SOURCES/openslp-2.0.0-fortify-source-buffer-overflow.patch
@@ -0,0 +1,53 @@
+diff -up openslp-2.0.0/slpd/slpd_predicate.c.orig openslp-2.0.0/slpd/slpd_predicate.c
+--- openslp-2.0.0/slpd/slpd_predicate.c.orig 2012-12-11 00:31:53.000000000 +0100
++++ openslp-2.0.0/slpd/slpd_predicate.c 2015-01-14 13:17:45.115104003 +0100
+@@ -1425,6 +1425,8 @@ void freePredicateParseTree(SLPDPredicat
+ break;
+ }
+ pNextNode = pNode->next;
++ xfree(pNode->nodeBody.comparison.tag_str);
++ xfree(pNode->nodeBody.comparison.value_str);
+ xfree(pNode);
+ pNode = pNextNode;
+ }
+@@ -1643,26 +1645,28 @@ SLPDPredicateParseResult createPredicate
+ rhs = val_start;
+
+ /***** Create leaf node. *****/
+- *ppNode = (SLPDPredicateTreeNode *)xmalloc(sizeof (SLPDPredicateTreeNode) + lhs_len + rhs_len);
++ *ppNode = (SLPDPredicateTreeNode *)xmalloc(sizeof (SLPDPredicateTreeNode));
+ if (!(*ppNode))
+ return PREDICATE_PARSE_INTERNAL_ERROR;
+
++ (*ppNode)->nodeBody.comparison.tag_str = (char *)xmalloc((lhs_len+1) * sizeof(char));
++ if (!((*ppNode)->nodeBody.comparison.tag_str))
++ return PREDICATE_PARSE_INTERNAL_ERROR;
++
++ (*ppNode)->nodeBody.comparison.value_str = (char *)xmalloc((rhs_len+1) * sizeof(char));
++ if (!((*ppNode)->nodeBody.comparison.value_str))
++ return PREDICATE_PARSE_INTERNAL_ERROR;
++
+ (*ppNode)->nodeType = op;
+ (*ppNode)->next = (SLPDPredicateTreeNode *)0;
+
+- /* Finished with "operator" now - just use as temporary pointer to assist with copying the
+- * attribute name (lhs) and required value (rhs) into the node
+- */
+- operator = (*ppNode)->nodeBody.comparison.storage;
+- strncpy(operator, lhs, lhs_len);
+- operator[lhs_len] = '\0';
+ (*ppNode)->nodeBody.comparison.tag_len = lhs_len;
+- (*ppNode)->nodeBody.comparison.tag_str = operator;
+- operator += lhs_len + 1;
+- strncpy(operator, rhs, rhs_len);
+- operator[rhs_len] = '\0';
++ strncpy((*ppNode)->nodeBody.comparison.tag_str, lhs, lhs_len);
++ (*ppNode)->nodeBody.comparison.tag_str[lhs_len] = '\0';
++
+ (*ppNode)->nodeBody.comparison.value_len = rhs_len;
+- (*ppNode)->nodeBody.comparison.value_str = operator;
++ strncpy((*ppNode)->nodeBody.comparison.value_str, rhs, rhs_len);
++ (*ppNode)->nodeBody.comparison.value_str[rhs_len] = '\0';
+
+ return PREDICATE_PARSE_OK;
+ }
diff --git a/SPECS/openslp.spec b/SPECS/openslp.spec index 29e61dd..9560cda 100644 --- a/SPECS/openslp.spec +++ b/SPECS/openslp.spec @@ -1,6 +1,6 @@ Name: openslp Version: 2.0.0 -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 1 Summary: Open implementation of Service Location Protocol V2 @@ -18,6 +18,8 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) # Patch0: creates script from upstream init script that sets multicast # prior to the start of the service Patch0: openslp-2.0.0-multicast-set.patch +# Patch1: fixes buffer overflow, rhbz#1181474 +Patch1: openslp-2.0.0-fortify-source-buffer-overflow.patch BuildRequires: bison flex openssl-devel doxygen BuildRequires: automake libtool @@ -68,7 +70,8 @@ such applications. %prep %setup -q -%patch0 -p1 -b .orig +%patch0 -p1 -b .multicast-set +%patch1 -p1 -b .fortify-source-buffer-overflow %build @@ -149,6 +152,10 @@ rm -rf $RPM_BUILD_ROOT %changelog +* Tue Jun 28 2016 Vitezslav Crhonek - 1:2.0.0-6 +- Fix buffer overflow termination of slpd with -D_FORTIFY_SOURCE=2 + Resolves: #1181474 + * Fri Jan 24 2014 Daniel Mach - 1:2.0.0-5 - Mass rebuild 2014-01-24
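Review bot: In the `freePredicateParseTree` hunk of the new patch file, the two added `xfree` calls sit after the closing brace of the `switch` and so run for every node, not only for the leaf nodes whose `tag_str` and `value_str` are allocated in the second hunk. If `nodeBody` is a union shared with non-leaf node kinds (its definition is outside the hunk), those calls free fields that were never assigned for such nodes, which is an invalid free in slpd; the two calls belong in the branch that handles comparison nodes. The second hunk has a related gap: when either string allocation fails it returns `PREDICATE_PARSE_INTERNAL_ERROR` with `*ppNode` still pointing at a node whose `nodeType`, `next` and remaining pointer are unset, so a caller that frees the tree on error walks uninitialised memory and one that does not leaks the node. Both function bodies start and end outside the hunks shown; the fence sketches the allocation path with the fields set first and the partial node released on failure.

```c
/* … unchanged: xmalloc of *ppNode and its NULL check … */

/* Set the fields the free routine reads before anything else can fail. */
(*ppNode)->nodeType = op;
(*ppNode)->next = (SLPDPredicateTreeNode *)0;
(*ppNode)->nodeBody.comparison.tag_str = (char *)xmalloc(lhs_len + 1);
(*ppNode)->nodeBody.comparison.value_str = (char *)xmalloc(rhs_len + 1);

if (!(*ppNode)->nodeBody.comparison.tag_str
      || !(*ppNode)->nodeBody.comparison.value_str)
{
   /* Release the half-built leaf so the caller never receives it. */
   if ((*ppNode)->nodeBody.comparison.tag_str)
      xfree((*ppNode)->nodeBody.comparison.tag_str);
   if ((*ppNode)->nodeBody.comparison.value_str)
      xfree((*ppNode)->nodeBody.comparison.value_str);
   xfree(*ppNode);
   *ppNode = (SLPDPredicateTreeNode *)0;
   return PREDICATE_PARSE_INTERNAL_ERROR;
}

/* … unchanged: tag_len/value_len assignments and the two strncpy copies … */
```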