1 files changed, 158 insertions, 0 deletions
diff --git a/meta/recipes-extended/libsolv/libsolv/0005-Fix-Memory-leaks.patch b/meta/recipes-extended/libsolv/libsolv/0005-Fix-Memory-leaks.patch
new file mode 100644
index 0000000000..85398a82ec
--- /dev/null
+++ b/meta/recipes-extended/libsolv/libsolv/0005-Fix-Memory-leaks.patch
@@ -0,0 +1,158 @@
+From 6c99f33252d8bf8ff3e49013b8ad78aacf71c5d8 Mon Sep 17 00:00:00 2001
+From: Jaroslav Rohel <jrohel@redhat.com>
+Date: Tue, 11 Dec 2018 10:14:04 +0100
+Subject: [PATCH] Fix: Memory leaks
+Reply-To: muislam@microsoft.com
+CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
+Upstream-Status: Backport
+Signed-off-by: Muminul Islam <muislam@microsoft.com>
+Cherry picked from  https://github.com/openSUSE/libsolv/pull/291/commits
+---
+ ext/repo_rpmdb.c  | 16 ++++++++++++++++
+ ext/testcase.c    |  4 ++++
+ tools/repo2solv.c |  1 +
+ 3 files changed, 21 insertions(+)
+diff --git a/ext/repo_rpmdb.c b/ext/repo_rpmdb.c
+index 75bb6780..ff939978 100644
+--- a/ext/repo_rpmdb.c
+++ b/ext/repo_rpmdb.c
+@@ -1939,6 +1939,8 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+   if (fread(lead, 96 + 16, 1, fp) != 1 || getu32(lead) != 0xedabeedb)
+     {
+       pool_error(pool, -1, "%s: not a rpm", rpm);
+      solv_chksum_free(leadsigchksumh, NULL);
+      solv_chksum_free(chksumh, NULL);
+       fclose(fp);
+       return 0;
+     }
+@@ -1951,12 +1953,16 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+   if (lead[78] != 0 || lead[79] != 5)
+     {
+       pool_error(pool, -1, "%s: not a rpm v5 header", rpm);
+      solv_chksum_free(leadsigchksumh, NULL);
+      solv_chksum_free(chksumh, NULL);
+       fclose(fp);
+       return 0;
+     }
+   if (getu32(lead + 96) != 0x8eade801)
+     {
+       pool_error(pool, -1, "%s: bad signature header", rpm);
+      solv_chksum_free(leadsigchksumh, NULL);
+      solv_chksum_free(chksumh, NULL);
+       fclose(fp);
+       return 0;
+     }
+@@ -1965,6 +1971,8 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+   if (sigcnt >= MAX_SIG_CNT || sigdsize >= MAX_SIG_DSIZE)
+     {
+       pool_error(pool, -1, "%s: bad signature header", rpm);
+      solv_chksum_free(leadsigchksumh, NULL);
+      solv_chksum_free(chksumh, NULL);
+       fclose(fp);
+       return 0;
+     }
+@@ -1975,6 +1983,8 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+     {
+       if (!headfromfp(&state, rpm, fp, lead + 96, sigcnt, sigdsize, sigpad, chksumh, leadsigchksumh))
+        {
+      solv_chksum_free(leadsigchksumh, NULL);
+      solv_chksum_free(chksumh, NULL);
+          fclose(fp);
+          return 0;
+        }
+@@ -2014,6 +2024,8 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+          if (fread(lead, l, 1, fp) != 1)
+            {
+              pool_error(pool, -1, "%s: unexpected EOF", rpm);
+          solv_chksum_free(leadsigchksumh, NULL);
+          solv_chksum_free(chksumh, NULL);
+              fclose(fp);
+              return 0;
+            }
+@@ -2034,6 +2046,7 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+   if (fread(lead, 16, 1, fp) != 1)
+     {
+       pool_error(pool, -1, "%s: unexpected EOF", rpm);
+      solv_chksum_free(chksumh, NULL);
+       fclose(fp);
+       return 0;
+     }
+@@ -2042,6 +2055,7 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+   if (getu32(lead) != 0x8eade801)
+     {
+       pool_error(pool, -1, "%s: bad header", rpm);
+      solv_chksum_free(chksumh, NULL);
+       fclose(fp);
+       return 0;
+     }
+@@ -2050,6 +2064,7 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+   if (sigcnt >= MAX_HDR_CNT || sigdsize >= MAX_HDR_DSIZE)
+     {
+       pool_error(pool, -1, "%s: bad header", rpm);
+      solv_chksum_free(chksumh, NULL);
+       fclose(fp);
+       return 0;
+     }
+@@ -2057,6 +2072,7 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)
+ 
+   if (!headfromfp(&state, rpm, fp, lead, sigcnt, sigdsize, 0, chksumh, 0))
+     {
+      solv_chksum_free(chksumh, NULL);
+       fclose(fp);
+       return 0;
+     }
+diff --git a/ext/testcase.c b/ext/testcase.c
+index aa72a8d7..3901d90d 100644
+--- a/ext/testcase.c
+++ b/ext/testcase.c
+@@ -2348,6 +2348,7 @@ testcase_write_mangled(Solver *solv, const char *dir, int resultflags, const cha
+          if (fclose(fp))
+            {
+              pool_error(solv->pool, 0, "testcase_write: write error");
+             solv_free(result);
+              strqueue_free(&sq);
+              return 0;
+            }
+@@ -2360,12 +2361,14 @@ testcase_write_mangled(Solver *solv, const char *dir, int resultflags, const cha
+   if (!(fp = fopen(out, "w")))
+     {
+       pool_error(solv->pool, 0, "testcase_write: could not open '%s' for writing", out);
+      solv_free(cmd);
+       strqueue_free(&sq);
+       return 0;
+     }
+   if (*cmd && fwrite(cmd, strlen(cmd), 1, fp) != 1)
+     {
+       pool_error(solv->pool, 0, "testcase_write: write error");
+      solv_free(cmd);
+       strqueue_free(&sq);
+       fclose(fp);
+       return 0;
+@@ -2373,6 +2376,7 @@ testcase_write_mangled(Solver *solv, const char *dir, int resultflags, const cha
+   if (fclose(fp))
+     {
+       pool_error(solv->pool, 0, "testcase_write: write error");
+      solv_free(cmd);
+       strqueue_free(&sq);
+       return 0;
+     }
+diff --git a/tools/repo2solv.c b/tools/repo2solv.c
+index e055e408..30a41f42 100644
+--- a/tools/repo2solv.c
+++ b/tools/repo2solv.c
+@@ -208,6 +208,7 @@ read_plaindir_repo(Repo *repo, const char *dir)
+        repodata_set_location(data, p, 0, 0, bp[0] == '.' && bp[1] == '/' ? bp + 2 : bp);
+       solv_free(rpm);
+     }
+  solv_free(buf);
+   fclose(fp);
+   while (waitpid(pid, &wstatus, 0) == -1)
+     {
+-- 
+2.23.0

diff --git a/meta/recipes-extended/libsolv/libsolv/0005-Fix-Memory-leaks.patch b/meta/recipes-extended/libsolv/libsolv/0005-Fix-Memory-leaks.patch new file mode 100644 index 0000000000..85398a82ec --- /dev/null +++ b/meta/recipes-extended/libsolv/libsolv/0005-Fix-Memory-leaks.patch
@@ -0,0 +1,158 @@
	1	From 6c99f33252d8bf8ff3e49013b8ad78aacf71c5d8 Mon Sep 17 00:00:00 2001
	2	From: Jaroslav Rohel <jrohel@redhat.com>
	3	Date: Tue, 11 Dec 2018 10:14:04 +0100
	4	Subject: [PATCH] Fix: Memory leaks
	5	Reply-To: muislam@microsoft.com
	6
	7	CVE: CVE-2018-20532 CVE-2018-20533 CVE-2018-20534
	8
	9	Upstream-Status: Backport
	10
	11	Signed-off-by: Muminul Islam <muislam@microsoft.com>
	12
	13	Cherry picked from https://github.com/openSUSE/libsolv/pull/291/commits
	14	---
	15	ext/repo_rpmdb.c \| 16 ++++++++++++++++
	16	ext/testcase.c \| 4 ++++
	17	tools/repo2solv.c \| 1 +
	18	3 files changed, 21 insertions(+)
	19
	20	diff --git a/ext/repo_rpmdb.c b/ext/repo_rpmdb.c
	21	index 75bb6780..ff939978 100644
	22	--- a/ext/repo_rpmdb.c
	23	+++ b/ext/repo_rpmdb.c
	24	@@ -1939,6 +1939,8 @@ repo_add_rpm(Repo repo, const char rpm, int flags)
	25	if (fread(lead, 96 + 16, 1, fp) != 1 \|\| getu32(lead) != 0xedabeedb)
	26	{
	27	pool_error(pool, -1, "%s: not a rpm", rpm);
	28	+ solv_chksum_free(leadsigchksumh, NULL);
	29	+ solv_chksum_free(chksumh, NULL);
	30	fclose(fp);
	31	return 0;
	32	}
	33	@@ -1951,12 +1953,16 @@ repo_add_rpm(Repo repo, const char rpm, int flags)
	34	if (lead[78] != 0 \|\| lead[79] != 5)
	35	{
	36	pool_error(pool, -1, "%s: not a rpm v5 header", rpm);
	37	+ solv_chksum_free(leadsigchksumh, NULL);
	38	+ solv_chksum_free(chksumh, NULL);
	39	fclose(fp);
	40	return 0;
	41	}
	42	if (getu32(lead + 96) != 0x8eade801)
	43	{
	44	pool_error(pool, -1, "%s: bad signature header", rpm);
	45	+ solv_chksum_free(leadsigchksumh, NULL);
	46	+ solv_chksum_free(chksumh, NULL);
	47	fclose(fp);
	48	return 0;
	49	}
	50	@@ -1965,6 +1971,8 @@ repo_add_rpm(Repo repo, const char rpm, int flags)
	51	if (sigcnt >= MAX_SIG_CNT \|\| sigdsize >= MAX_SIG_DSIZE)
	52	{
	53	pool_error(pool, -1, "%s: bad signature header", rpm);
	54	+ solv_chksum_free(leadsigchksumh, NULL);
	55	+ solv_chksum_free(chksumh, NULL);
	56	fclose(fp);
	57	return 0;
	58	}
	59	@@ -1975,6 +1983,8 @@ repo_add_rpm(Repo repo, const char rpm, int flags)
	60	{
	61	if (!headfromfp(&state, rpm, fp, lead + 96, sigcnt, sigdsize, sigpad, chksumh, leadsigchksumh))
	62	{
	63	+ solv_chksum_free(leadsigchksumh, NULL);
	64	+ solv_chksum_free(chksumh, NULL);
	65	fclose(fp);
	66	return 0;
	67	}
	68	@@ -2014,6 +2024,8 @@ repo_add_rpm(Repo repo, const char rpm, int flags)
	69	if (fread(lead, l, 1, fp) != 1)
	70	{
	71	pool_error(pool, -1, "%s: unexpected EOF", rpm);
	72	+ solv_chksum_free(leadsigchksumh, NULL);
	73	+ solv_chksum_free(chksumh, NULL);
	74	fclose(fp);
	75	return 0;
	76	}
	77	@@ -2034,6 +2046,7 @@ repo_add_rpm(Repo repo, const char rpm, int flags)
	78	if (fread(lead, 16, 1, fp) != 1)
	79	{
	80	pool_error(pool, -1, "%s: unexpected EOF", rpm);
	81	+ solv_chksum_free(chksumh, NULL);
	82	fclose(fp);
	83	return 0;
	84	}
	85	@@ -2042,6 +2055,7 @@ repo_add_rpm(Repo repo, const char rpm, int flags)
	86	if (getu32(lead) != 0x8eade801)
	87	{
	88	pool_error(pool, -1, "%s: bad header", rpm);
	89	+ solv_chksum_free(chksumh, NULL);
	90	fclose(fp);
	91	return 0;
	92	}
	93	@@ -2050,6 +2064,7 @@ repo_add_rpm(Repo repo, const char rpm, int flags)
	94	if (sigcnt >= MAX_HDR_CNT \|\| sigdsize >= MAX_HDR_DSIZE)
	95	{
	96	pool_error(pool, -1, "%s: bad header", rpm);
	97	+ solv_chksum_free(chksumh, NULL);
	98	fclose(fp);
	99	return 0;
	100	}
	101	@@ -2057,6 +2072,7 @@ repo_add_rpm(Repo repo, const char rpm, int flags)
	102
	103	if (!headfromfp(&state, rpm, fp, lead, sigcnt, sigdsize, 0, chksumh, 0))
	104	{
	105	+ solv_chksum_free(chksumh, NULL);
	106	fclose(fp);
	107	return 0;
	108	}
	109	diff --git a/ext/testcase.c b/ext/testcase.c
	110	index aa72a8d7..3901d90d 100644
	111	--- a/ext/testcase.c
	112	+++ b/ext/testcase.c
	113	@@ -2348,6 +2348,7 @@ testcase_write_mangled(Solver solv, const char dir, int resultflags, const cha
	114	if (fclose(fp))
	115	{
	116	pool_error(solv->pool, 0, "testcase_write: write error");
	117	+ solv_free(result);
	118	strqueue_free(&sq);
	119	return 0;
	120	}
	121	@@ -2360,12 +2361,14 @@ testcase_write_mangled(Solver solv, const char dir, int resultflags, const cha
	122	if (!(fp = fopen(out, "w")))
	123	{
	124	pool_error(solv->pool, 0, "testcase_write: could not open '%s' for writing", out);
	125	+ solv_free(cmd);
	126	strqueue_free(&sq);
	127	return 0;
	128	}
	129	if (*cmd && fwrite(cmd, strlen(cmd), 1, fp) != 1)
	130	{
	131	pool_error(solv->pool, 0, "testcase_write: write error");
	132	+ solv_free(cmd);
	133	strqueue_free(&sq);
	134	fclose(fp);
	135	return 0;
	136	@@ -2373,6 +2376,7 @@ testcase_write_mangled(Solver solv, const char dir, int resultflags, const cha
	137	if (fclose(fp))
	138	{
	139	pool_error(solv->pool, 0, "testcase_write: write error");
	140	+ solv_free(cmd);
	141	strqueue_free(&sq);
	142	return 0;
	143	}
	144	diff --git a/tools/repo2solv.c b/tools/repo2solv.c
	145	index e055e408..30a41f42 100644
	146	--- a/tools/repo2solv.c
	147	+++ b/tools/repo2solv.c
	148	@@ -208,6 +208,7 @@ read_plaindir_repo(Repo repo, const char dir)
	149	repodata_set_location(data, p, 0, 0, bp[0] == '.' && bp[1] == '/' ? bp + 2 : bp);
	150	solv_free(rpm);
	151	}
	152	+ solv_free(buf);
	153	fclose(fp);
	154	while (waitpid(pid, &wstatus, 0) == -1)
	155	{
	156	--
	157	2.23.0
	158