You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
131 lines
3.5 KiB
131 lines
3.5 KiB
9 years ago
|
From ed8383c618e124cfa708c9ee87563fcdf2f4649c Mon Sep 17 00:00:00 2001
|
||
|
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
|
||
|
Date: Fri, 19 Dec 2014 18:53:34 -0500
|
||
|
Subject: [PATCH] sm: Avoid double-free on iconv failure
|
||
|
|
||
|
* sm/minip12.c: (p12_build) if jnlib_iconv_open fails, avoid
|
||
|
double-free of pwbuf.
|
||
|
|
||
|
--
|
||
|
|
||
|
Observed by Joshua Rogers <honey@internot.info>, who proposed a
|
||
|
slightly different fix.
|
||
|
|
||
|
Debian-Bug-Id: 773472
|
||
|
|
||
|
Added fix at a second place - wk.
|
||
|
---
|
||
|
sm/minip12.c | 2 ++
|
||
|
1 file changed, 2 insertions(+)
|
||
|
|
||
|
diff --git a/sm/minip12.c b/sm/minip12.c
|
||
|
index 01b91b7..ca4d248 100644
|
||
|
--- a/sm/minip12.c
|
||
|
+++ b/sm/minip12.c
|
||
|
@@ -2422,6 +2422,7 @@ p12_build (gcry_mpi_t *kparms, const void *cert, size_t certlen,
|
||
|
" requested charset '%s': %s\n",
|
||
|
charset, strerror (errno));
|
||
|
gcry_free (pwbuf);
|
||
|
+ pwbuf = NULL;
|
||
|
goto failure;
|
||
|
}
|
||
|
|
||
|
@@ -2436,6 +2437,7 @@ p12_build (gcry_mpi_t *kparms, const void *cert, size_t certlen,
|
||
|
" requested charset '%s': %s\n",
|
||
|
charset, strerror (errno));
|
||
|
gcry_free (pwbuf);
|
||
|
+ pwbuf = NULL;
|
||
|
jnlib_iconv_close (cd);
|
||
|
goto failure;
|
||
|
}
|
||
|
--
|
||
|
1.7.10.4
|
||
|
|
||
|
From b0b3803e8c2959dd67ca96debc54b5c6464f0d41 Mon Sep 17 00:00:00 2001
|
||
|
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
|
||
|
Date: Fri, 19 Dec 2014 18:07:55 -0500
|
||
|
Subject: [PATCH] scd: Avoid double-free on error condition in scd
|
||
|
|
||
|
* scd/command.c (cmd_readkey): avoid double-free of cert
|
||
|
|
||
|
--
|
||
|
|
||
|
When ksba_cert_new() fails, cert will be double-freed.
|
||
|
|
||
|
Debian-Bug-Id: 773471
|
||
|
|
||
|
Original patch changed by wk to do the free only at leave.
|
||
|
---
|
||
|
scd/command.c | 6 ++----
|
||
|
1 file changed, 2 insertions(+), 4 deletions(-)
|
||
|
|
||
|
diff --git a/scd/command.c b/scd/command.c
|
||
|
index dd4191f..1cc580a 100644
|
||
|
--- a/scd/command.c
|
||
|
+++ b/scd/command.c
|
||
|
@@ -804,10 +804,8 @@ cmd_readkey (assuan_context_t ctx, char *line)
|
||
|
|
||
|
rc = ksba_cert_new (&kc);
|
||
|
if (rc)
|
||
|
- {
|
||
|
- xfree (cert);
|
||
|
- goto leave;
|
||
|
- }
|
||
|
+ goto leave;
|
||
|
+
|
||
|
rc = ksba_cert_init_from_mem (kc, cert, ncert);
|
||
|
if (rc)
|
||
|
{
|
||
|
--
|
||
|
1.7.10.4
|
||
|
|
||
|
From abd5f6752d693b7f313c19604f0723ecec4d39a6 Mon Sep 17 00:00:00 2001
|
||
|
From: Werner Koch <wk@gnupg.org>
|
||
|
Date: Mon, 22 Dec 2014 12:16:46 +0100
|
||
|
Subject: [PATCH] dirmngr,gpgsm: Return NULL on fail
|
||
|
|
||
|
* dirmngr/ldapserver.c (ldapserver_parse_one): Set SERVER to NULL.
|
||
|
* sm/gpgsm.c (parse_keyserver_line): Ditto.
|
||
|
--
|
||
|
|
||
|
Reported-by: Joshua Rogers <git@internot.info>
|
||
|
|
||
|
"If something inside the ldapserver_parse_one function failed,
|
||
|
'server' would be freed, then returned, leading to a
|
||
|
use-after-free. This code is likely copied from sm/gpgsm.c, which
|
||
|
was also susceptible to this bug."
|
||
|
|
||
|
Signed-off-by: Werner Koch <wk@gnupg.org>
|
||
|
---
|
||
|
dirmngr/ldapserver.c | 1 +
|
||
|
sm/gpgsm.c | 1 +
|
||
|
2 files changed, 2 insertions(+)
|
||
|
|
||
|
diff --git a/dirmngr/ldapserver.c b/dirmngr/ldapserver.c
|
||
|
index 20a574c..5808c5b 100644
|
||
|
--- a/dirmngr/ldapserver.c
|
||
|
+++ b/dirmngr/ldapserver.c
|
||
|
@@ -125,6 +125,7 @@ ldapserver_parse_one (char *line,
|
||
|
{
|
||
|
log_info (_("%s:%u: skipping this line\n"), filename, lineno);
|
||
|
ldapserver_list_free (server);
|
||
|
+ server = NULL;
|
||
|
}
|
||
|
|
||
|
return server;
|
||
|
diff --git a/sm/gpgsm.c b/sm/gpgsm.c
|
||
|
index 3398d17..72bceb4 100644
|
||
|
--- a/sm/gpgsm.c
|
||
|
+++ b/sm/gpgsm.c
|
||
|
@@ -862,6 +862,7 @@ parse_keyserver_line (char *line,
|
||
|
{
|
||
|
log_info (_("%s:%u: skipping this line\n"), filename, lineno);
|
||
|
keyserver_list_free (server);
|
||
|
+ server = NULL;
|
||
|
}
|
||
|
|
||
|
return server;
|
||
|
--
|
||
|
1.7.10.4
|
||
|
|