!42 [sync] PR-36: fix CVE-2018-17942

From: @openeuler-sync-bot 
Reviewed-by: @shenyangyang01 
Signed-off-by: @shenyangyang01

backport-CVE-2018-17942.patch

@@ -0,0 +1,32 @@
+From 278b4175c9d7dd47c1a3071554aac02add3b3c35 Mon Sep 17 00:00:00 2001
+From: Bruno Haible <bruno@clisp.org>
+Date: Sun, 23 Sep 2018 14:13:52 +0200
+Subject: vasnprintf: Fix heap memory overrun bug.
+
+Reported by Ben Pfaff <blp@cs.stanford.edu> in
+<https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html>.
+
+* lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of
+memory.
+---
+ lib/vasnprintf.c        |  4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+diff --git a/lib/vasnprintf.c b/lib/vasnprintf.c
+index 56ffbe3..30d021b 100644
+--- a/lib/vasnprintf.c
++++ b/lib/vasnprintf.c
+@@ -860,7 +860,9 @@ convert_to_decimal (mpn_t a, size_t extra_zeroes)
+   size_t a_len = a.nlimbs;
+   /* 0.03345 is slightly larger than log(2)/(9*log(10)).  */
+   size_t c_len = 9 * ((size_t)(a_len * (GMP_LIMB_BITS * 0.03345f)) + 1);
+-  char *c_ptr = (char *) malloc (xsum (c_len, extra_zeroes));
++  /* We need extra_zeroes bytes for zeroes, followed by c_len bytes for the
++     digits of a, followed by 1 byte for the terminating NUL.  */
++  char *c_ptr = (char *) malloc (xsum (xsum (extra_zeroes, c_len), 1));
+   if (c_ptr != NULL)
+     {
+       char *d_ptr = c_ptr;
+-- 
+cgit v1.1
+

backport-Pass-the-correct-stat-to-backup-files.patch

@@ -0,0 +1,62 @@
+From c835ecc67b7e37c0d0b7dd7e032209fdaa285808 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 6 Apr 2022 10:48:35 +0200
+Subject: [PATCH] Pass the correct stat to backup files
+
+The last case to call output_file() in the main loop is
+    output_file (outname, NULL, &tmpoutst, NULL, NULL,
+                 file_type | 0, backup);
+and this essentially means to create a backup file (where to=NULL)
+only if backup=true, and does nothing else.
+
+And, in the current code, the passed file stat (&tmpoutst) is a file
+stat of the temporary file that has been processed, not the original
+file (outname) to be backed up.  When the backup is performed
+immediately, this is no big problem.  However, output_file() may
+schedule the deferred handling, and the given file may be backed up at
+a later point.  The problem is that create_backup() tries to avoid the
+backup of the same file twice, and it checks the given stat i-node
+number in the hash list.  Since it's a stat of a temporary file, the
+same i-node number may be reused once a temp file is deleted and
+another is created.  This results in a false-positive detection of the
+already existing file, eventually missing a backup file.
+
+This patch attempts to address the issue:
+- Modify the condition for better understanding, clearly indicating
+  that the code there is for creating a backup file
+- Pass the stat of the original file instead of a temporary file
+
+BugLink: https://bugzilla.opensuse.org/show_bug.cgi?id=1198106
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Jean Delvare <jdelvare@suse.de>
+---
+ src/patch.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/src/patch.c b/src/patch.c
+index 9684794..5a61241 100644
+--- a/src/patch.c
++++ b/src/patch.c
+@@ -622,9 +622,16 @@ main (int argc, char **argv)
+ 			output_file (NULL, NULL, NULL, inname, &instat,
+ 				     mode, backup);
+ 		    }
+-		  else
+-		    output_file (outname, NULL, &tmpoutst, NULL, NULL,
+-				 file_type | 0, backup);
++		  else if (backup)
++		    {
++		      struct stat outstat;
++
++		      if (stat_file (outname, &outstat, NULL) != 0)
++			say ("Cannot stat file %s, skipping backup\n", outname);
++		      else
++			output_file (outname, NULL, &outstat, NULL, NULL,
++				     file_type | 0, true);
++		    }
+ 		}
+ 	    }
+       }
+-- 
+2.23.0
+

patch-selinux.patch

@@ -0,0 +1,326 @@
+diff -up patch-2.7.6/src/common.h.selinux patch-2.7.6/src/common.h
+--- patch-2.7.6/src/common.h.selinux	2018-02-03 12:41:49.000000000 +0000
++++ patch-2.7.6/src/common.h	2018-02-12 12:29:44.415225377 +0000
+@@ -30,6 +30,8 @@
+ #include <sys/types.h>
+ #include <time.h>
+ 
++#include <selinux/selinux.h>
++
+ #include <sys/stat.h>
+ 
+ #include <limits.h>
+@@ -84,6 +86,7 @@ XTERN char *outfile;
+ XTERN int inerrno;
+ XTERN int invc;
+ XTERN struct stat instat;
++XTERN security_context_t incontext;
+ XTERN bool dry_run;
+ XTERN bool posixly_correct;
+ 
+diff -up patch-2.7.6/src/inp.c.selinux patch-2.7.6/src/inp.c
+--- patch-2.7.6/src/inp.c.selinux	2017-09-04 12:34:16.000000000 +0100
++++ patch-2.7.6/src/inp.c	2018-02-12 12:29:44.415225377 +0000
+@@ -145,7 +145,7 @@ get_input_file (char const *filename, ch
+     char *getbuf;
+ 
+     if (inerrno == -1)
+-      inerrno = stat_file (filename, &instat);
++	inerrno = stat_file (filename, &instat, &incontext);
+ 
+     /* Perhaps look for RCS or SCCS versions.  */
+     if (S_ISREG (file_type)
+@@ -190,7 +190,7 @@ get_input_file (char const *filename, ch
+ 	    }
+ 
+ 	    if (cs && version_get (filename, cs, ! inerrno, elsewhere, getbuf,
+-				   &instat))
++				   &instat, &incontext))
+ 	      inerrno = 0;
+ 
+ 	    free (getbuf);
+@@ -201,6 +201,7 @@ get_input_file (char const *filename, ch
+       {
+ 	instat.st_mode = S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP|S_IROTH|S_IWOTH;
+ 	instat.st_size = 0;
++	incontext = NULL;
+       }
+     else if (! ((S_ISREG (file_type) || S_ISLNK (file_type))
+ 	        && (file_type & S_IFMT) == (instat.st_mode & S_IFMT)))
+diff -up patch-2.7.6/src/Makefile.am.selinux patch-2.7.6/src/Makefile.am
+--- patch-2.7.6/src/Makefile.am.selinux	2017-09-04 12:34:16.000000000 +0100
++++ patch-2.7.6/src/Makefile.am	2018-02-12 12:29:44.415225377 +0000
+@@ -37,7 +37,7 @@ patch_SOURCES = \
+ 
+ AM_CPPFLAGS = -I$(top_builddir)/lib -I$(top_srcdir)/lib
+ patch_LDADD = $(LDADD) $(top_builddir)/lib/libpatch.a $(LIB_CLOCK_GETTIME) \
+-	      $(LIB_XATTR) $(LIB_EACCESS)
++	      $(LIB_XATTR) $(LIB_EACCESS) -lselinux
+ 
+ if ENABLE_MERGE
+   patch_SOURCES += merge.c
+diff -up patch-2.7.6/src/Makefile.in.selinux patch-2.7.6/src/Makefile.in
+--- patch-2.7.6/src/Makefile.in.selinux	2018-02-03 13:33:56.000000000 +0000
++++ patch-2.7.6/src/Makefile.in	2018-02-12 12:29:44.415225377 +0000
+@@ -1147,7 +1147,7 @@ patch_SOURCES = bestmatch.h common.h inp
+ AM_CPPFLAGS = -I$(top_builddir)/lib -I$(top_srcdir)/lib \
+ 	$(am__append_2)
+ patch_LDADD = $(LDADD) $(top_builddir)/lib/libpatch.a $(LIB_CLOCK_GETTIME) \
+-	      $(LIB_XATTR) $(LIB_EACCESS)
++	      $(LIB_XATTR) $(LIB_EACCESS) -lselinux
+ 
+ all: all-am
+ 
+diff -up patch-2.7.6/src/patch.c.selinux patch-2.7.6/src/patch.c
+--- patch-2.7.6/src/patch.c.selinux	2018-02-03 12:41:49.000000000 +0000
++++ patch-2.7.6/src/patch.c	2018-02-12 12:30:27.315164138 +0000
+@@ -269,19 +269,19 @@ main (int argc, char **argv)
+ 	  if (! strcmp (inname, outname))
+ 	    {
+ 	      if (inerrno == -1)
+-		inerrno = stat_file (inname, &instat);
++		inerrno = stat_file (inname, &instat, NULL);
+ 	      outstat = instat;
+ 	      outerrno = inerrno;
+ 	    }
+ 	  else
+-	    outerrno = stat_file (outname, &outstat);
++	    outerrno = stat_file (outname, &outstat, NULL);
+ 
+ 	  if (! outerrno)
+ 	    {
+ 	      if (has_queued_output (&outstat))
+ 		{
+ 		  output_files (&outstat);
+-		  outerrno = stat_file (outname, &outstat);
++		  outerrno = stat_file (outname, &outstat, NULL);
+ 		  inerrno = -1;
+ 		}
+ 	      if (! outerrno)
+@@ -598,7 +598,7 @@ main (int argc, char **argv)
+ 			}
+ 		      else
+ 			{
+-			  attr |= FA_IDS | FA_MODE | FA_XATTRS;
++			  attr |= FA_IDS | FA_MODE | FA_XATTRS | FA_SECCONTEXT;
+ 			  set_file_attributes (TMPOUTNAME, attr, inname, &instat,
+ 					       mode, &new_time);
+ 			}
+@@ -658,7 +658,7 @@ main (int argc, char **argv)
+ 			struct stat oldst;
+ 			int olderrno;
+ 
+-			olderrno = stat_file (rej, &oldst);
++			olderrno = stat_file (rej, &oldst, NULL);
+ 			if (olderrno && olderrno != ENOENT)
+ 			  write_fatal ();
+ 		        if (! olderrno && lookup_file_id (&oldst) == CREATED)
+@@ -1790,7 +1790,7 @@ delete_file_later (const char *name, con
+ 
+   if (! st)
+     {
+-      if (stat_file (name, &st_tmp) != 0)
++      if (stat_file (name, &st_tmp, NULL) != 0)
+ 	pfatal ("Can't get file attributes of %s %s", "file", name);
+       st = &st_tmp;
+     }
+diff -up patch-2.7.6/src/pch.c.selinux patch-2.7.6/src/pch.c
+--- patch-2.7.6/src/pch.c.selinux	2018-02-03 12:41:49.000000000 +0000
++++ patch-2.7.6/src/pch.c	2018-02-12 12:29:44.416225375 +0000
+@@ -1,6 +1,6 @@
+ /* reading patches */
+ 
+-/* Copyright (C) 1986, 1987, 1988 Larry Wall
++/* Copyright (C) 1986, 1987, 1988, 2012 Larry Wall
+ 
+    Copyright (C) 1990-1993, 1997-2003, 2006, 2009-2012 Free Software
+    Foundation, Inc.
+@@ -296,7 +296,7 @@ there_is_another_patch (bool need_header
+ 	if (t > buf + 1 && *(t - 1) == '\n')
+ 	  {
+ 	    inname = xmemdup0 (buf, t - buf - 1);
+-	    inerrno = stat_file (inname, &instat);
++	    inerrno = stat_file (inname, &instat, &incontext);
+ 	    if (inerrno)
+ 	      {
+ 		perror (inname);
+@@ -433,6 +433,7 @@ intuit_diff_type (bool need_header, mode
+     bool extended_headers = false;
+     enum nametype i;
+     struct stat st[3];
++    security_context_t con[3];
+     int stat_errno[3];
+     int version_controlled[3];
+     enum diff retval;
+@@ -473,6 +474,7 @@ intuit_diff_type (bool need_header, mode
+     version_controlled[OLD] = -1;
+     version_controlled[NEW] = -1;
+     version_controlled[INDEX] = -1;
++    con[OLD] = con[NEW] = con[INDEX] = NULL;
+     p_rfc934_nesting = 0;
+     p_timestamp[OLD].tv_sec = p_timestamp[NEW].tv_sec = -1;
+     p_says_nonexistent[OLD] = p_says_nonexistent[NEW] = 0;
+@@ -883,7 +885,7 @@ intuit_diff_type (bool need_header, mode
+ 		}
+ 	      else
+ 		{
+-		  stat_errno[i] = stat_file (p_name[i], &st[i]);
++		  stat_errno[i] = stat_file (p_name[i], &st[i], &con[i]);
+ 		  if (! stat_errno[i])
+ 		    {
+ 		      if (lookup_file_id (&st[i]) == DELETE_LATER)
+@@ -922,7 +924,7 @@ intuit_diff_type (bool need_header, mode
+ 			  if (cs)
+ 			    {
+ 			      if (version_get (p_name[i], cs, false, readonly,
+-					       getbuf, &st[i]))
++					       getbuf, &st[i], &con[i]))
+ 				stat_errno[i] = 0;
+ 			      else
+ 				version_controlled[i] = 0;
+@@ -985,7 +987,7 @@ intuit_diff_type (bool need_header, mode
+       {
+ 	if (inname)
+ 	  {
+-	    inerrno = stat_file (inname, &instat);
++	    inerrno = stat_file (inname, &instat, &incontext);
+ 	    if (inerrno || (instat.st_mode & S_IFMT) == file_type)
+ 	      maybe_reverse (inname, inerrno, inerrno || instat.st_size == 0);
+ 	  }
+@@ -998,8 +1000,14 @@ intuit_diff_type (bool need_header, mode
+ 	inerrno = stat_errno[i];
+ 	invc = version_controlled[i];
+ 	instat = st[i];
++	incontext = con[i];
++	con[i] = NULL;
+       }
+ 
++    for (i = OLD; i <= INDEX; i++)
++      if (con[i])
++	freecon (con[i]);
++
+     return retval;
+ }
+ 
+diff -up patch-2.7.6/src/util.c.selinux patch-2.7.6/src/util.c
+--- patch-2.7.6/src/util.c.selinux	2018-02-03 12:41:49.000000000 +0000
++++ patch-2.7.6/src/util.c	2018-02-12 12:29:44.417225374 +0000
+@@ -300,6 +300,23 @@ set_file_attributes (char const *to, enu
+ 		S_ISLNK (mode) ? "symbolic link" : "file",
+ 		quotearg (to));
+     }
++  if (attr & FA_SECCONTEXT)
++    {
++      security_context_t outcontext;
++      if (incontext && getfilecon (to, &outcontext) != -1 && outcontext)
++	{
++	  if (strcmp (outcontext, incontext) &&
++	      setfilecon (to, incontext) != 0)
++	    {
++	      freecon (outcontext);
++	      if (errno != ENOTSUP && errno != EPERM)
++		pfatal ("Can't set security context on file %s",
++			quotearg (to));
++	    }
++	  else
++	    freecon (outcontext);
++	}
++    }
+ }
+ 
+ static void
+@@ -446,7 +463,7 @@ move_file (char const *from, bool *from_
+   struct stat to_st;
+   int to_errno;
+ 
+-  to_errno = stat_file (to, &to_st);
++  to_errno = stat_file (to, &to_st, NULL);
+   if (backup)
+     create_backup (to, to_errno ? NULL : &to_st, false);
+   if (! to_errno)
+@@ -818,7 +835,8 @@ version_controller (char const *filename
+    Return true if successful.  */
+ bool
+ version_get (char const *filename, char const *cs, bool exists, bool readonly,
+-	     char const *getbuf, struct stat *filestat)
++	     char const *getbuf, struct stat *filestat,
++	     security_context_t *filecontext)
+ {
+   if (patch_get < 0)
+     {
+@@ -843,6 +861,13 @@ version_get (char const *filename, char
+ 	fatal ("Can't get file %s from %s", quotearg (filename), cs);
+       if (safe_stat (filename, filestat) != 0)
+ 	pfatal ("%s", quotearg (filename));
++      if (filecontext && getfilecon (filename, filecontext) == -1)
++	{
++	  if (errno == ENODATA || errno == ENOTSUP)
++	    *filecontext = NULL;
++	  else
++	    pfatal ("%s", quotearg (filename));
++	}
+     }
+ 
+   return 1;
+@@ -1670,12 +1695,28 @@ make_tempfile (char const **name, char l
+   return fd;
+ }
+ 
+-int stat_file (char const *filename, struct stat *st)
++int stat_file (char const *filename, struct stat *st, security_context_t *con)
+ {
+   int (*xstat)(char const *, struct stat *) =
+     follow_symlinks ? safe_stat : safe_lstat;
++  int (*xgetfilecon)(char const *, security_context_t *) =
++    follow_symlinks ? getfilecon : lgetfilecon;
++
++  if (xstat (filename, st) == 0)
++    {
++      if (con)
++	{
++	  if (xgetfilecon (filename, con) != -1 ||
++	      errno == ENODATA || errno == ENOTSUP)
++	    return 0;
+ 
+-  return xstat (filename, st) == 0 ? 0 : errno;
++	  *con = NULL;
++	}
++      else
++	return 0;
++    }
++ 
++  return errno;
+ }
+ 
+ /* Check if a filename is relative and free of ".." components.
+diff -up patch-2.7.6/src/util.h.selinux patch-2.7.6/src/util.h
+--- patch-2.7.6/src/util.h.selinux	2018-02-03 12:41:49.000000000 +0000
++++ patch-2.7.6/src/util.h	2018-02-12 12:30:08.533190949 +0000
+@@ -44,7 +44,7 @@ char *parse_name (char const *, int, cha
+ char *savebuf (char const *, size_t);
+ char *savestr (char const *);
+ char const *version_controller (char const *, bool, struct stat const *, char **, char **);
+-bool version_get (char const *, char const *, bool, bool, char const *, struct stat *);
++bool version_get (char const *, char const *, bool, bool, char const *, struct stat *, security_context_t *);
+ int create_file (char const *, int, mode_t, bool);
+ int systemic (char const *);
+ char *format_linenum (char[LINENUM_LENGTH_BOUND + 1], lin);
+@@ -67,7 +67,7 @@ void insert_file_id (struct stat const *
+ enum file_id_type lookup_file_id (struct stat const *);
+ void set_queued_output (struct stat const *, bool);
+ bool has_queued_output (struct stat const *);
+-int stat_file (char const *, struct stat *);
++int stat_file (char const *, struct stat *, security_context_t *);
+ bool filename_is_safe (char const *) _GL_ATTRIBUTE_PURE;
+ bool cwd_is_root (char const *);
+ 
+@@ -75,7 +75,8 @@ enum file_attributes {
+   FA_TIMES = 1,
+   FA_IDS = 2,
+   FA_MODE = 4,
+-  FA_XATTRS = 8
++  FA_XATTRS = 8,
++  FA_SECCONTEXT = 16
+ };
+ 
+ void set_file_attributes (char const *, enum file_attributes, char const *,

patch.spec

@@ -1,6 +1,6 @@
 Name:		patch
 Version:	2.7.6
-Release:	11
+Release:	15
 Summary:	Utiliity which applies a patch file to original files.
 License:	GPLv3+
 URL:	 	http://www.gnu.org/software/patch/patch.html
@@ -13,6 +13,9 @@ Patch4: 	Don-t-leak-temporary-file-on-failed-multi-file-ed-st.patch
 Patch5: 	Fix-swapping-fake-lines-in-pch_swap.patch
 Patch6:         CVE-2018-20969-and-CVE-2019-13638.patch
 Patch7:         CVE-2019-13636.patch
+Patch8:         patch-selinux.patch
+Patch9:         backport-Pass-the-correct-stat-to-backup-files.patch
+Patch10:        backport-CVE-2018-17942.patch
 
 BuildRequires:	gcc libselinux-devel libattr-devel ed
 Buildroot:	%{_tmppath}/%{name}-%{version}-%{release}-root-root
@@ -38,7 +41,7 @@ CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE"
 %make_build
 
 %check
-make check
+%make_build check
 
 %install
 %makeinstall
@@ -55,6 +58,21 @@ make check
 %{_mandir}/man1/*
 
 %changelog
+* Mon Feb 10 2025 fuanan <fuanan3@h-partners.com> - 2.7.6-15
+- fix CVE-2018-17942
+
+* Wed May 22 2024 kouwenqi <kouwenqi@kylinos.cn> - 2.7.6-14
+- Pass the correct stat to backup files
+
+* Wed Oct 19 2022 fuanan <fuanan3@h-partners.com> - 2.7.6-13
+- optimize check by running make in parallel
+
+* Wed Mar 18 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.7.6-12
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:Fix memory leak
+
 * Mon Feb 3 2020 openEuler Buildteam <buildteam@openeuler.org> - 2.7.6-11
 - Type:CVE
 - ID:NA

patch.yaml

@@ -0,0 +1,4 @@
+version_control: git
+src_repo: https://git.savannah.gnu.org/git/patch.git
+tag_prefix: ^v
+seperator: .