GNU bug report logs - #76819
[PATCH v7 00/35] Add lint-hidden-cpe-vendors property

Previous Next

Package: guix-patches;

Reported by: Nicolas Graves <ngraves <at> ngraves.fr>

Date: Fri, 7 Mar 2025 18:36:01 UTC

Severity: normal

Tags: patch

Full log

View this message in rfc822 format

From: Nicolas Graves <ngraves <at> ngraves.fr>
To: 76819 <at> debbugs.gnu.org
Cc: Nicolas Graves <ngraves <at> ngraves.fr>
Subject: [bug#76819] [PATCH v7 32/35] gnu: libconfuse: Patch CVE-2022-40320.
Date: Fri,  7 Mar 2025 19:39:01 +0100

* gnu/pacakges/patches/libconfuse-CVE-2022-40320.patch: Add file.
* gnu/packages/textutils.scm (libconfuse)[source]: Record patch.
* gnu/local.mk: Record patch.
---
 gnu/local.mk                                  |  1 +
 .../patches/libconfuse-CVE-2022-40320.patch   | 38 +++++++++++++++++++
 gnu/packages/textutils.scm                    |  4 +-
 3 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/libconfuse-CVE-2022-40320.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index d08f3bba0a..dc7836d9a5 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1656,6 +1656,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/julia-Use-MPFR-4.2.patch	                \
   %D%/packages/patches/libcall-ui-make-it-installable.patch	\
   %D%/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch	\
+  %D%/packages/patches/libconfuse-CVE-2022-40320.patch		\
   %D%/packages/patches/libcss-check-format.patch		\
   %D%/packages/patches/libextractor-tidy-support.patch		\
   %D%/packages/patches/libftdi-fix-paths-when-FTDIPP-set.patch	\
diff --git a/gnu/packages/patches/libconfuse-CVE-2022-40320.patch b/gnu/packages/patches/libconfuse-CVE-2022-40320.patch
new file mode 100644
index 0000000000..5911f2d397
--- /dev/null
+++ b/gnu/packages/patches/libconfuse-CVE-2022-40320.patch
@@ -0,0 +1,38 @@
+[PATCH] Fix #163: unterminated username used with getpwnam()
+Signed-off-by: Joachim Wiberg <troglobit <at> gmail.com>
+---
+ src/confuse.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/confuse.c b/src/confuse.c
+index ce4fca8..060fae2 100644
+--- a/src/confuse.c
++++ b/src/confuse.c
+@@ -1863,18 +1863,20 @@ DLLIMPORT char *cfg_tilde_expand(const char *filename)
+ 			passwd = getpwuid(geteuid());
+ 			file = filename + 1;
+ 		} else {
+-			/* ~user or ~user/path */
+-			char *user;
++			char *user; /* ~user or ~user/path */
++			size_t len;
+ 
+ 			file = strchr(filename, '/');
+ 			if (file == 0)
+ 				file = filename + strlen(filename);
+ 
+-			user = malloc(file - filename);
++			len = file - filename - 1;
++			user = malloc(len + 1);
+ 			if (!user)
+ 				return NULL;
+ 
+-			strncpy(user, filename + 1, file - filename - 1);
++			strncpy(user, &filename[1], len);
++			user[len] = 0;
+ 			passwd = getpwnam(user);
+ 			free(user);
+ 		}
+-- 
+2.48.1
+
diff --git a/gnu/packages/textutils.scm b/gnu/packages/textutils.scm
index c886b009be..9567e222ba 100644
--- a/gnu/packages/textutils.scm
+++ b/gnu/packages/textutils.scm
@@ -280,7 +280,9 @@ (define-public libconfuse
                            "releases/download/v" version
                            "/confuse-" version ".tar.xz"))
        (sha256
-        (base32 "043hqqykpprgrkw9s2hbdlxr308a7yxwsgxj4m8aadg1401hmm8x"))))
+        (base32 "043hqqykpprgrkw9s2hbdlxr308a7yxwsgxj4m8aadg1401hmm8x"))
+       (patches
+        (search-patches "libconfuse-CVE-2022-40320.patch"))))
     (build-system gnu-build-system)
     (arguments
      '(#:configure-flags '("--disable-static")))
-- 
2.48.1
This bug report was last modified 100 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.