Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libHX for openSUSE:Factory checked in at 2024-10-30 17:29:46 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libHX (Old) and /work/SRC/openSUSE:Factory/.libHX.new.2020 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libHX" Wed Oct 30 17:29:46 2024 rev:80 rq:1218870 version:4.24 Changes: -------- --- /work/SRC/openSUSE:Factory/libHX/libHX.changes 2024-02-23 16:41:50.451749553 +0100 +++ /work/SRC/openSUSE:Factory/.libHX.new.2020/libHX.changes 2024-10-30 17:29:49.064654963 +0100 @@ -1,0 +2,8 @@ +Wed Jul 17 17:39:05 UTC 2024 - Jan Engelhardt <jeng...@inai.de> + +- Update to release 4.24 + * io: resolve use-after-free and out-of-bounds writes in + conjunction with ``HX_realpath`` + * io: add ``HX_getcwd`` function + +------------------------------------------------------------------- Old: ---- libHX-4.23.tar.asc libHX-4.23.tar.xz New: ---- _scmsync.obsinfo build.specials.obscpio libHX-4.24.tar.asc libHX-4.24.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libHX.spec ++++++ --- /var/tmp/diff_new_pack.CbHwnz/_old 2024-10-30 17:29:50.128699481 +0100 +++ /var/tmp/diff_new_pack.CbHwnz/_new 2024-10-30 17:29:50.132699648 +0100 @@ -18,7 +18,7 @@ Name: libHX %define lname libHX32 -Version: 4.23 +Version: 4.24 Release: 0 Summary: Collection of routines for C and C++ programming License: LGPL-2.1-or-later ++++++ _scmsync.obsinfo ++++++ mtime: 1721238307 commit: d55d2c50a9ae9c03dcff9e9ce643422a8435cc384aa8de7daa5ddc0e72414b9d url: https://src.opensuse.org/jengelh/libHX revision: master ++++++ libHX-4.23.tar.xz -> libHX-4.24.tar.xz ++++++ ++++ 6643 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libHX-4.23/config.h.in new/libHX-4.24/config.h.in --- old/libHX-4.23/config.h.in 2024-02-15 17:30:43.398275427 +0100 +++ new/libHX-4.24/config.h.in 2024-07-17 19:35:56.003063613 +0200 
@@ -1,45 +1,45 @@ /* config.h.in. Generated from configure.ac by autoheader. */ -/* Define to 1 if you have the `copy_file_range' function. */ +/* Define to 1 if you have the 'copy_file_range' function. */ #undef HAVE_COPY_FILE_RANGE /* Define to 1 if you have the <dlfcn.h> header file. */ #undef HAVE_DLFCN_H -/* Define to 1 if you have the `execv' function. */ +/* Define to 1 if you have the 'execv' function. */ #undef HAVE_EXECV -/* Define to 1 if you have the `execvp' function. */ +/* Define to 1 if you have the 'execvp' function. */ #undef HAVE_EXECVP -/* Define to 1 if you have the `fork' function. */ +/* Define to 1 if you have the 'fork' function. */ #undef HAVE_FORK -/* Define to 1 if you have the `getegid' function. */ +/* Define to 1 if you have the 'getegid' function. */ #undef HAVE_GETEGID -/* Define to 1 if you have the `geteuid' function. */ +/* Define to 1 if you have the 'geteuid' function. */ #undef HAVE_GETEUID -/* Define to 1 if you have the `getpid' function. */ +/* Define to 1 if you have the 'getpid' function. */ #undef HAVE_GETPID -/* Define to 1 if you have the `getppid' function. */ +/* Define to 1 if you have the 'getppid' function. */ #undef HAVE_GETPPID -/* Define to 1 if you have the `initgroups' function. */ +/* Define to 1 if you have the 'initgroups' function. */ #undef HAVE_INITGROUPS /* Define to 1 if you have the <inttypes.h> header file. */ #undef HAVE_INTTYPES_H -/* Define to 1 if you have the `pipe' function. */ +/* Define to 1 if you have the 'pipe' function. */ #undef HAVE_PIPE -/* Define to 1 if you have the `posix_fadvise' function. */ +/* Define to 1 if you have the 'posix_fadvise' function. */ #undef HAVE_POSIX_FADVISE -/* Define to 1 if you have the `setgid' function. */ +/* Define to 1 if you have the 'setgid' function. */ #undef HAVE_SETGID /* Define to 1 if you have the <stdint.h> header file. */ 
@@ -57,34 +57,34 @@ /* Define to 1 if you have the <string.h> header file. */ #undef HAVE_STRING_H -/* Define to 1 if `st_mtim' is a member of `struct stat'. */ +/* Define to 1 if 'st_mtim' is a member of 'struct stat'. */ #undef HAVE_STRUCT_STAT_ST_MTIM -/* Define to 1 if `st_mtime' is a member of `struct stat'. */ +/* Define to 1 if 'st_mtime' is a member of 'struct stat'. */ #undef HAVE_STRUCT_STAT_ST_MTIME -/* Define to 1 if `st_mtimensec' is a member of `struct stat'. */ +/* Define to 1 if 'st_mtimensec' is a member of 'struct stat'. */ #undef HAVE_STRUCT_STAT_ST_MTIMENSEC -/* Define to 1 if `st_mtimespec' is a member of `struct stat'. */ +/* Define to 1 if 'st_mtimespec' is a member of 'struct stat'. */ #undef HAVE_STRUCT_STAT_ST_MTIMESPEC -/* Define to 1 if `st_otim' is a member of `struct stat'. */ +/* Define to 1 if 'st_otim' is a member of 'struct stat'. */ #undef HAVE_STRUCT_STAT_ST_OTIM -/* Define to 1 if `st_otime' is a member of `struct stat'. */ +/* Define to 1 if 'st_otime' is a member of 'struct stat'. */ #undef HAVE_STRUCT_STAT_ST_OTIME -/* Define to 1 if `st_otimensec' is a member of `struct stat'. */ +/* Define to 1 if 'st_otimensec' is a member of 'struct stat'. */ #undef HAVE_STRUCT_STAT_ST_OTIMENSEC -/* Define to 1 if `st_otimespec' is a member of `struct stat'. */ +/* Define to 1 if 'st_otimespec' is a member of 'struct stat'. */ #undef HAVE_STRUCT_STAT_ST_OTIMESPEC -/* Define to 1 if `tv_nsec' is a member of `struct timespec'. */ +/* Define to 1 if 'tv_nsec' is a member of 'struct timespec'. */ #undef HAVE_STRUCT_TIMESPEC_TV_NSEC -/* Define to 1 if `tv_usec' is a member of `struct timeval'. */ +/* Define to 1 if 'tv_usec' is a member of 'struct timeval'. */ #undef HAVE_STRUCT_TIMEVAL_TV_USEC /* Define to 1 if you have the <sys/resource.h> header file. */ 
@@ -129,19 +129,19 @@ /* Define to the version of this package. */ #undef PACKAGE_VERSION -/* The size of `char *', as computed by sizeof. */ +/* The size of 'char *', as computed by sizeof. */ #undef SIZEOF_CHAR_P -/* The size of `struct x *', as computed by sizeof. */ +/* The size of 'struct x *', as computed by sizeof. */ #undef SIZEOF_STRUCT_X_P -/* The size of `struct x **', as computed by sizeof. */ +/* The size of 'struct x **', as computed by sizeof. */ #undef SIZEOF_STRUCT_X_PP -/* The size of `void *', as computed by sizeof. */ +/* The size of 'void *', as computed by sizeof. */ #undef SIZEOF_VOID_P -/* Define to 1 if all of the C90 standard headers exist (not just the ones +/* Define to 1 if all of the C89 standard headers exist (not just the ones required in a freestanding environment). This macro is provided for backward compatibility; new code need not use it. */ #undef STDC_HEADERS diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libHX-4.23/configure.ac new/libHX-4.24/configure.ac --- old/libHX-4.23/configure.ac 2024-02-15 17:25:36.606354473 +0100 +++ new/libHX-4.24/configure.ac 2024-07-17 19:35:41.339776737 +0200 
@@ -1,4 +1,4 @@ -AC_INIT([libHX], [4.23]) +AC_INIT([libHX], [4.24]) AC_CONFIG_AUX_DIR([build-aux]) AC_CONFIG_HEADERS([config.h]) AC_CONFIG_MACRO_DIR([m4]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libHX-4.23/doc/api.rst new/libHX-4.24/doc/api.rst --- old/libHX-4.23/doc/api.rst 2023-11-27 12:23:38.307646091 +0100 +++ new/libHX-4.24/doc/api.rst 2024-07-17 19:32:53.706976228 +0200 @@ -9,7 +9,8 @@ ====== ====== ====== ======================================== RMV MinVer FirstA Name ====== ====== ====== ======================================== -4.18 4.18 4.18 HX_getopt5 +4.24 4.24 4.24 HX_getcwd +4.19 4.18 4.18 HX_getopt5 4.16 4.16 4.16 HX_strtoull_nsec 4.15 4.15 4.15 HX_flpr 4.15 4.15 4.15 HX_flprf diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libHX-4.23/doc/changelog.rst new/libHX-4.24/doc/changelog.rst --- old/libHX-4.23/doc/changelog.rst 2024-02-15 17:25:43.159657826 +0100 +++ new/libHX-4.24/doc/changelog.rst 2024-07-17 19:35:41.339776737 +0200 
@@ -1,3 +1,12 @@ +v4.24 (2024-07-17) +================== + +Fixes: + +* io: resolve use-after-free and out-of-bounds writes in conjunction + with HX_realpath + + v4.23 (2024-02-15) ================== diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libHX-4.23/doc/files_and_dirs.rst new/libHX-4.24/doc/files_and_dirs.rst --- old/libHX-4.23/doc/files_and_dirs.rst 2023-11-02 09:21:21.307067051 +0100 +++ new/libHX-4.24/doc/files_and_dirs.rst 2024-07-17 19:33:03.896943730 +0200 @@ -57,9 +57,15 @@ #include <libHX/io.h> + int HX_getcwd(hxmc_t **buf); int HX_readlink(hxmc_t **buf, const char *path); int HX_realpath(hxmc_t **buf, const char *path, unsigned int flags); +``HX_getcwd`` is a length-agnostic version of getcwd. On error, a negative +integer is returned indicating the errno; the contents of ``*buf`` are +unspecified if that happens. On success, a non-zero positive integer is +returned. + ``HX_readlink`` calls through to readlink to read the target of a symbolic link, and stores the result in the memory container referenced by ``*buf`` (similar to ``HX_getl`` semantics). If ``*buf`` is ``NULL``, a new container 
@@ -91,7 +97,8 @@ The result is stored in a memory container whose pointer is returned through ``*buf``. The return value of the function will be negative to indicate a -possible system error, or be positive non-zero for success. +possible system error, or be positive non-zero for success. The contents of the +buffer are unspecified in case HX_realpath returns an error. Operations on directories diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libHX-4.23/include/libHX/io.h new/libHX-4.24/include/libHX/io.h --- old/libHX-4.23/include/libHX/io.h 2023-01-23 02:50:13.540712293 +0100 +++ new/libHX-4.24/include/libHX/io.h 2024-07-17 19:32:53.706976228 +0200 @@ -33,6 +33,7 @@ extern int HX_copy_dir(const char *, const char *, unsigned int, ...); extern int HX_copy_file(const char *, const char *, unsigned int, ...); extern int HX_mkdir(const char *, unsigned int); +extern int HX_getcwd(hxmc_t **); extern int HX_readlink(hxmc_t **, const char *); extern int HX_realpath(hxmc_t **, const char *, unsigned int); extern int HX_rrmdir(const char *); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libHX-4.23/src/Makefile.am new/libHX-4.24/src/Makefile.am --- old/libHX-4.23/src/Makefile.am 2024-02-04 23:44:08.208501461 +0100 +++ new/libHX-4.24/src/Makefile.am 2024-07-17 19:32:53.706976228 +0200 
@@ -9,7 +9,7 @@
 mc.c misc.c opt.c proc.c \
 rand.c socket.c string.c time.c
 libHX_la_LIBADD = ${libdl_LIBS} -lm ${libpthread_LIBS} ${librt_LIBS} ${libsocket_LIBS}
-libHX_la_LDFLAGS = -no-undefined -version-info 39:0:7
+libHX_la_LDFLAGS = -no-undefined -version-info 40:0:8
 if WITH_GNU_LD
 libHX_la_LDFLAGS += -Wl,--version-script=${srcdir}/libHX.map
 endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libHX-4.23/src/io.c new/libHX-4.24/src/io.c
--- old/libHX-4.23/src/io.c 2024-02-15 17:23:20.596974250 +0100
+++ new/libHX-4.24/src/io.c 2024-07-17 19:33:24.623544359 +0200
@@ -351,12 +351,17 @@
 size_t linkbuf_size;
 if (allocate) {
- linkbuf_size = 32;
- *target = HXmc_meminit(NULL, 32);
+ linkbuf_size = 128;
+ *target = HXmc_meminit(nullptr, 128);
 if (*target == NULL)
 return -errno;
 } else {
 linkbuf_size = HXmc_length(*target);
+ if (linkbuf_size < 128) {
+ linkbuf_size = 128;
+ if (HXmc_setlen(target, 128) == nullptr)
+ return -errno;
+ }
 }
 while (true) {
 ssize_t ret = readlink(path, *target, linkbuf_size);
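Review bot: The new minimum of 128 is written as a bare literal three times in this hunk of HX_readlink (`linkbuf_size = 128`, `HXmc_meminit(nullptr, 128)`, `HXmc_setlen(target, 128)`) and again in HX_getcwd further down, so the sizes can drift apart on a later edit. A file-local constant such as `enum { PATHBUF_MIN = 128 };` (the name is only a suggestion), together with `HXmc_meminit(nullptr, linkbuf_size)` as HX_getcwd already writes it, would keep the two functions in step. The added lines also use `nullptr` while the untouched `if (*target == NULL)` next to them keeps `NULL`; one spelling per function reads better. HX_readlink starts and ends outside the hunk.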
@@ -453,6 +458,45 @@
 return 1;
 }
+EXPORT_SYMBOL int HX_getcwd(hxmc_t **target)
+{
+ bool allocate = *target == nullptr;
+ size_t linkbuf_size;
+
+ if (allocate) {
+ linkbuf_size = 128;
+ *target = HXmc_meminit(nullptr, linkbuf_size);
+ if (*target == nullptr)
+ return -errno;
+ } else {
+ linkbuf_size = HXmc_length(*target);
+ if (linkbuf_size < 128) {
+ linkbuf_size = 128;
+ if (HXmc_setlen(target, linkbuf_size) == nullptr)
+ return -errno;
+ }
+ }
+ while (true) {
+ const char *ret = getcwd(*target, linkbuf_size);
+ if (ret != nullptr) {
+ HXmc_setlen(target, strlen(ret)); /* shrink to fit */
+ return 1;
+ }
+ if (errno == ERANGE) {
+ if (HXmc_setlen(target, linkbuf_size *= 2) != nullptr)
+ continue;
+ /* errno already set by realloc, fall into next if block */
+ }
+ int saved_errno = errno;
+ if (allocate) {
+ HXmc_free(*target);
+ *target = nullptr;
+ }
+ return -(errno = saved_errno);
+ }
+ return -EINVAL;
+}
+
 EXPORT_SYMBOL int HX_realpath(hxmc_t **dest_pptr, const char *path, unsigned int flags)
 {
@@ -462,7 +506,7 @@
 int ret = 0;
 if (dnull) {
- state.dest = HXmc_meminit(NULL, PATH_MAX);
+ state.dest = HXmc_meminit(NULL, 256);
 if (state.dest == NULL)
 goto err;
 }
@@ -470,11 +514,9 @@
 if (*path == '/') {
 rq_slash = true;
 } else if (flags & HX_REALPATH_ABSOLUTE) {
- if (getcwd(state.dest, PATH_MAX) == NULL)
+ if (HX_getcwd(&state.dest) < 0)
 goto err;
 rq_slash = true;
- if (HXmc_setlen(&state.dest, strlen(state.dest)) == NULL)
- goto err;
 }
 while (*path != '\0') {
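Review bot: On the success path of HX_getcwd, `HXmc_setlen(target, strlen(ret)); /* shrink to fit */` ignores the result, although the other two HXmc_setlen calls in this function are compared against nullptr. HX_realpath now depends on that call for the container length, because this commit removes its own `HXmc_setlen(&state.dest, strlen(state.dest))` after getcwd. Either extend the comment to say why a shrinking setlen cannot fail, or send a nullptr result through the `saved_errno` cleanup below instead of returning 1. Separately, `return -EINVAL;` after the `while (true)` loop cannot be reached since the loop has no `break`, and `linkbuf_size` is a name carried over from HX_readlink; `bufsize` would describe it better here.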
@@ -541,6 +583,8 @@
 /* If caller supplied a buffer, do not take it away. */
 HXmc_free(state.dest);
 *dest_pptr = NULL;
+ } else {
+ *dest_pptr = state.dest;
 }
 HXmc_free(state.link_target);
 HXmc_free(state.new_path);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libHX-4.23/src/libHX.map new/libHX-4.24/src/libHX.map
--- old/libHX-4.23/src/libHX.map 2023-11-27 12:23:38.307646091 +0100
+++ new/libHX-4.24/src/libHX.map 2024-07-17 19:32:53.706976228 +0200
@@ -183,3 +183,8 @@
 global:
 HX_getopt5;
 } LIBHX_4.16;
+
+LIBHX_4.24 {
+global:
+ HX_getcwd;
+} LIBHX_4.18;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libHX-4.23/src/tc-io.c new/libHX-4.24/src/tc-io.c
--- old/libHX-4.23/src/tc-io.c 2023-11-02 09:21:21.307067051 +0100
+++ new/libHX-4.24/src/tc-io.c 2024-07-17 19:32:53.706976228 +0200
@@ -28,6 +28,16 @@
 close(src);
 }
+static void t_getcwd(void)
+{
+ hxmc_t *s = nullptr;
+ if (HX_getcwd(&s) > 0)
+ printf("cwd1: >%s<\n", s);
+ HXmc_setlen(&s, 0);
+ if (HX_getcwd(&s) > 0)
+ printf("cwd2: >%s<\n", s);
+}
+
 int main(void)
 {
 size_t z;
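Review bot: The added `else { *dest_pptr = state.dest; }` branch is the write-back that keeps a caller-supplied container usable on the error path, but nothing in the code says so, and the existing comment (`If caller supplied a buffer, do not take it away`) sits in the branch that frees. I would add a comment inside the else branch, for example `/* state.dest may have been reallocated (e.g. by HX_getcwd growing it); hand back the current pointer so the caller does not keep a stale one */`. The `if` that opens this block is outside the hunk, so I am inferring that the first branch is the function-allocated case.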
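Review bot: t_getcwd never frees `s`, and it carries on after a failed first call: HX_getcwd sets `*target` back to nullptr when its own allocation path fails, so `HXmc_setlen(&s, 0)` can then run on a null container (whether HXmc_setlen accepts that is not visible here). Returning early when the first call is not `> 0` and ending the function with `HXmc_free(s);`, as t_2 in tc-realpath.c does for `tmp`, covers both. Both t_getcwd and t_2 print only on success, so a regression shows up only as missing output; printing the negative return value on the failure branch would make it visible.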
@@ -55,5 +65,7 @@
 fprintf(stderr, "copy_file ok\n");
 unlink("tciocopy.txt");
 }
+
+ t_getcwd();
 return 0;
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/libHX-4.23/src/tc-realpath.c new/libHX-4.24/src/tc-realpath.c
--- old/libHX-4.23/src/tc-realpath.c 2023-11-27 12:23:38.307646091 +0100
+++ new/libHX-4.24/src/tc-realpath.c 2024-07-17 19:33:00.006956135 +0200
@@ -48,6 +48,15 @@
 HXmc_free(tmp);
 }
+static void t_2(void)
+{
+ hxmc_t *tmp = HXmc_strinit("");
+ int ret = HX_realpath(&tmp, "../../../../dev/tty", HX_REALPATH_ABSOLUTE | HX_REALPATH_DEFAULT);
+ if (ret > 0)
+ printf("t_2: %s\n", tmp);
+ HXmc_free(tmp);
+}
+
 int main(int argc, char **oargv)
 {
 char **argv = nullptr;
@@ -57,6 +66,7 @@
 if (!rp_get_options(oargv, &argc, &argv))
 return EXIT_FAILURE;
 t_1();
+ t_2();
 res = NULL;
 for (int i = 1; i < argc; ++i) {