Hello community,

here is the log from the commit of package pan for openSUSE:Factory checked in 
at 2018-05-06 15:02:19
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pan (Old)
 and      /work/SRC/openSUSE:Factory/.pan.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pan"

Sun May  6 15:02:19 2018 rev:4 rq:604425 version:0.144

Changes:
--------
--- /work/SRC/openSUSE:Factory/pan/pan.changes  2018-02-09 15:53:07.287376814 
+0100
+++ /work/SRC/openSUSE:Factory/.pan.new/pan.changes     2018-05-06 
15:02:23.790982242 +0200
@@ -1,0 +2,11 @@
+Fri May  4 21:39:13 UTC 2018 - bjorn....@gmail.com
+
+- Add upstream bug fix patches:
+  + pan-fix-use-after-free-in-main.patch: Use after free in main()
+    (bgo#793277).
+  + pan-fix-empty-nzb-crash.patch: nzb file with empty segment
+    lists crash pan (bgo#793228).
+  + pan-do-not-use-front-on-empty-vector.patch: Do not use front()
+    on empty vector.
+
+-------------------------------------------------------------------
@@ -4 +15,2 @@
-- Adapt license file location according to new suggestion around %license
+- Adapt license file location according to new suggestion around
+  %%license

New:
----
  pan-do-not-use-front-on-empty-vector.patch
  pan-fix-empty-nzb-crash.patch
  pan-fix-use-after-free-in-main.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pan.spec ++++++
--- /var/tmp/diff_new_pack.YYDJPk/_old  2018-05-06 15:02:24.446958164 +0200
+++ /var/tmp/diff_new_pack.YYDJPk/_new  2018-05-06 15:02:24.450958017 +0200
@@ -20,11 +20,18 @@
 Version:        0.144
 Release:        0
 Summary:        A Newsreader for GNOME
-License:        GPL-2.0+
+License:        GPL-2.0-or-later
 Group:          Productivity/Networking/News/Clients
 Url:            http://pan.rebelbase.com/
 Source0:        
http://pan.rebelbase.com/download/releases/%{version}/source/%{name}-%{version}.tar.bz2
 
+# PATCH-FIX-UPSTREAM pan-fix-use-after-free-in-main.patch bgo#793277 -- Use 
after free in main()
+Patch0:         pan-fix-use-after-free-in-main.patch
+# PATCH-FIX-UPSTREAM pan-fix-empty-nzb-crash.patch bgo#793228 -- nzb file with 
empty segment lists crash pan
+Patch1:         pan-fix-empty-nzb-crash.patch
+# PATCH-FIX-UPSTREAM pan-do-not-use-front-on-empty-vector.patch -- Do not use 
front() on empty vector
+Patch2:         pan-do-not-use-front-on-empty-vector.patch
+
 BuildRequires:  fdupes
 BuildRequires:  gcc-c++
 BuildRequires:  gettext >= 0.19.7
@@ -49,7 +56,7 @@
 %lang_package
 
 %prep
-%autosetup
+%autosetup -p1
 
 %build
 %configure \

++++++ pan-do-not-use-front-on-empty-vector.patch ++++++
>From 7ec8ca1c45763682f159793b720b982b1618a488 Mon Sep 17 00:00:00 2001
From: Jonathan Briggs <zl...@acm.org>
Date: Fri, 6 Apr 2018 17:42:29 +0200
Subject: Do not use front() on empty vector

---
 pan/data-impl/rules-filter.cc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pan/data-impl/rules-filter.cc b/pan/data-impl/rules-filter.cc
index abc2506..c0d26c4 100644
--- a/pan/data-impl/rules-filter.cc
+++ b/pan/data-impl/rules-filter.cc
@@ -36,7 +36,9 @@ RulesFilter :: finalize (Data& data)
   _delete.clear();
 
   const std::vector<const Article*> tmp (_mark_read.begin(), _mark_read.end());
-  data.mark_read ((const Article**)&tmp.front(), tmp.size());
+  if (!tmp.empty()) {
+    data.mark_read ((const Article**)&tmp.front(), tmp.size());
+  }
   _mark_read.clear();
 
   const std::vector<const Article*> tmp2 ( _cached.begin(),  _cached.end());
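Review bot: The new guard covers only the `_mark_read` copy. `tmp2` on the last context line is built from `_cached` in the same way, and if the statement after it (outside the hunk) also passes `&tmp2.front()`, it has the same undefined behaviour on an empty container and needs `if (!tmp2.empty())`. The same question applies to whatever precedes `_delete.clear()` above the hunk. Separately, the C-style cast `(const Article**)&tmp.front()` silently strips the const that `const std::vector` puts on its elements; a named `const_cast` would make that visible. `finalize` starts and ends outside the hunk.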
-- 
cgit v0.12

++++++ pan-fix-empty-nzb-crash.patch ++++++
>From 29aad7ec8b2b0c74592342fcfa2aa3c830f9e592 Mon Sep 17 00:00:00 2001
From: "p...@flinders.org" <p...@flinders.org>
Date: Thu, 8 Feb 2018 21:28:07 +0100
Subject: Bug 793228 nzb file with empty segment lists crash pan

NZB files which have empty segment lists crash pan (up to 0.144),
for me typically at the assertion on the last line of
Parts :: set_parts (around parts.cc line 237).

The problem is that "mc.parts" is not re-initialised for the new
list of segments if the first segment is not seen, depending on
the position in the file you will either get an incompletely
constructed PartBatch used (PartBatch relies on a default
constructor so packed_mids_len doesn't get initialised) or an
old list of segments could get re-used.
---
 pan/tasks/nzb.cc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/pan/tasks/nzb.cc b/pan/tasks/nzb.cc
index e3e8547..af890e5 100644
--- a/pan/tasks/nzb.cc
+++ b/pan/tasks/nzb.cc
@@ -113,6 +113,8 @@ namespace
                       gpointer             user_data,
                       GError             **error           UNUSED)
   {
+    static Quark null_mid;
+
     MyContext& mc (*static_cast<MyContext*>(user_data));
 
     if (!strcmp (element_name, "file")) {
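Review bot: `static Quark null_mid;` carries no comment explaining why a parser callback needs a function-local static, so its name is the only explanation. A one-line comment such as `// default-constructed Quark handed to mc.parts.init() to reset the part list` would cover it. If `init` accepts a temporary (its signature is not visible here), `mc.parts.init (Quark());` at the call site would remove the static altogether. The callback's signature begins above the hunk.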
@@ -123,7 +125,9 @@ namespace
         else if (!strcmp (*k,"date"))    mc.a.time_posted = strtoul(*v,0,10);
       }
     }
-
+    else if (!strcmp (element_name, "segments")) {
+        mc.parts.init (null_mid);
+    }
     else if (!strcmp (element_name, "segment")) {
       mc.bytes = 0;
       mc.number = 0;
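Review bot: The reset runs only when a `segments` start tag is seen. An NZB whose `file` has `segment` elements without an enclosing `segments`, or has no `segments` element at all, still reaches the later code with `mc.parts` in whatever state the previous file left it, which is the condition the commit message describes. NZB files are untrusted input, so the reset is safer tied to the `file` branch as well, for example `mc.parts.init (null_mid);` as the first statement inside `if (!strcmp (element_name, "file"))`. Whether that branch already clears the parts is not visible between the two hunks. The added call is also indented eight spaces where the neighbouring branch bodies use six.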
-- 
cgit v0.12

++++++ pan-fix-use-after-free-in-main.patch ++++++
>From 27190a525b6e5684af35566170c50f5beaa10c53 Mon Sep 17 00:00:00 2001
From: "p...@flinders.org" <p...@flinders.org>
Date: Thu, 8 Feb 2018 21:23:32 +0100
Subject: Bug 793277 Use after free in main()

The problem is the scope of the return value from data.get_servers()
which is a std::set of Quarks

The temporary used for this value goes out of scope at the end of
the statement containing it - within the for loop control
statement - it is not in scope in the loop body.

The result is that later dereferencing the iterator on line 1158
accesses memory which has been returned to the heap.
---
 pan/gui/pan.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pan/gui/pan.cc b/pan/gui/pan.cc
index b552a2c..f732398 100644
--- a/pan/gui/pan.cc
+++ b/pan/gui/pan.cc
@@ -1152,7 +1152,8 @@ main (int argc, char *argv[])
   if (!data.get_servers().empty())
   {
     // free secure passwords
-    foreach(quarks_t, data.get_servers(), it)
+    quarks_t srv_list = data.get_servers();
+    foreach(quarks_t, srv_list, it)
     {
       Data::Server* s(data.find_server(*it));
       if (s && s->gkr_pw)
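Review bot: `data.get_servers()` is still called twice, once in the `if` on the first context line and once to fill `srv_list`. Per the commit message each call returns a fresh `std::set` by value, so the emptiness test and the loop work on different copies. Hoisting the copy above the test, `quarks_t srv_list = data.get_servers();` followed by `if (!srv_list.empty())`, makes a single copy and keeps its lifetime obvious. Because this loop frees stored passwords, any other `foreach(quarks_t, data.get_servers(), it)` call sites in the tree deserve the same fix. The loop body continues outside the hunk.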
-- 
cgit v0.12

