!26 [sync] PR-23: fix CVE-2021-42523

From: @openeuler-sync-bot Reviewed-by: @t_feng Signed-off-by: @t_feng
fix CVE-2021-42523
2022-09-07 09:28:09 +00:00 · 2022-09-07 16:53:51 +08:00 · 2022-08-29 07:41:34 +00:00 · 2022-08-29 14:29:40 +08:00 · 2022-03-29 06:55:48 +00:00 · 2022-03-29 10:52:02 +08:00
6 changed files with 81 additions and 4 deletions
--- a/backport-0001-CVE-2021-42523.patch
+++ b/backport-0001-CVE-2021-42523.patch
@ -0,0 +1,27 @@
 From adf41f36cf7214d7d6fa8d528b74eba47c377405 Mon Sep 17 00:00:00 2001
 From: Zero0one1 <arya_lee@qq.com>
 Date: Fri, 2 Apr 2021 16:45:56 +0800
 Subject: [PATCH] Fix a small memory leak in sqlite3_exec()
 Fixes https://github.com/hughsie/colord/issues/110
 Conflict:NA
 Reference:https://github.com/hughsie/colord/commit/adf41f36cf7214d7d6fa8d528b74eba47c377405
 ---
 src/cd-device-db.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/cd-device-db.c b/src/cd-device-db.c
 index a212c83d..3ae44ef2 100644
 --- a/src/cd-device-db.c
 +++ b/src/cd-device-db.c
@@ -91,7 +91,7 @@ cd_device_db_load (CdDeviceDb *ddb,
 	/* check properties version 2 */
 	rc = sqlite3_exec (priv->db, "SELECT * FROM properties_v2 LIMIT 1",
 -			   NULL, NULL, &error_msg);
 +			   NULL, NULL, NULL);
 	if (rc != SQLITE_OK) {
 		statement = "CREATE TABLE properties_v2 ("
 			    "device_id TEXT,"
--- a/backport-0002-CVE-2021-42523.patch
+++ b/backport-0002-CVE-2021-42523.patch
@ -0,0 +1,25 @@
 From 1452a975ecae14299fb27d41522dfd32305481ce Mon Sep 17 00:00:00 2001
 From: Richard Hughes <richard@hughsie.com>
 Date: Wed, 13 Apr 2022 14:21:32 +0100
 Subject: [PATCH] trivial: Fix a small memory leak on db open failure
 Conflict:Using g_autofree will make the testcase fail, so here we use sqlite3_free to free the memory
 Reference:https://github.com/hughsie/colord/commit/1452a975ecae14299fb27d41522dfd32305481ce
 ---
 src/cd-profile-db.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/src/cd-profile-db.c b/src/cd-profile-db.c
 index 5661d09..d6361ac 100644
 --- a/src/cd-profile-db.c
 +++ b/src/cd-profile-db.c
@@ -87,6 +87,7 @@ cd_profile_db_load (CdProfileDb *pdb,
 			    "uid INTEGER,"
 			    "value TEXT,"
 			    "PRIMARY KEY (profile_id, property, uid));";
 +		sqlite3_free (error_msg);
 		sqlite3_exec (priv->db, statement, NULL, NULL, NULL);
 	}
 	return TRUE;
 -- 
 2.33.0
--- a/colord-1.4.4.tar.xz
+++ b/colord-1.4.4.tar.xz
--- a/colord-1.4.5.tar.xz
+++ b/colord-1.4.5.tar.xz
--- a/colord.spec
+++ b/colord.spec
@ -1,11 +1,14 @@
 Name:           colord
-Version:        1.4.4
+Version:        1.4.5
-Release:        1
+Release:        4
 Summary:        A system activated daemon
 License:        GPLv2+ and LGPLv2+
 URL:            https://www.freedesktop.org/software/colord/
 Source0:        https://www.freedesktop.org/software/colord/releases/%{name}-%{version}.tar.xz
 Patch6000:	backport-0001-CVE-2021-42523.patch
 Patch6001:	backport-0002-CVE-2021-42523.patch
 BuildRequires:  color-filesystem dbus-devel docbook5-style-xsl gettext glib2-devel
 BuildRequires:  gobject-introspection-devel gtk-doc libgudev1-devel
 BuildRequires:  libxslt meson sqlite-devel systemd systemd-devel vala-tools
@ -57,8 +60,12 @@ This help package contains help documents for color.
 %build
 ulimit -Sv 2000000
 # colord-test-private test cases always fail, so we don't run this case
 # https://github.com/hughsie/colord/issues/139 use this link to track bugs
 sed -i 's/test('"'"'colord-test-private'"'"'/# test('"'"'colord-test-private'"'"'/g' %{_builddir}/%{name}-%{version}/lib/colord/meson.build
 %meson -Dargyllcms_sensor=false -Dbash_completion=false -Ddaemon_user=colord \
-       -Dprint_profiles=false -Dvapi=true -Dinstalled_tests=true
+       -Dprint_profiles=false -Dvapi=true -Dinstalled_tests=true -Dtests=true
 %meson_build
 %install
@ -75,6 +82,9 @@ cat /etc/passwd | grep colord >/dev/null || useradd -r -g colord \
    -s /sbin/nologin -d /var/lib/colord -c "User for colord" colord
 exit 0
 %check
 %meson_test
 %preun
 %systemd_preun colord.service
@ -161,6 +171,21 @@ exit 0
 %{_datadir}/man/man1/*.1.gz
 %changelog
 * Wed Aug 31 2022 wangkerong <wangkerong@h-partners.com> - 1.4.5-4
 - fix CVE-2021-42523
 * Mon Aug 29 2022 wangkerong <wangkerong@h-partners.com> - 1.4.5-3
 - fix CVE-2021-42523
 * Mon Mar 28 2022 wangkerong <wangkerong@h-partners.com> - 1.4.5-2
 - enable test case
 * Sat Jan 30 2021 yanglu <yanglu60@huawei.com> - 1.4.5-1
 - Type:enhancement
 - ID:NA
 - SUG:NA
 - DESC:upgrade to version 1.4.5
 * Sat Jul 25 2020 zhangqiumiao <zhangqiumiao1@huawei.com> - 1.4.4-1
 - Type:enhancement
 - ID:NA
--- a/colord.yaml
+++ b/colord.yaml
@ -1,4 +1,4 @@
 version_control: github
 src_repo: hughsize/colord
 tag_prefix:
-seperator: "."
+separator: "."
Author	SHA1	Message	Date
openeuler-ci-bot	04ac64820b	!26 [sync] PR-23: fix CVE-2021-42523 From: @openeuler-sync-bot Reviewed-by: @t_feng Signed-off-by: @t_feng	2022-09-07 09:28:09 +00:00
wangkerong	32835fda83	fix CVE-2021-42523 (cherry picked from commit 90a33611c1cade02b5bccb8f8f11a7c58f04edee)	2022-09-07 16:53:51 +08:00
openeuler-ci-bot	9512673c0b	!21 [sync] PR-17: fix CVE-2021-42523 From: @openeuler-sync-bot Reviewed-by: @t_feng Signed-off-by: @t_feng	2022-08-29 07:41:34 +00:00
wangkerong	83dfe4789e	fix CVE-2021-42523 (cherry picked from commit 5d9b12b903023d9dfc69df4af391289c76623719)	2022-08-29 14:29:40 +08:00
openeuler-ci-bot	f815f4a5f0	!16 [sync] PR-14: enable test case From: @openeuler-sync-bot Reviewed-by: @t_feng Signed-off-by: @t_feng	2022-03-29 06:55:48 +00:00
wangkerong	10f3a846b4	enable test (cherry picked from commit 9848ca6a5588f812eabd38d43046cc40e67f2d7c)	2022-03-29 10:52:02 +08:00
openeuler-ci-bot	34125d556f	!13 Version upgrade to colord-1.4.5 From: @yangl777 Reviewed-by: @orange-snn Signed-off-by: @orange-snn	2021-01-30 15:06:45 +08:00
renmingshuai	909281715e	upgrade version to 1.4.5	2021-01-30 10:27:40 +08:00
openeuler-ci-bot	a2b6065f8f	!12 update yaml file to package From: @zzm_567 Reviewed-by: @orange-snn Signed-off-by: @orange-snn	2020-10-16 14:10:37 +08:00
zhanzhimin	74218047e9	update yaml file	2020-10-16 11:44:50 +08:00