* gnu/pacakges/patches/libconfuse-CVE-2022-40320.patch: Add file.
* gnu/packages/textutils.scm (libconfuse)[source]: Record patch.
* gnu/local.mk: Record patch.
---
gnu/local.mk | 1 +
.../patches/libconfuse-CVE-2022-40320.patch | 38 +++++++++++++++++++
gnu/packages/textutils.scm | 4 +-
3 files changed, 42 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/libconfuse-CVE-2022-40320.patch
@@ -1656,6 +1656,7 @@ dist_patch_DATA = \
%D%/packages/patches/julia-Use-MPFR-4.2.patch \
%D%/packages/patches/libcall-ui-make-it-installable.patch \
%D%/packages/patches/libcamera-ipa_manager-disable-signature-verification.patch \
+ %D%/packages/patches/libconfuse-CVE-2022-40320.patch \
%D%/packages/patches/libcss-check-format.patch \
%D%/packages/patches/libextractor-tidy-support.patch \
%D%/packages/patches/libftdi-fix-paths-when-FTDIPP-set.patch \
new file mode 100644
@@ -0,0 +1,38 @@
+[PATCH] Fix #163: unterminated username used with getpwnam()
+Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
+---
+ src/confuse.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/src/confuse.c b/src/confuse.c
+index ce4fca8..060fae2 100644
+--- a/src/confuse.c
++++ b/src/confuse.c
+@@ -1863,18 +1863,20 @@ DLLIMPORT char *cfg_tilde_expand(const char *filename)
+ passwd = getpwuid(geteuid());
+ file = filename + 1;
+ } else {
+- /* ~user or ~user/path */
+- char *user;
++ char *user; /* ~user or ~user/path */
++ size_t len;
+
+ file = strchr(filename, '/');
+ if (file == 0)
+ file = filename + strlen(filename);
+
+- user = malloc(file - filename);
++ len = file - filename - 1;
++ user = malloc(len + 1);
+ if (!user)
+ return NULL;
+
+- strncpy(user, filename + 1, file - filename - 1);
++ strncpy(user, &filename[1], len);
++ user[len] = 0;
+ passwd = getpwnam(user);
+ free(user);
+ }
+--
+2.48.1
+
@@ -280,7 +280,9 @@ (define-public libconfuse
"releases/download/v" version
"/confuse-" version ".tar.xz"))
(sha256
- (base32 "043hqqykpprgrkw9s2hbdlxr308a7yxwsgxj4m8aadg1401hmm8x"))))
+ (base32 "043hqqykpprgrkw9s2hbdlxr308a7yxwsgxj4m8aadg1401hmm8x"))
+ (patches
+ (search-patches "libconfuse-CVE-2022-40320.patch"))))
(build-system gnu-build-system)
(arguments
'(#:configure-flags '("--disable-static")))