From 930920d5106e01d511dc339171ec3254e3d8771e Mon Sep 17 00:00:00 2001 From: Tomi Ollila Date: Sat, 18 Mar 2017 00:28:48 +0200 Subject: [PATCH 1/2] lib/message.cc: fix Coverity finding (use after free) The object where pointer to `data` was received was deleted before it was used in _notmuch_string_list_append(). Relevant Coverity messages follow: 3: extract Assigning: data = std::__cxx11::string(message->doc.()).c_str(), which extracts wrapped state from temporary of type std::__cxx11::string. 4: dtor_free The internal representation of temporary of type std::__cxx11::string is freed by its destructor. 5: use after free: Wrapper object use after free (WRAPPER_ESCAPE) Using internal representation of destroyed object local data. (cherry picked from commit 06adc276682d1d5f73d78df2e898ad4191eb4499) --- lib/message.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/message.cc b/lib/message.cc index 9d3e8071..a91e69e0 100644 --- a/lib/message.cc +++ b/lib/message.cc @@ -849,9 +849,9 @@ _notmuch_message_ensure_filename_list (notmuch_message_t *message) * * It would be nice to do the upgrade of the document directly * here, but the database is likely open in read-only mode. */ - const char *data; - data = message->doc.get_data ().c_str (); + std::string datastr = message->doc.get_data (); + const char *data = datastr.c_str (); if (data == NULL) INTERNAL_ERROR ("message with no filename"); From 8ef0d05ad77db68044e437e939c60bed07e169f1 Mon Sep 17 00:00:00 2001 From: David Bremner Date: Sun, 19 Mar 2017 09:39:06 -0300 Subject: [PATCH 2/2] debian: changelog stanza for 0.23.7-2 --- debian/changelog | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index f3167549..8b05d602 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +notmuch (0.23.7-2) unstable; urgency=medium + + * Cherry pick 06adc276, fix use after free in libnotmuch4 + + -- David Bremner Sun, 19 Mar 2017 09:38:17 -0300 + notmuch (0.23.7-1) unstable; urgency=medium * Move test suite $GNUPGHOME to /tmp to avoid problems with long build paths.
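Review bot: in the lib/message.cc hunk, the unchanged `if (data == NULL)` check that follows the new `const char *data = datastr.c_str ();` can never fire, because `std::string::c_str()` always returns a non-null pointer, so INTERNAL_ERROR ("message with no filename") is unreachable here. If the intent is to catch a document whose data is empty, test the string itself, for example `if (datastr.empty ())`. The lifetime fix is sound as long as `datastr` stays in scope for every later use of `data`, including the `_notmuch_string_list_append()` call named in the commit message. A short comment next to the declaration saying that `datastr` exists to keep `data` valid would stop a later cleanup from folding the two lines back together.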
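Review bot: in the debian/changelog hunk, the new entry says only "fix use after free in libnotmuch4" and does not say where the bug is. Naming the file or function touched by the cherry-picked commit (lib/message.cc, `_notmuch_message_ensure_filename_list`) would let someone reading the changelog judge exposure without opening the upstream commit.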