From 8e2251484214d39bdb4872216239bd38eb7729ab Mon Sep 17 00:00:00 2001 From: David Bremner Date: Sun, 24 Nov 2019 22:31:34 -0400 Subject: [PATCH 1/6] lib: fix memory error in notmuch_config_list_value The documentation for notmuch_config_list_key warns that that the returned value will be destroyed by the next call to notmuch_config_list_key, but it neglected to mention that calling notmuch_config_list_value would also destroy it (by calling notmuch_config_list_key). This is surprising, and caused a use after free bug in _setup_user_query_fields (first noticed by an OpenBSD porter, so kudos to the OpenBSD malloc implementation). This change fixes that use-after-free bug. --- lib/config.cc | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/lib/config.cc b/lib/config.cc index da71c16e..a8bcdf83 100644 --- a/lib/config.cc +++ b/lib/config.cc @@ -150,13 +150,17 @@ notmuch_config_list_valid (notmuch_config_list_t *metadata) return true; } +static inline char * _key_from_iterator (notmuch_config_list_t *list) { + return talloc_strdup (list, (*list->iterator).c_str () + CONFIG_PREFIX.length ()); +} + const char * notmuch_config_list_key (notmuch_config_list_t *list) { if (list->current_key) talloc_free (list->current_key); - list->current_key = talloc_strdup (list, (*list->iterator).c_str () + CONFIG_PREFIX.length ()); + list->current_key = _key_from_iterator (list); return list->current_key; } @@ -166,7 +170,7 @@ notmuch_config_list_value (notmuch_config_list_t *list) { std::string strval; notmuch_status_t status; - const char *key = notmuch_config_list_key (list); + char *key = _key_from_iterator (list); /* TODO: better error reporting?? */ status = _metadata_value (list->notmuch, key, strval); @@ -177,6 +181,7 @@ notmuch_config_list_value (notmuch_config_list_t *list) talloc_free (list->current_val); list->current_val = talloc_strdup (list, strval.c_str ()); + talloc_free (key); return list->current_val; } 
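Review bot: The new helper `_key_from_iterator` has no comment saying who owns the string it returns, which matters because the bug being fixed was a lifetime confusion. It allocates with `talloc_strdup (list, ...)`, so the result is a talloc child of `list`. One caller stores it in `list->current_key`, and the other has to free it itself. I would add above the helper: `/* Returns a newly allocated copy of the current key, parented on list; the caller must talloc_free it or store it in list->current_key. Returns NULL if allocation fails. */`.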
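Review bot: In `notmuch_config_list_value`, the result of `_key_from_iterator (list)` is passed to `_metadata_value` without a check, and `talloc_strdup` returns NULL when allocation fails. What `_metadata_value` does with a NULL key is not visible in this hunk. A guard directly after the assignment, `if (! key) return NULL;`, would keep that failure local instead of relying on the callee. The function body continues outside the hunk.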
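Review bot: The added `talloc_free (key);` sits only on the success path, just before `return list->current_val;`. The lines between the `_metadata_value` call and this hunk are not shown. If they return early on a non-zero `status`, the temporary key stays attached to `list` until the list is destroyed, one copy per failed call. Freeing right after the lookup, `status = _metadata_value (list->notmuch, key, strval); talloc_free (key);`, would cover both paths, since `key` is not used again in the visible code.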
From a11b2f0f2d984b7f5974aff01c9fa80718449766 Mon Sep 17 00:00:00 2001 From: Ralph Seichter Date: Tue, 23 Jul 2019 22:48:23 +0200 Subject: [PATCH 2/6] notmuch-dump.c: Fix output file being closed twice Fixed: If the output file for a dump was non-writeable, gzclose_w() was called twice on the output file handle, resulting in SIGABRT. (cherry picked from commit 17806ecc955ce0375146ea1df51eae061a72bef8) --- notmuch-dump.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/notmuch-dump.c b/notmuch-dump.c index ef2f02df..70cdb0c2 100644 --- a/notmuch-dump.c +++ b/notmuch-dump.c @@ -329,13 +329,15 @@ notmuch_database_dump (notmuch_database_t *notmuch, } } - if (gzclose_w (output) != Z_OK) { + ret = gzclose_w (output); + if (ret) { fprintf (stderr, "Error closing %s: %s\n", name_for_error, gzerror (output, NULL)); ret = EXIT_FAILURE; output = NULL; goto DONE; - } + } else + output = NULL; if (output_file_name) { ret = rename (tempname, output_file_name); From 9024b2f5f6094d145e06883027b08ad0011023ff Mon Sep 17 00:00:00 2001 From: David Bremner Date: Wed, 27 Nov 2019 08:06:15 -0400 Subject: [PATCH 3/6] NEWS for 0.29.3 --- NEWS | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/NEWS b/NEWS index c416a373..722a352e 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,13 @@ +Notmuch 0.29.3 (2019-11-27) +=========================== + +General +------- + +Fix for use-after-free in notmuch_config_list_{key,val}. + +Fix for double close of file in notmuch-dump. + Notmuch 0.29.2 (2019-10-19) =========================== From 3efa2ad72c8ffd8183fab2cd6592f35e72fbb7d7 Mon Sep 17 00:00:00 2001 From: David Bremner Date: Wed, 27 Nov 2019 08:06:59 -0400 Subject: [PATCH 4/6] version: bump to 0.29.3 --- bindings/python/notmuch/version.py | 2 +- version | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/bindings/python/notmuch/version.py b/bindings/python/notmuch/version.py index 1bde97e5..e688b565 100644 --- a/bindings/python/notmuch/version.py 
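Review bot: The error branch still calls `gzerror (output, NULL)` after `gzclose_w (output)` has run, and zlib documents that gzerror cannot be called on a file once it is closed because its structures have been deallocated. The double close is gone, but the failure path still reads freed state while formatting the message. Print the saved return code instead, for example `fprintf (stderr, "Error closing %s: %d\n", name_for_error, ret);`. Setting `output = NULL;` once directly after the `gzclose_w` call would also make the `else` branch unnecessary. The enclosing function starts and ends outside the hunk.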
+++ b/bindings/python/notmuch/version.py @@ -1,3 +1,3 @@ # this file should be kept in sync with ../../../version -__VERSION__ = '0.29.2' +__VERSION__ = '0.29.3' SOVERSION = '5' diff --git a/version b/version index 20f06870..5540b6e0 100644 --- a/version +++ b/version @@ -1 +1 @@ -0.29.2 +0.29.3 From e5437dc4c2f1b93f94e5e9b5661b5e57244e3f96 Mon Sep 17 00:00:00 2001 From: David Bremner Date: Wed, 27 Nov 2019 08:11:53 -0400 Subject: [PATCH 5/6] mention python 2 changes --- NEWS | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/NEWS b/NEWS index 722a352e..66bb69f1 100644 --- a/NEWS +++ b/NEWS @@ -8,6 +8,11 @@ Fix for use-after-free in notmuch_config_list_{key,val}. Fix for double close of file in notmuch-dump. +Debian +------ + +Drop python2 support from shipped debian packaging. + Notmuch 0.29.2 (2019-10-19) =========================== From a59ef7d02cb229c2ec3569024918024003568aea Mon Sep 17 00:00:00 2001 From: David Bremner Date: Wed, 27 Nov 2019 08:20:31 -0400 Subject: [PATCH 6/6] debian: changelog for 0.29.3 --- debian/changelog | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/debian/changelog b/debian/changelog index 92b97449..4f7457cd 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +notmuch (0.29.3-1) unstable; urgency=medium + + * New upstream bugfix release. + - fix use-after-free bug in libnotmuch + - fix double close of file in "notmuch dump" + + -- David Bremner Wed, 27 Nov 2019 08:19:57 -0400 + notmuch (0.29.2-2) experimental; urgency=medium * Drop python-notmuch binary package.