From cb9ee701ef46c1819eed4e2a4dc181682bdfc176 Mon Sep 17 00:00:00 2001
From: Philip Withnall
Date: Wed, 10 Feb 2021 21:16:39 +0000
Subject: [PATCH 1/3] gkeyfilesettingsbackend: Fix basename handling when group is unset
Fix an effective regression in commit 7781a9cbd2fd0aa84bee0f4eee88470640ff6706, which happens when `convert_path()` is called with a `key` which contains no slashes. In that case, the `key` is entirely the `basename`. Prior to commit 7781a9cb, the code worked through a fluke of `i == -1` cancelling out with the various additions in the `g_memdup()` call, and effectively resulting in `g_strdup (key)`. Spotted by Guido Berhoerster.
Signed-off-by: Philip Withnall
Upstream-Status: Backport [https://mirrors.ocf.berkeley.edu/ubuntu/pool/main/g/glib2.0/glib2.0_2.64.6-1~ubuntu20.04.3.debian.tar.xz]
CVE: CVE-2021-27219
Signed-off-by: Ranjitsinh Rathod
---
 gio/gkeyfilesettingsbackend.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
index 25b057672..861c3a661 100644
--- a/gio/gkeyfilesettingsbackend.c
+++ b/gio/gkeyfilesettingsbackend.c
@@ -185,7 +185,12 @@ convert_path (GKeyfileSettingsBackend *kfsb,
 }
 if (basename)
- *basename = g_memdup2 (last_slash + 1, key_len - (last_slash - key));
+ {
+ if (last_slash != NULL)
+ *basename = g_memdup2 (last_slash + 1, key_len - (last_slash - key));
+ else
+ *basename = g_strdup (key);
+ }
 return TRUE;
 }
-- 
GitLab
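Review bot: The `last_slash != NULL` branch still computes the copy length by hand, `key_len - (last_slash - key)`, which is only correct while `key_len` is the length of the string `key` currently points to; that relationship is established outside this hunk and cannot be checked from here. Since the new `else` branch already treats `key` as NUL-terminated, both branches could drop the pointer arithmetic: `*basename = g_strdup (last_slash != NULL ? last_slash + 1 : key);`. If the `g_memdup2()` form is kept, a comment such as `/* length includes the trailing NUL; no slash means the whole key is the basename */` would record why the count has no `- 1`. `convert_path()` begins before the hunk, so any earlier use of `last_slash` when it is NULL is not visible here and is worth confirming against the full function.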