grub2/0195-blscfg-add-a-space-char-when-appending-fields-for-va.patch
Peter Jones 3b94406a9e "Minor" bug fixes
CVE-2020-10713
  CVE-2020-14308
  CVE-2020-14309
  CVE-2020-14310
  CVE-2020-14311
  CVE-2020-15705
  CVE-2020-15706
  CVE-2020-15707

Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-29 13:39:24 -04:00

79 lines
2.2 KiB
Diff

From 983aeec4df983df6d02f71e9d26f36571382d0b6 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Tue, 26 Nov 2019 09:51:41 +0100
Subject: [PATCH 195/237] blscfg: add a space char when appending fields for
variable expansion
The GRUB variables are expanded and replaced by their values before adding
menu entries, but they didn't include space characters after the values so
the result was not correct.
For the common case this wasn't a problem but it is if there are variables
that are part of the values of other variables.
Resolves: rhbz#1669252
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
---
grub-core/commands/blscfg.c | 31 ++++++++++++++++++-------------
1 file changed, 18 insertions(+), 13 deletions(-)
diff --git a/grub-core/commands/blscfg.c b/grub-core/commands/blscfg.c
index f2c1fd0733d..1504be30e8e 100644
--- a/grub-core/commands/blscfg.c
+++ b/grub-core/commands/blscfg.c
@@ -593,26 +593,29 @@ static char **bls_make_list (struct bls_entry *entry, const char *key, int *num)
static char *field_append(bool is_var, char *buffer, char *start, char *end)
{
- char *temp = grub_strndup(start, end - start + 1);
- const char *field = temp;
+ char *tmp = grub_strndup(start, end - start + 1);
+ const char *field = tmp;
+ int term = is_var ? 2 : 1;
if (is_var) {
- field = grub_env_get (temp);
+ field = grub_env_get (tmp);
if (!field)
return buffer;
}
- if (!buffer) {
- buffer = grub_strdup(field);
- if (!buffer)
- return NULL;
- } else {
- buffer = grub_realloc (buffer, grub_strlen(buffer) + grub_strlen(field));
- if (!buffer)
- return NULL;
+ if (!buffer)
+ buffer = grub_zalloc (grub_strlen(field) + term);
+ else
+ buffer = grub_realloc (buffer, grub_strlen(buffer) + grub_strlen(field) + term);
- grub_stpcpy (buffer + grub_strlen(buffer), field);
- }
+ if (!buffer)
+ return NULL;
+
+ tmp = buffer + grub_strlen(buffer);
+ tmp = grub_stpcpy (tmp, field);
+
+ if (is_var)
+ tmp = grub_stpcpy (tmp, " ");
return buffer;
}
@@ -642,6 +645,8 @@ static char *expand_val(char *value)
buffer = field_append(is_var, buffer, start, end);
is_var = false;
start = value;
+ if (*start == ' ')
+ start++;
}
}
--
2.26.2