new file mode 100644

@@ -0,0 +1,348 @@

+From c5883b20b7b021ee94111cb72777ab3ba3f50950 Mon Sep 17 00:00:00 2001

+From: Jaroslav Rohel <jrohel@redhat.com>

+Date: Fri, 7 Dec 2018 07:05:10 +0100

+Subject: [PATCH 1/7] Fix: Dereference of null pointer

+

+---

+ ext/repo_repomdxml.c | 2 +-

+ 1 file changed, 1 insertion(+), 1 deletion(-)

+

+diff --git a/ext/repo_repomdxml.c b/ext/repo_repomdxml.c

+index fd46272b..46d83615 100644

+--- a/ext/repo_repomdxml.c

+@@ -181,7 +181,7 @@ startElement(struct solv_xmlparser *xmlp, int state, const char *name, const cha

+             while (value)

+ 	      {

+ 		char *p = strchr(value, ',');

+-		if (*p)

++		if (p)

+ 		  *p++ = 0;

+ 		if (*value)

+ 		  repodata_add_poolstr_array(pd->data, SOLVID_META, REPOSITORY_UPDATES, value);

+

+From 8e1dba061d7962441f7e06b9a94d0ff24b158c6a Mon Sep 17 00:00:00 2001

+From: Jaroslav Rohel <jrohel@redhat.com>

+Date: Tue, 11 Dec 2018 09:50:06 +0100

+Subject: [PATCH 2/7] Fix: Add va_end() before return

+

+The va_end() performs cleanup.

+If va_end() is not called before a function that calls va_start() returns,

+the behavior is undefined.

+---

+ src/pool.c | 1 +

+ 1 file changed, 1 insertion(+)

+

+diff --git a/src/pool.c b/src/pool.c

+index 383edb2a..be6a4193 100644

+--- a/src/pool.c

+@@ -1536,6 +1536,7 @@ pool_debug(Pool *pool, int type, const char *format, ...)

+         vprintf(format, args);

+       else

+         vfprintf(stderr, format, args);

++      va_end(args);

+       return;

+     }

+   vsnprintf(buf, sizeof(buf), format, args);

+

+From 98a75959e13699e2ef35b0b011a88a6d224f227e Mon Sep 17 00:00:00 2001

+From: Jaroslav Rohel <jrohel@redhat.com>

+Date: Tue, 11 Dec 2018 10:14:04 +0100

+Subject: [PATCH 3/7] Fix: Memory leaks

+

+---

+ ext/repo_rpmdb.c  | 16 ++++++++++++++++

+ ext/testcase.c    |  4 ++++

+ tools/repo2solv.c |  1 +

+ 3 files changed, 21 insertions(+)

+

+diff --git a/ext/repo_rpmdb.c b/ext/repo_rpmdb.c

+index 9acb4006..0d648208 100644

+--- a/ext/repo_rpmdb.c

+@@ -1896,6 +1896,8 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)

+   if (fread(lead, 96 + 16, 1, fp) != 1 || getu32(lead) != 0xedabeedb)

+     {

+       pool_error(pool, -1, "%s: not a rpm", rpm);

++      solv_chksum_free(leadsigchksumh, NULL);

++      solv_chksum_free(chksumh, NULL);

+       fclose(fp);

+       return 0;

+     }

+@@ -1908,12 +1910,16 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)

+   if (lead[78] != 0 || lead[79] != 5)

+     {

+       pool_error(pool, -1, "%s: not a rpm v5 header", rpm);

++      solv_chksum_free(leadsigchksumh, NULL);

++      solv_chksum_free(chksumh, NULL);

+       fclose(fp);

+       return 0;

+     }

+   if (getu32(lead + 96) != 0x8eade801)

+     {

+       pool_error(pool, -1, "%s: bad signature header", rpm);

++      solv_chksum_free(leadsigchksumh, NULL);

++      solv_chksum_free(chksumh, NULL);

+       fclose(fp);

+       return 0;

+     }

+@@ -1922,6 +1928,8 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)

+   if (sigcnt >= MAX_SIG_CNT || sigdsize >= MAX_SIG_DSIZE)

+     {

+       pool_error(pool, -1, "%s: bad signature header", rpm);

++      solv_chksum_free(leadsigchksumh, NULL);

++      solv_chksum_free(chksumh, NULL);

+       fclose(fp);

+       return 0;

+     }

+@@ -1971,6 +1981,8 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)

+ 	  if (fread(lead, l, 1, fp) != 1)

+ 	    {

+ 	      pool_error(pool, -1, "%s: unexpected EOF", rpm);

++          solv_chksum_free(leadsigchksumh, NULL);

++          solv_chksum_free(chksumh, NULL);

+ 	      fclose(fp);

+ 	      return 0;

+ 	    }

+@@ -1991,6 +2003,7 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)

+   if (fread(lead, 16, 1, fp) != 1)

+     {

+       pool_error(pool, -1, "%s: unexpected EOF", rpm);

++      solv_chksum_free(chksumh, NULL);

+       fclose(fp);

+       return 0;

+     }

+@@ -1999,6 +2012,7 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)

+   if (getu32(lead) != 0x8eade801)

+     {

+       pool_error(pool, -1, "%s: bad header", rpm);

++      solv_chksum_free(chksumh, NULL);

+       fclose(fp);

+       return 0;

+     }

+@@ -2007,6 +2021,7 @@ repo_add_rpm(Repo *repo, const char *rpm, int flags)

+   if (sigcnt >= MAX_HDR_CNT || sigdsize >= MAX_HDR_DSIZE)

+     {

+       pool_error(pool, -1, "%s: bad header", rpm);

++      solv_chksum_free(chksumh, NULL);

+       fclose(fp);

+       return 0;

+     }

+diff --git a/ext/testcase.c b/ext/testcase.c

+index b815c563..33998d47 100644

+--- a/ext/testcase.c

+@@ -2311,6 +2311,7 @@ testcase_write_mangled(Solver *solv, const char *dir, int resultflags, const cha

+ 	  if (fclose(fp))

+ 	    {

+ 	      pool_debug(solv->pool, SOLV_ERROR, "testcase_write: write error\n");

++              solv_free(result);

+ 	      strqueue_free(&sq);

+ 	      return 0;

+ 	    }

+@@ -2323,12 +2324,14 @@ testcase_write_mangled(Solver *solv, const char *dir, int resultflags, const cha

+   if (!(fp = fopen(out, "w")))

+     {

+       pool_debug(solv->pool, SOLV_ERROR, "testcase_write: could not open '%s' for writing\n", out);

++      solv_free(cmd);

+       strqueue_free(&sq);

+       return 0;

+     }

+   if (*cmd && fwrite(cmd, strlen(cmd), 1, fp) != 1)

+     {

+       pool_debug(solv->pool, SOLV_ERROR, "testcase_write: write error\n");

++      solv_free(cmd);

+       strqueue_free(&sq);

+       fclose(fp);

+       return 0;

+@@ -2336,6 +2339,7 @@ testcase_write_mangled(Solver *solv, const char *dir, int resultflags, const cha

+   if (fclose(fp))

+     {

+       pool_debug(solv->pool, SOLV_ERROR, "testcase_write: write error\n");

++      solv_free(cmd);

+       strqueue_free(&sq);

+       return 0;

+     }

+From 95c3d1b3aad7a003d129b957cf449d11edaca67b Mon Sep 17 00:00:00 2001

+From: Jaroslav Rohel <jrohel@redhat.com>

+Date: Tue, 11 Dec 2018 10:22:09 +0100

+Subject: [PATCH 4/7] Fix: testsolv segfault

+

+ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fab0e11bf2b bp 0x7ffdfc044b70 sp 0x7ffdfc044a90 T0)

+0 0x7fab0e11bf2a in testcase_str2dep_complex /home/company/real_sanitize/libsolv-master/ext/testcase.c:577

+1 0x7fab0e11c80f in testcase_str2dep /home/company/real_sanitize/libsolv-master/ext/testcase.c:656

+2 0x7fab0e12e64a in testcase_read /home/company/real_sanitize/libsolv-master/ext/testcase.c:2952

+3 0x402aa5 in main /home/company/real_sanitize/libsolv-master/tools/testsolv.c:148

+4 0x7fab0d9d2a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

+5 0x401bb8 in _start (/home/company/real_sanitize/libsolv-master/build/install/bin/testsolv+0x401bb8)

+---

+ ext/testcase.c | 2 ++

+ 1 file changed, 2 insertions(+)

+

+diff --git a/ext/testcase.c b/ext/testcase.c

+index 33998d47..fe2636cb 100644

+--- a/ext/testcase.c

+@@ -576,6 +576,8 @@ testcase_str2dep_complex(Pool *pool, const char **sp, int relop)

+   Id flags, id, id2, namespaceid = 0;

+   struct oplist *op;

+ 

++  if (!s)

++    return 0;

+   while (*s == ' ' || *s == '\t')

+     s++;

+   if (!strncmp(s, "namespace:", 10))

+

+From 6de825c4d27022e48570824f0be77132c5b6d45a Mon Sep 17 00:00:00 2001

+From: Jaroslav Rohel <jrohel@redhat.com>

+Date: Tue, 11 Dec 2018 10:27:15 +0100

+Subject: [PATCH 5/7] Fix: testsolv segfaults

+

+ERROR: AddressSanitizer: SEGV on unknown address 0x0000000002f0 (pc 0x7f31501d3bd2 bp 0x7ffcfe4d4a50 sp 0x7ffcfe4d4a30 T0)

+0 0x7f31501d3bd1 in pool_whatprovides /home/company/real_sanitize/libsolv-master/src/pool.h:331

+1 0x7f31501d895e in testcase_str2solvid /home/company/real_sanitize/libsolv-master/ext/testcase.c:793

+2 0x7f31501e8388 in testcase_read /home/company/real_sanitize/libsolv-master/ext/testcase.c:2807

+3 0x402aa5 in main /home/company/real_sanitize/libsolv-master/tools/testsolv.c:148

+4 0x7f314fa8da3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

+5 0x401bb8 in _start (/home/company/real_sanitize/libsolv-master/build/install/bin/testsolv+0x401bb8)

+

+ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5af9e7815f bp 0x7ffc4c843a40 sp 0x7ffc4c8436c0 T0)

+0 0x7f5af9e7815e in testcase_read /home/company/real_sanitize/libsolv-master/ext/testcase.c:2799

+1 0x402aa5 in main /home/company/real_sanitize/libsolv-master/tools/testsolv.c:148

+2 0x7f5af971da3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)

+3 0x401bb8 in _start (/home/company/real_sanitize/libsolv-master/build/install/bin/testsolv+0x401bb8)

+---

+ ext/testcase.c | 2 +-

+ 1 file changed, 1 insertion(+), 1 deletion(-)

+

+diff --git a/ext/testcase.c b/ext/testcase.c

+index fe2636cb..c8dd14ee 100644

+--- a/ext/testcase.c

+@@ -2718,7 +2718,7 @@ testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **res

+ 	{

+ 	  int i = strlen(pieces[1]);

+ 	  s = strchr(pieces[1], '(');

+-	  if (!s && pieces[1][i - 1] != ')')

++	  if (!s || pieces[1][i - 1] != ')')

+ 	    {

+ 	      pool_debug(pool, SOLV_ERROR, "testcase_read: bad namespace '%s'\n", pieces[1]);

+ 	    }

+From bbfce7d10015fd7f72bcd5dbbca6c30f02cd7f4d Mon Sep 17 00:00:00 2001

+From: Jaroslav Rohel <jrohel@redhat.com>

+Date: Tue, 11 Dec 2018 12:40:42 +0100

+Subject: [PATCH 6/7] Fix: Be sure that NONBLOCK is set

+

+---

+ examples/solv/fastestmirror.c | 6 +++++-

+ 1 file changed, 5 insertions(+), 1 deletion(-)

+

+diff --git a/examples/solv/fastestmirror.c b/examples/solv/fastestmirror.c

+index d2ebd97a..0ee4e73b 100644

+--- a/examples/solv/fastestmirror.c

+@@ -68,7 +68,11 @@ findfastest(char **urls, int nurls)

+ 	  socks[i] = socket(result->ai_family, result->ai_socktype, result->ai_protocol);

+ 	  if (socks[i] >= 0)

+ 	    {

+-	      fcntl(socks[i], F_SETFL, O_NONBLOCK);

++	      if (fcntl(socks[i], F_SETFL, O_NONBLOCK) == -1)

++            {

++		      close(socks[i]);

++		      socks[i] = -1;

++            }

+ 	      if (connect(socks[i], result->ai_addr, result->ai_addrlen) == -1)

+ 		{

+ 		  if (errno != EINPROGRESS)

+

+From 2d7b115fbbe6b2f2894221e010cd75638a8eaa37 Mon Sep 17 00:00:00 2001

+From: Jaroslav Rohel <jrohel@redhat.com>

+Date: Tue, 11 Dec 2018 12:58:34 +0100

+Subject: [PATCH 7/7] Don't set values that are never read

+

+---

+ ext/pool_fileconflicts.c | 1 -

+ ext/repo_appdata.c       | 2 +-

+ ext/repo_comps.c         | 2 +-

+ src/cleandeps.c          | 1 -

+ src/dirpool.c            | 2 +-

+ src/order.c              | 1 -

+ src/repopage.c           | 1 -

+ 7 files changed, 3 insertions(+), 7 deletions(-)

+

+diff --git a/ext/pool_fileconflicts.c b/ext/pool_fileconflicts.c

+index eaeb52b2..2fd3d540 100644

+--- a/ext/pool_fileconflicts.c

+@@ -590,7 +590,6 @@ findfileconflicts_alias_cb(void *cbdatav, const char *fn, struct filelistinfo *i

+ 

+   if (!info->dirlen)

+     return;

+-  dp = fn + info->dirlen;

+   if (info->diridx != cbdata->lastdiridx)

+     {

+       cbdata->lastdiridx = info->diridx;

+diff --git a/ext/repo_appdata.c b/ext/repo_appdata.c

+index 31749686..b798af4c 100644

+--- a/ext/repo_appdata.c

+@@ -129,7 +129,7 @@ startElement(void *userData, const char *name, const char **atts)

+ {

+   struct parsedata *pd = userData;

+   Pool *pool = pd->pool;

+-  Solvable *s = pd->solvable;

++  Solvable *s;

+   struct stateswitch *sw;

+   const char *type;

+ 

+diff --git a/ext/repo_comps.c b/ext/repo_comps.c

+index 9400e1ea..69916567 100644

+--- a/ext/repo_comps.c

+@@ -150,7 +150,7 @@ startElement(void *userData, const char *name, const char **atts)

+ {

+   struct parsedata *pd = userData;

+   Pool *pool = pd->pool;

+-  Solvable *s = pd->solvable;

++  Solvable *s;

+   struct stateswitch *sw;

+ 

+ #if 0

+diff --git a/src/dirpool.c b/src/dirpool.c

+index afb26ea5..bed9435e 100644

+--- a/src/dirpool.c

+@@ -85,7 +85,7 @@ dirpool_make_dirtraverse(Dirpool *dp)

+     return;

+   dp->dirs = solv_extend_resize(dp->dirs, dp->ndirs, sizeof(Id), DIR_BLOCK);

+   dirtraverse = solv_calloc_block(dp->ndirs, sizeof(Id), DIR_BLOCK);

+-  for (parent = 0, i = 0; i < dp->ndirs; i++)

++  for (i = 0; i < dp->ndirs; i++)

+     {

+       if (dp->dirs[i] > 0)

+ 	continue;

+diff --git a/src/order.c b/src/order.c

+index c0cc07f4..c45a9a22 100644

+--- a/src/order.c

+@@ -1008,7 +1008,6 @@ transaction_order(Transaction *trans, int flags)

+ #if 0

+ printf("do %s [%d]\n", pool_solvid2str(pool, te->p), temedianr[i]);

+ #endif

+-      s = pool->solvables + te->p;

+       for (j = te->edges; od.invedgedata[j]; j++)

+ 	{

+ 	  struct _TransactionElement *te2 = od.tes + od.invedgedata[j];

+diff --git a/src/repopage.c b/src/repopage.c

+index 2b7a863b..85d53eb9 100644

+--- a/src/repopage.c

+@@ -399,7 +399,6 @@ compress_buf(const unsigned char *in, unsigned int in_len,

+ 	      litlen -= 32;

+ 	    }

+ 	}

+-      litofs = 0;

+     }

+   return oo;

+ }

@@ -1,11 +1,12 @@

 Summary:        Libsolv-0.6.19

 Name:           libsolv

 Version:        0.6.26

-Release:        3%{?dist}

+Release:        4%{?dist}

 License:        BSD

 URL:            https://github.com/openSUSE/libsolv

 Source0:        https://github.com/openSUSE/libsolv/archive/%{name}-%{version}.tar.gz

 %define sha1    libsolv=7699af00e648bf3e631246559c48ceb7f3f544b9

+Patch0:         CVE-2018-20532-20533-20534.patch

 Group:          Development/Tools

 Vendor:         VMware, Inc.

 Distribution:   Photon

@@ -29,6 +30,7 @@ for developing applications that use libsolv.

 %prep

 %setup -q

+%patch0 -p1

 %build

 cmake \

     -DCMAKE_INSTALL_PREFIX=%{_prefix} \

@@ -61,6 +63,8 @@ make %{?_smp_mflags} test

 %{_mandir}/man3/*

 %changelog

+*   Thu Feb 14 2019 Keerthana K <keerthanak@vmware.com> 0.6.26-4

+-   Fix for CVE-2018-20532, CVE-2018-20533, CVE-2018-20534.

 *   Fri Apr 21 2017 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 0.6.26-3

 -   update libdb make config

 *   Fri Apr 14 2017 Alexey Makhalov <amakhalov@vmware.com> 0.6.26-2