Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Critical
Fix Version/s: rhel-9.5
Affects Version/s: rhel-9.5
Component/s: rpm
Labels:
- dev+
- patch+
- qe+

Fixed in Build:
rpm-4.16.1.3-31.el9
Regression:
None
Severity:
Moderate

Pool Team:

sst_cs_software_management
Sub-System Group:

ssg_core_services

Dev Target Milestone:
20
Internal Target Milestone:
22
Story Points:
None
Target Version:

rhel-9.5
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
None

Acceptance Criteria:
Hide

AC: Issue from the OpenScanHub mentioned in the description is fixed.

Test: Manual verification

Find the build here: https://cov01.lab.eng.brq2.redhat.com/osh/task/

Compare the results with old build (in this case here: https://cov01.lab.eng.brq2.redhat.com/osh/task/412838/log/rpm-4.16.1.3-25.el9/scan-results.err)

Verify that the Error from description is in the old OpenScanHub run, but not the new one.
Show
AC: Issue from the OpenScanHub mentioned in the description is fixed. Test: Manual verification Find the build here: https://cov01.lab.eng.brq2.redhat.com/osh/task/ Compare the results with old build (in this case here: https://cov01.lab.eng.brq2.redhat.com/osh/task/412838/log/rpm-4.16.1.3-25.el9/scan-results.err ) Verify that the Error from description is in the old OpenScanHub run, but not the new one.
Preliminary Testing:
Pass
Errata Link:
https://errata.engineering.redhat.com/advisory/133184
Test Coverage:

Manual

Release Note Type:
Release Note Not Required

Experience:
Architecture:

All

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Findings from https://issues.redhat.com/browse/RHEL-22390:

Error: UNINIT (CWE-457):
rpm-4.16.1.3/lib/rpmscript.c:274: var_decl: Declaring variable "inpipe" without initializer.
rpm-4.16.1.3/lib/rpmscript.c:398: uninit_use: Using uninitialized value "inpipe[0]".

396| fclose(in);
397|
398|-> if (inpipe[0])
399| close(inpipe[0]);
400|

inpipe can be uninitialized in the case writing the to-be-executed scriptlet to the disk failed. Closing a random file descriptor could have weird effects of course.

is cloned by

RHEL-54012 Potential use of unitialized variable in scriptlet execution

Release Pending

links to

RHBA-2024:133184 rpm bug fix and enhancement update

Assignee:: Michal Domonkos

Reporter:: Panu Matilainen

Developer:: packaging-team-maint

QA Contact:: Tomas Bajer

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2024/01/24 10:42 AM

Updated:: 2024/09/23 5:27 PM

Dev Target end:: 2024/07/15

Target end:: 2024/07/29

Details

Description

Attachments

Issue Links

Activity

People

Dates