colord: fix CVE-2021-42523 (#3675)

hbeberman · anphel31 · commit aab2d1b1b65d · 2022-09-08T23:03:21.000Z
diff --git a/SPECS/colord/CVE-2021-42523.patch b/SPECS/colord/CVE-2021-42523.patch
@@ -0,0 +1,24 @@
+diff -Naur a/src/cd-device-db.c b/src/cd-device-db.c
+--- a/src/cd-device-db.c	2019-03-08 04:43:10.000000000 -0800
++++ b/src/cd-device-db.c	2022-09-01 17:19:29.006382333 -0700
+@@ -91,7 +91,7 @@
+ 
+ 	/* check properties version 2 */
+ 	rc = sqlite3_exec (priv->db, "SELECT * FROM properties_v2 LIMIT 1",
+-			   NULL, NULL, &error_msg);
++			   NULL, NULL, NULL);
+ 	if (rc != SQLITE_OK) {
+ 		statement = "CREATE TABLE properties_v2 ("
+ 			    "device_id TEXT,"
+diff -Naur a/src/cd-profile-db.c b/src/cd-profile-db.c
+--- a/src/cd-profile-db.c	2019-03-08 04:43:11.000000000 -0800
++++ b/src/cd-profile-db.c	2022-09-01 17:21:45.006213393 -0700
+@@ -79,7 +79,7 @@
+ 
+ 	/* check schema */
+ 	rc = sqlite3_exec (priv->db, "SELECT * FROM properties_pu LIMIT 1",
+-			   NULL, NULL, &error_msg);
++			   NULL, NULL, NULL);
+ 	if (rc != SQLITE_OK) {
+ 		statement = "CREATE TABLE properties_pu ("
+ 			    "profile_id TEXT,"
diff --git a/SPECS/colord/colord.spec b/SPECS/colord/colord.spec
@@ -7,13 +7,14 @@
 Summary:        Color daemon
 Name:           colord
 Version:        1.4.4
-Release:        8%{?dist}
+Release:        9%{?dist}
 License:        GPLv2+ and LGPLv2+
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
 URL:            https://www.freedesktop.org/software/colord/
 Source0:        https://www.freedesktop.org/software/colord/releases/%{name}-%{version}.tar.xz
 Source1:        %{name}-LGPLv2.txt
+Patch0:         CVE-2021-42523.patch
 BuildRequires:  bash-completion
 BuildRequires:  color-filesystem
 BuildRequires:  dbus-devel
@@ -87,7 +88,7 @@ Summary:        Data files for installed tests
 Data files for installed tests.
 
 %prep
-%setup -q
+%autosetup -p1
 cp %{SOURCE1} COPYING-LGPLv2.txt
 
 %build
@@ -233,6 +234,9 @@ exit 0
 %{_datadir}/installed-tests/colord/*
 
 %changelog
+* Thu Sep 01 2022 Henry Beberman <henry.beberman@microsoft.com> - 1.4.4-9
+- Patch CVE-2021-42523 to remove unused error_msg pointers.
+
 * Wed Dec 08 2021 Thomas Crain <thcrain@microsoft.com> - 1.4.4-8
 - License verified, added LGPLv2 license text
 - Lint spec
