[AUTO-CHERRYPICK] Patch apparmor for CVE-2024-31755 - branch main (#9302)

CBL-Mariner-Bot · Sumynwa · web-flow · commit ec2c66e0fad8 · 2024-06-05T11:57:29.000+05:30
Co-authored-by: Sumynwa &lt;sumsharma@microsoft.com&gt;
diff --git a/SPECS/apparmor/CVE-2024-31755.patch b/SPECS/apparmor/CVE-2024-31755.patch
@@ -0,0 +1,40 @@
+commit 7e4d5dabe7a9b754c601f214e65b544e67ba9f59
+Author: Up-wind <lj.upwind@gmail.com>
+Date:   Mon Mar 25 20:07:11 2024 +0800
+
+    Add NULL check to cJSON_SetValuestring()
+    
+    If the valuestring passed to cJSON_SetValuestring is NULL, a null pointer dereference will happen.
+    
+    This commit adds the NULL check of valuestring before it is dereferenced.
+
+---
+ binutils/cJSON.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/binutils/cJSON.c b/binutils/cJSON.c
+index 541934c..e85ac11 100644
+--- a/binutils/cJSON.c
++++ b/binutils/cJSON.c
+@@ -393,6 +393,7 @@ CJSON_PUBLIC(double) cJSON_SetNumberHelper(cJSON *object, double number)
+     return object->valuedouble = number;
+ }
+ 
++/* Note: when passing a NULL valuestring, cJSON_SetValuestring treats this as an error and return NULL */
+ CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring)
+ {
+     char *copy = NULL;
+@@ -401,8 +402,8 @@ CJSON_PUBLIC(char*) cJSON_SetValuestring(cJSON *object, const char *valuestring)
+     {
+         return NULL;
+     }
+-    /* return NULL if the object is corrupted */
+-    if (object->valuestring == NULL)
++    /* return NULL if the object is corrupted or valuestring is NULL */
++    if (object->valuestring == NULL || valuestring == NULL)
+     {
+         return NULL;
+     }
+-- 
+2.25.1
+
diff --git a/SPECS/apparmor/apparmor.spec b/SPECS/apparmor/apparmor.spec
@@ -1,7 +1,7 @@
 Summary:        AppArmor is an effective and easy-to-use Linux application security system.
 Name:           apparmor
 Version:        3.0.4
-Release:        3%{?dist}
+Release:        4%{?dist}
 License:        GPLv2
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -10,6 +10,7 @@ URL:            https://launchpad.net/apparmor
 Source0:        https://launchpad.net/apparmor/3.0/3.0.4/+download/%{name}-%{version}.tar.gz
 Patch1:         apparmor-service-start-fix.patch
 Patch2:         CVE-2023-50471.patch
+Patch3:         CVE-2024-31755.patch
 # CVE-2016-1585 has no upstream fix as of 2020/09/28
 Patch100:       CVE-2016-1585.nopatch
 BuildRequires:  apr
@@ -354,6 +355,9 @@ make DESTDIR=%{buildroot} install
 %exclude %{perl_archlib}/perllocal.pod
 
 %changelog
+* Thu May 30 2024 Sumedh Sharma <sumsharma@microsoft.com> - 3.0.4-4
+- Add patch for CVE-2024-31755
+
 * Wed Dec 27 2023 Dallas Delaney <dadelan@microsoft.com> - 3.0.4-3
 - Add patch for CVE-2023-50471 and CVE-2023-50472
 
