Hello community, here is the log from the commit of package rxvt-unicode for openSUSE:Factory checked in at 2020-11-29 12:27:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rxvt-unicode (Old) and /work/SRC/openSUSE:Factory/.rxvt-unicode.new.5913 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "rxvt-unicode" Sun Nov 29 12:27:47 2020 rev:36 rq:851138 version:9.22 Changes: -------- --- /work/SRC/openSUSE:Factory/rxvt-unicode/rxvt-unicode.changes 2018-04-13 12:50:25.178140643 +0200 +++ /work/SRC/openSUSE:Factory/.rxvt-unicode.new.5913/rxvt-unicode.changes 2020-11-29 12:27:49.885965958 +0100 @@ -1,0 +2,6 @@ +Thu Nov 26 14:25:58 UTC 2020 - Marcus Hüwe <suse-tux@gmx.de> + +- add rxvt-unicode-9.22-perl_environ_segfault.patch to avoid a + segfault when closing urxvt + +------------------------------------------------------------------- New: ---- rxvt-unicode-9.22-perl_environ_segfault.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rxvt-unicode.spec ++++++ --- /var/tmp/diff_new_pack.WsK5NA/_old 2020-11-29 12:27:50.517966598 +0100 +++ /var/tmp/diff_new_pack.WsK5NA/_new 2020-11-29 12:27:50.521966602 +0100 @@ -1,7 +1,7 @@ # # spec file for package rxvt-unicode # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -40,6 +40,7 @@ Patch3: rxvt-unicode-0001-Prefer-XDG_RUNTIME_DIR-over-the-HOME.patch Patch4: rxvt-unicode-hardening.patch Patch5: rxvt-unicode-secondarywheel.patch +Patch6: rxvt-unicode-9.22-perl_environ_segfault.patch BuildRequires: gcc-c++ BuildRequires: ncurses-devel BuildRequires: perl 
@@ -72,6 +73,7 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 find -type d -name CVS -print0 | xargs -r0 rm -r install -m 0644 %{SOURCE2} README.SUSE ++++++ rxvt-unicode-9.22-perl_environ_segfault.patch ++++++ Do not segfault when calling perl_destruct from the rxvt_perl_interp dtor When closing urxvt, a segfault happens: (gdb) run Starting program: /usr/bin/urxvt [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". [Detaching after fork from child process 12209] Program received signal SIGSEGV, Segmentation fault. __GI_getenv (name=0x7ffff7a6daf8 "RL_DESTRUCT_LEVEL", name@entry=0x7ffff7a6daf6 "PERL_DESTRUCT_LEVEL") at getenv.c:84 84 if (name_start == ep_start && !strncmp (*ep + 2, name, len) (gdb) bt #0 __GI_getenv (name=0x7ffff7a6daf8 "RL_DESTRUCT_LEVEL", name@entry=0x7ffff7a6daf6 "PERL_DESTRUCT_LEVEL") at getenv.c:84 #1 0x00007ffff7912523 in Perl_mortal_getenv (str=0x7ffff7a6daf6 "PERL_DESTRUCT_LEVEL") at inline.h:2621 #2 perl_destruct (my_perl=0x5555556d1d60) at perl.c:616 #3 0x00005555555a7065 in rxvt_perl_interp::~rxvt_perl_interp (this=<optimized out>, this=<optimized out>) at ./rxvtperl.xs:379 #4 0x00007ffff76cf2c7 in __run_exit_handlers (status=0, listp=0x7ffff7853598 <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:108 #5 0x00007ffff76cf470 in __GI_exit (status=<optimized out>) at exit.c:139 #6 0x00007ffff76b7159 in __libc_start_main (main=0x555555581f00 <main(int, char**)>, argc=1, argv=0x7fffffffe138, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe128) at ../csu/libc-start.c:348 #7 0x000055555558624e in _start () at ../sysdeps/x86_64/start.S:120 (gdb) When closing urxvt, the rxvt_term::destroy_cb method is eventually called, which calls make_current() and afterwards destroys itself ("delete this;"). make_current indirectly assigns "env", which is a member of the rxvt_term struct, to "environ". 
When calling the rxvt_term::~rxvt_term destructor, the "env" member is explicitly destroyed ("delete [] env;"). Consequently, "environ" points to freed memory. Eventually, the rxvt_perl_interp::~rxvt_perl_interp dtor is called, which calls perl_destruct(...), which eventually calls getenv(...) (see the backtrace above). Since getenv dereferences "__environ"/"environ", a use after free happens. In order to fix this, we have to ensure that "environ" is not dangling. From a quick glance at the code, setting "environ" to the "perl_environ" seems to be a reasonable choice (that's what the other code in rxvtperl.xs also does). Version information: rxvt-unicode-9.22 perl-5.32.0 Signed-off-by: Marcus Huewe <suse-tux@gmx.de> Index: src/rxvtperl.xs =================================================================== --- src/rxvtperl.xs.orig +++ src/rxvtperl.xs @@ -376,6 +376,7 @@ rxvt_perl_interp::~rxvt_perl_interp () { if (perl) { + localise_env set_environ (perl_environ); perl_destruct (perl); perl_free (perl); PERL_SYS_TERM ();
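Review bot: The new rxvt-unicode.changes entry calls this only "a segfault when closing urxvt", while the patch header identifies it as a use after free of "environ" reached from perl_destruct. Please say so in the entry, and note whether the patch has been sent upstream, so that the memory-safety nature of the fix is visible to anyone reading the changelog.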
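Review bot: In the %prep hunk of rxvt-unicode.spec, "%patch6" is applied with no strip level while the neighbouring "%patch3 -p1", "%patch4 -p1" and "%patch5 -p1" all give one. The new patch uses "src/rxvtperl.xs" paths with no leading directory, so the default of -p0 does apply it correctly, but the difference looks like an oversight. Either write "%patch6 -p0" explicitly or regenerate the patch with a leading path component and use -p1 like the others.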
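Review bot: In the src/rxvtperl.xs hunk, "localise_env set_environ (perl_environ);" is declared inside the "if (perl)" block, and the definition of localise_env is not part of this patch. If it is a scope guard that restores the previous "environ" when it goes out of scope, as the declaration form suggests, then "environ" points at the freed "env" array again as soon as the block ends, and any later exit handler that calls getenv would hit the same use after free. Please confirm what localise_env does on destruction. Since the patch header places the root cause in rxvt_term::~rxvt_term ("delete [] env;" while "environ" still refers to it), consider also resetting "environ" there before the array is freed, so that the pointer is never left dangling rather than only being valid for the duration of perl_destruct.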