diff --git a/Bugfix-Free-resources-if-certificate-cannot-be-found.patch b/Bugfix-Free-resources-if-certificate-cannot-be-found.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b128b2c83c0b47b1b4480cb3237f3bef1728db9c
--- /dev/null
+++ b/Bugfix-Free-resources-if-certificate-cannot-be-found.patch
@@ -0,0 +1,39 @@
+From d8ea40d773dc1bcd90d8fc3b1f71ce49044ccef0 Mon Sep 17 00:00:00 2001
+From: Chenxi Mao
+Date: Tue, 13 Dec 2022 22:12:29 +0800
+Subject: [PATCH 1/1] Free resources if certificate cannot be found
+
+In find_certificate_by_callback, function return -1 directly without
+free resource if node is null, that will lead to nss shut down failed.
+
+The error message as below:
+could not shut down NSS: NSS could not shutdown. Objects are still in use.
+
+To fix this issue, free all resources before function return -1.
+
+Signed-off-by: Chenxi Mao
+---
+ src/cms_common.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 1c54c90..24576f2 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -878,8 +878,12 @@ find_certificate_by_callback(cms_context *cms,
+ }
+ }
+
+- if (!node)
++ if (!node) {
++ PK11_DestroySlotListElement(slots, &psle);
++ PK11_FreeSlotList(slots);
++ CERT_DestroyCertList(certlist);
+ cnreterr(-1, cms, "Could not find certificate");
++ }
+
+ *cert = CERT_DupCertificate(node->cert);
+
+--
+2.33.0
+
diff --git a/pesign.spec b/pesign.spec
index 6e5ee8451b4a46f40972edc4a1a8ce7f1d9c3982..9de5142dab93f46434b24676eae021db69375689 100644
--- a/pesign.spec
+++ b/pesign.spec
@@ -2,7 +2,7 @@
 Name: pesign
 Summary: Signing utility for UEFI binaries
 Version: 115
-Release: 2
+Release: 3
 License: GPLv2
 URL: https://github.com/rhboot/pesign
 Source0: https://github.com/rhboot/pesign/archive/refs/tags/115.tar.gz
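Review bot: In the src/cms_common.c hunk carried by the new patch file, the three cleanup calls in the `if (!node)` branch run before `cnreterr(-1, cms, "Could not find certificate")`. If `cnreterr` reports the current NSS error code (its definition is not in the hunk), the cleanup may overwrite that code, and the signing log would then show an unrelated error rather than the failed lookup. Consider saving the code with `PORT_GetError()` before the cleanup and restoring it with `PORT_SetError()` afterwards, or reusing whatever error-preserving pattern the file's other error paths follow. find_certificate_by_callback continues outside the hunk and presumably releases the same three objects on its success path, so a shared cleanup label would keep the two paths from drifting apart. A comment such as `/* drop slot and cert list references so NSS_Shutdown() can succeed */` above the new calls would record why they are needed.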
@@ -17,6 +17,7 @@ BuildRequires: nss-devel >= 3.13.6-1 efivar-devel >= 31-1 libuuid-devel tar xz BuildRequires: python3-rpm-macros python3 systemd python3-devel gcc mandoc Patch0001: Bugfix-cms_common-fix-cert-match-check.patch +Patch0002: Bugfix-Free-resources-if-certificate-cannot-be-found.patch # Feature: support SM2 and SM3 Patch9000: Feature-pesign-support-SM3-digest-algorithm.patch @@ -98,6 +99,9 @@ exit 0 %{_mandir}/man*/* %changelog +* Mon Dec 19 2022 Chenxi Mao - 115-3 +- Free resources if certification cannot be found. + * Sat Nov 12 2022 luhuaxin - 115-2 - fix certificate chain bug