libopkg: fix use-after-free with duplicate packages on the command line

[oweals/opkg-lede.git] / libopkg / opkg_download.c

diff --git a/libopkg/opkg_download.c b/libopkg/opkg_download.c
index 4a8b2a2b9d4c854fd2ea7a75fe20b19f83bf58d3..631bdabd4a3dee974fb54cdf3198a1f583bb4cdf 100644 (file)
--- a/libopkg/opkg_download.c
+++ b/libopkg/opkg_download.c
@@ -19,6 +19,7 @@
 
 #include "config.h"
 
 
 #include "config.h"
 

+#include <sys/wait.h>

 #include <stdio.h>
 #include <unistd.h>
 #include <libgen.h>
 #include <stdio.h>
 #include <unistd.h>
 #include <libgen.h>


@@ -334,7 +335,7 @@ opkg_prepare_url_for_install(const char *url, char **namep)
      hash_insert_pkg(pkg, 1);
 
      if (namep) {
      hash_insert_pkg(pkg, 1);
 
      if (namep) {

-         *namep = pkg->name;
+         *namep = xstrdup(pkg->name);

      }
      return 0;
 }
      }
      return 0;
 }


@@ -342,7 +343,28 @@ opkg_prepare_url_for_install(const char *url, char **namep)
 int
 opkg_verify_file (char *text_file, char *sig_file)
 {
 int
 opkg_verify_file (char *text_file, char *sig_file)
 {

-#if defined HAVE_GPGME
+#if defined HAVE_USIGN
+       int status = -1;
+       int pid;
+
+    if (conf->check_signature == 0 )
+        return 0;
+
+       pid = fork();
+       if (pid < 0)
+               return -1;
+
+       if (!pid) {
+               execl("/usr/sbin/opkg-key", "opkg-key", "verify", sig_file, text_file, NULL);
+               exit(255);
+       }
+
+       waitpid(pid, &status, 0);
+       if (!WIFEXITED(status) || WEXITSTATUS(status))
+               return -1;
+
+       return 0;
+#elif defined HAVE_GPGME

     if (conf->check_signature == 0 )
         return 0;
     int status = -1;
     if (conf->check_signature == 0 )
         return 0;
     int status = -1;