From: Alexander Larsson Date: Fri, 26 Sep 2025 13:12:16 +0000 (+0200) Subject: ostree-sign.ed25519/spki: Fix double free in set_sk() X-Git-Tag: archive/raspbian/2025.7-2+rpi1^2^2~6^2^2~10^2~3 X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/cgi/%22https://%22%22/%22http:/www.example.com/cgi/%22https:/%22%22?a=commitdiff_plain;h=4e42790818d811c80b64fcdc5608755d5dcac43e;p=ostree.git ostree-sign.ed25519/spki: Fix double free in set_sk() When the gvariant is G_VARIANT_TYPE_BYTESTRING we need to duplicate the data we get from g_variant_get_fixed_array(), otherwise we will double-free it when we later free sign->secret_key.
---
diff --git a/src/libostree/ostree-sign-ed25519.c b/src/libostree/ostree-sign-ed25519.c
index b7718880..e5108098 100644
--- a/src/libostree/ostree-sign-ed25519.c
+++ b/src/libostree/ostree-sign-ed25519.c
@@ -367,8 +367,8 @@ ostree_sign_ed25519_set_sk (OstreeSign *self, GVariant *secret_key, GError **err
 }
 else if (g_variant_is_of_type (secret_key, G_VARIANT_TYPE_BYTESTRING))
 {
- secret_key_buf
- = (guchar *)g_variant_get_fixed_array (secret_key, &n_elements, sizeof (guchar));
+ const guchar *data = g_variant_get_fixed_array (secret_key, &n_elements, sizeof (guchar));
+ secret_key_buf = g_memdup (data, n_elements);
 }
 else
 {
diff --git a/src/libostree/ostree-sign-spki.c b/src/libostree/ostree-sign-spki.c
index 5ad81da3..9a268325 100644
--- a/src/libostree/ostree-sign-spki.c
+++ b/src/libostree/ostree-sign-spki.c
@@ -343,8 +343,8 @@ ostree_sign_spki_set_sk (OstreeSign *self, GVariant *secret_key, GError **error)
 }
 else if (g_variant_is_of_type (secret_key, G_VARIANT_TYPE_BYTESTRING))
 {
- secret_key_buf
- = (guchar *)g_variant_get_fixed_array (secret_key, &n_elements, sizeof (guchar));
+ const guchar *data = g_variant_get_fixed_array (secret_key, &n_elements, sizeof (guchar));
+ secret_key_buf = g_memdup (data, n_elements);
 }
 else
 {
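Review bot: `g_memdup (data, n_elements)` in the bytestring branch of `ostree_sign_ed25519_set_sk` hands a `gsize` count to a function whose size parameter is `guint`, so the length is silently truncated on 64-bit builds; GLib deprecated `g_memdup` in 2.68 for exactly this reason, and the identical line is added in the `ostree_sign_spki_set_sk` hunk. If the project's minimum GLib or its backport header provides it, prefer `secret_key_buf = g_memdup2 (data, n_elements);` in both files. Separately, this branch now yields an owned heap copy of private-key bytes where it used to hold a borrowed pointer, so any early return between this line and the assignment to `sign->secret_key` has to free the copy, ideally after clearing it. Both function bodies start and end outside the hunks, so the later length check and error paths could not be verified from here.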