Patch for CVE-2022-40320

d73777c2c3566fb2647727bb56d9a2295b81669b.patch

@@ -0,0 +1,25 @@
+--- src/confuse.c~	2020-06-21 15:53:26.000000000 -0500
++++ src/confuse.c	2022-09-12 08:41:44.448638314 -0500
+@@ -1865,16 +1865,19 @@
+ 		} else {
+ 			/* ~user or ~user/path */
+ 			char *user;
++                       size_t len;
+ 
+ 			file = strchr(filename, '/');
+ 			if (file == 0)
+ 				file = filename + strlen(filename);
+ 
+-			user = malloc(file - filename);
+-			if (!user)
++			len = file - filename - 1;
++                       user = malloc(len + 1);
++                       if (!user)
+ 				return NULL;
+ 
+-			strncpy(user, filename + 1, file - filename - 1);
++			strncpy(user, &filename[1], len);
++                       user[len] = 0;
+ 			passwd = getpwnam(user);
+ 			free(user);
+ 		}

libconfuse.spec

@@ -1,12 +1,14 @@
 Name:           libconfuse
 Version:        3.3
-Release:        6%{?dist}
+Release:        7%{?dist}
 Summary:        A configuration file parser library
 
 License:        ISC
 URL:            https://github.com/martinh/libconfuse
 Source0:	https://github.com/martinh/libconfuse/releases/download/v%{version}/confuse-%{version}.tar.gz
 
+Patch0:         d73777c2c3566fb2647727bb56d9a2295b81669b.patch
+
 BuildRequires:  gcc
 BuildRequires:  check-devel, pkgconfig
 BuildRequires:  perl-interpreter
@@ -39,6 +41,8 @@ Development files for %{name}.
 %setup -q -n confuse-%{version}
 perl -pi.orig -e 's|confuse.h|../src/confuse.h|g' tests/check_confuse.c
 
+%patch0 -p0
+
 %build
 %configure --enable-shared --disable-static
 make %{?_smp_mflags} AM_CFLAGS="-Wall -Wextra"
@@ -82,6 +86,9 @@ rm -rf $RPM_BUILD_ROOT%{_datadir}/doc/confuse
 
 
 %changelog
+* Mon Sep 12 2022 Gwyn Ciesla <gwync@protonmail.com> - 3.3-7
+- Patch for CVE-2022-40320
+
 * Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 3.3-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild