From 8c3f1ed576a9cb7645b7d08115eafca0215ad34d Mon Sep 17 00:00:00 2001 From: Gleb Fotengauer-Malinovskiy Date: Fri, 29 May 2015 19:57:42 +0300 Subject: [PATCH] rpmpm.cc: fix use after free of temporary std::string object According to C++ standard (since C++89), this string is destroyed right after evaluation of .c_str(). In addition, gcc5 with c++11 ABI mode enabled cleans memory in basic_string destructor and reuses memory in *next* basic_string constructor. This led to the error: # apt-get install doxygen -o RPM::PM=external -o Dir::Bin::gpg=false -qq Executing RPM (/bin/rpm -U -v --oldpackage)... Could not exec / E: Sub-process /bin/rpm returned an error code (100) --- apt/apt-pkg/rpm/rpmpm.cc | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/apt/apt-pkg/rpm/rpmpm.cc b/apt/apt-pkg/rpm/rpmpm.cc index bcb0ff9..e6518f5 100644 --- a/apt/apt-pkg/rpm/rpmpm.cc +++ b/apt/apt-pkg/rpm/rpmpm.cc @@ -404,13 +404,14 @@ pkgRPMExtPM::~pkgRPMExtPM() bool pkgRPMExtPM::ExecRPM(Item::RPMOps op, vector &files) { - const char *Args[10000]; + const char *Args[10000]; const char *operation; unsigned int n = 0; bool Interactive = _config->FindB("RPM::Interactive",true); int quiet = _config->FindI("quiet",0); - - Args[n++] = _config->Find("Dir::Bin::rpm","rpm").c_str(); + + string rpmbinary = _config->Find("Dir::Bin::rpm","rpm"); + Args[n++] = rpmbinary.c_str(); bool nodeps = false;