From d9b53bd182bd5fc0cd45e39bc17d08a8ae94b6c0 Mon Sep 17 00:00:00 2001
From: Matěj Grabovský <mgrabovs@redhat.com>
Date: Nov 03 2020 15:36:34 +0000
Subject: Add patch for #1893595


---

diff --git a/0008-rhbz-Fix-a-double-free-condition.patch b/0008-rhbz-Fix-a-double-free-condition.patch
new file mode 100644
index 0000000..a25b684
--- /dev/null
+++ b/0008-rhbz-Fix-a-double-free-condition.patch
@@ -0,0 +1,48 @@
+From 6cd4fa7749b2de7a39b6bf22373b56d1c1be91d1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20Grabovsk=C3=BD?= <mgrabovs@redhat.com>
+Date: Mon, 2 Nov 2020 11:45:23 +0100
+Subject: [PATCH 1/2] rhbz: Fix a double-free condition
+
+The `cc` string must not be freed after the variable goes out of scope
+since it's appended to `cc_list`. (`g_list_append()` does not copy its
+input.) We only need to free the last string in the loop, which is an
+empty string.
+
+The bug was introduced in 7aba6e53.
+
+Resolves rhbz#1893595
+---
+ src/plugins/rhbz.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/plugins/rhbz.c b/src/plugins/rhbz.c
+index 25d30207..c2855a70 100644
+--- a/src/plugins/rhbz.c
++++ b/src/plugins/rhbz.c
+@@ -407,18 +407,20 @@ GList *rhbz_bug_cc(xmlrpc_value* result_xml)
+         if (!item)
+             continue;
+ 
+-        const char* cc = NULL;
+-        xmlrpc_read_string(&env, item, &cc);
++        char *cc = NULL;
++        xmlrpc_read_string(&env, item, (const char **)&cc);
+         xmlrpc_DECREF(item);
+         if (env.fault_occurred)
+             abrt_xmlrpc_die(&env);
+ 
+         if (*cc != '\0')
+         {
+-            cc_list = g_list_append(cc_list, (char*)cc);
++            cc_list = g_list_append(cc_list, cc);
+             log_debug("member on cc is %s", cc);
+             continue;
+         }
++
++        free(cc);
+     }
+     xmlrpc_DECREF(cc_member);
+     return cc_list;
+-- 
+2.26.2
+
diff --git a/libreport.spec b/libreport.spec
index f17e39f..d233c98 100644
--- a/libreport.spec
+++ b/libreport.spec
@@ -15,7 +15,7 @@
 Summary: Generic library for reporting various problems
 Name: libreport
 Version: 2.14.0
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: GPLv2+
 URL: https://abrt.readthedocs.org/
 Source: https://github.com/abrt/%{name}/archive/%{version}/%{name}-%{version}.tar.gz
@@ -27,6 +27,7 @@ Patch3: 0004-gui-wizard-gtk-Fix-a-segfault-and-memory-leak.patch
 Patch4: 0005-gui-wizard-gtk-Fix-segfault.patch
 Patch5: 0006-event_config-Null-autofree-pointers-before-returning.patch
 Patch6: 0007-gui-wizard-gtk-Don-t-autofree-URL-string.patch
+Patch7: 0008-rhbz-Fix-a-double-free-condition.patch
 
 BuildRequires: %{dbus_devel}
 BuildRequires: gtk3-devel
@@ -667,6 +668,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %endif
 
 %changelog
+* Tue Nov 3 2020 Matěj Grabovský <mgrabovs@redhat.com> - 2.14.0-12
+- Add fix for https://bugzilla.redhat.com/show_bug.cgi?id=1893595
+
 * Fri Oct 09 2020 Matěj Grabovský <mgrabovs@redhat.com> - 2.14.0-11
 - Add fix for https://bugzilla.redhat.com/show_bug.cgi?id=1882328