Submitted here: https://github.com/freebsd/atf/pull/57

From 098b66269b1cf1d944b8b214ceb7ce9febde3682 Mon Sep 17 00:00:00 2001
From: Maxim Cournoyer <maxim.cournoyer@gmail.com>
Date: Mon, 29 Jan 2024 22:35:49 -0500
Subject: [PATCH] Fix use after free in execute_with_shell.

The temporary string returned by atf::env::get would be used outside
its statement, which is invalid and cause undefined behavior.  Copy it
to a local variable to avoid the issue.

Fixes: https://github.com/freebsd/atf/issues/26
Fixes: https://github.com/freebsd/kyua/issues/223

Reported-by: Ruslan Bukin <br@bsdpad.com>
---
 atf-sh/atf-check.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/atf-sh/atf-check.cpp b/atf-sh/atf-check.cpp
index 41f0b13..9d6f7a8 100644
--- a/atf-sh/atf-check.cpp
+++ b/atf-sh/atf-check.cpp
@@ -436,7 +436,9 @@ execute_with_shell(char* const* argv)
     const std::string cmd = flatten_argv(argv);
 
     const char* sh_argv[4];
-    sh_argv[0] = atf::env::get("ATF_SHELL", ATF_SHELL).c_str();
+    const std::string shell = atf::env::get("ATF_SHELL", ATF_SHELL);
+
+    sh_argv[0] = shell.c_str();
     sh_argv[1] = "-c";
     sh_argv[2] = cmd.c_str();
     sh_argv[3] = NULL;

base-commit: 18eb8168b70a0f934b4824b6391b55ac0b2f4fdf
-- 
2.41.0

ref='/guix/commit/etc/init.d?id=b25f44b636dcf4ab43da83b95497b7078e03393c'>commit</a><a href='/guix/diff/etc/init.d?id=b25f44b636dcf4ab43da83b95497b7078e03393c'>diff</a></td><td class='form'><form class='right' method='get' action='/guix/log/etc/init.d'>
<input type='hidden' name='id' value='b25f44b636dcf4ab43da83b95497b7078e03393c'/><select name='qt'>
<option value='grep'>log msg</option>
<option value='author'>author</option>
<option value='committer'>committer</option>
<option value='range'>range</option>
</select>
<input class='txt' type='search' size='10' name='q' value=''/>
<input type='submit' value='search'/>
</form>
</td></tr></table>
<div class='path'>path: <a href='/guix/log/?id=b25f44b636dcf4ab43da83b95497b7078e03393c'>root</a>/<a href='/guix/log/etc?id=b25f44b636dcf4ab43da83b95497b7078e03393c'>etc</a>/<a href='/guix/log/etc/init.d?id=b25f44b636dcf4ab43da83b95497b7078e03393c'>init.d</a></div><div class='content'><table class='list nowrap'><tr class='nohover'><th class='left'>Age</th><th class='left'>Commit message (<a href='/guix/log/etc/init.d?id=b25f44b636dcf4ab43da83b95497b7078e03393c&amp;showmsg=1'>Expand</a>)</th><th class='left'>Author</th></tr>
<tr><td><span title='2024-06-26 22:59:55 +0200'>2024-06-26</span></td><td><a href='/guix/commit/etc/init.d?id=d11b96eb5493231a5a35045505ff8ae8aa746b8e'>etc: Add explicit ‘--substitute-urls’ in guix-daemon service files.</a><span class='msg-avail'>...<span class='msg-tooltip'>Having substitute URLs explicitly listed in the service startup file
makes it clearer what should be modified to permanently change the list
of substitute URLs.

* config-daemon.ac: Rename ‘guix_substitute_urls’ to
‘GUIX_SUBSTITUTE_URLS’ and substitute it.
* nix/local.mk (etc/guix-%.service, etc/init.d/guix-daemon)
(etc/guix-%.conf): Substitute it.
* etc/guix-daemon.conf.in, etc/guix-daemon.service.in,
etc/init.d/guix-daemon.in: Add an explicit ‘--substitute-urls’ option.

Change-Id: Ie491b7fab5c42e54dca582801c03805a85de2bf9
</span></span></td><td>Ludovic Courtès</td></tr>