
Bug#167902: marked as done (libc6 security patch)



Your message dated Tue, 5 Nov 2002 19:00:52 +0100
with message-id <20021105180052.GN11778@wiggy.net>
and subject line Bug#167902: Acknowledgement (libc6 security patch)
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 5 Nov 2002 16:16:47 +0000
Date: Tue, 5 Nov 2002 17:16:43 +0100
From: Wichert Akkerman <wichert@wiggy.net>
To: submit@bugs.debian.org
Subject: libc6 security patch
Message-ID: <20021105161643.GD11128@wiggy.net>

Package: libc6
Severity: grave
Tags: woody, patch

This patch from August is still not applied to our libc6.

Wichert.

----- Forwarded message from Solar Designer <solar@openwall.com> -----

From: Solar Designer <solar@openwall.com>
Subject: glibc xdr_array and calloc patches
Date: Thu, 1 Aug 2002 10:32:07 +0400
Message-ID: <20020801103207.A25631@openwall.com>

Attached are the two patches against glibc 2.1.3.  Whoever first ports
them to the CVS version or 2.2.5 please post here for others to use
and also provide them to the glibc maintainers.  It should be trivial
to port (the xdr_array applies with exception for the added #include
and the calloc will need some obvious manual editing).

Both problems were still not fixed in the glibc CVS as of a few hours
ago.

-- 
/sd

diff -ur glibc-2.1.3.orig/sunrpc/rpc/types.h glibc-2.1.3/sunrpc/rpc/types.h
--- glibc-2.1.3.orig/sunrpc/rpc/types.h	Fri Oct 16 13:43:49 1998
+++ glibc-2.1.3/sunrpc/rpc/types.h	Thu Aug  1 09:06:38 2002
@@ -55,6 +55,10 @@
 
 #include <stdlib.h>		/* For malloc decl.  */
 #define mem_alloc(bsize)	malloc(bsize)
+/*
+ * XXX: This must not use the second argument, or code in xdr_array.c needs
+ * to be modified.
+ */
 #define mem_free(ptr, bsize)	free(ptr)
 
 #ifndef makedev /* ie, we haven't already included it */
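
Review bot: the new comment above mem_free() says "code in xdr_array.c" depends on the second argument being ignored, but does not say which code. Naming the dependency (the XDR_FREE path in xdr_array.c that skips the size check) would let whoever later changes this macro find the spot that has to change with it; as written, the coupling is only documented, not enforced.
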
diff -ur glibc-2.1.3.orig/sunrpc/xdr_array.c glibc-2.1.3/sunrpc/xdr_array.c
--- glibc-2.1.3.orig/sunrpc/xdr_array.c	Thu Jul 16 15:23:51 1998
+++ glibc-2.1.3/sunrpc/xdr_array.c	Thu Aug  1 09:07:45 2002
@@ -44,6 +44,7 @@
 #include <string.h>
 #include <rpc/types.h>
 #include <rpc/xdr.h>
+#include <limits.h>
 
 #define LASTUNSIGNED	((u_int)0-1)
 
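Review bot: the context line right below the added #include already defines LASTUNSIGNED as ((u_int)0-1), which is the same bound the patch takes from UINT_MAX. Consider using one of the two consistently in this file, either dropping the new <limits.h> include and using LASTUNSIGNED in the check, or replacing LASTUNSIGNED with UINT_MAX, so the file does not carry two names for one limit.
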
@@ -76,7 +77,11 @@
       return FALSE;
     }
   c = *sizep;
-  if ((c > maxsize) && (xdrs->x_op != XDR_FREE))
+  /*
+   * XXX: Let the overflow possibly happen with XDR_FREE because mem_free()
+   * doesn't actually use its second argument anyway.
+   */
+  if ((c > maxsize || c > UINT_MAX / elsize) && (xdrs->x_op != XDR_FREE))
     {
       return FALSE;
     }
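
Review bot: the added test `c > UINT_MAX / elsize` divides by elsize, and nothing in this hunk rejects an elsize of zero before the division, so a caller passing a zero element size would trap here instead of getting FALSE. Putting `elsize != 0 &&` in front of the division, or returning FALSE early for a zero elsize, closes that. The XXX comment also makes the XDR_FREE path safe only while mem_free() keeps ignoring its size argument, so the two files now have to be changed together.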

diff -ur glibc-2.1.3.orig/malloc/malloc.c glibc-2.1.3/malloc/malloc.c
--- glibc-2.1.3.orig/malloc/malloc.c	Wed Feb 23 10:02:55 2000
+++ glibc-2.1.3/malloc/malloc.c	Thu Aug  1 09:24:10 2002
@@ -3656,12 +3656,20 @@
 {
   arena *ar_ptr;
   mchunkptr p, oldtop;
-  INTERNAL_SIZE_T sz, csz, oldtopsize;
+  INTERNAL_SIZE_T bytes, sz, csz, oldtopsize;
   Void_t* mem;
 
+  /* size_t is unsigned so the behavior on overflow is defined;
+   * request2size() uses similar post-checks anyway. */
+  bytes = n * elem_size;
+  if (bytes / elem_size != n) {
+    __set_errno (ENOMEM);
+    return 0;
+  }
+
 #if defined _LIBC || defined MALLOC_HOOKS
   if (__malloc_hook != NULL) {
-    sz = n * elem_size;
+    sz = bytes;
 #if defined __GNUC__ && __GNUC__ >= 2
     mem = (*__malloc_hook)(sz, __builtin_return_address (0));
 #else
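
Review bot: the post-check `bytes / elem_size != n` divides by elem_size with no zero test in front of it, so a call such as calloc(n, 0) reaches a division by zero on the newly added path. Suggest `if (elem_size != 0 && bytes / elem_size != n)`; with elem_size equal to zero the product is zero and cannot have overflowed, so skipping the check in that case is correct. The comment about unsigned wraparound being defined is accurate for the multiplication but does not cover the division.
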
@@ -3678,7 +3686,7 @@
   }
 #endif
 
-  if(request2size(n * elem_size, sz))
+  if(request2size(bytes, sz))
     return 0;
   arena_get(ar_ptr, sz);
   if(!ar_ptr)


----- End forwarded message -----

-- 
  _________________________________________________________________
 /wichert@wiggy.net         This space intentionally left occupied \
| wichert@deephackmode.org                    http://www.wiggy.net/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |

---------------------------------------
Received: (at 167902-done) by bugs.debian.org; 5 Nov 2002 18:00:54 +0000
Date: Tue, 5 Nov 2002 19:00:52 +0100
From: Wichert Akkerman <wichert@wiggy.net>
To: 167902-done@bugs.debian.org
Subject: Re: Bug#167902: Acknowledgement (libc6 security patch)
Message-ID: <20021105180052.GN11778@wiggy.net>
References: <20021105161643.GD11128@wiggy.net> <handler.167902.B.103651300713273.ack@bugs.debian.org>
In-Reply-To: <handler.167902.B.103651300713273.ack@bugs.debian.org>

Guess I should have added a deb-src entry for security.d.o :(

Wichert.

-- 
  _________________________________________________________________
 /wichert@wiggy.net         This space intentionally left occupied \
| wichert@deephackmode.org                    http://www.wiggy.net/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |


