r4321 - in glibc-package/branches/glibc-branch-lenny/debian: . patches patches/any
Author: aurel32
Date: 2010-06-04 16:32:49 +0000 (Fri, 04 Jun 2010)
New Revision: 4321
Added:
glibc-package/branches/glibc-branch-lenny/debian/patches/any/cvs-strfmon.diff
glibc-package/branches/glibc-branch-lenny/debian/patches/any/cvs-strfmon_l.diff
Removed:
glibc-package/branches/glibc-branch-lenny/debian/patches/any/cvs-strfmon.diff
Modified:
glibc-package/branches/glibc-branch-lenny/debian/changelog
glibc-package/branches/glibc-branch-lenny/debian/patches/series
Log:
* patches/any/cvs-strfmon.diff: fix integer overflows in the
strfmon implementation (CVE-2009-4880).
Modified: glibc-package/branches/glibc-branch-lenny/debian/changelog
===================================================================
--- glibc-package/branches/glibc-branch-lenny/debian/changelog 2010-06-04 16:15:12 UTC (rev 4320)
+++ glibc-package/branches/glibc-branch-lenny/debian/changelog 2010-06-04 16:32:49 UTC (rev 4321)
@@ -1,13 +1,16 @@
glibc (2.7-18lenny3) UNRELEASED; urgency=low
- * patches/any/cvs-strfmon.diff: fix integer overflows in the strfmon.
- (CVE-2009-4880).
+ * patches/any/cvs-strfmon.diff: fix integer overflows in the
+ strfmon implementation (CVE-2009-4880).
+ * patches/any/cvs-strfmon_l.diff: fix integer overflows in the
+ strfmon_l implementation (CVE-2009-4881).
* patches/any/cvs-mntent.diff: fix mntent newline processing error
(CVE-2010-0296). Closes: bug#583908.
* patches/any/cvs-ld-elf.diff: fix integer signedness error in ld.so
(CVE-2010-0830).
+ * patches/any/
- -- Aurelien Jarno <aurel32@debian.org> Fri, 04 Jun 2010 18:14:08 +0200
+ -- Aurelien Jarno <aurel32@debian.org> Fri, 04 Jun 2010 18:29:56 +0200
glibc (2.7-18lenny2) stable-security; urgency=low
Deleted: glibc-package/branches/glibc-branch-lenny/debian/patches/any/cvs-strfmon.diff
===================================================================
--- glibc-package/branches/glibc-branch-lenny/debian/patches/any/cvs-strfmon.diff 2010-06-04 16:15:12 UTC (rev 4320)
+++ glibc-package/branches/glibc-branch-lenny/debian/patches/any/cvs-strfmon.diff 2010-06-04 16:32:49 UTC (rev 4321)
@@ -1,71 +0,0 @@
-2009-04-18 Ulrich Drepper <drepper@redhat.com>
-
- * stdlib/strfmon_l.c (__vstrfmon_l): Don't wrap when computing width.
- Numerically stable check for valid width.
-
-diff --git a/stdlib/strfmon_l.c b/stdlib/strfmon_l.c
-index c9f3a47..8e63d45 100644
---- a/stdlib/strfmon_l.c
-+++ b/stdlib/strfmon_l.c
-@@ -1,5 +1,5 @@
- /* Formatting a monetary value according to the given locale.
-- Copyright (C) 1996, 1997, 2002, 2004, 2006 Free Software Foundation, Inc.
-+ Copyright (C) 1996,1997,2002,2004,2006,2009 Free Software Foundation, Inc.
- This file is part of the GNU C Library.
- Contributed by Ulrich Drepper <drepper@cygnus.com>, 1996.
-
-@@ -133,7 +133,7 @@ __vstrfmon_l (char *s, size_t maxsize, __locale_t loc, const char *format,
- int done;
- const char *currency_symbol;
- size_t currency_symbol_len;
-- int width;
-+ long int width;
- char *startp;
- const void *ptr;
- char space_char;
-@@ -221,13 +221,21 @@ __vstrfmon_l (char *s, size_t maxsize, __locale_t loc, const char *format,
-
- while (isdigit (*++fmt))
- {
-- width *= 10;
-- width += to_digit (*fmt);
-+ int val = to_digit (*fmt);
-+
-+ if (width > LONG_MAX / 10
-+ || (width == LONG_MAX && val > LONG_MAX % 10))
-+ {
-+ __set_errno (E2BIG);
-+ return -1;
-+ }
-+
-+ width = width * 10 + val;
- }
-
- /* If we don't have enough room for the demanded width we
- can stop now and return an error. */
-- if (dest + width >= s + maxsize)
-+ if (width >= maxsize - (dest - s))
- {
- __set_errno (E2BIG);
- return -1;
-@@ -560,7 +568,7 @@ __vstrfmon_l (char *s, size_t maxsize, __locale_t loc, const char *format,
- out_char (space_char);
- out_nstring (currency_symbol, currency_symbol_len);
- }
--
-+
- if (sign_posn == 4)
- {
- if (sep_by_space == 2)
-@@ -589,9 +597,8 @@ __vstrfmon_l (char *s, size_t maxsize, __locale_t loc, const char *format,
- while (dest - startp < width);
- else
- {
-- int dist = width - (dest - startp);
-- char *cp;
-- for (cp = dest - 1; cp >= startp; --cp)
-+ long int dist = width - (dest - startp);
-+ for (char *cp = dest - 1; cp >= startp; --cp)
- cp[dist] = cp[0];
-
- dest += dist;
Added: glibc-package/branches/glibc-branch-lenny/debian/patches/any/cvs-strfmon.diff
===================================================================
--- glibc-package/branches/glibc-branch-lenny/debian/patches/any/cvs-strfmon.diff (rev 0)
+++ glibc-package/branches/glibc-branch-lenny/debian/patches/any/cvs-strfmon.diff 2010-06-04 16:32:49 UTC (rev 4321)
@@ -0,0 +1,148 @@
+2009-09-28 Andreas Schwab <schwab@redhat.com>
+
+ * stdio-common/printf_fp.c: Check for and avoid integer overflows.
+ * stdio-common/vfprintf.c: Likewise.
+
+diff --git a/stdio-common/printf_fp.c b/stdio-common/printf_fp.c
+index cd3ada6..b60ddec 100644
+--- a/stdio-common/printf_fp.c
++++ b/stdio-common/printf_fp.c
+@@ -888,16 +888,24 @@
+ it is possible that we need two more characters in front of all the
+ other output. If the amount of memory we have to allocate is too
+ large use `malloc' instead of `alloca'. */
+- buffer_malloced = ! __libc_use_alloca (chars_needed * 2 * sizeof (wchar_t));
++ if (__builtin_expect (chars_needed >= (size_t) -1 / sizeof (wchar_t) - 2
++ || chars_needed < fracdig_max, 0))
++ {
++ /* Some overflow occurred. */
++ __set_errno (ERANGE);
++ return -1;
++ }
++ size_t wbuffer_to_alloc = (2 + chars_needed) * sizeof (wchar_t);
++ buffer_malloced = ! __libc_use_alloca (wbuffer_to_alloc);
+ if (__builtin_expect (buffer_malloced, 0))
+ {
+- wbuffer = (wchar_t *) malloc ((2 + chars_needed) * sizeof (wchar_t));
++ wbuffer = (wchar_t *) malloc (wbuffer_to_alloc);
+ if (wbuffer == NULL)
+ /* Signal an error to the caller. */
+ return -1;
+ }
+ else
+- wbuffer = (wchar_t *) alloca ((2 + chars_needed) * sizeof (wchar_t));
++ wbuffer = (wchar_t *) alloca (wbuffer_to_alloc);
+ wcp = wstartp = wbuffer + 2; /* Let room for rounding. */
+
+ /* Do the real work: put digits in allocated buffer. */
+diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
+index 38ba8ff..6e0e85c 100644
+--- a/stdio-common/vfprintf.c
++++ b/stdio-common/vfprintf.c
+@@ -1426,23 +1426,29 @@
+ left = 1;
+ }
+
+- if (width + 32 >= (int) (sizeof (work_buffer)
+- / sizeof (work_buffer[0])))
++ if (__builtin_expect (width >= (size_t) -1 / sizeof (CHAR_T) - 32, 0))
++ {
++ __set_errno (ERANGE);
++ done = -1;
++ goto all_done;
++ }
++
++ if (width >= sizeof (work_buffer) / sizeof (work_buffer[0]) - 32)
+ {
+ /* We have to use a special buffer. The "32" is just a safe
+ bet for all the output which is not counted in the width. */
+- if (__libc_use_alloca ((width + 32) * sizeof (CHAR_T)))
+- workend = ((CHAR_T *) alloca ((width + 32) * sizeof (CHAR_T))
+- + (width + 32));
++ size_t needed = ((size_t) width + 32) * sizeof (CHAR_T);
++ if (__libc_use_alloca (needed))
++ workend = (CHAR_T *) alloca (needed) + width + 32;
+ else
+ {
+- workstart = (CHAR_T *) malloc ((width + 32) * sizeof (CHAR_T));
++ workstart = (CHAR_T *) malloc (needed);
+ if (workstart == NULL)
+ {
+ done = -1;
+ goto all_done;
+ }
+- workend = workstart + (width + 32);
++ workend = workstart + width + 32;
+ }
+ }
+ }
+@@ -1452,22 +1458,29 @@
+ LABEL (width):
+ width = read_int (&f);
+
+- if (width + 32 >= (int) (sizeof (work_buffer) / sizeof (work_buffer[0])))
++ if (__builtin_expect (width >= (size_t) -1 / sizeof (CHAR_T) - 32, 0))
++ {
++ __set_errno (ERANGE);
++ done = -1;
++ goto all_done;
++ }
++
++ if (width >= sizeof (work_buffer) / sizeof (work_buffer[0]) - 32)
+ {
+ /* We have to use a special buffer. The "32" is just a safe
+ bet for all the output which is not counted in the width. */
+- if (__libc_use_alloca ((width + 32) * sizeof (CHAR_T)))
+- workend = ((CHAR_T *) alloca ((width + 32) * sizeof (CHAR_T))
+- + (width + 32));
++ size_t needed = ((size_t) width + 32) * sizeof (CHAR_T);
++ if (__libc_use_alloca (needed))
++ workend = (CHAR_T *) alloca (needed) + width + 32;
+ else
+ {
+- workstart = (CHAR_T *) malloc ((width + 32) * sizeof (CHAR_T));
++ workstart = (CHAR_T *) malloc (needed);
+ if (workstart == NULL)
+ {
+ done = -1;
+ goto all_done;
+ }
+- workend = workstart + (width + 32);
++ workend = workstart + width + 32;
+ }
+ }
+ if (*f == L_('$'))
+@@ -1497,20 +1510,27 @@
+ else
+ prec = 0;
+ if (prec > width
+- && prec + 32 > (int)(sizeof (work_buffer) / sizeof (work_buffer[0])))
++ && prec > sizeof (work_buffer) / sizeof (work_buffer[0]) - 32)
+ {
+- if (__libc_use_alloca ((prec + 32) * sizeof (CHAR_T)))
+- workend = ((CHAR_T *) alloca ((prec + 32) * sizeof (CHAR_T)))
+- + (prec + 32);
++ if (__builtin_expect (prec >= (size_t) -1 / sizeof (CHAR_T) - 32, 0))
++ {
++ __set_errno (ERANGE);
++ done = -1;
++ goto all_done;
++ }
++ size_t needed = ((size_t) prec + 32) * sizeof (CHAR_T);
++
++ if (__libc_use_alloca (needed))
++ workend = (CHAR_T *) alloca (needed) + prec + 32;
+ else
+ {
+- workstart = (CHAR_T *) malloc ((prec + 32) * sizeof (CHAR_T));
++ workstart = (CHAR_T *) malloc (needed);
+ if (workstart == NULL)
+ {
+ done = -1;
+ goto all_done;
+ }
+- workend = workstart + (prec + 32);
++ workend = workstart + prec + 32;
+ }
+ }
+ JUMP (*f, step2_jumps);
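Review bot: The content of the new cvs-strfmon.diff does not match its name or the changelog entry: the embedded ChangeLog header and the `diff --git` lines show it patches stdio-common/printf_fp.c and stdio-common/vfprintf.c, not stdlib/strfmon_l.c, while the log message and the changelog line `* patches/any/cvs-strfmon.diff: fix integer overflows in the strfmon implementation (CVE-2009-4880)` describe the strfmon fix that now lives in cvs-strfmon_l.diff. Either the wrong patch was committed under this name, or the file should be renamed after what it patches and the changelog entry rewritten to describe the printf_fp/vfprintf overflow fix with its own advisory reference (not visible here). The changelog hunk also leaves the unfinished line `* patches/any/` that should be completed or dropped before upload. On the patch itself, the vfprintf guard `width >= (size_t) -1 / sizeof (CHAR_T) - 32` depends on `width` being compared as size_t; if `width` is still a signed int in this tree (its declaration is outside the hunk), a negative value would convert to a huge size_t and be rejected with ERANGE, which is safe but deserves a comment such as `/* A negative width converts to a huge size_t and is rejected here.  */`.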
Copied: glibc-package/branches/glibc-branch-lenny/debian/patches/any/cvs-strfmon_l.diff (from rev 4320, glibc-package/branches/glibc-branch-lenny/debian/patches/any/cvs-strfmon.diff)
===================================================================
--- glibc-package/branches/glibc-branch-lenny/debian/patches/any/cvs-strfmon_l.diff (rev 0)
+++ glibc-package/branches/glibc-branch-lenny/debian/patches/any/cvs-strfmon_l.diff 2010-06-04 16:32:49 UTC (rev 4321)
@@ -0,0 +1,71 @@
+2009-04-18 Ulrich Drepper <drepper@redhat.com>
+
+ * stdlib/strfmon_l.c (__vstrfmon_l): Don't wrap when computing width.
+ Numerically stable check for valid width.
+
+diff --git a/stdlib/strfmon_l.c b/stdlib/strfmon_l.c
+index c9f3a47..8e63d45 100644
+--- a/stdlib/strfmon_l.c
++++ b/stdlib/strfmon_l.c
+@@ -1,5 +1,5 @@
+ /* Formatting a monetary value according to the given locale.
+- Copyright (C) 1996, 1997, 2002, 2004, 2006 Free Software Foundation, Inc.
++ Copyright (C) 1996,1997,2002,2004,2006,2009 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+ Contributed by Ulrich Drepper <drepper@cygnus.com>, 1996.
+
+@@ -133,7 +133,7 @@ __vstrfmon_l (char *s, size_t maxsize, __locale_t loc, const char *format,
+ int done;
+ const char *currency_symbol;
+ size_t currency_symbol_len;
+- int width;
++ long int width;
+ char *startp;
+ const void *ptr;
+ char space_char;
+@@ -221,13 +221,21 @@ __vstrfmon_l (char *s, size_t maxsize, __locale_t loc, const char *format,
+
+ while (isdigit (*++fmt))
+ {
+- width *= 10;
+- width += to_digit (*fmt);
++ int val = to_digit (*fmt);
++
++ if (width > LONG_MAX / 10
++ || (width == LONG_MAX && val > LONG_MAX % 10))
++ {
++ __set_errno (E2BIG);
++ return -1;
++ }
++
++ width = width * 10 + val;
+ }
+
+ /* If we don't have enough room for the demanded width we
+ can stop now and return an error. */
+- if (dest + width >= s + maxsize)
++ if (width >= maxsize - (dest - s))
+ {
+ __set_errno (E2BIG);
+ return -1;
+@@ -560,7 +568,7 @@ __vstrfmon_l (char *s, size_t maxsize, __locale_t loc, const char *format,
+ out_char (space_char);
+ out_nstring (currency_symbol, currency_symbol_len);
+ }
+-
++
+ if (sign_posn == 4)
+ {
+ if (sep_by_space == 2)
+@@ -589,9 +597,8 @@ __vstrfmon_l (char *s, size_t maxsize, __locale_t loc, const char *format,
+ while (dest - startp < width);
+ else
+ {
+- int dist = width - (dest - startp);
+- char *cp;
+- for (cp = dest - 1; cp >= startp; --cp)
++ long int dist = width - (dest - startp);
++ for (char *cp = dest - 1; cp >= startp; --cp)
+ cp[dist] = cp[0];
+
+ dest += dist;
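Review bot: The overflow guard copied into this patch at `|| (width == LONG_MAX && val > LONG_MAX % 10))` is off by a factor of ten: `width == LONG_MAX` is already rejected by the preceding `width > LONG_MAX / 10`, so that clause is dead, and the case it was meant to catch — `width == LONG_MAX / 10` with a digit larger than `LONG_MAX % 10` — still reaches `width = width * 10 + val` and overflows a signed long, which is undefined behaviour. The line should read `|| (width == LONG_MAX / 10 && val > LONG_MAX % 10))`. The same text appears in the cvs-strfmon.diff deleted by this commit, so the defect is inherited rather than introduced here, but this copy is the one that remains in the series. `__vstrfmon_l` starts and ends outside the quoted hunks.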
Modified: glibc-package/branches/glibc-branch-lenny/debian/patches/series
===================================================================
--- glibc-package/branches/glibc-branch-lenny/debian/patches/series 2010-06-04 16:15:12 UTC (rev 4320)
+++ glibc-package/branches/glibc-branch-lenny/debian/patches/series 2010-06-04 16:32:49 UTC (rev 4321)
@@ -236,3 +236,4 @@
any/cvs-mntent.diff -p1
any/cvs-ld-elf.diff -p1
any/cvs-strfmon.diff -p1
+any/cvs-strfmon_l.diff -p1