
r4320 - in glibc-package/branches/glibc-branch-lenny/debian: . patches patches/any



Author: aurel32
Date: 2010-06-04 16:15:12 +0000 (Fri, 04 Jun 2010)
New Revision: 4320

Added:
   glibc-package/branches/glibc-branch-lenny/debian/patches/any/cvs-strfmon.diff
Modified:
   glibc-package/branches/glibc-branch-lenny/debian/changelog
   glibc-package/branches/glibc-branch-lenny/debian/patches/series
Log:
  * patches/any/cvs-strfmon.diff: fix integer overflows in the strfmon.
    (CVE-2009-4880).



Modified: glibc-package/branches/glibc-branch-lenny/debian/changelog
===================================================================
--- glibc-package/branches/glibc-branch-lenny/debian/changelog	2010-06-04 16:09:56 UTC (rev 4319)
+++ glibc-package/branches/glibc-branch-lenny/debian/changelog	2010-06-04 16:15:12 UTC (rev 4320)
@@ -1,11 +1,13 @@
 glibc (2.7-18lenny3) UNRELEASED; urgency=low
 
+  * patches/any/cvs-strfmon.diff: fix integer overflows in the strfmon.
+    (CVE-2009-4880).
   * patches/any/cvs-mntent.diff: fix mntent newline processing error 
     (CVE-2010-0296).  Closes: bug#583908.
   * patches/any/cvs-ld-elf.diff: fix integer signedness error in ld.so
     (CVE-2010-0830).
 
- -- Aurelien Jarno <aurel32@debian.org>  Thu, 03 Jun 2010 09:32:40 +0200
+ -- Aurelien Jarno <aurel32@debian.org>  Fri, 04 Jun 2010 18:14:08 +0200
 
 glibc (2.7-18lenny2) stable-security; urgency=low
 

Added: glibc-package/branches/glibc-branch-lenny/debian/patches/any/cvs-strfmon.diff
===================================================================
--- glibc-package/branches/glibc-branch-lenny/debian/patches/any/cvs-strfmon.diff	                        (rev 0)
+++ glibc-package/branches/glibc-branch-lenny/debian/patches/any/cvs-strfmon.diff	2010-06-04 16:15:12 UTC (rev 4320)
@@ -0,0 +1,71 @@
+2009-04-18  Ulrich Drepper  <drepper@redhat.com>
+ 
+	* stdlib/strfmon_l.c (__vstrfmon_l): Don't wrap when computing width.
+	Numerically stable check for valid width.
+
+diff --git a/stdlib/strfmon_l.c b/stdlib/strfmon_l.c
+index c9f3a47..8e63d45 100644
+--- a/stdlib/strfmon_l.c
++++ b/stdlib/strfmon_l.c
+@@ -1,5 +1,5 @@
+ /* Formatting a monetary value according to the given locale.
+-   Copyright (C) 1996, 1997, 2002, 2004, 2006 Free Software Foundation, Inc.
++   Copyright (C) 1996,1997,2002,2004,2006,2009 Free Software Foundation, Inc.
+    This file is part of the GNU C Library.
+    Contributed by Ulrich Drepper <drepper@cygnus.com>, 1996.
+ 
+@@ -133,7 +133,7 @@ __vstrfmon_l (char *s, size_t maxsize, __locale_t loc, const char *format,
+       int done;
+       const char *currency_symbol;
+       size_t currency_symbol_len;
+-      int width;
++      long int width;
+       char *startp;
+       const void *ptr;
+       char space_char;
+@@ -221,13 +221,21 @@ __vstrfmon_l (char *s, size_t maxsize, __locale_t loc, const char *format,
+ 
+ 	  while (isdigit (*++fmt))
+ 	    {
+-	      width *= 10;
+-	      width += to_digit (*fmt);
++	      int val = to_digit (*fmt);
++
++	      if (width > LONG_MAX / 10
++		  || (width == LONG_MAX && val > LONG_MAX % 10))
++		{
++		  __set_errno (E2BIG);
++		  return -1;
++		}
++
++	      width = width * 10 + val;
+ 	    }
+ 
+ 	  /* If we don't have enough room for the demanded width we
+ 	     can stop now and return an error.  */
+-	  if (dest + width >= s + maxsize)
++	  if (width >= maxsize - (dest - s))
+ 	    {
+ 	      __set_errno (E2BIG);
+ 	      return -1;
+@@ -560,7 +568,7 @@ __vstrfmon_l (char *s, size_t maxsize, __locale_t loc, const char *format,
+ 		out_char (space_char);
+ 	      out_nstring (currency_symbol, currency_symbol_len);
+ 	    }
+-	    
++
+ 	  if (sign_posn == 4)
+ 	    {
+ 	      if (sep_by_space == 2)
+@@ -589,9 +597,8 @@ __vstrfmon_l (char *s, size_t maxsize, __locale_t loc, const char *format,
+ 	    while (dest - startp < width);
+ 	  else
+ 	    {
+-	      int dist = width - (dest - startp);
+-	      char *cp;
+-	      for (cp = dest - 1; cp >= startp; --cp)
++	      long int dist = width - (dest - startp);
++	      for (char *cp = dest - 1; cp >= startp; --cp)
+ 		cp[dist] = cp[0];
+ 
+ 	      dest += dist;
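Review bot: In the width-parsing loop of `__vstrfmon_l` (the `while (isdigit (*++fmt))` hunk of the embedded stdlib/strfmon_l.c patch), the second half of the overflow guard tests `width == LONG_MAX`, which can never hold once `width > LONG_MAX / 10` has been ruled out, so that clause is dead. When `width` equals `LONG_MAX / 10` and `val` is greater than `LONG_MAX % 10`, `width * 10 + val` still overflows a signed `long`, which is undefined behaviour. The clause should read `|| (width == LONG_MAX / 10 && val > LONG_MAX % 10))`. The following `width >= maxsize - (dest - s)` comparison would probably reject a wrapped value on common targets, but that relies on the overflow wrapping rather than on the guard. The function body starts and ends outside the hunk, so any other digit-parsing code in it is not visible here.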

Modified: glibc-package/branches/glibc-branch-lenny/debian/patches/series
===================================================================
--- glibc-package/branches/glibc-branch-lenny/debian/patches/series	2010-06-04 16:09:56 UTC (rev 4319)
+++ glibc-package/branches/glibc-branch-lenny/debian/patches/series	2010-06-04 16:15:12 UTC (rev 4320)
@@ -235,3 +235,4 @@
 any/submitted-nis-shadow.diff -p1
 any/cvs-mntent.diff -p1
 any/cvs-ld-elf.diff -p1
+any/cvs-strfmon.diff -p1

