
r5305 - in glibc-package/trunk/debian: . patches patches/any



Author: aurel32
Date: 2012-07-17 14:12:04 +0000 (Tue, 17 Jul 2012)
New Revision: 5305

Added:
   glibc-package/trunk/debian/patches/any/cvs-vfprintf-many-format-strings.diff
   glibc-package/trunk/debian/patches/any/cvs-vfprintf-positional.diff
Modified:
   glibc-package/trunk/debian/changelog
   glibc-package/trunk/debian/patches/series
Log:
  * patches/any/cvs-vfprintf-positional.diff: new patch from upstream to
    fix a stack corruption in vfprintf with positional parameters 
    (CVE-2012-3404). patches/any/cvs-vfprintf-many-format-strings.diff: new
    patch from upstream to fix a FORTIFY_SOURCE format string protection
    bypass (CVE-2012-3405).  Closes: #681473.




Modified: glibc-package/trunk/debian/changelog
===================================================================
--- glibc-package/trunk/debian/changelog	2012-07-17 09:11:48 UTC (rev 5304)
+++ glibc-package/trunk/debian/changelog	2012-07-17 14:12:04 UTC (rev 5305)
@@ -6,6 +6,11 @@
   * Update Czech debconf translation, by Miroslav Kure.  Closes: #681708.
   * local/manpages/ld.so.8: fix LD_VERBOSE description after manpage
     rework.  Closes: #681688.
+  * patches/any/cvs-vfprintf-positional.diff: new patch from upstream to
+    fix a stack corruption in vfprintf with positional parameters 
+    (CVE-2012-3404). patches/any/cvs-vfprintf-many-format-strings.diff: new
+    patch from upstream to fix a FORTIFY_SOURCE format string protection
+    bypass (CVE-2012-3405).  Closes: #681473.
 
   [ Petr Salinger ]
   * fixup kfreebsd/local-use-thr-primitives.diff. Closes: #681113.
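Review bot: The added changelog entry folds two patches and two CVEs into one bullet, with the second patch name starting mid-line right after "(CVE-2012-3404).". Give patches/any/cvs-vfprintf-many-format-strings.diff its own bullet so that each CVE reads against exactly one patch file when the changelog is searched for security fixes, and drop the trailing space after "positional parameters".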

Added: glibc-package/trunk/debian/patches/any/cvs-vfprintf-many-format-strings.diff
===================================================================
--- glibc-package/trunk/debian/patches/any/cvs-vfprintf-many-format-strings.diff	                        (rev 0)
+++ glibc-package/trunk/debian/patches/any/cvs-vfprintf-many-format-strings.diff	2012-07-17 14:12:04 UTC (rev 5305)
@@ -0,0 +1,41 @@
+2011-12-17  Ulrich Drepper  <drepper@gmail.com>
+
+	[BZ #13446]
+	* stdio-common/vfprintf.c (vfprintf): Fix extension of specs array.
+
+diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
+index 753a5ac..952886b 100644
+--- a/stdio-common/vfprintf.c
++++ b/stdio-common/vfprintf.c
+@@ -1640,9 +1640,9 @@ do_positional:
+     /* Array with information about the needed arguments.  This has to
+        be dynamically extensible.  */
+     size_t nspecs = 0;
+-    size_t nspecs_max = 32;	/* A more or less arbitrary start value.  */
+-    struct printf_spec *specs
+-      = alloca (nspecs_max * sizeof (struct printf_spec));
++    /* A more or less arbitrary start value.  */
++    size_t nspecs_size = 32 * sizeof (struct printf_spec);
++    struct printf_spec *specs = alloca (nspecs_size);
+ 
+     /* The number of arguments the format string requests.  This will
+        determine the size of the array needed to store the argument
+@@ -1679,15 +1679,14 @@ do_positional:
+ 
+     for (f = lead_str_end; *f != L_('\0'); f = specs[nspecs++].next_fmt)
+       {
+-	if (nspecs >= nspecs_max)
++	if (nspecs * sizeof (*specs) >= nspecs_size)
+ 	  {
+ 	    /* Extend the array of format specifiers.  */
+ 	    struct printf_spec *old = specs;
+-	    specs = extend_alloca (specs, nspecs_max,
+-				   2 * nspecs_max * sizeof (*specs));
++	    specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size);
+ 
+ 	    /* Copy the old array's elements to the new space.  */
+-	    memmove (specs, old, nspecs * sizeof (struct printf_spec));
++	    memmove (specs, old, nspecs * sizeof (*specs));
+ 	  }
+ 
+ 	/* Parse the format specifier.  */
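Review bot: In the second vfprintf.c hunk the growth path still doubles a stack allocation with no upper bound: `specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size);` runs each time the loop over the format string fills the array, so the number of specifiers in the format string decides how much stack is consumed. The unit fix itself is consistent (the capacity check, both extend_alloca arguments and the memmove length are all expressed in bytes now), but consider a cap or a non-stack fallback once nspecs_size grows large. The patch header also cites only [BZ #13446]; adding the CVE-2012-3405 reference used in the changelog would make the patch file self-describing.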

Added: glibc-package/trunk/debian/patches/any/cvs-vfprintf-positional.diff
===================================================================
--- glibc-package/trunk/debian/patches/any/cvs-vfprintf-positional.diff	                        (rev 0)
+++ glibc-package/trunk/debian/patches/any/cvs-vfprintf-positional.diff	2012-07-17 14:12:04 UTC (rev 5305)
@@ -0,0 +1,20 @@
+2011-01-27  Petr Baudis  <pasky@suse.cz>
+	    Ulrich Drepper  <drepper@gmail.com>
+
+	* stdio-common/vfprintf.c (vfprintf): Pass correct newlen
+	to extend_alloca().
+ 
+diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
+index fc370e8..cfa4c30 100644
+--- a/stdio-common/vfprintf.c
++++ b/stdio-common/vfprintf.c
+@@ -1682,7 +1682,8 @@ do_positional:
+ 	  {
+ 	    /* Extend the array of format specifiers.  */
+ 	    struct printf_spec *old = specs;
+-	    specs = extend_alloca (specs, nspecs_max, 2 * nspecs_max);
++	    specs = extend_alloca (specs, nspecs_max,
++				   2 * nspecs_max * sizeof (*specs));
+ 
+ 	    /* Copy the old array's elements to the new space.  */
+ 	    memmove (specs, old, nspecs * sizeof (struct printf_spec));
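Review bot: After this change the extend_alloca call mixes units: the second argument is still nspecs_max, which the surrounding code treats as an element count, while the new length is now `2 * nspecs_max * sizeof (*specs)`, a byte count. If extend_alloca stores the new length back into its second argument, nspecs_max holds bytes after the first extension and no longer works as an element capacity. cvs-vfprintf-many-format-strings.diff in this same revision replaces it with nspecs_size, so this patch should not ship without that one; say so in the header and add the CVE-2012-3404 reference there as well.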

Modified: glibc-package/trunk/debian/patches/series
===================================================================
--- glibc-package/trunk/debian/patches/series	2012-07-17 09:11:48 UTC (rev 5304)
+++ glibc-package/trunk/debian/patches/series	2012-07-17 14:12:04 UTC (rev 5305)
@@ -361,3 +361,5 @@
 any/local-sunrpc-dos.diff
 any/cvs-ld.so-rpath-origin.diff
 any/cvs-pthread-builtin-expect.diff
+any/cvs-vfprintf-positional.diff
+any/cvs-vfprintf-many-format-strings.diff
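Review bot: The order of the two added entries is load-bearing and nothing records it. The lines that cvs-vfprintf-many-format-strings.diff removes (`specs = extend_alloca (specs, nspecs_max,` and `2 * nspecs_max * sizeof (*specs));`) are exactly the ones cvs-vfprintf-positional.diff adds, so the second patch stops applying if the entries are reordered or the first is dropped. The order here is correct; record the dependency in the header of the second patch.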

