
r5306 - in glibc-package/branches/glibc-branch-squeeze/debian: . patches patches/any



Author: aurel32
Date: 2012-07-17 14:47:36 +0000 (Tue, 17 Jul 2012)
New Revision: 5306

Added:
   glibc-package/branches/glibc-branch-squeeze/debian/patches/any/cvs-vfprintf-many-format-strings.diff
   glibc-package/branches/glibc-branch-squeeze/debian/patches/any/cvs-vfprintf-positional.diff
Modified:
   glibc-package/branches/glibc-branch-squeeze/debian/changelog
   glibc-package/branches/glibc-branch-squeeze/debian/patches/series
Log:
  * patches/any/cvs-vfprintf-positional.diff: new patch from upstream to
    fix a stack corruption in vfprintf with positional parameters
    (CVE-2012-3404). patches/any/cvs-vfprintf-many-format-strings.diff: new
    patch from upstream to fix a FORTIFY_SOURCE format string protection
    bypass (CVE-2012-3405).  Closes: #681473.



Modified: glibc-package/branches/glibc-branch-squeeze/debian/changelog
===================================================================
--- glibc-package/branches/glibc-branch-squeeze/debian/changelog	2012-07-17 14:12:04 UTC (rev 5305)
+++ glibc-package/branches/glibc-branch-squeeze/debian/changelog	2012-07-17 14:47:36 UTC (rev 5306)
@@ -1,6 +1,10 @@
 eglibc (2.11.3-5) UNRELEASED; urgency=low
 
-  * 
+  * patches/any/cvs-vfprintf-positional.diff: new patch from upstream to
+    fix a stack corruption in vfprintf with positional parameters
+    (CVE-2012-3404). patches/any/cvs-vfprintf-many-format-strings.diff: new
+    patch from upstream to fix a FORTIFY_SOURCE format string protection
+    bypass (CVE-2012-3405).  Closes: #681473.
 
  -- Aurelien Jarno <aurel32@debian.org>  Wed, 06 Jun 2012 23:59:32 +0200
 

Added: glibc-package/branches/glibc-branch-squeeze/debian/patches/any/cvs-vfprintf-many-format-strings.diff
===================================================================
--- glibc-package/branches/glibc-branch-squeeze/debian/patches/any/cvs-vfprintf-many-format-strings.diff	                        (rev 0)
+++ glibc-package/branches/glibc-branch-squeeze/debian/patches/any/cvs-vfprintf-many-format-strings.diff	2012-07-17 14:47:36 UTC (rev 5306)
@@ -0,0 +1,41 @@
+2011-12-17  Ulrich Drepper  <drepper@gmail.com>
+
+	[BZ #13446]
+	* stdio-common/vfprintf.c (vfprintf): Fix extension of specs array.
+
+diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
+index 753a5ac..952886b 100644
+--- a/stdio-common/vfprintf.c
++++ b/stdio-common/vfprintf.c
+@@ -1640,9 +1640,9 @@ do_positional:
+     /* Array with information about the needed arguments.  This has to
+        be dynamically extensible.  */
+     size_t nspecs = 0;
+-    size_t nspecs_max = 32;	/* A more or less arbitrary start value.  */
+-    struct printf_spec *specs
+-      = alloca (nspecs_max * sizeof (struct printf_spec));
++    /* A more or less arbitrary start value.  */
++    size_t nspecs_size = 32 * sizeof (struct printf_spec);
++    struct printf_spec *specs = alloca (nspecs_size);
+ 
+     /* The number of arguments the format string requests.  This will
+        determine the size of the array needed to store the argument
+@@ -1679,15 +1679,14 @@ do_positional:
+ 
+     for (f = lead_str_end; *f != L_('\0'); f = specs[nspecs++].next_fmt)
+       {
+-	if (nspecs >= nspecs_max)
++	if (nspecs * sizeof (*specs) >= nspecs_size)
+ 	  {
+ 	    /* Extend the array of format specifiers.  */
+ 	    struct printf_spec *old = specs;
+-	    specs = extend_alloca (specs, nspecs_max,
+-				   2 * nspecs_max * sizeof (*specs));
++	    specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size);
+ 
+ 	    /* Copy the old array's elements to the new space.  */
+-	    memmove (specs, old, nspecs * sizeof (struct printf_spec));
++	    memmove (specs, old, nspecs * sizeof (*specs));
+ 	  }
+ 
+ 	/* Parse the format specifier.  */
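Review bot: the patch file records only the upstream ChangeLog entry for BZ #13446 and no DEP-3 header; adding `Origin:` (the upstream commit), `Bug:` (BZ #13446) and `Bug-Debian: #681473` at the top of the file would keep the provenance with the patch rather than only in debian/changelog. On the logic side the change is consistent: `nspecs_size` is a byte count, so the new guard `if (nspecs * sizeof (*specs) >= nspecs_size)`, the `extend_alloca (specs, nspecs_size, 2 * nspecs_size)` call and the `memmove` all agree on units, which the previous mix of element counts and byte sizes did not.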

Added: glibc-package/branches/glibc-branch-squeeze/debian/patches/any/cvs-vfprintf-positional.diff
===================================================================
--- glibc-package/branches/glibc-branch-squeeze/debian/patches/any/cvs-vfprintf-positional.diff	                        (rev 0)
+++ glibc-package/branches/glibc-branch-squeeze/debian/patches/any/cvs-vfprintf-positional.diff	2012-07-17 14:47:36 UTC (rev 5306)
@@ -0,0 +1,20 @@
+2011-01-27  Petr Baudis  <pasky@suse.cz>
+	    Ulrich Drepper  <drepper@gmail.com>
+
+	* stdio-common/vfprintf.c (vfprintf): Pass correct newlen
+	to extend_alloca().
+ 
+diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
+index fc370e8..cfa4c30 100644
+--- a/stdio-common/vfprintf.c
++++ b/stdio-common/vfprintf.c
+@@ -1682,7 +1682,8 @@ do_positional:
+ 	  {
+ 	    /* Extend the array of format specifiers.  */
+ 	    struct printf_spec *old = specs;
+-	    specs = extend_alloca (specs, nspecs_max, 2 * nspecs_max);
++	    specs = extend_alloca (specs, nspecs_max,
++				   2 * nspecs_max * sizeof (*specs));
+ 
+ 	    /* Copy the old array's elements to the new space.  */
+ 	    memmove (specs, old, nspecs * sizeof (struct printf_spec));
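Review bot: after this hunk the two size arguments to `extend_alloca` are in different units: `nspecs_max` counts elements while the new `2 * nspecs_max * sizeof (*specs)` counts bytes, so on its own this only corrects the size of the first extension. The companion patch in this commit, cvs-vfprintf-many-format-strings.diff (BZ #13446), replaces `nspecs_max` with the byte count `nspecs_size`, and its removed lines are exactly the two `+` lines added here, so the two patches have to stay applied in this order. Minor: the separator line after the ChangeLog entry carries a stray trailing space.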

Modified: glibc-package/branches/glibc-branch-squeeze/debian/patches/series
===================================================================
--- glibc-package/branches/glibc-branch-squeeze/debian/patches/series	2012-07-17 14:12:04 UTC (rev 5305)
+++ glibc-package/branches/glibc-branch-squeeze/debian/patches/series	2012-07-17 14:47:36 UTC (rev 5306)
@@ -275,3 +275,5 @@
 any/cvs-dlopen-tls.diff
 any/cvs-FORTIFY_SOURCE-format-strings.diff
 any/local-sunrpc-dos.diff
+any/cvs-vfprintf-positional.diff
+any/cvs-vfprintf-many-format-strings.diff
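Review bot: ordering matters here and is correct: any/cvs-vfprintf-positional.diff (2011-01-27) precedes any/cvs-vfprintf-many-format-strings.diff (2011-12-17), whose `-` lines for the `extend_alloca` call are the lines the first patch adds; swapping the two entries would make the second patch fail to apply.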

