r5759 - in glibc-package/trunk/debian: . patches patches/any patches/arm64
Author: adconrad
Date: 2013-11-10 01:05:51 +0000 (Sun, 10 Nov 2013)
New Revision: 5759
Added:
glibc-package/trunk/debian/patches/any/cvs-CVE-2012-44xx.diff
glibc-package/trunk/debian/patches/any/cvs-CVE-2013-2207-pt_chown.diff
glibc-package/trunk/debian/patches/any/cvs-CVE-2013-4237.diff
glibc-package/trunk/debian/patches/any/cvs-CVE-2013-4788-static-ptrguard-ppc64.diff
glibc-package/trunk/debian/patches/any/cvs-CVE-2013-4788-static-ptrguard.diff
glibc-package/trunk/debian/patches/any/unsubmitted-dlopen-static-crash.diff
glibc-package/trunk/debian/patches/arm64/cvs-setjmp-clobber.diff
Modified:
glibc-package/trunk/debian/changelog
glibc-package/trunk/debian/patches/series
Log:
* patches/any/cvs-CVE-2012-44xx.diff: backport overflow fixes in strcoll
addressing CVE-2012-4412 and CVE-2012-4424 (Closes: #687530, #689423)
* patches/any/cvs-CVE-2013-4237.diff: backport git fix to respect the
NAME_MAX constraints in readdir_r: CVE-2013-4237 (Closes: #719558)
* debian/patches/any/cvs-CVE-2013-2207-pt_chown.diff: backpot git patch
to disable building and using pt_chown, but leave disabled for now
until we come up with a complete plan to not break end-user machines.
* patches/any/cvs-CVE-2013-4788-static-ptrguard*: backport fix from git
for pointer mangling in static builds, disabled due to ARM regression.
* patches/arm64/cvs-setjmp-clobber.diff: __sigsetjmp clobbers register
x1 before making the tail call to __sigjmp_save, which causes the
latter to always save the signal mask. Backport git patch to fix.
* patches/ubuntu/unsubmitted-dlopen-static-crash.diff: New patch from
Maciej Rozycki to fix a dlopen segfault in statically linked programs.
Modified: glibc-package/trunk/debian/changelog
===================================================================
--- glibc-package/trunk/debian/changelog 2013-11-09 11:50:11 UTC (rev 5758)
+++ glibc-package/trunk/debian/changelog 2013-11-10 01:05:51 UTC (rev 5759)
@@ -1,5 +1,21 @@
eglibc (2.17-94) UNRELEASED; urgency=low
+ [ Adam Conrad]
+ * patches/any/cvs-CVE-2012-44xx.diff: backport overflow fixes in strcoll
+ addressing CVE-2012-4412 and CVE-2012-4424 (Closes: #687530, #689423)
+ * patches/any/cvs-CVE-2013-4237.diff: backport git fix to respect the
+ NAME_MAX constraints in readdir_r: CVE-2013-4237 (Closes: #719558)
+ * debian/patches/any/cvs-CVE-2013-2207-pt_chown.diff: backpot git patch
+ to disable building and using pt_chown, but leave disabled for now
+ until we come up with a complete plan to not break end-user machines.
+ * patches/any/cvs-CVE-2013-4788-static-ptrguard*: backport fix from git
+ for pointer mangling in static builds, disabled due to ARM regression.
+ * patches/arm64/cvs-setjmp-clobber.diff: __sigsetjmp clobbers register
+ x1 before making the tail call to __sigjmp_save, which causes the
+ latter to always save the signal mask. Backport git patch to fix.
+ * patches/ubuntu/unsubmitted-dlopen-static-crash.diff: New patch from
+ Maciej Rozycki to fix a dlopen segfault in statically linked programs.
+
[ Samuel Thibault ]
* libc0.3.symbols.hurd-i386: Refresh.
* patches/hurd-i386/tg-sendmsg-SCM_RIGHTS.diff: Fix spurious returned error
Added: glibc-package/trunk/debian/patches/any/cvs-CVE-2012-44xx.diff
===================================================================
--- glibc-package/trunk/debian/patches/any/cvs-CVE-2012-44xx.diff (rev 0)
+++ glibc-package/trunk/debian/patches/any/cvs-CVE-2012-44xx.diff 2013-11-10 01:05:51 UTC (rev 5759)
@@ -0,0 +1,1091 @@
+Description: fix denial of service and possible code execution via strcoll overflows
+Origin: backport, https://sourceware.org/git/?p=glibc.git;a=commit;h=1326ba1af22068db9488c2328bdaf852b8a93dcf
+Origin: backport, https://sourceware.org/git/?p=glibc.git;a=commit;h=141f3a77fe4f1b59b0afa9bf6909cd2000448883
+Origin: backport, https://sourceware.org/git/?p=glibc.git;a=commit;h=303e567a8062200dc06acde7c76fc34679f08d8f
+Bug: http://sourceware.org/bugzilla/show_bug.cgi?id=14547
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687530
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689423
+
+Index: eglibc-2.17/string/Makefile
+===================================================================
+--- eglibc-2.17.orig/string/Makefile 2012-10-25 16:09:53.000000000 -0400
++++ eglibc-2.17/string/Makefile 2013-09-27 08:52:43.931342684 -0400
+@@ -67,6 +67,8 @@
+ tests-ifunc := $(strop-tests:%=test-%-ifunc)
+ tests += $(tests-ifunc)
+
++xtests = tst-strcoll-overflow
++
+ include ../Rules
+
+ tester-ENV = LANGUAGE=C
+Index: eglibc-2.17/string/strcoll_l.c
+===================================================================
+--- eglibc-2.17.orig/string/strcoll_l.c 2012-02-17 21:24:59.000000000 -0500
++++ eglibc-2.17/string/strcoll_l.c 2013-09-27 08:52:43.931342684 -0400
+@@ -42,11 +42,434 @@
+
+ #include "../locale/localeinfo.h"
+
++/* Track status while looking for sequences in a string. */
++typedef struct
++{
++ int len; /* Length of the current sequence. */
++ size_t val; /* Position of the sequence relative to the
++ previous non-ignored sequence. */
++ size_t idxnow; /* Current index in sequences. */
++ size_t idxmax; /* Maximum index in sequences. */
++ size_t idxcnt; /* Current count of indices. */
++ size_t backw; /* Current Backward sequence index. */
++ size_t backw_stop; /* Index where the backward sequences stop. */
++ const USTRING_TYPE *us; /* The string. */
++ int32_t *idxarr; /* Array to cache weight indices. */
++ unsigned char *rulearr; /* Array to cache rules. */
++ unsigned char rule; /* Saved rule for the first sequence. */
++ int32_t idx; /* Index to weight of the current sequence. */
++ int32_t save_idx; /* Save looked up index of a forward
++ sequence after the last backward
++ sequence. */
++ const USTRING_TYPE *back_us; /* Beginning of the backward sequence. */
++} coll_seq;
++
++/* Get next sequence. The weight indices are cached, so we don't need to
++ traverse the string. */
++static void
++get_next_seq_cached (coll_seq *seq, int nrules, int pass,
++ const unsigned char *rulesets,
++ const USTRING_TYPE *weights)
++{
++ size_t val = seq->val = 0;
++ int len = seq->len;
++ size_t backw_stop = seq->backw_stop;
++ size_t backw = seq->backw;
++ size_t idxcnt = seq->idxcnt;
++ size_t idxmax = seq->idxmax;
++ size_t idxnow = seq->idxnow;
++ unsigned char *rulearr = seq->rulearr;
++ int32_t *idxarr = seq->idxarr;
++
++ while (len == 0)
++ {
++ ++val;
++ if (backw_stop != ~0ul)
++ {
++ /* There is something pushed. */
++ if (backw == backw_stop)
++ {
++ /* The last pushed character was handled. Continue
++ with forward characters. */
++ if (idxcnt < idxmax)
++ {
++ idxnow = idxcnt;
++ backw_stop = ~0ul;
++ }
++ else
++ {
++ /* Nothing any more. The backward sequence
++ ended with the last sequence in the string. */
++ idxnow = ~0ul;
++ break;
++ }
++ }
++ else
++ idxnow = --backw;
++ }
++ else
++ {
++ backw_stop = idxcnt;
++
++ while (idxcnt < idxmax)
++ {
++ if ((rulesets[rulearr[idxcnt] * nrules + pass]
++ & sort_backward) == 0)
++ /* No more backward characters to push. */
++ break;
++ ++idxcnt;
++ }
++
++ if (backw_stop == idxcnt)
++ {
++ /* No sequence at all or just one. */
++ if (idxcnt == idxmax)
++ /* Note that LEN is still zero. */
++ break;
++
++ backw_stop = ~0ul;
++ idxnow = idxcnt++;
++ }
++ else
++ /* We pushed backward sequences. */
++ idxnow = backw = idxcnt - 1;
++ }
++ len = weights[idxarr[idxnow]++];
++ }
++
++ /* Update the structure. */
++ seq->val = val;
++ seq->len = len;
++ seq->backw_stop = backw_stop;
++ seq->backw = backw;
++ seq->idxcnt = idxcnt;
++ seq->idxnow = idxnow;
++}
++
++/* Get next sequence. Traverse the string as required. */
++static void
++get_next_seq (coll_seq *seq, int nrules, const unsigned char *rulesets,
++ const USTRING_TYPE *weights, const int32_t *table,
++ const USTRING_TYPE *extra, const int32_t *indirect)
++{
++#include WEIGHT_H
++ size_t val = seq->val = 0;
++ int len = seq->len;
++ size_t backw_stop = seq->backw_stop;
++ size_t backw = seq->backw;
++ size_t idxcnt = seq->idxcnt;
++ size_t idxmax = seq->idxmax;
++ size_t idxnow = seq->idxnow;
++ unsigned char *rulearr = seq->rulearr;
++ int32_t *idxarr = seq->idxarr;
++ const USTRING_TYPE *us = seq->us;
++
++ while (len == 0)
++ {
++ ++val;
++ if (backw_stop != ~0ul)
++ {
++ /* There is something pushed. */
++ if (backw == backw_stop)
++ {
++ /* The last pushed character was handled. Continue
++ with forward characters. */
++ if (idxcnt < idxmax)
++ {
++ idxnow = idxcnt;
++ backw_stop = ~0ul;
++ }
++ else
++ /* Nothing any more. The backward sequence ended with
++ the last sequence in the string. Note that LEN
++ is still zero. */
++ break;
++ }
++ else
++ idxnow = --backw;
++ }
++ else
++ {
++ backw_stop = idxmax;
++
++ while (*us != L('\0'))
++ {
++ int32_t tmp = findidx (&us, -1);
++ rulearr[idxmax] = tmp >> 24;
++ idxarr[idxmax] = tmp & 0xffffff;
++ idxcnt = idxmax++;
++
++ if ((rulesets[rulearr[idxcnt] * nrules]
++ & sort_backward) == 0)
++ /* No more backward characters to push. */
++ break;
++ ++idxcnt;
++ }
++
++ if (backw_stop >= idxcnt)
++ {
++ /* No sequence at all or just one. */
++ if (idxcnt == idxmax || backw_stop > idxcnt)
++ /* Note that LEN is still zero. */
++ break;
++
++ backw_stop = ~0ul;
++ idxnow = idxcnt;
++ }
++ else
++ /* We pushed backward sequences. */
++ idxnow = backw = idxcnt - 1;
++ }
++ len = weights[idxarr[idxnow]++];
++ }
++
++ /* Update the structure. */
++ seq->val = val;
++ seq->len = len;
++ seq->backw_stop = backw_stop;
++ seq->backw = backw;
++ seq->idxcnt = idxcnt;
++ seq->idxmax = idxmax;
++ seq->idxnow = idxnow;
++ seq->us = us;
++}
++
++/* Get next sequence. Traverse the string as required. This function does not
++ set or use any index or rule cache. */
++static void
++get_next_seq_nocache (coll_seq *seq, int nrules, const unsigned char *rulesets,
++ const USTRING_TYPE *weights, const int32_t *table,
++ const USTRING_TYPE *extra, const int32_t *indirect,
++ int pass)
++{
++#include WEIGHT_H
++ size_t val = seq->val = 0;
++ int len = seq->len;
++ size_t backw_stop = seq->backw_stop;
++ size_t backw = seq->backw;
++ size_t idxcnt = seq->idxcnt;
++ size_t idxmax = seq->idxmax;
++ int32_t idx = seq->idx;
++ const USTRING_TYPE *us = seq->us;
++
++ while (len == 0)
++ {
++ ++val;
++ if (backw_stop != ~0ul)
++ {
++ /* There is something pushed. */
++ if (backw == backw_stop)
++ {
++ /* The last pushed character was handled. Continue
++ with forward characters. */
++ if (idxcnt < idxmax)
++ {
++ idx = seq->save_idx;
++ backw_stop = ~0ul;
++ }
++ else
++ {
++ /* Nothing anymore. The backward sequence ended with
++ the last sequence in the string. Note that len is
++ still zero. */
++ idx = 0;
++ break;
++ }
++ }
++ else
++ {
++ /* XXX Traverse BACKW sequences from the beginning of
++ BACKW_STOP to get the next sequence. Is ther a quicker way
++ to do this? */
++ size_t i = backw_stop;
++ us = seq->back_us;
++ while (i < backw)
++ {
++ int32_t tmp = findidx (&us, -1);
++ idx = tmp & 0xffffff;
++ i++;
++ }
++ --backw;
++ us = seq->us;
++ }
++ }
++ else
++ {
++ backw_stop = idxmax;
++ int32_t prev_idx = idx;
++
++ while (*us != L('\0'))
++ {
++ int32_t tmp = findidx (&us, -1);
++ unsigned char rule = tmp >> 24;
++ prev_idx = idx;
++ idx = tmp & 0xffffff;
++ idxcnt = idxmax++;
++
++ /* Save the rule for the first sequence. */
++ if (__glibc_unlikely (idxcnt == 0))
++ seq->rule = rule;
++
++ if ((rulesets[rule * nrules + pass]
++ & sort_backward) == 0)
++ /* No more backward characters to push. */
++ break;
++ ++idxcnt;
++ }
++
++ if (backw_stop >= idxcnt)
++ {
++ /* No sequence at all or just one. */
++ if (idxcnt == idxmax || backw_stop > idxcnt)
++ /* Note that len is still zero. */
++ break;
++
++ backw_stop = ~0ul;
++ }
++ else
++ {
++ /* We pushed backward sequences. If the stream ended with the
++ backward sequence, then we process the last sequence we
++ found. Otherwise we process the sequence before the last
++ one since the last one was a forward sequence. */
++ seq->back_us = seq->us;
++ seq->us = us;
++ backw = idxcnt;
++ if (idxmax > idxcnt)
++ {
++ backw--;
++ seq->save_idx = idx;
++ idx = prev_idx;
++ }
++ if (backw > backw_stop)
++ backw--;
++ }
++ }
++
++ len = weights[idx++];
++ /* Skip over indices of previous levels. */
++ for (int i = 0; i < pass; i++)
++ {
++ idx += len;
++ len = weights[idx];
++ idx++;
++ }
++ }
++
++ /* Update the structure. */
++ seq->val = val;
++ seq->len = len;
++ seq->backw_stop = backw_stop;
++ seq->backw = backw;
++ seq->idxcnt = idxcnt;
++ seq->idxmax = idxmax;
++ seq->us = us;
++ seq->idx = idx;
++}
++
++/* Compare two sequences. This version does not use the index and rules
++ cache. */
++static int
++do_compare_nocache (coll_seq *seq1, coll_seq *seq2, int position,
++ const USTRING_TYPE *weights)
++{
++ int seq1len = seq1->len;
++ int seq2len = seq2->len;
++ size_t val1 = seq1->val;
++ size_t val2 = seq2->val;
++ int idx1 = seq1->idx;
++ int idx2 = seq2->idx;
++ int result = 0;
++
++ /* Test for position if necessary. */
++ if (position && val1 != val2)
++ {
++ result = val1 > val2 ? 1 : -1;
++ goto out;
++ }
++
++ /* Compare the two sequences. */
++ do
++ {
++ if (weights[idx1] != weights[idx2])
++ {
++ /* The sequences differ. */
++ result = weights[idx1] - weights[idx2];
++ goto out;
++ }
++
++ /* Increment the offsets. */
++ ++idx1;
++ ++idx2;
++
++ --seq1len;
++ --seq2len;
++ }
++ while (seq1len > 0 && seq2len > 0);
++
++ if (position && seq1len != seq2len)
++ result = seq1len - seq2len;
++
++out:
++ seq1->len = seq1len;
++ seq2->len = seq2len;
++ seq1->idx = idx1;
++ seq2->idx = idx2;
++ return result;
++}
++
++/* Compare two sequences using the index cache. */
++static int
++do_compare (coll_seq *seq1, coll_seq *seq2, int position,
++ const USTRING_TYPE *weights)
++{
++ int seq1len = seq1->len;
++ int seq2len = seq2->len;
++ size_t val1 = seq1->val;
++ size_t val2 = seq2->val;
++ int32_t *idx1arr = seq1->idxarr;
++ int32_t *idx2arr = seq2->idxarr;
++ int idx1now = seq1->idxnow;
++ int idx2now = seq2->idxnow;
++ int result = 0;
++
++ /* Test for position if necessary. */
++ if (position && val1 != val2)
++ {
++ result = val1 > val2 ? 1 : -1;
++ goto out;
++ }
++
++ /* Compare the two sequences. */
++ do
++ {
++ if (weights[idx1arr[idx1now]] != weights[idx2arr[idx2now]])
++ {
++ /* The sequences differ. */
++ result = weights[idx1arr[idx1now]] - weights[idx2arr[idx2now]];
++ goto out;
++ }
++
++ /* Increment the offsets. */
++ ++idx1arr[idx1now];
++ ++idx2arr[idx2now];
++
++ --seq1len;
++ --seq2len;
++ }
++ while (seq1len > 0 && seq2len > 0);
++
++ if (position && seq1len != seq2len)
++ result = seq1len - seq2len;
++
++out:
++ seq1->len = seq1len;
++ seq2->len = seq2len;
++ return result;
++}
++
+ int
+-STRCOLL (s1, s2, l)
+- const STRING_TYPE *s1;
+- const STRING_TYPE *s2;
+- __locale_t l;
++STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l)
+ {
+ struct __locale_data *current = l->__locales[LC_COLLATE];
+ #if __OPTION_EGLIBC_LOCALE_CODE
+@@ -61,34 +484,6 @@
+ const USTRING_TYPE *weights;
+ const USTRING_TYPE *extra;
+ const int32_t *indirect;
+- uint_fast32_t pass;
+- int result = 0;
+- const USTRING_TYPE *us1;
+- const USTRING_TYPE *us2;
+- size_t s1len;
+- size_t s2len;
+- int32_t *idx1arr;
+- int32_t *idx2arr;
+- unsigned char *rule1arr;
+- unsigned char *rule2arr;
+- size_t idx1max;
+- size_t idx2max;
+- size_t idx1cnt;
+- size_t idx2cnt;
+- size_t idx1now;
+- size_t idx2now;
+- size_t backw1_stop;
+- size_t backw2_stop;
+- size_t backw1;
+- size_t backw2;
+- int val1;
+- int val2;
+- int position;
+- int seq1len;
+- int seq2len;
+- int use_malloc;
+-
+-#include WEIGHT_H
+
+ if (nrules == 0)
+ return STRCMP (s1, s2);
+@@ -103,7 +498,6 @@
+ current->values[_NL_ITEM_INDEX (CONCAT(_NL_COLLATE_EXTRA,SUFFIX))].string;
+ indirect = (const int32_t *)
+ current->values[_NL_ITEM_INDEX (CONCAT(_NL_COLLATE_INDIRECT,SUFFIX))].string;
+- use_malloc = 0;
+
+ assert (((uintptr_t) table) % __alignof__ (table[0]) == 0);
+ assert (((uintptr_t) weights) % __alignof__ (weights[0]) == 0);
+@@ -111,18 +505,13 @@
+ assert (((uintptr_t) indirect) % __alignof__ (indirect[0]) == 0);
+
+ /* We need this a few times. */
+- s1len = STRLEN (s1);
+- s2len = STRLEN (s2);
++ size_t s1len = STRLEN (s1);
++ size_t s2len = STRLEN (s2);
+
+ /* Catch empty strings. */
+- if (__builtin_expect (s1len == 0, 0) || __builtin_expect (s2len == 0, 0))
++ if (__glibc_unlikely (s1len == 0) || __glibc_unlikely (s2len == 0))
+ return (s1len != 0) - (s2len != 0);
+
+- /* We need the elements of the strings as unsigned values since they
+- are used as indeces. */
+- us1 = (const USTRING_TYPE *) s1;
+- us2 = (const USTRING_TYPE *) s2;
+-
+ /* Perform the first pass over the string and while doing this find
+ and store the weights for each character. Since we want this to
+ be as fast as possible we are using `alloca' to store the temporary
+@@ -132,411 +521,122 @@
+
+ Please note that the localedef programs makes sure that `position'
+ is not used at the first level. */
+- if (! __libc_use_alloca ((s1len + s2len) * (sizeof (int32_t) + 1)))
+- {
+- idx1arr = (int32_t *) malloc ((s1len + s2len) * (sizeof (int32_t) + 1));
+- idx2arr = &idx1arr[s1len];
+- rule1arr = (unsigned char *) &idx2arr[s2len];
+- rule2arr = &rule1arr[s1len];
+-
+- if (idx1arr == NULL)
+- /* No memory. Well, go with the stack then.
+-
+- XXX Once this implementation is stable we will handle this
+- differently. Instead of precomputing the indeces we will
+- do this in time. This means, though, that this happens for
+- every pass again. */
+- goto try_stack;
+- use_malloc = 1;
+- }
+- else
+- {
+- try_stack:
+- idx1arr = (int32_t *) alloca (s1len * sizeof (int32_t));
+- idx2arr = (int32_t *) alloca (s2len * sizeof (int32_t));
+- rule1arr = (unsigned char *) alloca (s1len);
+- rule2arr = (unsigned char *) alloca (s2len);
+- }
+-
+- idx1cnt = 0;
+- idx2cnt = 0;
+- idx1max = 0;
+- idx2max = 0;
+- idx1now = 0;
+- idx2now = 0;
+- backw1_stop = ~0ul;
+- backw2_stop = ~0ul;
+- backw1 = ~0ul;
+- backw2 = ~0ul;
+- seq1len = 0;
+- seq2len = 0;
+- position = rulesets[0] & sort_position;
+- while (1)
+- {
+- val1 = 0;
+- val2 = 0;
+-
+- /* Get the next non-IGNOREd element for string `s1'. */
+- if (seq1len == 0)
+- do
+- {
+- ++val1;
+-
+- if (backw1_stop != ~0ul)
+- {
+- /* The is something pushed. */
+- if (backw1 == backw1_stop)
+- {
+- /* The last pushed character was handled. Continue
+- with forward characters. */
+- if (idx1cnt < idx1max)
+- {
+- idx1now = idx1cnt;
+- backw1_stop = ~0ul;
+- }
+- else
+- /* Nothing anymore. The backward sequence ended with
+- the last sequence in the string. Note that seq1len
+- is still zero. */
+- break;
+- }
+- else
+- idx1now = --backw1;
+- }
+- else
+- {
+- backw1_stop = idx1max;
+-
+- while (*us1 != L('\0'))
+- {
+- int32_t tmp = findidx (&us1, -1);
+- rule1arr[idx1max] = tmp >> 24;
+- idx1arr[idx1max] = tmp & 0xffffff;
+- idx1cnt = idx1max++;
+-
+- if ((rulesets[rule1arr[idx1cnt] * nrules]
+- & sort_backward) == 0)
+- /* No more backward characters to push. */
+- break;
+- ++idx1cnt;
+- }
+-
+- if (backw1_stop >= idx1cnt)
+- {
+- /* No sequence at all or just one. */
+- if (idx1cnt == idx1max || backw1_stop > idx1cnt)
+- /* Note that seq1len is still zero. */
+- break;
+-
+- backw1_stop = ~0ul;
+- idx1now = idx1cnt;
+- }
+- else
+- /* We pushed backward sequences. */
+- idx1now = backw1 = idx1cnt - 1;
+- }
+- }
+- while ((seq1len = weights[idx1arr[idx1now]++]) == 0);
+-
+- /* And the same for string `s2'. */
+- if (seq2len == 0)
+- do
+- {
+- ++val2;
+-
+- if (backw2_stop != ~0ul)
+- {
+- /* The is something pushed. */
+- if (backw2 == backw2_stop)
+- {
+- /* The last pushed character was handled. Continue
+- with forward characters. */
+- if (idx2cnt < idx2max)
+- {
+- idx2now = idx2cnt;
+- backw2_stop = ~0ul;
+- }
+- else
+- /* Nothing anymore. The backward sequence ended with
+- the last sequence in the string. Note that seq2len
+- is still zero. */
+- break;
+- }
+- else
+- idx2now = --backw2;
+- }
+- else
+- {
+- backw2_stop = idx2max;
+-
+- while (*us2 != L('\0'))
+- {
+- int32_t tmp = findidx (&us2, -1);
+- rule2arr[idx2max] = tmp >> 24;
+- idx2arr[idx2max] = tmp & 0xffffff;
+- idx2cnt = idx2max++;
+-
+- if ((rulesets[rule2arr[idx2cnt] * nrules]
+- & sort_backward) == 0)
+- /* No more backward characters to push. */
+- break;
+- ++idx2cnt;
+- }
+-
+- if (backw2_stop >= idx2cnt)
+- {
+- /* No sequence at all or just one. */
+- if (idx2cnt == idx2max || backw2_stop > idx2cnt)
+- /* Note that seq1len is still zero. */
+- break;
+-
+- backw2_stop = ~0ul;
+- idx2now = idx2cnt;
+- }
+- else
+- /* We pushed backward sequences. */
+- idx2now = backw2 = idx2cnt - 1;
+- }
+- }
+- while ((seq2len = weights[idx2arr[idx2now]++]) == 0);
+-
+- /* See whether any or both strings are empty. */
+- if (seq1len == 0 || seq2len == 0)
+- {
+- if (seq1len == seq2len)
+- /* Both ended. So far so good, both strings are equal at the
+- first level. */
+- break;
+-
+- /* This means one string is shorter than the other. Find out
+- which one and return an appropriate value. */
+- result = seq1len == 0 ? -1 : 1;
+- goto free_and_return;
+- }
+-
+- /* Test for position if necessary. */
+- if (position && val1 != val2)
+- {
+- result = val1 - val2;
+- goto free_and_return;
+- }
+
+- /* Compare the two sequences. */
+- do
+- {
+- if (weights[idx1arr[idx1now]] != weights[idx2arr[idx2now]])
+- {
+- /* The sequences differ. */
+- result = weights[idx1arr[idx1now]] - weights[idx2arr[idx2now]];
+- goto free_and_return;
+- }
++ coll_seq seq1, seq2;
++ bool use_malloc = false;
++ int result = 0;
+
+- /* Increment the offsets. */
+- ++idx1arr[idx1now];
+- ++idx2arr[idx2now];
++ memset (&seq1, 0, sizeof (seq1));
++ seq2 = seq1;
+
+- --seq1len;
+- --seq2len;
+- }
+- while (seq1len > 0 && seq2len > 0);
++ size_t size_max = SIZE_MAX / (sizeof (int32_t) + 1);
+
+- if (position && seq1len != seq2len)
++ if (MIN (s1len, s2len) > size_max
++ || MAX (s1len, s2len) > size_max - MIN (s1len, s2len))
++ {
++ /* If the strings are long enough to cause overflow in the size request,
++ then skip the allocation and proceed with the non-cached routines. */
++ }
++ else if (! __libc_use_alloca ((s1len + s2len) * (sizeof (int32_t) + 1)))
++ {
++ seq1.idxarr = (int32_t *) malloc ((s1len + s2len) * (sizeof (int32_t) + 1));
++
++ /* If we failed to allocate memory, we leave everything as NULL so that
++ we use the nocache version of traversal and comparison functions. */
++ if (seq1.idxarr != NULL)
+ {
+- result = seq1len - seq2len;
+- goto free_and_return;
++ seq2.idxarr = &seq1.idxarr[s1len];
++ seq1.rulearr = (unsigned char *) &seq2.idxarr[s2len];
++ seq2.rulearr = &seq1.rulearr[s1len];
++ use_malloc = true;
+ }
+ }
++ else
++ {
++ seq1.idxarr = (int32_t *) alloca (s1len * sizeof (int32_t));
++ seq2.idxarr = (int32_t *) alloca (s2len * sizeof (int32_t));
++ seq1.rulearr = (unsigned char *) alloca (s1len);
++ seq2.rulearr = (unsigned char *) alloca (s2len);
++ }
++
++ int rule = 0;
+
+- /* Now the remaining passes over the weights. We now use the
+- indeces we found before. */
+- for (pass = 1; pass < nrules; ++pass)
++ /* Cache values in the first pass and if needed, use them in subsequent
++ passes. */
++ for (int pass = 0; pass < nrules; ++pass)
+ {
++ seq1.idxcnt = 0;
++ seq1.idx = 0;
++ seq2.idx = 0;
++ seq1.backw_stop = ~0ul;
++ seq1.backw = ~0ul;
++ seq2.idxcnt = 0;
++ seq2.backw_stop = ~0ul;
++ seq2.backw = ~0ul;
++
++ /* We need the elements of the strings as unsigned values since they
++ are used as indices. */
++ seq1.us = (const USTRING_TYPE *) s1;
++ seq2.us = (const USTRING_TYPE *) s2;
++
+ /* We assume that if a rule has defined `position' in one section
+ this is true for all of them. */
+- idx1cnt = 0;
+- idx2cnt = 0;
+- backw1_stop = ~0ul;
+- backw2_stop = ~0ul;
+- backw1 = ~0ul;
+- backw2 = ~0ul;
+- position = rulesets[rule1arr[0] * nrules + pass] & sort_position;
++ int position = rulesets[rule * nrules + pass] & sort_position;
+
+ while (1)
+ {
+- val1 = 0;
+- val2 = 0;
+-
+- /* Get the next non-IGNOREd element for string `s1'. */
+- if (seq1len == 0)
+- do
+- {
+- ++val1;
+-
+- if (backw1_stop != ~0ul)
+- {
+- /* The is something pushed. */
+- if (backw1 == backw1_stop)
+- {
+- /* The last pushed character was handled. Continue
+- with forward characters. */
+- if (idx1cnt < idx1max)
+- {
+- idx1now = idx1cnt;
+- backw1_stop = ~0ul;
+- }
+- else
+- {
+- /* Nothing anymore. The backward sequence
+- ended with the last sequence in the string. */
+- idx1now = ~0ul;
+- break;
+- }
+- }
+- else
+- idx1now = --backw1;
+- }
+- else
+- {
+- backw1_stop = idx1cnt;
+-
+- while (idx1cnt < idx1max)
+- {
+- if ((rulesets[rule1arr[idx1cnt] * nrules + pass]
+- & sort_backward) == 0)
+- /* No more backward characters to push. */
+- break;
+- ++idx1cnt;
+- }
+-
+- if (backw1_stop == idx1cnt)
+- {
+- /* No sequence at all or just one. */
+- if (idx1cnt == idx1max)
+- /* Note that seq1len is still zero. */
+- break;
+-
+- backw1_stop = ~0ul;
+- idx1now = idx1cnt++;
+- }
+- else
+- /* We pushed backward sequences. */
+- idx1now = backw1 = idx1cnt - 1;
+- }
+- }
+- while ((seq1len = weights[idx1arr[idx1now]++]) == 0);
+-
+- /* And the same for string `s2'. */
+- if (seq2len == 0)
+- do
+- {
+- ++val2;
+-
+- if (backw2_stop != ~0ul)
+- {
+- /* The is something pushed. */
+- if (backw2 == backw2_stop)
+- {
+- /* The last pushed character was handled. Continue
+- with forward characters. */
+- if (idx2cnt < idx2max)
+- {
+- idx2now = idx2cnt;
+- backw2_stop = ~0ul;
+- }
+- else
+- {
+- /* Nothing anymore. The backward sequence
+- ended with the last sequence in the string. */
+- idx2now = ~0ul;
+- break;
+- }
+- }
+- else
+- idx2now = --backw2;
+- }
+- else
+- {
+- backw2_stop = idx2cnt;
+-
+- while (idx2cnt < idx2max)
+- {
+- if ((rulesets[rule2arr[idx2cnt] * nrules + pass]
+- & sort_backward) == 0)
+- /* No more backward characters to push. */
+- break;
+- ++idx2cnt;
+- }
+-
+- if (backw2_stop == idx2cnt)
+- {
+- /* No sequence at all or just one. */
+- if (idx2cnt == idx2max)
+- /* Note that seq2len is still zero. */
+- break;
+-
+- backw2_stop = ~0ul;
+- idx2now = idx2cnt++;
+- }
+- else
+- /* We pushed backward sequences. */
+- idx2now = backw2 = idx2cnt - 1;
+- }
+- }
+- while ((seq2len = weights[idx2arr[idx2now]++]) == 0);
++ if (__glibc_unlikely (seq1.idxarr == NULL))
++ {
++ get_next_seq_nocache (&seq1, nrules, rulesets, weights, table,
++ extra, indirect, pass);
++ get_next_seq_nocache (&seq2, nrules, rulesets, weights, table,
++ extra, indirect, pass);
++ }
++ else if (pass == 0)
++ {
++ get_next_seq (&seq1, nrules, rulesets, weights, table, extra,
++ indirect);
++ get_next_seq (&seq2, nrules, rulesets, weights, table, extra,
++ indirect);
++ }
++ else
++ {
++ get_next_seq_cached (&seq1, nrules, pass, rulesets, weights);
++ get_next_seq_cached (&seq2, nrules, pass, rulesets, weights);
++ }
+
+ /* See whether any or both strings are empty. */
+- if (seq1len == 0 || seq2len == 0)
++ if (seq1.len == 0 || seq2.len == 0)
+ {
+- if (seq1len == seq2len)
++ if (seq1.len == seq2.len)
+ /* Both ended. So far so good, both strings are equal
+ at this level. */
+ break;
+
+ /* This means one string is shorter than the other. Find out
+ which one and return an appropriate value. */
+- result = seq1len == 0 ? -1 : 1;
++ result = seq1.len == 0 ? -1 : 1;
+ goto free_and_return;
+ }
+
+- /* Test for position if necessary. */
+- if (position && val1 != val2)
+- {
+- result = val1 - val2;
+- goto free_and_return;
+- }
+-
+- /* Compare the two sequences. */
+- do
+- {
+- if (weights[idx1arr[idx1now]] != weights[idx2arr[idx2now]])
+- {
+- /* The sequences differ. */
+- result = (weights[idx1arr[idx1now]]
+- - weights[idx2arr[idx2now]]);
+- goto free_and_return;
+- }
+-
+- /* Increment the offsets. */
+- ++idx1arr[idx1now];
+- ++idx2arr[idx2now];
+-
+- --seq1len;
+- --seq2len;
+- }
+- while (seq1len > 0 && seq2len > 0);
+-
+- if (position && seq1len != seq2len)
+- {
+- result = seq1len - seq2len;
+- goto free_and_return;
+- }
++ if (__glibc_unlikely (seq1.idxarr == NULL))
++ result = do_compare_nocache (&seq1, &seq2, position, weights);
++ else
++ result = do_compare (&seq1, &seq2, position, weights);
++ if (result != 0)
++ goto free_and_return;
+ }
++
++ if (__builtin_expect ((seq1.rulearr != NULL), 1))
++ rule = seq1.rulearr[0];
++ else
++ rule = seq1.rule;
+ }
+
+ /* Free the memory if needed. */
+ free_and_return:
+ if (use_malloc)
+- free (idx1arr);
++ free (seq1.idxarr);
+
+ return result;
+ }
+Index: eglibc-2.17/string/tst-strcoll-overflow.c
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ eglibc-2.17/string/tst-strcoll-overflow.c 2013-09-27 08:52:43.931342684 -0400
+@@ -0,0 +1,61 @@
++/* Copyright (C) 2013 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <locale.h>
++#include <stdio.h>
++#include <stdint.h>
++#include <stdlib.h>
++#include <string.h>
++
++/* Verify that strcoll does not crash for large strings for which it cannot
++ cache weight lookup results. The size is large enough to cause integer
++ overflows on 32-bit as well as buffer overflows on 64-bit. The test should
++ work reasonably reliably when overcommit is disabled, but it obviously
++ depends on how much memory the system has. There's a limitation to this
++ test in that it does not run to completion. Actually collating such a
++ large string can take days and we can't have xcheck running that long. For
++ that reason, we run the test for about 5 minutes and then assume that
++ everything is fine if there are no crashes. */
++#define SIZE 0x40000000ul
++
++int
++do_test (void)
++{
++ if (setlocale (LC_COLLATE, "en_GB.UTF-8") == NULL)
++ {
++ puts ("setlocale failed, cannot test for overflow");
++ return 0;
++ }
++
++ char *p = malloc (SIZE);
++
++ if (p == NULL)
++ {
++ puts ("could not allocate memory");
++ return 1;
++ }
++
++ memset (p, 'x', SIZE - 1);
++ p[SIZE - 1] = 0;
++ printf ("%d\n", strcoll (p, p));
++ return 0;
++}
++
++#define TIMEOUT 300
++#define EXPECTED_SIGNAL SIGALRM
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
Added: glibc-package/trunk/debian/patches/any/cvs-CVE-2013-2207-pt_chown.diff
===================================================================
--- glibc-package/trunk/debian/patches/any/cvs-CVE-2013-2207-pt_chown.diff (rev 0)
+++ glibc-package/trunk/debian/patches/any/cvs-CVE-2013-2207-pt_chown.diff 2013-11-10 01:05:51 UTC (rev 5759)
@@ -0,0 +1,244 @@
+commit e4608715e6e1dd2adc91982fd151d5ba4f761d69
+Author: Carlos O'Donell <carlos@redhat.com>
+Date: Fri Jul 19 02:42:03 2013 -0400
+
+ CVE-2013-2207, BZ #15755: Disable pt_chown.
+
+ The helper binary pt_chown tricked into granting access to another
+ user's pseudo-terminal.
+
+ Pre-conditions for the attack:
+
+ * Attacker with local user account
+ * Kernel with FUSE support
+ * "user_allow_other" in /etc/fuse.conf
+ * Victim with allocated slave in /dev/pts
+
+ Using the setuid installed pt_chown and a weak check on whether a file
+ descriptor is a tty, an attacker could fake a pty check using FUSE and
+ trick pt_chown to grant ownership of a pty descriptor that the current
+ user does not own. It cannot access /dev/pts/ptmx however.
+
+ In most modern distributions pt_chown is not needed because devpts
+ is enabled by default. The fix for this CVE is to disable building
+ and using pt_chown by default. We still provide a configure option
+ to enable hte use of pt_chown but distributions do so at their own
+ risk.
+
+2013-07-21 Siddhesh Poyarekar <siddhesh@redhat.com>
+ Andreas Schwab <schwab@suse.de>
+ Roland McGrath <roland@hack.frob.com>
+ Joseph Myers <joseph@codesourcery.com>
+ Carlos O'Donell <carlos@redhat.com>
+
+ [BZ #15755]
+ * config.h.in: Define HAVE_PT_CHOWN.
+ * config.make.in (build-pt-chown): New variable.
+ * configure.in (--enable-pt_chown): New configure option.
+ * configure: Regenerate.
+ * login/Makefile: Include Makeconfig. Build pt_chown only if
+ build-pt-chown is enabled.
+ * sysdeps/unix/grantpt.c (grantpt) [HAVE_PT_CHOWN]: Spawn
+ pt_chown to fix pty ownership.
+ * sysdeps/unix/sysv/linux/grantpt.c [HAVE_PT_CHOWN]: Define
+ CLOSE_ALL_FDS.
+ * manual/install.texi (Configuring and compiling): Mention
+ --enable-pt_chown. Add @findex for grantpt.
+ * INSTALL: Regenerate.
+
+diff --git a/INSTALL b/INSTALL
+index 721a7fc..2c61704 100644
+--- a/INSTALL
++++ b/INSTALL
+@@ -136,6 +136,18 @@ will be used, and CFLAGS sets optimization options for the compiler.
+ this can be prevented though there generally is no reason since it
+ creates compatibility problems.
+
++`--enable-pt_chown'
++ The file `pt_chown' is a helper binary for `grantpt' (*note
++ Pseudo-Terminals: Allocation.) that is installed setuid root to
++ fix up pseudo-terminal ownership. It is not built by default
++ because systems using the Linux kernel are commonly built with the
++ `devpts' filesystem enabled and mounted at `/dev/pts', which
++ manages pseudo-terminal ownership automatically. By using
++ `--enable-pt_chown', you may build `pt_chown' and install it
++ setuid and owned by `root'. The use of `pt_chown' introduces
++ additional security risks to the system and you should enable it
++ only if you understand and accept those risks.
++
+ `--build=BUILD-SYSTEM'
+ `--host=HOST-SYSTEM'
+ These options are for cross-compiling. If you specify both
+diff --git a/config.h.in b/config.h.in
+index 6284e2a..a85f131 100644
+--- a/config.h.in
++++ b/config.h.in
+@@ -238,4 +238,7 @@
+ /* The ARM hard-float ABI is being used. */
+ #undef HAVE_ARM_PCS_VFP
+
++/* The pt_chown binary is being built and used by grantpt. */
++#undef HAVE_PT_CHOWN
++
+ #endif
+diff --git a/config.make.in b/config.make.in
+index b01b70b..7b04568 100644
+--- a/config.make.in
++++ b/config.make.in
+@@ -95,6 +95,7 @@ link-obsolete-rpc = @link_obsolete_rpc@
+ link-obsolete-rpc = @link_obsolete_rpc@
+ build-nscd = @build_nscd@
+ use-nscd = @use_nscd@
++build-pt-chown = @build_pt_chown@
+
+ # Build tools.
+ CC = @CC@
+diff --git a/configure b/configure
+index 59a69f6..1ee4c42 100755
+--- a/configure
++++ b/configure
+@@ -647,6 +647,7 @@ multi_arch
+ base_machine
+ add_on_subdirs
+ add_ons
++build_pt_chown
+ build_nscd
+ link_obsolete_rpc
+ libc_cv_nss_crypt
+@@ -756,6 +757,7 @@ enable_obsolete_rpc
+ enable_systemtap
+ enable_build_nscd
+ enable_nscd
++enable_pt_chown
+ with_cpu
+ '
+ ac_precious_vars='build_alias
+@@ -1421,6 +1423,7 @@ Optional Features:
+ --enable-systemtap enable systemtap static probe points [default=no]
+ --disable-build-nscd disable building and installing the nscd daemon
+ --disable-nscd library functions will not contact the nscd daemon
++ --enable-pt_chown Enable building and installing pt_chown
+
+ Optional Packages:
+ --with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
+@@ -3711,6 +3714,19 @@ else
+ fi
+
+
++# Check whether --enable-pt_chown was given.
++if test "${enable_pt_chown+set}" = set; then :
++ enableval=$enable_pt_chown; build_pt_chown=$enableval
++else
++ build_pt_chown=no
++fi
++
++
++if test $build_pt_chown = yes; then
++ $as_echo "#define HAVE_PT_CHOWN 1" >>confdefs.h
++
++fi
++
+ # The way shlib-versions is used to generate soversions.mk uses a
+ # fairly simplistic model for name recognition that can't distinguish
+ # i486-pc-linux-gnu fully from i486-pc-gnu. So we mutate a $host_os
+diff --git a/configure.in b/configure.in
+index 4db1acf..769e8ef 100644
+--- a/configure.in
++++ b/configure.in
+@@ -353,6 +353,16 @@ AC_ARG_ENABLE([nscd],
+ [use_nscd=$enableval],
+ [use_nscd=yes])
+
++AC_ARG_ENABLE([pt_chown],
++ [AS_HELP_STRING([--enable-pt_chown],
++ [Enable building and installing pt_chown])],
++ [build_pt_chown=$enableval],
++ [build_pt_chown=no])
++AC_SUBST(build_pt_chown)
++if test $build_pt_chown = yes; then
++ AC_DEFINE(HAVE_PT_CHOWN)
++fi
++
+ # The way shlib-versions is used to generate soversions.mk uses a
+ # fairly simplistic model for name recognition that can't distinguish
+ # i486-pc-linux-gnu fully from i486-pc-gnu. So we mutate a $host_os
+diff --git a/login/Makefile b/login/Makefile
+index 0bfe643..430c6d9 100644
+--- a/login/Makefile
++++ b/login/Makefile
+@@ -30,10 +30,16 @@ routines := getlogin getlogin_r setlogin getlogin_r_chk \
+
+ CFLAGS-grantpt.c = -DLIBEXECDIR='"$(libexecdir)"'
+
+-others = pt_chown
++others =
+ others-$(OPTION_EGLIBC_UTMP) += utmpdump
++
++include ../Makeconfig
++
++ifeq (yes,$(build-pt-chown))
++others += pt_chown
+ others-pie = pt_chown
+ install-others-programs = $(inst_libexecdir)/pt_chown
++endif
+
+ subdir-dirs = programs
+ vpath %.c programs
+diff --git a/sysdeps/unix/grantpt.c b/sysdeps/unix/grantpt.c
+index d37da13..431be85 100644
+--- a/sysdeps/unix/grantpt.c
++++ b/sysdeps/unix/grantpt.c
+@@ -173,9 +173,10 @@ grantpt (int fd)
+ retval = 0;
+ goto cleanup;
+
+- /* We have to use the helper program. */
++ /* We have to use the helper program if it is available. */
+ helper:;
+
++#ifdef HAVE_PT_CHOWN
+ pid_t pid = __fork ();
+ if (pid == -1)
+ goto cleanup;
+@@ -190,9 +191,9 @@ grantpt (int fd)
+ if (__dup2 (fd, PTY_FILENO) < 0)
+ _exit (FAIL_EBADF);
+
+-#ifdef CLOSE_ALL_FDS
++# ifdef CLOSE_ALL_FDS
+ CLOSE_ALL_FDS ();
+-#endif
++# endif
+
+ execle (_PATH_PT_CHOWN, basename (_PATH_PT_CHOWN), NULL, NULL);
+ _exit (FAIL_EXEC);
+@@ -231,6 +232,7 @@ grantpt (int fd)
+ assert(! "getpt: internal error: invalid exit code from pt_chown");
+ }
+ }
++#endif
+
+ cleanup:
+ if (buf != _buf)
+diff --git a/sysdeps/unix/sysv/linux/grantpt.c b/sysdeps/unix/sysv/linux/grantpt.c
+index 0a3cd47..8cebde3 100644
+--- a/sysdeps/unix/sysv/linux/grantpt.c
++++ b/sysdeps/unix/sysv/linux/grantpt.c
+@@ -11,7 +11,7 @@
+
+ #include "pty-private.h"
+
+-
++#if HAVE_PT_CHOWN
+ /* Close all file descriptors except the one specified. */
+ static void
+ close_all_fds (void)
+@@ -38,6 +38,7 @@ close_all_fds (void)
+ __dup2 (STDOUT_FILENO, STDERR_FILENO);
+ }
+ }
+-#define CLOSE_ALL_FDS() close_all_fds()
++# define CLOSE_ALL_FDS() close_all_fds()
++#endif
+
+ #include <sysdeps/unix/grantpt.c>
Added: glibc-package/trunk/debian/patches/any/cvs-CVE-2013-4237.diff
===================================================================
--- glibc-package/trunk/debian/patches/any/cvs-CVE-2013-4237.diff (rev 0)
+++ glibc-package/trunk/debian/patches/any/cvs-CVE-2013-4237.diff 2013-11-10 01:05:51 UTC (rev 5759)
@@ -0,0 +1,146 @@
+Description: fix denial of service and possible code execution via readdir_r
+Origin: backport, https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=91ce40854d0b7f865cf5024ef95a8026b76096f3
+Bug: http://sourceware.org/bugzilla/show_bug.cgi?id=14699
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=719558
+
+Index: eglibc-2.17/sysdeps/posix/dirstream.h
+===================================================================
+--- eglibc-2.17.orig/sysdeps/posix/dirstream.h 2013-10-02 08:35:10.479670086 -0400
++++ eglibc-2.17/sysdeps/posix/dirstream.h 2013-10-02 08:35:10.471670085 -0400
+@@ -39,6 +39,8 @@
+
+ off_t filepos; /* Position of next entry to read. */
+
++ int errcode; /* Delayed error code. */
++
+ /* Directory block. */
+ char data[0] __attribute__ ((aligned (__alignof__ (void*))));
+ };
+Index: eglibc-2.17/sysdeps/posix/opendir.c
+===================================================================
+--- eglibc-2.17.orig/sysdeps/posix/opendir.c 2013-10-02 08:35:10.479670086 -0400
++++ eglibc-2.17/sysdeps/posix/opendir.c 2013-10-02 08:35:10.471670085 -0400
+@@ -230,6 +230,7 @@
+ dirp->size = 0;
+ dirp->offset = 0;
+ dirp->filepos = 0;
++ dirp->errcode = 0;
+
+ return dirp;
+ }
+Index: eglibc-2.17/sysdeps/posix/readdir_r.c
+===================================================================
+--- eglibc-2.17.orig/sysdeps/posix/readdir_r.c 2013-10-02 08:35:10.479670086 -0400
++++ eglibc-2.17/sysdeps/posix/readdir_r.c 2013-10-02 08:35:10.471670085 -0400
+@@ -41,6 +41,7 @@
+ DIRENT_TYPE *dp;
+ size_t reclen;
+ const int saved_errno = errno;
++ int ret;
+
+ __libc_lock_lock (dirp->lock);
+
+@@ -71,10 +72,10 @@
+ bytes = 0;
+ __set_errno (saved_errno);
+ }
++ if (bytes < 0)
++ dirp->errcode = errno;
+
+ dp = NULL;
+- /* Reclen != 0 signals that an error occurred. */
+- reclen = bytes != 0;
+ break;
+ }
+ dirp->size = (size_t) bytes;
+@@ -107,29 +108,46 @@
+ dirp->filepos += reclen;
+ #endif
+
+- /* Skip deleted files. */
++#ifdef NAME_MAX
++ if (reclen > offsetof (DIRENT_TYPE, d_name) + NAME_MAX + 1)
++ {
++ /* The record is very long. It could still fit into the
++ caller-supplied buffer if we can skip padding at the
++ end. */
++ size_t namelen = _D_EXACT_NAMLEN (dp);
++ if (namelen <= NAME_MAX)
++ reclen = offsetof (DIRENT_TYPE, d_name) + namelen + 1;
++ else
++ {
++ /* The name is too long. Ignore this file. */
++ dirp->errcode = ENAMETOOLONG;
++ dp->d_ino = 0;
++ continue;
++ }
++ }
++#endif
++
++ /* Skip deleted and ignored files. */
+ }
+ while (dp->d_ino == 0);
+
+ if (dp != NULL)
+ {
+-#ifdef GETDENTS_64BIT_ALIGNED
+- /* The d_reclen value might include padding which is not part of
+- the DIRENT_TYPE data structure. */
+- reclen = MIN (reclen,
+- offsetof (DIRENT_TYPE, d_name) + sizeof (dp->d_name));
+-#endif
+ *result = memcpy (entry, dp, reclen);
+-#ifdef GETDENTS_64BIT_ALIGNED
++#ifdef _DIRENT_HAVE_D_RECLEN
+ entry->d_reclen = reclen;
+ #endif
++ ret = 0;
+ }
+ else
+- *result = NULL;
++ {
++ *result = NULL;
++ ret = dirp->errcode;
++ }
+
+ __libc_lock_unlock (dirp->lock);
+
+- return dp != NULL ? 0 : reclen ? errno : 0;
++ return ret;
+ }
+
+ #ifdef __READDIR_R_ALIAS
+Index: eglibc-2.17/sysdeps/posix/rewinddir.c
+===================================================================
+--- eglibc-2.17.orig/sysdeps/posix/rewinddir.c 2013-10-02 08:35:10.479670086 -0400
++++ eglibc-2.17/sysdeps/posix/rewinddir.c 2013-10-02 08:35:10.471670085 -0400
+@@ -33,6 +33,7 @@
+ dirp->filepos = 0;
+ dirp->offset = 0;
+ dirp->size = 0;
++ dirp->errcode = 0;
+ #ifndef NOT_IN_libc
+ __libc_lock_unlock (dirp->lock);
+ #endif
+Index: eglibc-2.17/sysdeps/unix/sysv/linux/i386/readdir64_r.c
+===================================================================
+--- eglibc-2.17.orig/sysdeps/unix/sysv/linux/i386/readdir64_r.c 2013-10-02 08:35:10.479670086 -0400
++++ eglibc-2.17/sysdeps/unix/sysv/linux/i386/readdir64_r.c 2013-10-02 08:35:10.471670085 -0400
+@@ -18,7 +18,6 @@
+ #define __READDIR_R __readdir64_r
+ #define __GETDENTS __getdents64
+ #define DIRENT_TYPE struct dirent64
+-#define GETDENTS_64BIT_ALIGNED 1
+
+ #include <sysdeps/posix/readdir_r.c>
+
+Index: eglibc-2.17/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c
+===================================================================
+--- eglibc-2.17.orig/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c 2013-10-02 08:35:10.479670086 -0400
++++ eglibc-2.17/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c 2013-10-02 08:35:10.475670086 -0400
+@@ -1,5 +1,4 @@
+ #define readdir64_r __no_readdir64_r_decl
+-#define GETDENTS_64BIT_ALIGNED 1
+ #include <sysdeps/posix/readdir_r.c>
+ #undef readdir64_r
+ weak_alias (__readdir_r, readdir64_r)
Added: glibc-package/trunk/debian/patches/any/cvs-CVE-2013-4788-static-ptrguard-ppc64.diff
===================================================================
--- glibc-package/trunk/debian/patches/any/cvs-CVE-2013-4788-static-ptrguard-ppc64.diff (rev 0)
+++ glibc-package/trunk/debian/patches/any/cvs-CVE-2013-4788-static-ptrguard-ppc64.diff 2013-11-10 01:05:51 UTC (rev 5759)
@@ -0,0 +1,24 @@
+commit 5ebbff8fd1529aec13ac4d2906c1a36f3e738519
+Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
+Date: Wed Sep 25 13:43:04 2013 -0500
+
+ PowerPC: Fix POINTER_CHK_GUARD thread register for PPC64
+
+2013-09-25 Adhemerval Zanella <azanella@linux.vnet.ibm.com>
+
+ * sysdeps/powerpc/powerpc64/stackguard-macros.h (POINTER_CHK_GUARD:
+ Fix thread ID register.
+
+diff --git a/sysdeps/powerpc/powerpc64/stackguard-macros.h b/sysdeps/powerpc/powerpc64/stackguard-macros.h
+index 4620f96..e80a683 100644
+--- a/sysdeps/powerpc/powerpc64/stackguard-macros.h
++++ b/sysdeps/powerpc/powerpc64/stackguard-macros.h
+@@ -6,7 +6,7 @@
+ #define POINTER_CHK_GUARD \
+ ({ \
+ uintptr_t x; \
+- asm ("ld %0,%1(2)" \
++ asm ("ld %0,%1(13)" \
+ : "=r" (x) \
+ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \
+ ); \
Added: glibc-package/trunk/debian/patches/any/cvs-CVE-2013-4788-static-ptrguard.diff
===================================================================
--- glibc-package/trunk/debian/patches/any/cvs-CVE-2013-4788-static-ptrguard.diff (rev 0)
+++ glibc-package/trunk/debian/patches/any/cvs-CVE-2013-4788-static-ptrguard.diff 2013-11-10 01:05:51 UTC (rev 5759)
@@ -0,0 +1,501 @@
+commit c61b4d41c9647a54a329aa021341c0eb032b793e
+Author: Carlos O'Donell <carlos@redhat.com>
+Date: Mon Sep 23 00:52:09 2013 -0400
+
+ BZ #15754: CVE-2013-4788
+
+ The pointer guard used for pointer mangling was not initialized for
+ static applications resulting in the security feature being disabled.
+ The pointer guard is now correctly initialized to a random value for
+ static applications. Existing static applications need to be
+ recompiled to take advantage of the fix.
+
+ The test tst-ptrguard1-static and tst-ptrguard1 add regression
+ coverage to ensure the pointer guards are sufficiently random
+ and initialized to a default value.
+
+2013-09-23 Carlos O'Donell <carlos@redhat.com>
+
+ [BZ #15754]
+ * elf/Makefile (tests): Add tst-ptrguard1.
+ (tests-static): Add tst-ptrguard1-static.
+ (tst-ptrguard1-ARGS): Define.
+ (tst-ptrguard1-static-ARGS): Define.
+ * elf/tst-ptrguard1.c: New file.
+ * elf/tst-ptrguard1-static.c: New file.
+ * sysdeps/x86_64/stackguard-macros.h: Define POINTER_CHK_GUARD.
+ * sysdeps/i386/stackguard-macros.h: Likewise.
+ * sysdeps/powerpc/powerpc32/stackguard-macros.h: Likewise.
+ * sysdeps/powerpc/powerpc64/stackguard-macros.h: Likewise.
+ * sysdeps/s390/s390-32/stackguard-macros.h: Likewise.
+ * sysdeps/s390/s390-64/stackguard-macros.h: Likewise.
+ * sysdeps/sparc/sparc32/stackguard-macros.h: Likewise.
+ * sysdeps/sparc/sparc64/stackguard-macros.h: Likewise.
+
+2013-09-23 Hector Marco <hecmargi@upv.es>
+ Ismael Ripoll <iripoll@disca.upv.es>
+ Carlos O'Donell <carlos@redhat.com>
+
+ [BZ #15754]
+ * sysdeps/generic/stackguard-macros.h: Define
+ __pointer_chk_guard_local and POINTER_CHK_GUARD.
+ * csu/libc-start.c [!SHARED && !THREAD_SET_POINTER_GUARD]:
+ Define __pointer_chk_guard_local.
+ (LIBC_START_MAIN) [!SHARED]: Call _dl_setup_pointer_guard.
+ Use THREAD_SET_POINTER_GUARD or set __pointer_chk_guard_local.
+
+diff --git a/csu/libc-start.c b/csu/libc-start.c
+index e5da3ef..c898d06 100644
+--- a/csu/libc-start.c
++++ b/csu/libc-start.c
+@@ -37,6 +37,12 @@ extern void __pthread_initialize_minimal (void);
+ in thread local area. */
+ uintptr_t __stack_chk_guard attribute_relro;
+ # endif
++# ifndef THREAD_SET_POINTER_GUARD
++/* Only exported for architectures that don't store the pointer guard
++ value in thread local area. */
++uintptr_t __pointer_chk_guard_local
++ attribute_relro attribute_hidden __attribute__ ((nocommon));
++# endif
+ #endif
+
+ #ifdef HAVE_PTR_NTHREADS
+@@ -195,6 +201,16 @@ LIBC_START_MAIN (int (*main) (int, char **, char ** MAIN_AUXVEC_DECL),
+ # else
+ __stack_chk_guard = stack_chk_guard;
+ # endif
++
++ /* Set up the pointer guard value. */
++ uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
++ stack_chk_guard);
++# ifdef THREAD_SET_POINTER_GUARD
++ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
++# else
++ __pointer_chk_guard_local = pointer_chk_guard;
++# endif
++
+ #endif
+
+ /* Register the destructor of the dynamic linker if there is any. */
+diff --git a/elf/Makefile b/elf/Makefile
+index aaa9534..cb8da93 100644
+--- a/elf/Makefile
++++ b/elf/Makefile
+@@ -121,7 +121,8 @@ endif
+ tests = tst-tls1 tst-tls2 tst-tls9 tst-leaks1 \
+ tst-array1 tst-array2 tst-array3 tst-array4 tst-array5
+ tests-static = tst-tls1-static tst-tls2-static tst-stackguard1-static \
+- tst-leaks1-static tst-array1-static tst-array5-static
++ tst-leaks1-static tst-array1-static tst-array5-static \
++ tst-ptrguard1-static
+ ifeq (yes,$(build-shared))
+ tests-static += tst-tls9-static
+ tst-tls9-static-ENV = \
+@@ -145,7 +146,8 @@ tests += loadtest restest1 preloadtest loadfail multiload origtest resolvfail \
+ tst-audit1 tst-audit2 tst-audit8 \
+ tst-stackguard1 tst-addr1 tst-thrlock \
+ tst-unique1 tst-unique2 tst-unique3 tst-unique4 \
+- tst-initorder tst-initorder2 tst-relsort1
++ tst-initorder tst-initorder2 tst-relsort1 \
++ tst-ptrguard1
+ # reldep9
+ test-srcs = tst-pathopt
+ selinux-enabled := $(shell cat /selinux/enforce 2> /dev/null)
+@@ -1016,6 +1018,9 @@ LDFLAGS-order2mod2.so = $(no-as-needed)
+ tst-stackguard1-ARGS = --command "$(host-built-program-cmd) --child"
+ tst-stackguard1-static-ARGS = --command "$(objpfx)tst-stackguard1-static --child"
+
++tst-ptrguard1-ARGS = --command "$(host-built-program-cmd) --child"
++tst-ptrguard1-static-ARGS = --command "$(objpfx)tst-ptrguard1-static --child"
++
+ $(objpfx)tst-leaks1: $(libdl)
+ $(objpfx)tst-leaks1-mem: $(objpfx)tst-leaks1.out
+ $(common-objpfx)malloc/mtrace $(objpfx)tst-leaks1.mtrace > $@
+diff --git a/elf/tst-ptrguard1-static.c b/elf/tst-ptrguard1-static.c
+new file mode 100644
+index 0000000..7aff3b7
+--- /dev/null
++++ b/elf/tst-ptrguard1-static.c
+@@ -0,0 +1 @@
++#include "tst-ptrguard1.c"
+diff --git a/elf/tst-ptrguard1.c b/elf/tst-ptrguard1.c
+new file mode 100644
+index 0000000..c344a04
+--- /dev/null
++++ b/elf/tst-ptrguard1.c
+@@ -0,0 +1,202 @@
++/* Copyright (C) 2013 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <errno.h>
++#include <stdbool.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <sys/wait.h>
++#include <stackguard-macros.h>
++#include <tls.h>
++#include <unistd.h>
++
++#ifndef POINTER_CHK_GUARD
++extern uintptr_t __pointer_chk_guard;
++# define POINTER_CHK_GUARD __pointer_chk_guard
++#endif
++
++static const char *command;
++static bool child;
++static uintptr_t ptr_chk_guard_copy;
++static bool ptr_chk_guard_copy_set;
++static int fds[2];
++
++static void __attribute__ ((constructor))
++con (void)
++{
++ ptr_chk_guard_copy = POINTER_CHK_GUARD;
++ ptr_chk_guard_copy_set = true;
++}
++
++static int
++uintptr_t_cmp (const void *a, const void *b)
++{
++ if (*(uintptr_t *) a < *(uintptr_t *) b)
++ return 1;
++ if (*(uintptr_t *) a > *(uintptr_t *) b)
++ return -1;
++ return 0;
++}
++
++static int
++do_test (void)
++{
++ if (!ptr_chk_guard_copy_set)
++ {
++ puts ("constructor has not been run");
++ return 1;
++ }
++
++ if (ptr_chk_guard_copy != POINTER_CHK_GUARD)
++ {
++ puts ("POINTER_CHK_GUARD changed between constructor and do_test");
++ return 1;
++ }
++
++ if (child)
++ {
++ write (2, &ptr_chk_guard_copy, sizeof (ptr_chk_guard_copy));
++ return 0;
++ }
++
++ if (command == NULL)
++ {
++ puts ("missing --command or --child argument");
++ return 1;
++ }
++
++#define N 16
++ uintptr_t child_ptr_chk_guards[N + 1];
++ child_ptr_chk_guards[N] = ptr_chk_guard_copy;
++ int i;
++ for (i = 0; i < N; ++i)
++ {
++ if (pipe (fds) < 0)
++ {
++ printf ("couldn't create pipe: %m\n");
++ return 1;
++ }
++
++ pid_t pid = fork ();
++ if (pid < 0)
++ {
++ printf ("fork failed: %m\n");
++ return 1;
++ }
++
++ if (!pid)
++ {
++ if (ptr_chk_guard_copy != POINTER_CHK_GUARD)
++ {
++ puts ("POINTER_CHK_GUARD changed after fork");
++ exit (1);
++ }
++
++ close (fds[0]);
++ close (2);
++ dup2 (fds[1], 2);
++ close (fds[1]);
++
++ system (command);
++ exit (0);
++ }
++
++ close (fds[1]);
++
++ if (TEMP_FAILURE_RETRY (read (fds[0], &child_ptr_chk_guards[i],
++ sizeof (uintptr_t))) != sizeof (uintptr_t))
++ {
++ puts ("could not read ptr_chk_guard value from child");
++ return 1;
++ }
++
++ close (fds[0]);
++
++ pid_t termpid;
++ int status;
++ termpid = TEMP_FAILURE_RETRY (waitpid (pid, &status, 0));
++ if (termpid == -1)
++ {
++ printf ("waitpid failed: %m\n");
++ return 1;
++ }
++ else if (termpid != pid)
++ {
++ printf ("waitpid returned %ld != %ld\n",
++ (long int) termpid, (long int) pid);
++ return 1;
++ }
++ else if (!WIFEXITED (status) || WEXITSTATUS (status))
++ {
++ puts ("child hasn't exited with exit status 0");
++ return 1;
++ }
++ }
++
++ qsort (child_ptr_chk_guards, N + 1, sizeof (uintptr_t), uintptr_t_cmp);
++
++ /* The default pointer guard is the same as the default stack guard.
++ They are only set to default if dl_random is NULL. */
++ uintptr_t default_guard = 0;
++ unsigned char *p = (unsigned char *) &default_guard;
++ p[sizeof (uintptr_t) - 1] = 255;
++ p[sizeof (uintptr_t) - 2] = '\n';
++ p[0] = 0;
++
++ /* Test if the pointer guard canaries are either randomized,
++ or equal to the default pointer guard value.
++ Even with randomized pointer guards it might happen
++ that the random number generator generates the same
++ values, but if that happens in more than half from
++ the 16 runs, something is very wrong. */
++ int ndifferences = 0;
++ int ndefaults = 0;
++ for (i = 0; i < N; ++i)
++ {
++ if (child_ptr_chk_guards[i] != child_ptr_chk_guards[i+1])
++ ndifferences++;
++ else if (child_ptr_chk_guards[i] == default_guard)
++ ndefaults++;
++ }
++
++ printf ("differences %d defaults %d\n", ndifferences, ndefaults);
++
++ if (ndifferences < N / 2 && ndefaults < N / 2)
++ {
++ puts ("pointer guard values are not randomized enough");
++ puts ("nor equal to the default value");
++ return 1;
++ }
++
++ return 0;
++}
++
++#define OPT_COMMAND 10000
++#define OPT_CHILD 10001
++#define CMDLINE_OPTIONS \
++ { "command", required_argument, NULL, OPT_COMMAND }, \
++ { "child", no_argument, NULL, OPT_CHILD },
++#define CMDLINE_PROCESS \
++ case OPT_COMMAND: \
++ command = optarg; \
++ break; \
++ case OPT_CHILD: \
++ child = true; \
++ break;
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
+diff --git a/ports/sysdeps/ia64/stackguard-macros.h b/ports/sysdeps/ia64/stackguard-macros.h
+index dc683c2..3907293 100644
+--- a/ports/sysdeps/ia64/stackguard-macros.h
++++ b/ports/sysdeps/ia64/stackguard-macros.h
+@@ -2,3 +2,6 @@
+
+ #define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("adds %0 = -8, r13;; ld8 %0 = [%0]" : "=r" (x)); x; })
++
++#define POINTER_CHK_GUARD \
++ ({ uintptr_t x; asm ("adds %0 = -16, r13;; ld8 %0 = [%0]" : "=r" (x)); x; })
+diff --git a/ports/sysdeps/tile/stackguard-macros.h b/ports/sysdeps/tile/stackguard-macros.h
+index 589ea2b..f2e041b 100644
+--- a/ports/sysdeps/tile/stackguard-macros.h
++++ b/ports/sysdeps/tile/stackguard-macros.h
+@@ -4,11 +4,17 @@
+ # if __WORDSIZE == 64
+ # define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("addi %0, tp, -16; ld %0, %0" : "=r" (x)); x; })
++# define POINTER_CHK_GUARD \
++ ({ uintptr_t x; asm ("addi %0, tp, -24; ld %0, %0" : "=r" (x)); x; })
+ # else
+ # define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("addi %0, tp, -8; ld4s %0, %0" : "=r" (x)); x; })
++# define POINTER_CHK_GUARD \
++ ({ uintptr_t x; asm ("addi %0, tp, -12; ld4s %0, %0" : "=r" (x)); x; })
+ # endif
+ #else
+ # define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("addi %0, tp, -8; lw %0, %0" : "=r" (x)); x; })
++# define POINTER_CHK_GUARD \
++ ({ uintptr_t x; asm ("addi %0, tp, -12; lw %0, %0" : "=r" (x)); x; })
+ #endif
+diff --git a/sysdeps/generic/stackguard-macros.h b/sysdeps/generic/stackguard-macros.h
+index ababf65..4fa3d96 100644
+--- a/sysdeps/generic/stackguard-macros.h
++++ b/sysdeps/generic/stackguard-macros.h
+@@ -2,3 +2,6 @@
+
+ extern uintptr_t __stack_chk_guard;
+ #define STACK_CHK_GUARD __stack_chk_guard
++
++extern uintptr_t __pointer_chk_guard_local;
++#define POINTER_CHK_GUARD __pointer_chk_guard_local
+diff --git a/sysdeps/i386/stackguard-macros.h b/sysdeps/i386/stackguard-macros.h
+index 8c31e19..0397629 100644
+--- a/sysdeps/i386/stackguard-macros.h
++++ b/sysdeps/i386/stackguard-macros.h
+@@ -2,3 +2,11 @@
+
+ #define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("movl %%gs:0x14, %0" : "=r" (x)); x; })
++
++#define POINTER_CHK_GUARD \
++ ({ \
++ uintptr_t x; \
++ asm ("movl %%gs:%c1, %0" : "=r" (x) \
++ : "i" (offsetof (tcbhead_t, pointer_guard))); \
++ x; \
++ })
+diff --git a/sysdeps/powerpc/powerpc32/stackguard-macros.h b/sysdeps/powerpc/powerpc32/stackguard-macros.h
+index 839f6a4..b3d0af8 100644
+--- a/sysdeps/powerpc/powerpc32/stackguard-macros.h
++++ b/sysdeps/powerpc/powerpc32/stackguard-macros.h
+@@ -2,3 +2,13 @@
+
+ #define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("lwz %0,-28680(2)" : "=r" (x)); x; })
++
++#define POINTER_CHK_GUARD \
++ ({ \
++ uintptr_t x; \
++ asm ("lwz %0,%1(2)" \
++ : "=r" (x) \
++ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \
++ ); \
++ x; \
++ })
+diff --git a/sysdeps/powerpc/powerpc64/stackguard-macros.h b/sysdeps/powerpc/powerpc64/stackguard-macros.h
+index 9da879c..4620f96 100644
+--- a/sysdeps/powerpc/powerpc64/stackguard-macros.h
++++ b/sysdeps/powerpc/powerpc64/stackguard-macros.h
+@@ -2,3 +2,13 @@
+
+ #define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("ld %0,-28688(13)" : "=r" (x)); x; })
++
++#define POINTER_CHK_GUARD \
++ ({ \
++ uintptr_t x; \
++ asm ("ld %0,%1(2)" \
++ : "=r" (x) \
++ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \
++ ); \
++ x; \
++ })
+diff --git a/sysdeps/s390/s390-32/stackguard-macros.h b/sysdeps/s390/s390-32/stackguard-macros.h
+index b74c579..449e8d4 100644
+--- a/sysdeps/s390/s390-32/stackguard-macros.h
++++ b/sysdeps/s390/s390-32/stackguard-macros.h
+@@ -2,3 +2,14 @@
+
+ #define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("ear %0,%%a0; l %0,0x14(%0)" : "=a" (x)); x; })
++
++/* On s390/s390x there is no unique pointer guard, instead we use the
++ same value as the stack guard. */
++#define POINTER_CHK_GUARD \
++ ({ \
++ uintptr_t x; \
++ asm ("ear %0,%%a0; l %0,%1(%0)" \
++ : "=a" (x) \
++ : "i" (offsetof (tcbhead_t, stack_guard))); \
++ x; \
++ })
+diff --git a/sysdeps/s390/s390-64/stackguard-macros.h b/sysdeps/s390/s390-64/stackguard-macros.h
+index 0cebb5f..c8270fb 100644
+--- a/sysdeps/s390/s390-64/stackguard-macros.h
++++ b/sysdeps/s390/s390-64/stackguard-macros.h
+@@ -2,3 +2,17 @@
+
+ #define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("ear %0,%%a0; sllg %0,%0,32; ear %0,%%a1; lg %0,0x28(%0)" : "=a" (x)); x; })
++
++/* On s390/s390x there is no unique pointer guard, instead we use the
++ same value as the stack guard. */
++#define POINTER_CHK_GUARD \
++ ({ \
++ uintptr_t x; \
++ asm ("ear %0,%%a0;" \
++ "sllg %0,%0,32;" \
++ "ear %0,%%a1;" \
++ "lg %0,%1(%0)" \
++ : "=a" (x) \
++ : "i" (offsetof (tcbhead_t, stack_guard))); \
++ x; \
++ })
+diff --git a/sysdeps/sparc/sparc32/stackguard-macros.h b/sysdeps/sparc/sparc32/stackguard-macros.h
+index c0b02b0..1eef0f1 100644
+--- a/sysdeps/sparc/sparc32/stackguard-macros.h
++++ b/sysdeps/sparc/sparc32/stackguard-macros.h
+@@ -2,3 +2,6 @@
+
+ #define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("ld [%%g7+0x14], %0" : "=r" (x)); x; })
++
++#define POINTER_CHK_GUARD \
++ ({ uintptr_t x; asm ("ld [%%g7+0x18], %0" : "=r" (x)); x; })
+diff --git a/sysdeps/sparc/sparc64/stackguard-macros.h b/sysdeps/sparc/sparc64/stackguard-macros.h
+index 80f0635..cc0c12c 100644
+--- a/sysdeps/sparc/sparc64/stackguard-macros.h
++++ b/sysdeps/sparc/sparc64/stackguard-macros.h
+@@ -2,3 +2,6 @@
+
+ #define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("ldx [%%g7+0x28], %0" : "=r" (x)); x; })
++
++#define POINTER_CHK_GUARD \
++ ({ uintptr_t x; asm ("ldx [%%g7+0x30], %0" : "=r" (x)); x; })
+diff --git a/sysdeps/x86_64/stackguard-macros.h b/sysdeps/x86_64/stackguard-macros.h
+index d7fedb3..1948800 100644
+--- a/sysdeps/x86_64/stackguard-macros.h
++++ b/sysdeps/x86_64/stackguard-macros.h
+@@ -4,3 +4,8 @@
+ ({ uintptr_t x; \
+ asm ("mov %%fs:%c1, %0" : "=r" (x) \
+ : "i" (offsetof (tcbhead_t, stack_guard))); x; })
++
++#define POINTER_CHK_GUARD \
++ ({ uintptr_t x; \
++ asm ("mov %%fs:%c1, %0" : "=r" (x) \
++ : "i" (offsetof (tcbhead_t, pointer_guard))); x; })
Added: glibc-package/trunk/debian/patches/any/unsubmitted-dlopen-static-crash.diff
===================================================================
--- glibc-package/trunk/debian/patches/any/unsubmitted-dlopen-static-crash.diff (rev 0)
+++ glibc-package/trunk/debian/patches/any/unsubmitted-dlopen-static-crash.diff 2013-11-10 01:05:51 UTC (rev 5759)
@@ -0,0 +1,33 @@
+Description: Fix dlopen segfault in statically linked programs
+Author: Maciej Rozycki
+Origin: http://www.eglibc.org/archives/issues/msg00084.html
+Last-Update: 2013-10-09
+
+Index: b/elf/dl-open.c
+===================================================================
+--- a/elf/dl-open.c
++++ b/elf/dl-open.c
+@@ -92,11 +92,22 @@
+ anymore. Instead the malloc() implementation of the libc is
+ used. But this means the block from the main map cannot be used
+ in an realloc() call. Therefore we allocate a completely new
+- array the first time we have to add something to the locale scope. */
++ array the first time we have to add something to the locale scope.
++
++ Also the list may be missing altogether if we are called via
++ dlopen() from a statically linked executable as in this case ld.so
++ has not been called and no dynamic symbols have been pulled yet.
++ Start a new list in this case. */
+
+ struct link_namespaces *ns = &GL(dl_ns)[new->l_ns];
+ if (ns->_ns_global_scope_alloc == 0)
+ {
++ /* See if we've got a list at all. */
++ if (ns->_ns_main_searchlist == NULL)
++ ns->_ns_main_searchlist = calloc (1, sizeof (struct r_scope_elem));
++ if (ns->_ns_main_searchlist == NULL)
++ goto nomem;
++
+ /* This is the first dynamic object given global scope. */
+ ns->_ns_global_scope_alloc
+ = ns->_ns_main_searchlist->r_nlist + to_add + 8;
Added: glibc-package/trunk/debian/patches/arm64/cvs-setjmp-clobber.diff
===================================================================
--- glibc-package/trunk/debian/patches/arm64/cvs-setjmp-clobber.diff (rev 0)
+++ glibc-package/trunk/debian/patches/arm64/cvs-setjmp-clobber.diff 2013-11-10 01:05:51 UTC (rev 5759)
@@ -0,0 +1,97 @@
+commit e39adf43c7d1979884dd304ed1250baf1f78fadc
+Author: Andreas Schwab <schwab@suse.de>
+Date: Mon May 20 10:19:31 2013 +0200
+
+ AArch64: Don't clobber argument for tail call to __sigjmp_save in sigsetjmp
+
+2013-05-21 Andreas Schwab <schwab@suse.de>
+
+ [BZ #15493]
+ * setjmp/Makefile (tests): Add tst-sigsetjmp.
+ * setjmp/tst-sigsetjmp.c: New test.
+
+diff --git a/ports/sysdeps/aarch64/setjmp.S b/ports/sysdeps/aarch64/setjmp.S
+index cff81c7..10e0709 100644
+--- a/ports/sysdeps/aarch64/setjmp.S
++++ b/ports/sysdeps/aarch64/setjmp.S
+@@ -44,8 +44,14 @@ ENTRY (__sigsetjmp)
+ stp d10, d11, [x0, #JB_D10<<3]
+ stp d12, d13, [x0, #JB_D12<<3]
+ stp d14, d15, [x0, #JB_D14<<3]
+- mov x1, sp
+- str x1, [x0, #JB_SP<<3]
++ mov x2, sp
++ str x2, [x0, #JB_SP<<3]
++#if defined NOT_IN_libc && defined IS_IN_rtld
++ /* In ld.so we never save the signal mask */
++ mov w0, #0
++ RET
++#else
+ b C_SYMBOL_NAME(__sigjmp_save)
++#endif
+ END (__sigsetjmp)
+ hidden_def (__sigsetjmp)
+diff --git a/setjmp/Makefile b/setjmp/Makefile
+index 6124333..913359c 100644
+--- a/setjmp/Makefile
++++ b/setjmp/Makefile
+@@ -25,7 +25,8 @@ headers := setjmp.h bits/setjmp.h bits/setjmp2.h
+ routines := setjmp sigjmp bsd-setjmp bsd-_setjmp \
+ longjmp __longjmp jmp-unwind
+
+-tests := tst-setjmp jmpbug bug269-setjmp
++tests := tst-setjmp jmpbug bug269-setjmp \
++ tst-sigsetjmp
+
+
+ include ../Rules
+diff --git a/setjmp/tst-sigsetjmp.c b/setjmp/tst-sigsetjmp.c
+new file mode 100644
+index 0000000..467c26a
+--- /dev/null
++++ b/setjmp/tst-sigsetjmp.c
+@@ -0,0 +1,44 @@
++/* Copyright (C) 2013 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++/* Test case for BZ #15493 */
++
++#include <stdlib.h>
++#include <signal.h>
++#include <setjmp.h>
++
++static int
++do_test (void)
++{
++ sigjmp_buf sj;
++ sigset_t m;
++
++ sigemptyset (&m);
++ sigprocmask (SIG_SETMASK, &m, NULL);
++ if (sigsetjmp (sj, 0) == 0)
++ {
++ sigaddset (&m, SIGUSR1);
++ sigprocmask (SIG_SETMASK, &m, NULL);
++ siglongjmp (sj, 1);
++ return EXIT_FAILURE;
++ }
++ sigprocmask (SIG_SETMASK, NULL, &m);
++ return sigismember (&m, SIGUSR1) ? EXIT_SUCCESS : EXIT_FAILURE;
++}
++
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
Modified: glibc-package/trunk/debian/patches/series
===================================================================
--- glibc-package/trunk/debian/patches/series 2013-11-09 11:50:11 UTC (rev 5758)
+++ glibc-package/trunk/debian/patches/series 2013-11-10 01:05:51 UTC (rev 5759)
@@ -56,6 +56,8 @@
arm/local-vfp-sysdeps.diff
arm/unsubmitted-ldso-multilib.diff
+arm64/cvs-setjmp-clobber.diff
+
hppa/local-inlining.diff
hppa/submitted-fadvise64_64.diff
hppa/submitted-nptl-carlos.diff
@@ -259,3 +261,9 @@
any/cvs-CVE-2013-4332-memalign.diff
any/cvs-CVE-2013-4332-pvalloc.diff
any/cvs-CVE-2013-4332-valloc.diff
+any/cvs-CVE-2012-44xx.diff
+any/cvs-CVE-2013-4237.diff
+#any/cvs-CVE-2013-2207-pt_chown.diff
+#any/cvs-CVE-2013-4788-static-ptrguard.diff
+#any/cvs-CVE-2013-4788-static-ptrguard-ppc64.diff
+any/unsubmitted-dlopen-static-crash.diff
Reply to: