r5857 - in glibc-package/branches/glibc-branch-wheezy/debian: . patches patches/any patches/kfreebsd
Author: aurel32
Date: 2013-12-03 15:25:36 +0000 (Tue, 03 Dec 2013)
New Revision: 5857
Added:
glibc-package/branches/glibc-branch-wheezy/debian/patches/any/cvs-CVE-2013-4237.diff
Removed:
glibc-package/branches/glibc-branch-wheezy/debian/patches/kfreebsd/local-readdir_r.diff
Modified:
glibc-package/branches/glibc-branch-wheezy/debian/changelog
glibc-package/branches/glibc-branch-wheezy/debian/patches/series
glibc-package/branches/glibc-branch-wheezy/debian/patches/series.kfreebsd-amd64
glibc-package/branches/glibc-branch-wheezy/debian/patches/series.kfreebsd-i386
Log:
patches/any/cvs-findlocale-div-by-zero.diff: patch from upstream to fix
a SIGFPE when locale-archive has been corrupted to all zeros (Closes:
#718890, #730336). patches/kfreebsd/local-readdir_r.diff: remove,
superseded by the CVE patch.
Modified: glibc-package/branches/glibc-branch-wheezy/debian/changelog
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/changelog 2013-12-03 14:31:23 UTC (rev 5856)
+++ glibc-package/branches/glibc-branch-wheezy/debian/changelog 2013-12-03 15:25:36 UTC (rev 5857)
@@ -9,9 +9,13 @@
addressing CVE-2013-0242 (Closes: #699399).
* patches/cvs-CVE-2013-1914.diff: backport stack overflow fixes in
getaddrinfo() addressing CVE-2013-1914 (Closes: #704623).
+ * patches/any/cvs-CVE-2013-4237.diff: backport buffer overwrite fix in
+ readdir_r for file systems returning file names longer than NAME_MAX
+ characters, addressing CVE-2013-4237 (Closes: #719558).
* patches/any/cvs-findlocale-div-by-zero.diff: patch from upstream to fix
a SIGFPE when locale-archive has been corrupted to all zeros (Closes:
- #718890, #730336).
+ #718890, #730336). patches/kfreebsd/local-readdir_r.diff: remove
+ superseeded by the CVE patch.
* patches/mips/cvs-prlimit64.diff: patch from upstream to fix getrlimit64
and setrlimit64 with recent 64-bit kernels (Closes: #665897).
Added: glibc-package/branches/glibc-branch-wheezy/debian/patches/any/cvs-CVE-2013-4237.diff
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/patches/any/cvs-CVE-2013-4237.diff (rev 0)
+++ glibc-package/branches/glibc-branch-wheezy/debian/patches/any/cvs-CVE-2013-4237.diff 2013-12-03 15:25:36 UTC (rev 5857)
@@ -0,0 +1,164 @@
+2013-10-10 David S. Miller <davem@davemloft.net>
+
+ * sysdeps/posix/dirstream.h (struct __dirstream): Fix alignment of
+ directory block.
+
+2013-08-16 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #14699]
+ CVE-2013-4237
+ * sysdeps/posix/dirstream.h (struct __dirstream): Add errcode
+ member.
+ * sysdeps/posix/opendir.c (__alloc_dir): Initialize errcode
+ member.
+ * sysdeps/posix/rewinddir.c (rewinddir): Reset errcode member.
+ * sysdeps/posix/readdir_r.c (__READDIR_R): Enforce NAME_MAX limit.
+ Return delayed error code. Remove GETDENTS_64BIT_ALIGNED
+ conditional.
+ * sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c: Do not define
+ GETDENTS_64BIT_ALIGNED.
+ * sysdeps/unix/sysv/linux/i386/readdir64_r.c: Likewise.
+ * manual/filesys.texi (Reading/Closing Directory): Document
+ ENAMETOOLONG return value of readdir_r. Recommend readdir more
+ strongly.
+ * manual/conf.texi (Limits for Files): Add portability note to
+ NAME_MAX, PATH_MAX.
+ (Pathconf): Add portability note for _PC_NAME_MAX, _PC_PATH_MAX.
+
+--- a/sysdeps/unix/dirstream.h
++++ b/sysdeps/unix/dirstream.h
+@@ -40,8 +40,15 @@
+
+ off_t filepos; /* Position of next entry to read. */
+
+- /* Directory block. */
+- char data[0] __attribute__ ((aligned (__alignof__ (void*))));
++ int errcode; /* Delayed error code. */
++
++ /* Directory block. We must make sure that this block starts
++ at an address that is aligned adequately enough to store
++ dirent entries. Using the alignment of "void *" is not
++ sufficient because dirents on 32-bit platforms can require
++ 64-bit alignment. We use "long double" here to be consistent
++ with what malloc uses. */
++ char data[0] __attribute__ ((aligned (__alignof__ (long double))));
+ };
+
+ #define _DIR_dirfd(dirp) ((dirp)->fd)
+--- a/sysdeps/unix/opendir.c
++++ b/sysdeps/unix/opendir.c
+@@ -210,6 +210,7 @@
+ dirp->size = 0;
+ dirp->offset = 0;
+ dirp->filepos = 0;
++ dirp->errcode = 0;
+
+ return dirp;
+ }
+--- a/sysdeps/unix/readdir_r.c
++++ b/sysdeps/unix/readdir_r.c
+@@ -42,6 +42,7 @@
+ DIRENT_TYPE *dp;
+ size_t reclen;
+ const int saved_errno = errno;
++ int ret;
+
+ __libc_lock_lock (dirp->lock);
+
+@@ -72,10 +73,10 @@
+ bytes = 0;
+ __set_errno (saved_errno);
+ }
++ if (bytes < 0)
++ dirp->errcode = errno;
+
+ dp = NULL;
+- /* Reclen != 0 signals that an error occurred. */
+- reclen = bytes != 0;
+ break;
+ }
+ dirp->size = (size_t) bytes;
+@@ -108,29 +109,46 @@
+ dirp->filepos += reclen;
+ #endif
+
+- /* Skip deleted files. */
++#ifdef NAME_MAX
++ if (reclen > offsetof (DIRENT_TYPE, d_name) + NAME_MAX + 1)
++ {
++ /* The record is very long. It could still fit into the
++ caller-supplied buffer if we can skip padding at the
++ end. */
++ size_t namelen = _D_EXACT_NAMLEN (dp);
++ if (namelen <= NAME_MAX)
++ reclen = offsetof (DIRENT_TYPE, d_name) + namelen + 1;
++ else
++ {
++ /* The name is too long. Ignore this file. */
++ dirp->errcode = ENAMETOOLONG;
++ dp->d_ino = 0;
++ continue;
++ }
++ }
++#endif
++
++ /* Skip deleted and ignored files. */
+ }
+ while (dp->d_ino == 0);
+
+ if (dp != NULL)
+ {
+-#ifdef GETDENTS_64BIT_ALIGNED
+- /* The d_reclen value might include padding which is not part of
+- the DIRENT_TYPE data structure. */
+- reclen = MIN (reclen,
+- offsetof (DIRENT_TYPE, d_name) + sizeof (dp->d_name));
+-#endif
+ *result = memcpy (entry, dp, reclen);
+-#ifdef GETDENTS_64BIT_ALIGNED
++#ifdef _DIRENT_HAVE_D_RECLEN
+ entry->d_reclen = reclen;
+ #endif
++ ret = 0;
+ }
+ else
+- *result = NULL;
++ {
++ *result = NULL;
++ ret = dirp->errcode;
++ }
+
+ __libc_lock_unlock (dirp->lock);
+
+- return dp != NULL ? 0 : reclen ? errno : 0;
++ return ret;
+ }
+
+ #ifdef __READDIR_R_ALIAS
+--- a/sysdeps/unix/rewinddir.c
++++ b/sysdeps/unix/rewinddir.c
+@@ -33,5 +33,6 @@
+ dirp->filepos = 0;
+ dirp->offset = 0;
+ dirp->size = 0;
++ dirp->errcode = 0;
+ __libc_lock_unlock (dirp->lock);
+ }
+--- a/sysdeps/unix/sysv/linux/i386/readdir64_r.c
++++ b/sysdeps/unix/sysv/linux/i386/readdir64_r.c
+@@ -19,7 +19,6 @@
+ #define __READDIR_R __readdir64_r
+ #define __GETDENTS __getdents64
+ #define DIRENT_TYPE struct dirent64
+-#define GETDENTS_64BIT_ALIGNED 1
+
+ #include <sysdeps/unix/readdir_r.c>
+
+--- a/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c
++++ b/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c
+@@ -1,5 +1,4 @@
+ #define readdir64_r __no_readdir64_r_decl
+-#define GETDENTS_64BIT_ALIGNED 1
+ #include <sysdeps/unix/readdir_r.c>
+ #undef readdir64_r
+ weak_alias (__readdir_r, readdir64_r)
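Review bot: In the sysdeps/unix/readdir_r.c part of this patch, the only bound left on `memcpy (entry, dp, reclen)` sits inside `#ifdef NAME_MAX`, because the clamp that was compiled in under GETDENTS_64BIT_ALIGNED (`reclen = MIN (reclen, offsetof (DIRENT_TYPE, d_name) + sizeof (dp->d_name));`) is removed in the same hunk. If any configuration builds this file without NAME_MAX (none is visible here, so this may be theoretical), an oversized d_reclen is copied into the caller-supplied entry unchecked. An `#else` branch that keeps the MIN clamp, or an `#error` that states the assumption, would make the dependency explicit. The oversized entry is also skipped silently and ENAMETOOLONG is returned only once the stream is exhausted, so a comment at the `continue` such as `/* Reported to the caller only at end of stream, via dirp->errcode. */` would help anyone auditing callers that stop iterating early. The body of __READDIR_R starts outside these hunks, so the loop entry and the getdents call were not reviewed.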
Deleted: glibc-package/branches/glibc-branch-wheezy/debian/patches/kfreebsd/local-readdir_r.diff
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/patches/kfreebsd/local-readdir_r.diff 2013-12-03 14:31:23 UTC (rev 5856)
+++ glibc-package/branches/glibc-branch-wheezy/debian/patches/kfreebsd/local-readdir_r.diff 2013-12-03 15:25:36 UTC (rev 5857)
@@ -1,47 +0,0 @@
----
- sysdeps/unix/readdir_r.c | 33 +++++++++++++++++++++++++--------
- 1 file changed, 25 insertions(+), 8 deletions(-)
-
---- a/sysdeps/unix/readdir_r.c
-+++ b/sysdeps/unix/readdir_r.c
-@@ -114,15 +114,32 @@
-
- if (dp != NULL)
- {
--#ifdef GETDENTS_64BIT_ALIGNED
-- /* The d_reclen value might include padding which is not part of
-- the DIRENT_TYPE data structure. */
-- reclen = MIN (reclen,
-- offsetof (DIRENT_TYPE, d_name) + sizeof (dp->d_name));
--#endif
-+ /* The required size of *entry, according to POSIX, is
-+ offsetof (DIRENT_TYPE, d_name[0]) + NAME_MAX + 1.
-+ We must not write beyond the end of *entry. On some operating
-+ systems, dp->d_reclen may be larger; in this case, copy only as
-+ many bytes as needed. Also give an error if d_name is too long. */
-+#ifdef _DIRENT_HAVE_D_RECLEN
-+ /* DIRENT_TYPE is of variable size, with d_name as its last entry. */
-+ size_t namelen;
-+# ifdef _DIRENT_HAVE_D_NAMLEN
-+ namelen = dp->d_namlen;
-+# else
-+ namelen = strlen (dp->d_name);
-+# endif
-+
-+ if (namelen <= NAME_MAX)
-+ *result = memcpy (entry, dp,
-+ offsetof (DIRENT_TYPE, d_name[0]) + namelen + 1);
-+ else
-+ {
-+ errno = EOVERFLOW;
-+ dp = NULL;
-+ *result = NULL;
-+ }
-+#else
-+ /* DIRENT_TYPE is of fixed size. */
- *result = memcpy (entry, dp, reclen);
--#ifdef GETDENTS_64BIT_ALIGNED
-- entry->d_reclen = reclen;
- #endif
- }
- else
Modified: glibc-package/branches/glibc-branch-wheezy/debian/patches/series
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/patches/series 2013-12-03 14:31:23 UTC (rev 5856)
+++ glibc-package/branches/glibc-branch-wheezy/debian/patches/series 2013-12-03 15:25:36 UTC (rev 5857)
@@ -378,4 +378,5 @@
any/cvs-CVE-2012-44xx.diff
any/cvs-CVE-2013-0242.diff
any/cvs-CVE-2013-1914.diff
+any/cvs-CVE-2013-4237.diff
any/cvs-findlocale-div-by-zero.diff
Modified: glibc-package/branches/glibc-branch-wheezy/debian/patches/series.kfreebsd-amd64
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/patches/series.kfreebsd-amd64 2013-12-03 14:31:23 UTC (rev 5856)
+++ glibc-package/branches/glibc-branch-wheezy/debian/patches/series.kfreebsd-amd64 2013-12-03 15:25:36 UTC (rev 5857)
@@ -4,7 +4,6 @@
kfreebsd/local-nosavesse.diff
kfreebsd/local-memusage_no_mremap.diff
kfreebsd/local-pthread_at_fork.diff
-kfreebsd/local-readdir_r.diff
kfreebsd/local-scripts.diff
kfreebsd/local-sys_queue_h.diff
kfreebsd/local-sysdeps.diff
Modified: glibc-package/branches/glibc-branch-wheezy/debian/patches/series.kfreebsd-i386
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/patches/series.kfreebsd-i386 2013-12-03 14:31:23 UTC (rev 5856)
+++ glibc-package/branches/glibc-branch-wheezy/debian/patches/series.kfreebsd-i386 2013-12-03 15:25:36 UTC (rev 5857)
@@ -4,7 +4,6 @@
kfreebsd/local-nosavesse.diff
kfreebsd/local-memusage_no_mremap.diff
kfreebsd/local-pthread_at_fork.diff
-kfreebsd/local-readdir_r.diff
kfreebsd/local-scripts.diff
kfreebsd/local-sys_queue_h.diff
kfreebsd/local-sysdeps.diff