r6157 - in glibc-package/trunk/debian: . patches patches/any
Author: aurel32
Date: 2014-06-16 15:25:08 +0000 (Mon, 16 Jun 2014)
New Revision: 6157
Added:
glibc-package/trunk/debian/patches/any/cvs-posix_spawn_file_actions_addopen.diff
Modified:
glibc-package/trunk/debian/changelog
glibc-package/trunk/debian/patches/series
Log:
patches/any/cvs-posix_spawn_file_actions_addopen.diff: new patch from
upstream to fix a vulnerability in posix_spawn_file_actions_addopen
(CVE-2014-4043). Closes: #751774.
Modified: glibc-package/trunk/debian/changelog
===================================================================
--- glibc-package/trunk/debian/changelog 2014-06-16 13:25:36 UTC (rev 6156)
+++ glibc-package/trunk/debian/changelog 2014-06-16 15:25:08 UTC (rev 6157)
@@ -35,6 +35,9 @@
* debian/patches/any/submitted-resolv-ipv6-nameservers.diff: new patch to
fix resolving issues when using IPv6 nameservers in resolv.conf. Closes:
#627531, #644406, #709867.
+ * patches/any/cvs-posix_spawn_file_actions_addopen.diff: new patch from
+ upstream to fix a vulnerability in posix_spawn_file_actions_addopen
+ (CVE-2014-4043). Closes: #751774.
-- Aurelien Jarno <aurel32@debian.org> Wed, 04 Jun 2014 21:51:13 +0200
Added: glibc-package/trunk/debian/patches/any/cvs-posix_spawn_file_actions_addopen.diff
===================================================================
--- glibc-package/trunk/debian/patches/any/cvs-posix_spawn_file_actions_addopen.diff (rev 0)
+++ glibc-package/trunk/debian/patches/any/cvs-posix_spawn_file_actions_addopen.diff 2014-06-16 15:25:08 UTC (rev 6157)
@@ -0,0 +1,135 @@
+2014-06-12 Stefan Liebler <stli@linux.vnet.ibm.com>
+
+ * posix/spawn_faction_addopen.c: Include string.h.
+
+2014-06-11 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #17048]
+ * posix/spawn_int.h (struct __spawn_action): Make the path string
+ non-const to support deallocation.
+ * posix/spawn_faction_addopen.c
+ (posix_spawn_file_actions_addopen): Make a copy of the pathname.
+ * posix/spawn_faction_destroy.c
+ (posix_spawn_file_actions_destroy): Adjust comment. Deallocate
+ path in all spawn_do_open actions.
+ * posix/tst-spawn.c (do_test): Exercise the copy operation in
+ posix_spawn_file_actions_addopen.
+
+--- a/posix/spawn_faction_addopen.c
++++ b/posix/spawn_faction_addopen.c
+@@ -18,6 +18,7 @@
+ #include <errno.h>
+ #include <spawn.h>
+ #include <unistd.h>
++#include <string.h>
+
+ #include "spawn_int.h"
+
+@@ -36,17 +36,24 @@ posix_spawn_file_actions_addopen (posix_spawn_file_actions_t *file_actions,
+ if (fd < 0 || fd >= maxfd)
+ return EBADF;
+
++ char *path_copy = strdup (path);
++ if (path_copy == NULL)
++ return ENOMEM;
++
+ /* Allocate more memory if needed. */
+ if (file_actions->__used == file_actions->__allocated
+ && __posix_spawn_file_actions_realloc (file_actions) != 0)
+- /* This can only mean we ran out of memory. */
+- return ENOMEM;
++ {
++ /* This can only mean we ran out of memory. */
++ free (path_copy);
++ return ENOMEM;
++ }
+
+ /* Add the new value. */
+ rec = &file_actions->__actions[file_actions->__used];
+ rec->tag = spawn_do_open;
+ rec->action.open_action.fd = fd;
+- rec->action.open_action.path = path;
++ rec->action.open_action.path = path_copy;
+ rec->action.open_action.oflag = oflag;
+ rec->action.open_action.mode = mode;
+
+--- a/posix/spawn_faction_destroy.c
++++ b/posix/spawn_faction_destroy.c
+@@ -18,11 +18,29 @@
+ #include <spawn.h>
+ #include <stdlib.h>
+
+-/* Initialize data structure for file attribute for `spawn' call. */
++#include "spawn_int.h"
++
++/* Deallocate the file actions. */
+ int
+ posix_spawn_file_actions_destroy (posix_spawn_file_actions_t *file_actions)
+ {
+- /* Free the memory allocated. */
++ /* Free the paths in the open actions. */
++ for (int i = 0; i < file_actions->__used; ++i)
++ {
++ struct __spawn_action *sa = &file_actions->__actions[i];
++ switch (sa->tag)
++ {
++ case spawn_do_open:
++ free (sa->action.open_action.path);
++ break;
++ case spawn_do_close:
++ case spawn_do_dup2:
++ /* No cleanup required. */
++ break;
++ }
++ }
++
++ /* Free the array of actions. */
+ free (file_actions->__actions);
+ return 0;
+ }
+--- a/posix/spawn_int.h
++++ b/posix/spawn_int.h
+@@ -22,7 +22,7 @@ struct __spawn_action
+ struct
+ {
+ int fd;
+- const char *path;
++ char *path;
+ int oflag;
+ mode_t mode;
+ } open_action;
+--- a/posix/tst-spawn.c
++++ b/posix/tst-spawn.c
+@@ -168,6 +168,7 @@ do_test (int argc, char *argv[])
+ char fd2name[18];
+ char fd3name[18];
+ char fd4name[18];
++ char *name3_copy;
+ char *spargv[12];
+ int i;
+
+@@ -222,9 +223,15 @@ do_test (int argc, char *argv[])
+ if (posix_spawn_file_actions_addclose (&actions, fd1) != 0)
+ error (EXIT_FAILURE, errno, "posix_spawn_file_actions_addclose");
+ /* We want to open the third file. */
+- if (posix_spawn_file_actions_addopen (&actions, fd3, name3,
++ name3_copy = strdup (name3);
++ if (name3_copy == NULL)
++ error (EXIT_FAILURE, errno, "strdup");
++ if (posix_spawn_file_actions_addopen (&actions, fd3, name3_copy,
+ O_RDONLY, 0666) != 0)
+ error (EXIT_FAILURE, errno, "posix_spawn_file_actions_addopen");
++ /* Overwrite the name to check that a copy has been made. */
++ memset (name3_copy, 'X', strlen (name3_copy));
++
+ /* We dup the second descriptor. */
+ fd4 = MAX (2, MAX (fd1, MAX (fd2, fd3))) + 1;
+ if (posix_spawn_file_actions_adddup2 (&actions, fd2, fd4) != 0)
+@@ -253,6 +260,7 @@ do_test (int argc, char *argv[])
+ /* Cleanup. */
+ if (posix_spawn_file_actions_destroy (&actions) != 0)
+ error (EXIT_FAILURE, errno, "posix_spawn_file_actions_destroy");
++ free (name3_copy);
+
+ /* Wait for the child. */
+ if (waitpid (pid, &status, 0) != pid)
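Review bot: In the patched posix_spawn_file_actions_destroy, the new loop dereferences `file_actions->__actions[i]` and frees each `open_action.path`, but `__actions` and `__used` keep their old values after the final `free`. A second destroy on the same object would therefore read tags out of the freed array and free every path again, where before the patch it only repeated a single `free`. POSIX leaves use of a destroyed object undefined, so this is hardening rather than a flaw in the fix, but clearing the fields after the last `free` would make a repeated call harmless: `file_actions->__actions = NULL; file_actions->__used = 0; file_actions->__allocated = 0;`. The comment above posix_spawn_file_actions_addopen should also say that the path is copied and released by destroy, since that ownership change is the substance of the CVE-2014-4043 fix. The do_test hunks in tst-spawn.c begin and end inside the function, so the check that the child opened the intended file is not visible here.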
Modified: glibc-package/trunk/debian/patches/series
===================================================================
--- glibc-package/trunk/debian/patches/series 2014-06-16 13:25:36 UTC (rev 6156)
+++ glibc-package/trunk/debian/patches/series 2014-06-16 15:25:08 UTC (rev 6157)
@@ -246,3 +246,4 @@
any/cvs-resolv-reuse-fd.diff
any/submitted-argp-attribute.diff
any/submitted-resolv-ipv6-nameservers.diff
+any/cvs-posix_spawn_file_actions_addopen.diff