r6362 - in glibc-package/branches/glibc-branch-wheezy/debian: . patches patches/any
Author: aurel32
Date: 2015-02-11 22:16:48 +0000 (Wed, 11 Feb 2015)
New Revision: 6362
Added:
glibc-package/branches/glibc-branch-wheezy/debian/patches/any/cvs-posix_spawn_file_actions_addopen.diff
Modified:
glibc-package/branches/glibc-branch-wheezy/debian/changelog
glibc-package/branches/glibc-branch-wheezy/debian/patches/series
Log:
debian/patches/any/cvs-posix_spawn_file_actions_addopen.diff: new patch
from upstream to fix a vulnerability in posix_spawn_file_actions_addopen
(CVE-2014-4043). Closes: #751774.
Modified: glibc-package/branches/glibc-branch-wheezy/debian/changelog
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/changelog 2015-02-11 22:04:39 UTC (rev 6361)
+++ glibc-package/branches/glibc-branch-wheezy/debian/changelog 2015-02-11 22:16:48 UTC (rev 6362)
@@ -5,6 +5,9 @@
#777197.
* debian/patches/any/cvs-vfprintf.diff: new patch from ustream to fix a
stack overflow in vfprintf (CVE-2012-3406). Closes: #681888.
+ * debian/patches/any/cvs-posix_spawn_file_actions_addopen.diff: new patch
+ from upstream to fix a vulnerability in posix_spawn_file_actions_addopen
+ (CVE-2014-4043). Closes: #751774.
-- Aurelien Jarno <aurel32@debian.org> Wed, 11 Feb 2015 21:54:57 +0100
Added: glibc-package/branches/glibc-branch-wheezy/debian/patches/any/cvs-posix_spawn_file_actions_addopen.diff
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/patches/any/cvs-posix_spawn_file_actions_addopen.diff (rev 0)
+++ glibc-package/branches/glibc-branch-wheezy/debian/patches/any/cvs-posix_spawn_file_actions_addopen.diff 2015-02-11 22:16:48 UTC (rev 6362)
@@ -0,0 +1,135 @@
+2014-06-12 Stefan Liebler <stli@linux.vnet.ibm.com>
+
+ * posix/spawn_faction_addopen.c: Include string.h.
+
+2014-06-11 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #17048]
+ * posix/spawn_int.h (struct __spawn_action): Make the path string
+ non-const to support deallocation.
+ * posix/spawn_faction_addopen.c
+ (posix_spawn_file_actions_addopen): Make a copy of the pathname.
+ * posix/spawn_faction_destroy.c
+ (posix_spawn_file_actions_destroy): Adjust comment. Deallocate
+ path in all spawn_do_open actions.
+ * posix/tst-spawn.c (do_test): Exercise the copy operation in
+ posix_spawn_file_actions_addopen.
+
+--- a/posix/spawn_faction_addopen.c
++++ b/posix/spawn_faction_addopen.c
+@@ -19,6 +19,7 @@
+ #include <errno.h>
+ #include <spawn.h>
+ #include <unistd.h>
++#include <string.h>
+
+ #include "spawn_int.h"
+
+@@ -36,17 +37,24 @@
+ if (fd < 0 || fd >= maxfd)
+ return EBADF;
+
++ char *path_copy = strdup (path);
++ if (path_copy == NULL)
++ return ENOMEM;
++
+ /* Allocate more memory if needed. */
+ if (file_actions->__used == file_actions->__allocated
+ && __posix_spawn_file_actions_realloc (file_actions) != 0)
+- /* This can only mean we ran out of memory. */
+- return ENOMEM;
++ {
++ /* This can only mean we ran out of memory. */
++ free (path_copy);
++ return ENOMEM;
++ }
+
+ /* Add the new value. */
+ rec = &file_actions->__actions[file_actions->__used];
+ rec->tag = spawn_do_open;
+ rec->action.open_action.fd = fd;
+- rec->action.open_action.path = path;
++ rec->action.open_action.path = path_copy;
+ rec->action.open_action.oflag = oflag;
+ rec->action.open_action.mode = mode;
+
+--- a/posix/spawn_faction_destroy.c
++++ b/posix/spawn_faction_destroy.c
+@@ -19,11 +19,29 @@
+ #include <spawn.h>
+ #include <stdlib.h>
+
+-/* Initialize data structure for file attribute for `spawn' call. */
++#include "spawn_int.h"
++
++/* Deallocate the file actions. */
+ int
+ posix_spawn_file_actions_destroy (posix_spawn_file_actions_t *file_actions)
+ {
+- /* Free the memory allocated. */
++ /* Free the paths in the open actions. */
++ for (int i = 0; i < file_actions->__used; ++i)
++ {
++ struct __spawn_action *sa = &file_actions->__actions[i];
++ switch (sa->tag)
++ {
++ case spawn_do_open:
++ free (sa->action.open_action.path);
++ break;
++ case spawn_do_close:
++ case spawn_do_dup2:
++ /* No cleanup required. */
++ break;
++ }
++ }
++
++ /* Free the array of actions. */
+ free (file_actions->__actions);
+ return 0;
+ }
+--- a/posix/spawn_int.h
++++ b/posix/spawn_int.h
+@@ -22,7 +22,7 @@
+ struct
+ {
+ int fd;
+- const char *path;
++ char *path;
+ int oflag;
+ mode_t mode;
+ } open_action;
+--- a/posix/tst-spawn.c
++++ b/posix/tst-spawn.c
+@@ -169,6 +169,7 @@
+ char fd2name[18];
+ char fd3name[18];
+ char fd4name[18];
++ char *name3_copy;
+ char *spargv[12];
+
+ /* We must have
+@@ -222,9 +223,15 @@
+ if (posix_spawn_file_actions_addclose (&actions, fd1) != 0)
+ error (EXIT_FAILURE, errno, "posix_spawn_file_actions_addclose");
+ /* We want to open the third file. */
+- if (posix_spawn_file_actions_addopen (&actions, fd3, name3,
++ name3_copy = strdup (name3);
++ if (name3_copy == NULL)
++ error (EXIT_FAILURE, errno, "strdup");
++ if (posix_spawn_file_actions_addopen (&actions, fd3, name3_copy,
+ O_RDONLY, 0666) != 0)
+ error (EXIT_FAILURE, errno, "posix_spawn_file_actions_addopen");
++ /* Overwrite the name to check that a copy has been made. */
++ memset (name3_copy, 'X', strlen (name3_copy));
++
+ /* We dup the second descriptor. */
+ fd4 = MAX (2, MAX (fd1, MAX (fd2, fd3))) + 1;
+ if (posix_spawn_file_actions_adddup2 (&actions, fd2, fd4) != 0)
+@@ -255,6 +262,7 @@
+ /* Cleanup. */
+ if (posix_spawn_file_actions_destroy (&actions) != 0)
+ error (EXIT_FAILURE, errno, "posix_spawn_file_actions_destroy");
++ free (name3_copy);
+
+ /* Wait for the child. */
+ if (waitpid (pid, &status, 0) != pid)
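Review bot: In the spawn_faction_destroy.c part of the added patch, posix_spawn_file_actions_destroy frees each `open_action.path` and then `__actions`, but leaves `__used` and the pointers unchanged. Using the object after destroy is undefined per POSIX, but where the old code would only have freed the array twice on a repeated destroy, the new loop would also walk the freed array and free every path copy again. If diverging from upstream is acceptable on this branch, consider resetting the state after the final free: `file_actions->__actions = NULL; file_actions->__used = 0;`. The switch has no default case, so a comment such as `/* Any action that owns heap memory must be released here. */` would help later backports that add action types. The body of posix_spawn_file_actions_addopen starts and ends outside its hunk, so whether any later error path also frees `path_copy` cannot be checked from here.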
Modified: glibc-package/branches/glibc-branch-wheezy/debian/patches/series
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/patches/series 2015-02-11 22:04:39 UTC (rev 6361)
+++ glibc-package/branches/glibc-branch-wheezy/debian/patches/series 2015-02-11 22:16:48 UTC (rev 6362)
@@ -400,3 +400,4 @@
any/cvs-wordexp.diff
any/cvs-wscanf.diff
any/cvs-vfprintf.diff
+any/cvs-posix_spawn_file_actions_addopen.diff