
r6496 - in glibc-package/branches/glibc-2.21/debian: . patches



Author: aurel32
Date: 2015-08-28 21:51:08 +0000 (Fri, 28 Aug 2015)
New Revision: 6496

Modified:
   glibc-package/branches/glibc-2.21/debian/changelog
   glibc-package/branches/glibc-2.21/debian/patches/git-updates.diff
Log:
* Update from upstream stable branch:
  - Fix a buffer overflow in getanswer_r (CVE-2015-1781)
    Closes: #796105.

Modified: glibc-package/branches/glibc-2.21/debian/changelog
===================================================================
--- glibc-package/branches/glibc-2.21/debian/changelog	2015-08-28 21:49:56 UTC (rev 6495)
+++ glibc-package/branches/glibc-2.21/debian/changelog	2015-08-28 21:51:08 UTC (rev 6496)
@@ -88,6 +88,9 @@
     #775179).
   * Create source tarball in a deterministic manner: adjust file modification
     time, user, group, permissions, and file order (addresses: #783210).
+  * Update from upstream stable branch:
+    - Fix a buffer overflow in overflow in getanswer_r (CVE-2015-1781)
+      Closes: #796105.
 
   [ Breno Leitao ]
   * Remove --without-cvs that is not used anymore as a valid configuration.

Modified: glibc-package/branches/glibc-2.21/debian/patches/git-updates.diff
===================================================================
--- glibc-package/branches/glibc-2.21/debian/patches/git-updates.diff	2015-08-28 21:49:56 UTC (rev 6495)
+++ glibc-package/branches/glibc-2.21/debian/patches/git-updates.diff	2015-08-28 21:51:08 UTC (rev 6496)
@@ -1,10 +1,41 @@
 GIT update of git://sourceware.org/git/glibc.git/release/2.21/master from glibc-2.21
 
 diff --git a/ChangeLog b/ChangeLog
-index dc1ed1b..45579de 100644
+index dc1ed1b..61e6671 100644
 --- a/ChangeLog
 +++ b/ChangeLog
-@@ -1,3 +1,9 @@
+@@ -1,3 +1,40 @@
++2015-07-27  Mike Frysinger  <vapier@gentoo.org>
++
++	* sysdeps/ia64/bits/atomic.h (atomic_exchange_and_add): Define
++	directly in terms of __sync_fetch_and_add and delete (int) cast.
++
++2015-02-22  Paul Pluzhnikov  <ppluzhnikov@google.com>
++
++	[BZ #17269]
++	* libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow
++	(enlarge_userbuf): Likewise.
++
++2015-02-26  Andreas Schwab  <schwab@suse.de>
++
++	[BZ #18032]
++	* posix/fnmatch_loop.c (FCT): Remove extra increment when skipping
++	over collating symbol inside a bracket expression.  Minor cleanup.
++	* posix/tst-fnmatch3.c (do_test): Add test case.
++
++2015-07-21  Mike Frysinger  <vapier@gentoo.org>
++
++	[BZ #18694]
++	* sysdeps/unix/sysv/linux/sparc/bits/sigaction.h: Include
++	bits/wordsize.h.
++	(sigaction): Declare __glibc_reserved0 only when __WORDSIZE is 64.
++
++2015-04-21  Arjun Shankar  <arjun.is@lostca.se>
++
++	[BZ #18287]
++	* resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length
++	based on padding.  (CVE-2015-1781)
++
 +2015-02-10  Evangelos Foutras  <evangelos@foutrelis.com>
 +
 +	[BZ #17949]
@@ -14,7 +45,7 @@
  2015-02-06  Carlos O'Donell  <carlos@systemhalted.org>
  
  	* version.h (RELEASE): Set to "stable".
-@@ -7,6 +13,7 @@
+@@ -7,6 +44,7 @@
  	* sysdeps/unix/sysv/linux/hppa/pthread.h: Sync with pthread.h.
  
  2015-02-05  Paul Pluzhnikov  <ppluzhnikov@google.com>
@@ -23,10 +54,10 @@
  	[BZ #16618]
  	* stdio-common/tst-sscanf.c (main): Test for buffer overflow.
 diff --git a/NEWS b/NEWS
-index 617cdbb..ff79f0d 100644
+index 617cdbb..e3588fc 100644
 --- a/NEWS
 +++ b/NEWS
-@@ -5,6 +5,12 @@ See the end for copying conditions.
+@@ -5,6 +5,23 @@ See the end for copying conditions.
  Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
  using `glibc' in the "product" field.
  
@@ -34,12 +65,23 @@
 +
 +* The following bugs are resolved with this release:
 +
-+  17949.
++  17269, 17949, 18032, 18287, 18694.
++
++* A buffer overflow in gethostbyname_r and related functions performing DNS
++  requests has been fixed.  If the NSS functions were called with a
++  misaligned buffer, the buffer length change due to pointer alignment was
++  not taken into account.  This could result in application crashes or,
++  potentially arbitrary code execution, using crafted, but syntactically
++  valid DNS responses.  (CVE-2015-1781)
++
++* The 32-bit sparc sigaction ABI was inadvertently broken in the 2.20 and 2.21
++  releases.  It has been fixed to match 2.19 and older, but binaries built
++  against 2.20 and 2.21 might need to be recompiled.  See BZ#18694.
 +
  Version 2.21
  
  * The following bugs are resolved with this release:
-@@ -21,10 +27,11 @@ Version 2.21
+@@ -21,10 +38,11 @@ Version 2.21
    17801, 17803, 17806, 17834, 17844, 17848, 17868, 17869, 17870, 17885,
    17892.
  
@@ -55,6 +97,87 @@
  
  * A new semaphore algorithm has been implemented in generic C code for all
    machines. Previous custom assembly implementations of semaphore were
+diff --git a/libio/wstrops.c b/libio/wstrops.c
+index 43d847d..3993579 100644
+--- a/libio/wstrops.c
++++ b/libio/wstrops.c
+@@ -95,8 +95,11 @@ _IO_wstr_overflow (fp, c)
+ 	  wchar_t *old_buf = fp->_wide_data->_IO_buf_base;
+ 	  size_t old_wblen = _IO_wblen (fp);
+ 	  _IO_size_t new_size = 2 * old_wblen + 100;
+-	  if (new_size < old_wblen)
++
++	  if (__glibc_unlikely (new_size < old_wblen)
++	      || __glibc_unlikely (new_size > SIZE_MAX / sizeof (wchar_t)))
+ 	    return EOF;
++
+ 	  new_buf
+ 	    = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
+ 									* sizeof (wchar_t));
+@@ -186,6 +189,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
+     return 1;
+ 
+   _IO_size_t newsize = offset + 100;
++  if (__glibc_unlikely (newsize > SIZE_MAX / sizeof (wchar_t)))
++    return 1;
++
+   wchar_t *oldbuf = wd->_IO_buf_base;
+   wchar_t *newbuf
+     = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize
+diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
+index c0cb2fc..72c5d8f 100644
+--- a/posix/fnmatch_loop.c
++++ b/posix/fnmatch_loop.c
+@@ -945,14 +945,13 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
+ 		  }
+ 		else if (c == L('[') && *p == L('.'))
+ 		  {
+-		    ++p;
+ 		    while (1)
+ 		      {
+ 			c = *++p;
+-			if (c == '\0')
++			if (c == L('\0'))
+ 			  return FNM_NOMATCH;
+ 
+-			if (*p == L('.') && p[1] == L(']'))
++			if (c == L('.') && p[1] == L(']'))
+ 			  break;
+ 		      }
+ 		    p += 2;
+diff --git a/posix/tst-fnmatch3.c b/posix/tst-fnmatch3.c
+index d27a557..75bc00a 100644
+--- a/posix/tst-fnmatch3.c
++++ b/posix/tst-fnmatch3.c
+@@ -21,9 +21,11 @@
+ int
+ do_test (void)
+ {
+-  const char *pattern = "[[:alpha:]'[:alpha:]\0]";
+-
+-  return fnmatch (pattern, "a", 0) != FNM_NOMATCH;
++  if (fnmatch ("[[:alpha:]'[:alpha:]\0]", "a", 0) != FNM_NOMATCH)
++    return 1;
++  if (fnmatch ("[a[.\0.]]", "a", 0) != FNM_NOMATCH)
++    return 1;
++  return 0;
+ }
+ 
+ #define TEST_FUNCTION do_test ()
+diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
+index f715ab0..40069a7 100644
+--- a/resolv/nss_dns/dns-host.c
++++ b/resolv/nss_dns/dns-host.c
+@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
+   int have_to_map = 0;
+   uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
+   buffer += pad;
+-  if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))
++  buflen = buflen > pad ? buflen - pad : 0;
++  if (__glibc_unlikely (buflen < sizeof (struct host_data)))
+     {
+       /* The buffer is too small.  */
+     too_small:
 diff --git a/sysdeps/i386/i686/multiarch/mempcpy_chk.S b/sysdeps/i386/i686/multiarch/mempcpy_chk.S
 index 207b648..b6fa202 100644
 --- a/sysdeps/i386/i686/multiarch/mempcpy_chk.S
@@ -70,3 +193,41 @@
  	jz	2f
  	leal	__mempcpy_chk_sse2_unaligned@GOTOFF(%ebx), %eax
  	testl	$bit_Fast_Unaligned_Load, FEATURE_OFFSET+index_Fast_Unaligned_Load+__cpu_features@GOTOFF(%ebx)
+diff --git a/sysdeps/ia64/bits/atomic.h b/sysdeps/ia64/bits/atomic.h
+index 0e9dfc7..4c2b540 100644
+--- a/sysdeps/ia64/bits/atomic.h
++++ b/sysdeps/ia64/bits/atomic.h
+@@ -82,9 +82,7 @@ typedef uintmax_t uatomic_max_t;
+   (__sync_synchronize (), __sync_lock_test_and_set (mem, value))
+ 
+ #define atomic_exchange_and_add(mem, value) \
+-  ({ __typeof (*mem) __result;						      \
+-     __result = __sync_fetch_and_add ((mem), (int) (value));		      \
+-     __result; })
++  __sync_fetch_and_add ((mem), (value))
+ 
+ #define atomic_decrement_if_positive(mem) \
+   ({ __typeof (*mem) __oldval, __val;					      \
+diff --git a/sysdeps/unix/sysv/linux/sparc/bits/sigaction.h b/sysdeps/unix/sysv/linux/sparc/bits/sigaction.h
+index 0750b52..3af5541 100644
+--- a/sysdeps/unix/sysv/linux/sparc/bits/sigaction.h
++++ b/sysdeps/unix/sysv/linux/sparc/bits/sigaction.h
+@@ -20,6 +20,8 @@
+ # error "Never include <bits/sigaction.h> directly; use <signal.h> instead."
+ #endif
+ 
++#include <bits/wordsize.h>
++
+ /* Structure describing the action to be taken when a signal arrives.  */
+ struct sigaction
+   {
+@@ -43,7 +45,9 @@ struct sigaction
+     __sigset_t sa_mask;
+ 
+     /* Special flags.  */
++#if __WORDSIZE == 64
+     int __glibc_reserved0;
++#endif
+     int sa_flags;
+ 
+     /* Not used by Linux/Sparc yet.  */

