r6496 - in glibc-package/branches/glibc-2.21/debian: . patches
Author: aurel32
Date: 2015-08-28 21:51:08 +0000 (Fri, 28 Aug 2015)
New Revision: 6496
Modified:
glibc-package/branches/glibc-2.21/debian/changelog
glibc-package/branches/glibc-2.21/debian/patches/git-updates.diff
Log:
* Update from upstream stable branch:
- Fix a buffer overflow in getanswer_r (CVE-2015-1781)
Closes: #796105.
Modified: glibc-package/branches/glibc-2.21/debian/changelog
===================================================================
--- glibc-package/branches/glibc-2.21/debian/changelog 2015-08-28 21:49:56 UTC (rev 6495)
+++ glibc-package/branches/glibc-2.21/debian/changelog 2015-08-28 21:51:08 UTC (rev 6496)
@@ -88,6 +88,9 @@
#775179).
* Create source tarball in a deterministic manner: adjust file modification
time, user, group, permissions, and file order (addresses: #783210).
+ * Update from upstream stable branch:
+ - Fix a buffer overflow in overflow in getanswer_r (CVE-2015-1781)
+ Closes: #796105.
[ Breno Leitao ]
* Remove --without-cvs that is not used anymore as a valid configuration.
Modified: glibc-package/branches/glibc-2.21/debian/patches/git-updates.diff
===================================================================
--- glibc-package/branches/glibc-2.21/debian/patches/git-updates.diff 2015-08-28 21:49:56 UTC (rev 6495)
+++ glibc-package/branches/glibc-2.21/debian/patches/git-updates.diff 2015-08-28 21:51:08 UTC (rev 6496)
@@ -1,10 +1,41 @@
GIT update of git://sourceware.org/git/glibc.git/release/2.21/master from glibc-2.21
diff --git a/ChangeLog b/ChangeLog
-index dc1ed1b..45579de 100644
+index dc1ed1b..61e6671 100644
--- a/ChangeLog
+++ b/ChangeLog
-@@ -1,3 +1,9 @@
+@@ -1,3 +1,40 @@
++2015-07-27 Mike Frysinger <vapier@gentoo.org>
++
++ * sysdeps/ia64/bits/atomic.h (atomic_exchange_and_add): Define
++ directly in terms of __sync_fetch_and_add and delete (int) cast.
++
++2015-02-22 Paul Pluzhnikov <ppluzhnikov@google.com>
++
++ [BZ #17269]
++ * libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow
++ (enlarge_userbuf): Likewise.
++
++2015-02-26 Andreas Schwab <schwab@suse.de>
++
++ [BZ #18032]
++ * posix/fnmatch_loop.c (FCT): Remove extra increment when skipping
++ over collating symbol inside a bracket expression. Minor cleanup.
++ * posix/tst-fnmatch3.c (do_test): Add test case.
++
++2015-07-21 Mike Frysinger <vapier@gentoo.org>
++
++ [BZ #18694]
++ * sysdeps/unix/sysv/linux/sparc/bits/sigaction.h: Include
++ bits/wordsize.h.
++ (sigaction): Declare __glibc_reserved0 only when __WORDSIZE is 64.
++
++2015-04-21 Arjun Shankar <arjun.is@lostca.se>
++
++ [BZ #18287]
++ * resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length
++ based on padding. (CVE-2015-1781)
++
+2015-02-10 Evangelos Foutras <evangelos@foutrelis.com>
+
+ [BZ #17949]
@@ -14,7 +45,7 @@
2015-02-06 Carlos O'Donell <carlos@systemhalted.org>
* version.h (RELEASE): Set to "stable".
-@@ -7,6 +13,7 @@
+@@ -7,6 +44,7 @@
* sysdeps/unix/sysv/linux/hppa/pthread.h: Sync with pthread.h.
2015-02-05 Paul Pluzhnikov <ppluzhnikov@google.com>
@@ -23,10 +54,10 @@
[BZ #16618]
* stdio-common/tst-sscanf.c (main): Test for buffer overflow.
diff --git a/NEWS b/NEWS
-index 617cdbb..ff79f0d 100644
+index 617cdbb..e3588fc 100644
--- a/NEWS
+++ b/NEWS
-@@ -5,6 +5,12 @@ See the end for copying conditions.
+@@ -5,6 +5,23 @@ See the end for copying conditions.
Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
using `glibc' in the "product" field.
@@ -34,12 +65,23 @@
+
+* The following bugs are resolved with this release:
+
-+ 17949.
++ 17269, 17949, 18032, 18287, 18694.
++
++* A buffer overflow in gethostbyname_r and related functions performing DNS
++ requests has been fixed. If the NSS functions were called with a
++ misaligned buffer, the buffer length change due to pointer alignment was
++ not taken into account. This could result in application crashes or,
++ potentially arbitrary code execution, using crafted, but syntactically
++ valid DNS responses. (CVE-2015-1781)
++
++* The 32-bit sparc sigaction ABI was inadvertently broken in the 2.20 and 2.21
++ releases. It has been fixed to match 2.19 and older, but binaries built
++ against 2.20 and 2.21 might need to be recompiled. See BZ#18694.
+
Version 2.21
* The following bugs are resolved with this release:
-@@ -21,10 +27,11 @@ Version 2.21
+@@ -21,10 +38,11 @@ Version 2.21
17801, 17803, 17806, 17834, 17844, 17848, 17868, 17869, 17870, 17885,
17892.
@@ -55,6 +97,87 @@
* A new semaphore algorithm has been implemented in generic C code for all
machines. Previous custom assembly implementations of semaphore were
+diff --git a/libio/wstrops.c b/libio/wstrops.c
+index 43d847d..3993579 100644
+--- a/libio/wstrops.c
++++ b/libio/wstrops.c
+@@ -95,8 +95,11 @@ _IO_wstr_overflow (fp, c)
+ wchar_t *old_buf = fp->_wide_data->_IO_buf_base;
+ size_t old_wblen = _IO_wblen (fp);
+ _IO_size_t new_size = 2 * old_wblen + 100;
+- if (new_size < old_wblen)
++
++ if (__glibc_unlikely (new_size < old_wblen)
++ || __glibc_unlikely (new_size > SIZE_MAX / sizeof (wchar_t)))
+ return EOF;
++
+ new_buf
+ = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
+ * sizeof (wchar_t));
+@@ -186,6 +189,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
+ return 1;
+
+ _IO_size_t newsize = offset + 100;
++ if (__glibc_unlikely (newsize > SIZE_MAX / sizeof (wchar_t)))
++ return 1;
++
+ wchar_t *oldbuf = wd->_IO_buf_base;
+ wchar_t *newbuf
+ = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize
+diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
+index c0cb2fc..72c5d8f 100644
+--- a/posix/fnmatch_loop.c
++++ b/posix/fnmatch_loop.c
+@@ -945,14 +945,13 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
+ }
+ else if (c == L('[') && *p == L('.'))
+ {
+- ++p;
+ while (1)
+ {
+ c = *++p;
+- if (c == '\0')
++ if (c == L('\0'))
+ return FNM_NOMATCH;
+
+- if (*p == L('.') && p[1] == L(']'))
++ if (c == L('.') && p[1] == L(']'))
+ break;
+ }
+ p += 2;
+diff --git a/posix/tst-fnmatch3.c b/posix/tst-fnmatch3.c
+index d27a557..75bc00a 100644
+--- a/posix/tst-fnmatch3.c
++++ b/posix/tst-fnmatch3.c
+@@ -21,9 +21,11 @@
+ int
+ do_test (void)
+ {
+- const char *pattern = "[[:alpha:]'[:alpha:]\0]";
+-
+- return fnmatch (pattern, "a", 0) != FNM_NOMATCH;
++ if (fnmatch ("[[:alpha:]'[:alpha:]\0]", "a", 0) != FNM_NOMATCH)
++ return 1;
++ if (fnmatch ("[a[.\0.]]", "a", 0) != FNM_NOMATCH)
++ return 1;
++ return 0;
+ }
+
+ #define TEST_FUNCTION do_test ()
+diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
+index f715ab0..40069a7 100644
+--- a/resolv/nss_dns/dns-host.c
++++ b/resolv/nss_dns/dns-host.c
+@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
+ int have_to_map = 0;
+ uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
+ buffer += pad;
+- if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))
++ buflen = buflen > pad ? buflen - pad : 0;
++ if (__glibc_unlikely (buflen < sizeof (struct host_data)))
+ {
+ /* The buffer is too small. */
+ too_small:
diff --git a/sysdeps/i386/i686/multiarch/mempcpy_chk.S b/sysdeps/i386/i686/multiarch/mempcpy_chk.S
index 207b648..b6fa202 100644
--- a/sysdeps/i386/i686/multiarch/mempcpy_chk.S
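Review bot: In the dns-host.c hunk, `buffer += pad;` still runs before the new length check, so when `buflen < pad` the function forms a pointer beyond the end of the caller's buffer before `buflen` is clamped to 0; it is never dereferenced because the `sizeof (struct host_data)` check then fails, but since this is the CVE-2015-1781 site the ordering deserves a comment. Suggest `/* Align BUFFER for struct host_data and charge the padding to BUFLEN so the size checks below see the space actually left (CVE-2015-1781).  */` above the `pad` computation. Moving both adjustments below the guard, e.g. `if (__glibc_unlikely (buflen < pad || buflen - pad < sizeof (struct host_data)))`, would avoid the out-of-range pointer entirely, but the `too_small:` label lives inside that block and the rest of getanswer_r is outside the hunk, so that restructure needs the full function in view.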
@@ -70,3 +193,41 @@
jz 2f
leal __mempcpy_chk_sse2_unaligned@GOTOFF(%ebx), %eax
testl $bit_Fast_Unaligned_Load, FEATURE_OFFSET+index_Fast_Unaligned_Load+__cpu_features@GOTOFF(%ebx)
+diff --git a/sysdeps/ia64/bits/atomic.h b/sysdeps/ia64/bits/atomic.h
+index 0e9dfc7..4c2b540 100644
+--- a/sysdeps/ia64/bits/atomic.h
++++ b/sysdeps/ia64/bits/atomic.h
+@@ -82,9 +82,7 @@ typedef uintmax_t uatomic_max_t;
+ (__sync_synchronize (), __sync_lock_test_and_set (mem, value))
+
+ #define atomic_exchange_and_add(mem, value) \
+- ({ __typeof (*mem) __result; \
+- __result = __sync_fetch_and_add ((mem), (int) (value)); \
+- __result; })
++ __sync_fetch_and_add ((mem), (value))
+
+ #define atomic_decrement_if_positive(mem) \
+ ({ __typeof (*mem) __oldval, __val; \
+diff --git a/sysdeps/unix/sysv/linux/sparc/bits/sigaction.h b/sysdeps/unix/sysv/linux/sparc/bits/sigaction.h
+index 0750b52..3af5541 100644
+--- a/sysdeps/unix/sysv/linux/sparc/bits/sigaction.h
++++ b/sysdeps/unix/sysv/linux/sparc/bits/sigaction.h
+@@ -20,6 +20,8 @@
+ # error "Never include <bits/sigaction.h> directly; use <signal.h> instead."
+ #endif
+
++#include <bits/wordsize.h>
++
+ /* Structure describing the action to be taken when a signal arrives. */
+ struct sigaction
+ {
+@@ -43,7 +45,9 @@ struct sigaction
+ __sigset_t sa_mask;
+
+ /* Special flags. */
++#if __WORDSIZE == 64
+ int __glibc_reserved0;
++#endif
+ int sa_flags;
+
+ /* Not used by Linux/Sparc yet. */
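Review bot: The new `#if __WORDSIZE == 64` around `__glibc_reserved0` in bits/sigaction.h carries no comment saying why the padding word exists only on sparc64, and the NEWS entry that explains the ABI break is in a different file that readers of this public header will not see. Suggest `/* Only the sparc64 ABI has a reserved word before sa_flags; sparc32 must not (BZ #18694).  */` directly above the `#if`. The 32-bit layout is inferred here from this commit's NEWS text ("fixed to match 2.19 and older"), so confirm it against the kernel's sparc uapi definition before wording the comment that strongly. The `#include <bits/wordsize.h>` sits after the direct-inclusion `#error` guard, which keeps the include-only-via-signal.h contract intact.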