
r6662 - in glibc-package/branches/glibc-branch-jessie/debian: . patches



Author: aurel32
Date: 2015-10-19 11:26:14 +0000 (Mon, 19 Oct 2015)
New Revision: 6662

Modified:
   glibc-package/branches/glibc-branch-jessie/debian/changelog
   glibc-package/branches/glibc-branch-jessie/debian/patches/git-updates.diff
Log:
  - Fix buffer overflow (read past end of buffer) in internal_fnmatch.
  - Fix _IO_wstr_overflow integer overflow.
  - Fix unexpected closing of nss_files databases after lookups, 
    causing denial of service (CVE-2014-8121).  Closes: #779587.

Modified: glibc-package/branches/glibc-branch-jessie/debian/changelog
===================================================================
--- glibc-package/branches/glibc-branch-jessie/debian/changelog	2015-10-19 11:18:09 UTC (rev 6661)
+++ glibc-package/branches/glibc-branch-jessie/debian/changelog	2015-10-19 11:26:14 UTC (rev 6662)
@@ -6,6 +6,10 @@
       Closes: #798515.
     - Fix data corruption while reading the NSS files database
       (CVE-2015-5277).  Closes: #799966.
+    - Fix buffer overflow (read past end of buffer) in internal_fnmatch.
+    - Fix  _IO_wstr_overflow integer overflow.
+    - Fix unexpected closing of nss_files databases after lookups, 
+      causing denial of service (CVE-2014-8121).  Closes: #779587.
   * patches/any/cvs-ld_pointer_guard.diff: new patch from upstream to
     unconditionally disable LD_POINTER_GUARD.  Closes: #798316, #801691.
   * patches/any/cvs-mangle-tls_dtor_list.diff: new patch from upstream to

Modified: glibc-package/branches/glibc-branch-jessie/debian/patches/git-updates.diff
===================================================================
--- glibc-package/branches/glibc-branch-jessie/debian/patches/git-updates.diff	2015-10-19 11:18:09 UTC (rev 6661)
+++ glibc-package/branches/glibc-branch-jessie/debian/patches/git-updates.diff	2015-10-19 11:26:14 UTC (rev 6662)
@@ -1,10 +1,30 @@
 GIT update of git://sourceware.org/git/glibc.git/release/2.19/master from glibc-2.19
 
 diff --git a/ChangeLog b/ChangeLog
-index 81c393a..815acf0 100644
+index 81c393a..a7207b1 100644
 --- a/ChangeLog
 +++ b/ChangeLog
-@@ -1,3 +1,364 @@
+@@ -1,3 +1,384 @@
++2015-04-29  Florian Weimer  <fweimer@redhat.com>
++
++	[BZ #18007]
++	* nss/nss_files/files-XXX.c (CONCAT): Always enable stayopen.
++	(CVE-2014-8121)
++	* nss/tst-nss-getpwent.c: New file.
++	* nss/Makefile (tests): Add new test.
++
++2015-02-22  Paul Pluzhnikov  <ppluzhnikov@google.com>
++
++	[BZ #17269]
++	* libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow
++	(enlarge_userbuf): Likewise.
++
++2015-02-26  Andreas Schwab  <schwab@suse.de>
++
++	[BZ #18032]
++	* posix/fnmatch_loop.c (FCT): Remove extra increment when skipping
++	over collating symbol inside a bracket expression.  Minor cleanup.
++
 +2014-06-23  Andreas Schwab  <schwab@suse.de>
 +
 +	[BZ #17079]
@@ -370,10 +390,10 @@
  
  	[BZ #16529]
 diff --git a/NEWS b/NEWS
-index 98b479e..ed33f47 100644
+index 98b479e..e00543f 100644
 --- a/NEWS
 +++ b/NEWS
-@@ -5,6 +5,59 @@ See the end for copying conditions.
+@@ -5,6 +5,64 @@ See the end for copying conditions.
  Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
  using `glibc' in the "product" field.
  
@@ -383,7 +403,7 @@
 +
 +  15946, 16545, 16574, 16623, 16657, 16695, 16743, 16878, 16882, 16885,
 +  16916, 16932, 16943, 16958, 17048, 17069, 17079, 17137, 17153, 17213,
-+  17263, 17325, 17555, 18287.
++  17263, 17269, 17325, 17555, 18007, 18032, 18287.
 +
 +* A buffer overflow in gethostbyname_r and related functions performing DNS
 +  requests has been fixed.  If the NSS functions were called with a
@@ -429,6 +449,11 @@
 +  IBM937, IBM939, IBM1364 could result in an out-of-bounds array read,
 +  resulting a denial-of-service security vulnerability in applications which
 +  use functions related to iconv. (CVE-2014-6040)
++
++* CVE-2014-8121 The NSS files backend would reset the file pointer used by
++  the get*ent functions if any of the query functions for the same database
++  are used during the iteration, causing a denial-of-service condition in
++  some applications.
 +
  Version 2.19
  
@@ -866,6 +891,33 @@
    attribute_hidden;
  
  libresolv_hidden_proto (_sethtent)
+diff --git a/libio/wstrops.c b/libio/wstrops.c
+index 399a377..9218d4a 100644
+--- a/libio/wstrops.c
++++ b/libio/wstrops.c
+@@ -95,8 +95,11 @@ _IO_wstr_overflow (fp, c)
+ 	  wchar_t *old_buf = fp->_wide_data->_IO_buf_base;
+ 	  size_t old_wblen = _IO_wblen (fp);
+ 	  _IO_size_t new_size = 2 * old_wblen + 100;
+-	  if (new_size < old_wblen)
++
++	  if (__glibc_unlikely (new_size < old_wblen)
++	      || __glibc_unlikely (new_size > SIZE_MAX / sizeof (wchar_t)))
+ 	    return EOF;
++
+ 	  new_buf
+ 	    = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
+ 									* sizeof (wchar_t));
+@@ -186,6 +189,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
+     return 1;
+ 
+   _IO_size_t newsize = offset + 100;
++  if (__glibc_unlikely (newsize > SIZE_MAX / sizeof (wchar_t)))
++    return 1;
++
+   wchar_t *oldbuf = wd->_IO_buf_base;
+   wchar_t *newbuf
+     = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize
 diff --git a/locale/findlocale.c b/locale/findlocale.c
 index 0c42b99..faeee61 100644
 --- a/locale/findlocale.c
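Review bot: The two new guards at `new_size > SIZE_MAX / sizeof (wchar_t)` and `newsize > SIZE_MAX / sizeof (wchar_t)` carry no comment saying what they protect, so a later reader has to reconstruct that the `new_size * sizeof (wchar_t)` handed to `_allocate_buffer` on the following lines is the wrap being prevented. A one-line comment above each, `/* The allocator is handed new_size * sizeof (wchar_t); refuse sizes that would wrap.  */`, would make that explicit. In enlarge_userbuf the guard covers only the multiplication; whether `offset + 100` (an `_IO_off64_t` addition) can itself wrap depends on the condition behind the `return 1` just above, which is outside the hunk. Both enclosing functions start and end outside the hunk.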
@@ -1741,10 +1793,32 @@
  		  }
  
  	      enum nss_status (*endfct) (struct __netgrent *);
+diff --git a/nss/Makefile b/nss/Makefile
+index c8880c0..3f9d2d0 100644
+--- a/nss/Makefile
++++ b/nss/Makefile
+@@ -37,7 +37,7 @@ install-bin             := getent makedb
+ makedb-modules = xmalloc hash-string
+ extra-objs		+= $(makedb-modules:=.o)
+ 
+-tests			= test-netdb tst-nss-test1 test-digits-dots
++tests			= test-netdb tst-nss-test1 test-digits-dots tst-nss-getpwent
+ xtests			= bug-erange
+ 
+ include ../Makeconfig
 diff --git a/nss/nss_files/files-XXX.c b/nss/nss_files/files-XXX.c
-index 36242f9..d4cd95e 100644
+index 36242f9..3b90f7e 100644
 --- a/nss/nss_files/files-XXX.c
 +++ b/nss/nss_files/files-XXX.c
+@@ -134,7 +134,7 @@ CONCAT(_nss_files_set,ENTNAME) (int stayopen)
+ 
+   __libc_lock_lock (lock);
+ 
+-  status = internal_setent (stayopen);
++  status = internal_setent (1);
+ 
+   if (status == NSS_STATUS_SUCCESS && fgetpos (stream, &position) < 0)
+     {
 @@ -198,10 +198,12 @@ get_contents (char *linebuf, size_t len, FILE *stream)
      {
        int curlen = ((remaining_len > (size_t) INT_MAX) ? INT_MAX
@@ -1772,6 +1846,130 @@
      }
    else
      {
+diff --git a/nss/tst-nss-getpwent.c b/nss/tst-nss-getpwent.c
+new file mode 100644
+index 0000000..f2e8abc
+--- /dev/null
++++ b/nss/tst-nss-getpwent.c
+@@ -0,0 +1,118 @@
++/* Copyright (C) 2015 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#include <pwd.h>
++#include <stdbool.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++
++int
++do_test (void)
++{
++  /* Count the number of entries in the password database, and fetch
++     data from the first and last entries.  */
++  size_t count = 0;
++  struct passwd * pw;
++  char *first_name = NULL;
++  uid_t first_uid = 0;
++  char *last_name = NULL;
++  uid_t last_uid = 0;
++  setpwent ();
++  while ((pw  = getpwent ()) != NULL)
++    {
++      if (first_name == NULL)
++	{
++	  first_name = strdup (pw->pw_name);
++	  if (first_name == NULL)
++	    {
++	      printf ("strdup: %m\n");
++	      return 1;
++	    }
++	  first_uid = pw->pw_uid;
++	}
++
++      free (last_name);
++      last_name = strdup (pw->pw_name);
++      if (last_name == NULL)
++	{
++	  printf ("strdup: %m\n");
++	  return 1;
++	}
++      last_uid = pw->pw_uid;
++      ++count;
++    }
++  endpwent ();
++
++  if (count == 0)
++    {
++      printf ("No entries in the password database.\n");
++      return 0;
++    }
++
++  /* Try again, this time interleaving with name-based and UID-based
++     lookup operations.  The counts do not match if the interleaved
++     lookups affected the enumeration.  */
++  size_t new_count = 0;
++  setpwent ();
++  while ((pw  = getpwent ()) != NULL)
++    {
++      if (new_count == count)
++	{
++	  printf ("Additional entry in the password database.\n");
++	  return 1;
++	}
++      ++new_count;
++      struct passwd *pw2 = getpwnam (first_name);
++      if (pw2 == NULL)
++	{
++	  printf ("getpwnam (%s) failed: %m\n", first_name);
++	  return 1;
++	}
++      pw2 = getpwnam (last_name);
++      if (pw2 == NULL)
++	{
++	  printf ("getpwnam (%s) failed: %m\n", last_name);
++	  return 1;
++	}
++      pw2 = getpwuid (first_uid);
++      if (pw2 == NULL)
++	{
++	  printf ("getpwuid (%llu) failed: %m\n",
++		  (unsigned long long) first_uid);
++	  return 1;
++	}
++      pw2 = getpwuid (last_uid);
++      if (pw2 == NULL)
++	{
++	  printf ("getpwuid (%llu) failed: %m\n",
++		  (unsigned long long) last_uid);
++	  return 1;
++	}
++    }
++  endpwent ();
++  if (new_count < count)
++    {
++      printf ("Missing entry in the password database.\n");
++      return 1;
++    }
++
++  return 0;
++}
++
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
 diff --git a/po/eo.po b/po/eo.po
 index d01582d..f6ea766 100644
 --- a/po/eo.po
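Review bot: `first_name` and `last_name` are never freed: the final `return 0;` and every `return 1;` leave both `strdup` results allocated, which makes the test noisy under a leak checker even though the process exits right after. Adding `free (first_name); free (last_name);` before the final `return 0;` covers the normal path; the error paths could route through the same two lines via a single cleanup label. Separately, the `count == 0` branch returns 0, so an empty password database passes the test without exercising the regression; a comment there such as `/* Nothing to enumerate; the interleaving check is skipped.  */` would make the silent pass look deliberate rather than accidental.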
@@ -2060,6 +2258,27 @@
 +  regcomp (&r, "[a]\\|[a]\\{-2,}", 0);
 +  regfree (&r);
 +}
+diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
+index f79d051..f11d0f1 100644
+--- a/posix/fnmatch_loop.c
++++ b/posix/fnmatch_loop.c
+@@ -951,14 +951,13 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
+ 		  }
+ 		else if (c == L('[') && *p == L('.'))
+ 		  {
+-		    ++p;
+ 		    while (1)
+ 		      {
+ 			c = *++p;
+-			if (c == '\0')
++			if (c == L('\0'))
+ 			  return FNM_NOMATCH;
+ 
+-			if (*p == L('.') && p[1] == L(']'))
++			if (c == L('.') && p[1] == L(']'))
+ 			  break;
+ 		      }
+ 		    p += 2;
 diff --git a/posix/regcomp.c b/posix/regcomp.c
 index 921d0f4..076eca3 100644
 --- a/posix/regcomp.c
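Review bot: The scanning loop after `else if (c == L('[') && *p == L('.'))` still has no comment, and after this change the order of `c = *++p` followed by the `c == L('\0')` test before `p[1]` is consulted is the whole point of the fix, so it deserves one: `/* Skip the collating symbol up to its closing ".]"; stop at NUL so the scan never runs past the pattern (BZ #18032).  */`. With `c == L('\0')` ruled out, `p[1]` can at most read the terminator, so the remaining accesses stay in bounds. FCT begins and ends outside the hunk.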

