Bug#802371: wheezy-pu: package eglibc/2.13-38+deb7u9
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu
Dear oldstable release team,
I would like to update the eglibc package in wheezy to fix the known
security issues for which a patch is available. The changes match
the security bugs opened by the security team; their severity wasn't
high enough to warrant a DSA.
You'll find the corresponding diff against the current version in
wheezy below.
Thanks,
Aurelien
Index: debian/patches/any/cvs-CVE-2014-8121.diff
===================================================================
--- debian/patches/any/cvs-CVE-2014-8121.diff (révision 0)
+++ debian/patches/any/cvs-CVE-2014-8121.diff (révision 6665)
@@ -0,0 +1,17 @@
+2015-04-29 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #18007]
+ * nss/nss_files/files-XXX.c (CONCAT): Always enable stayopen.
+ (CVE-2014-8121)
+
+--- a/nss/nss_files/files-XXX.c
++++ b/nss/nss_files/files-XXX.c
+@@ -134,7 +134,7 @@ CONCAT(_nss_files_set,ENTNAME) (int stayopen)
+
+ __libc_lock_lock (lock);
+
+- status = internal_setent (stayopen);
++ status = internal_setent (1);
+
+ if (status == NSS_STATUS_SUCCESS && fgetpos (stream, &position) < 0)
+ {
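Review bot: The `stayopen` argument is now silently ignored at `status = internal_setent (1);`, and nothing at the call site says why. A comment such as `/* Always keep the stream open so that a lookup cannot close it in the middle of an enumeration (BZ #18007). */` above that line would stop a later cleanup from passing the parameter through again. The function body continues outside the hunk. Other callers of `internal_setent` in this file are not visible here; any that still pass 0 would keep the old behaviour, so it is worth confirming against the upstream change that this single hunk is the whole fix.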
Index: debian/patches/any/cvs-CVE-2015-1781.diff
===================================================================
--- debian/patches/any/cvs-CVE-2015-1781.diff (révision 0)
+++ debian/patches/any/cvs-CVE-2015-1781.diff (révision 6665)
@@ -0,0 +1,18 @@
+2015-04-21 Arjun Shankar <arjun.is@lostca.se>
+
+ [BZ #18287]
+ * resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length
+ based on padding. (CVE-2015-1781)
+
+--- a/resolv/nss_dns/dns-host.c
++++ b/resolv/nss_dns/dns-host.c
+@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
+ int have_to_map = 0;
+ uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
+ buffer += pad;
+- if (__builtin_expect (buflen < sizeof (struct host_data) + pad, 0))
++ buflen = buflen > pad ? buflen - pad : 0;
++ if (__builtin_expect (buflen < sizeof (struct host_data), 0))
+ {
+ /* The buffer is too small. */
+ too_small:
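Review bot: After `buflen = buflen > pad ? buflen - pad : 0;` the variable means the space left once `buffer` has been aligned, but no comment records that, and the rest of getanswer_r (outside the hunk) presumably relies on it. A comment like `/* From here on buflen counts only the bytes after the alignment padding. */` would make the invariant explicit. Separately, `buffer += pad;` still runs before the size check, so when `buflen` is smaller than `pad` the pointer is formed beyond the caller's buffer before the too_small branch is taken. Nothing visible dereferences it, but applying the adjustment only after the check passes would avoid forming that pointer at all.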
Index: debian/patches/any/cvs-_IO_wstr_overflow.diff
===================================================================
--- debian/patches/any/cvs-_IO_wstr_overflow.diff (révision 0)
+++ debian/patches/any/cvs-_IO_wstr_overflow.diff (révision 6665)
@@ -0,0 +1,31 @@
+2015-02-22 Paul Pluzhnikov <ppluzhnikov@google.com>
+
+ [BZ #17269]
+ * libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow
+ (enlarge_userbuf): Likewise.
+
+--- a/libio/wstrops.c
++++ b/libio/wstrops.c
+@@ -96,8 +96,11 @@ _IO_wstr_overflow (fp, c)
+ wchar_t *old_buf = fp->_wide_data->_IO_buf_base;
+ size_t old_wblen = _IO_wblen (fp);
+ _IO_size_t new_size = 2 * old_wblen + 100;
+- if (new_size < old_wblen)
++
++ if (__builtin_expect ((new_size < old_wblen), 0)
++ || __builtin_expect ((new_size > SIZE_MAX / sizeof (wchar_t)), 0))
+ return EOF;
++
+ new_buf
+ = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
+ * sizeof (wchar_t));
+@@ -187,6 +190,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
+ return 1;
+
+ _IO_size_t newsize = offset + 100;
++ if (__builtin_expect ((newsize > SIZE_MAX / sizeof (wchar_t)), 0))
++ return 1;
++
+ wchar_t *oldbuf = wd->_IO_buf_base;
+ wchar_t *newbuf
+ = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize
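Review bot: In enlarge_userbuf the new bound is applied only after `offset + 100` has been computed and stored into `_IO_size_t newsize`. `offset` is an `_IO_off64_t`, so on a target where `_IO_size_t` is narrower a very large offset could already have been truncated to a small `newsize` that passes the check. Earlier checks in the function are outside the hunk and may already bound `offset`; if they do not, bounding it before the addition would close the gap, e.g. `if (offset > (_IO_off64_t) (SIZE_MAX / sizeof (wchar_t)) - 100) return 1;`. Both `_IO_wstr_overflow` and `enlarge_userbuf` continue outside the hunk.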
Index: debian/patches/any/cvs-fnmatch-overflow.diff
===================================================================
--- debian/patches/any/cvs-fnmatch-overflow.diff (révision 0)
+++ debian/patches/any/cvs-fnmatch-overflow.diff (révision 6665)
@@ -0,0 +1,27 @@
+2015-02-26 Andreas Schwab <schwab@suse.de>
+
+ [BZ #18032]
+ * posix/fnmatch_loop.c (FCT): Remove extra increment when skipping
+ over collating symbol inside a bracket expression. Minor cleanup.
+
+diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
+index f79d051..f11d0f1 100644
+--- a/posix/fnmatch_loop.c
++++ b/posix/fnmatch_loop.c
+@@ -951,14 +951,13 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
+ }
+ else if (c == L('[') && *p == L('.'))
+ {
+- ++p;
+ while (1)
+ {
+ c = *++p;
+- if (c == '\0')
++ if (c == L('\0'))
+ return FNM_NOMATCH;
+
+- if (*p == L('.') && p[1] == L(']'))
++ if (c == L('.') && p[1] == L(']'))
+ break;
+ }
+ p += 2;
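Review bot: The loop that skips a collating symbol depends on `p` still pointing at the `.` when it is entered, which is what the removed `++p` violated, yet the new code carries no comment recording that. Something like `/* p is at the '.' of "[."; advance one character at a time so the terminator is always examined. */` above `while (1)` would keep the extra increment from being reintroduced. The patch also brings no regression test; a pattern whose collating symbol is never closed would pin the `FNM_NOMATCH` return. FCT continues outside the hunk.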
Index: debian/patches/any/cvs-ld_pointer_guard.diff
===================================================================
--- debian/patches/any/cvs-ld_pointer_guard.diff (révision 0)
+++ debian/patches/any/cvs-ld_pointer_guard.diff (révision 6665)
@@ -0,0 +1,62 @@
+2015-10-15 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #18928]
+ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+ _dl_pointer_guard member.
+ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+ initializer.
+ (security_init): Always set up pointer guard.
+ (process_envvars): Do not process LD_POINTER_GUARD.
+
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -162,7 +162,6 @@
+ ._dl_hwcap_mask = HWCAP_IMPORTANT,
+ ._dl_lazy = 1,
+ ._dl_fpu_control = _FPU_DEFAULT,
+- ._dl_pointer_guard = 1,
+
+ /* Function pointers. */
+ ._dl_debug_printf = _dl_debug_printf,
+@@ -857,15 +856,12 @@
+ #endif
+
+ /* Set up the pointer guard as well, if necessary. */
+- if (GLRO(dl_pointer_guard))
+- {
+- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
+- stack_chk_guard);
++ uintptr_t pointer_chk_guard
++ = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
+ #ifdef THREAD_SET_POINTER_GUARD
+- THREAD_SET_POINTER_GUARD (pointer_chk_guard);
++ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+ #endif
+- __pointer_chk_guard_local = pointer_chk_guard;
+- }
++ __pointer_chk_guard_local = pointer_chk_guard;
+
+ /* We do not need the _dl_random value anymore. The less
+ information we leave behind, the better, so clear the
+@@ -2607,9 +2603,6 @@
+ GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
+ break;
+ }
+-
+- if (memcmp (envline, "POINTER_GUARD", 13) == 0)
+- GLRO(dl_pointer_guard) = envline[14] != '0';
+ break;
+
+ case 14:
+--- a/sysdeps/generic/ldsodefs.h
++++ b/sysdeps/generic/ldsodefs.h
+@@ -591,9 +591,6 @@
+ /* List of auditing interfaces. */
+ struct audit_ifaces *_dl_audit;
+ unsigned int _dl_naudit;
+-
+- /* 0 if internal pointer values should not be guarded, 1 if they should. */
+- EXTERN int _dl_pointer_guard;
+ };
+ # define __rtld_global_attribute__
+ # ifdef IS_IN_rtld
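Review bot: The comment kept as context above the now unconditional setup in security_init still reads `/* Set up the pointer guard as well, if necessary. */`; with the `GLRO(dl_pointer_guard)` test removed there is no condition left, so it should become `/* Set up the pointer guard as well. */`. In process_envvars, where the `POINTER_GUARD` comparison was removed, a one-line comment that LD_POINTER_GUARD is deliberately ignored would explain why the variable has no effect. The debian/changelog wording "unconditionally disable LD_POINTER_GUARD" can be read as turning the guard off; what the patch removes is the environment variable's ability to disable it. Both rtld.c functions extend outside the hunks shown.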
Index: debian/patches/series
===================================================================
--- debian/patches/series (révision 6366)
+++ debian/patches/series (copie de travail)
@@ -403,3 +403,8 @@
any/cvs-posix_spawn_file_actions_addopen.diff
any/cvs-getnetbyname.diff
any/cvs-getaddrinfo-idn.diff
+any/cvs-CVE-2015-1781.diff
+any/cvs-CVE-2014-8121.diff
+any/cvs-fnmatch-overflow.diff
+any/cvs-_IO_wstr_overflow.diff
+any/cvs-ld_pointer_guard.diff
Index: debian/changelog
===================================================================
--- debian/changelog (révision 6366)
+++ debian/changelog (copie de travail)
@@ -1,3 +1,19 @@
+eglibc (2.13-38+deb7u9) wheezy; urgency=medium
+
+ * patches/any/cvs-CVE-2015-1781.diff: new patch from upstream to fix
+ a buffer overflow in getanswer_r (CVE-2015-1781). Closes: #796105.
+ * patches/any/cvs-fnmatch-overflow.diff: new patch from upstream to fix
+ a buffer overflow (read past end of buffer) in internal_fnmatch.
+ * patches/any/cvs-_IO_wstr_overflow.diff: new patch from upstream to fix
+ an integer overlow in IO_wstr_overflow.
+ * patches/any/cvs-CVE-2014-8121.diff: new patch from upstream to fix
+ an unexpected closing of nss_files databases after lookups, causing
+ denial of service (CVE-2014-8121). Closes: #779587.
+ * patches/any/cvs-ld_pointer_guard.diff: new patch from upstream to
+ unconditionally disable LD_POINTER_GUARD. Closes: #798316, #801691.
+
+ -- Aurelien Jarno <aurel32@debian.org> Mon, 19 Oct 2015 20:49:40 +0200
+
eglibc (2.13-38+deb7u8) wheezy-security; urgency=medium
* debian/patches/any/cvs-wscanf.diff: new patch from upstream to fix a
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.1.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)