
Bug#802371: wheezy-pu: package eglibc/2.13-38+deb7u9



Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Dear oldstable release team,

I would like to update the eglibc package in wheezy to fix the known
security issues for which an upstream patch is available. The changes
correspond to the security bugs opened by the security team; their
severity was not considered high enough to warrant a DSA.

You'll find the corresponding diff against the current version in 
wheezy below.

Thanks,
Aurelien


Index: debian/patches/any/cvs-CVE-2014-8121.diff
===================================================================
--- debian/patches/any/cvs-CVE-2014-8121.diff	(révision 0)
+++ debian/patches/any/cvs-CVE-2014-8121.diff	(révision 6665)
@@ -0,0 +1,17 @@
+2015-04-29  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #18007]
+	* nss/nss_files/files-XXX.c (CONCAT): Always enable stayopen.
+	(CVE-2014-8121)
+
+--- a/nss/nss_files/files-XXX.c
++++ b/nss/nss_files/files-XXX.c
+@@ -134,7 +134,7 @@ CONCAT(_nss_files_set,ENTNAME) (int stayopen)
+ 
+   __libc_lock_lock (lock);
+ 
+-  status = internal_setent (stayopen);
++  status = internal_setent (1);
+ 
+   if (status == NSS_STATUS_SUCCESS && fgetpos (stream, &position) < 0)
+     {
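Review bot: The changed line `status = internal_setent (1);` discards the caller's stayopen argument without saying why, so the parameter of `CONCAT(_nss_files_set,ENTNAME) (int stayopen)` now looks unused by accident. A one-line comment would make the intent explicit, e.g. `/* Ignore the caller's stayopen and always keep the database open; closing it after a lookup is what BZ #18007 / CVE-2014-8121 is about.  */`. That rationale comes from the ChangeLog entry and the package changelog ("unexpected closing of nss_files databases after lookups"), not from the hunk itself, so adjust the wording if upstream's bug report states it differently. The enclosing set function begins before and ends after the hunk.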
Index: debian/patches/any/cvs-CVE-2015-1781.diff
===================================================================
--- debian/patches/any/cvs-CVE-2015-1781.diff	(révision 0)
+++ debian/patches/any/cvs-CVE-2015-1781.diff	(révision 6665)
@@ -0,0 +1,18 @@
+2015-04-21  Arjun Shankar  <arjun.is@lostca.se>
+
+	[BZ #18287]
+	* resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length
+	based on padding.  (CVE-2015-1781)
+
+--- a/resolv/nss_dns/dns-host.c
++++ b/resolv/nss_dns/dns-host.c
+@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
+   int have_to_map = 0;
+   uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
+   buffer += pad;
+-  if (__builtin_expect (buflen < sizeof (struct host_data) + pad, 0))
++  buflen = buflen > pad ? buflen - pad : 0;
++  if (__builtin_expect (buflen < sizeof (struct host_data), 0))
+     {
+       /* The buffer is too small.  */
+     too_small:
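Review bot: `buffer += pad;` still runs before the new `buflen = buflen > pad ? buflen - pad : 0;` line, so when the caller's buffer is shorter than the alignment padding the pointer is advanced past the end of the object before the too-small check rejects it. The length is clamped to 0 so nothing is accessed, but forming the out-of-bounds pointer is undefined behaviour on paper and easy to avoid: keep the clamp and the `buflen < sizeof (struct host_data)` test where they are and move `buffer += pad;` to just after the closing brace of the too-small block, which appears to return (its end is outside the hunk, so confirm). The type of buflen is not visible in the truncated signature; if it is `size_t`, as the unsigned comparison with the `uintptr_t` pad assumes, the clamp is correct, otherwise a signed/unsigned mix would deserve a second look. getanswer_r starts before and continues past the hunk.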
Index: debian/patches/any/cvs-_IO_wstr_overflow.diff
===================================================================
--- debian/patches/any/cvs-_IO_wstr_overflow.diff	(révision 0)
+++ debian/patches/any/cvs-_IO_wstr_overflow.diff	(révision 6665)
@@ -0,0 +1,31 @@
+2015-02-22  Paul Pluzhnikov  <ppluzhnikov@google.com>
+
+	[BZ #17269]
+	* libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow
+	(enlarge_userbuf): Likewise.
+
+--- a/libio/wstrops.c
++++ b/libio/wstrops.c
+@@ -96,8 +96,11 @@ _IO_wstr_overflow (fp, c)
+ 	  wchar_t *old_buf = fp->_wide_data->_IO_buf_base;
+ 	  size_t old_wblen = _IO_wblen (fp);
+ 	  _IO_size_t new_size = 2 * old_wblen + 100;
+-	  if (new_size < old_wblen)
++
++	  if (__builtin_expect ((new_size < old_wblen), 0)
++	      || __builtin_expect ((new_size > SIZE_MAX / sizeof (wchar_t)), 0))
+ 	    return EOF;
++
+ 	  new_buf
+ 	    = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
+ 									* sizeof (wchar_t));
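Review bot: The two conditions on the new guard protect different operations and the second is not obvious from the hunk alone: `new_size < old_wblen` catches wrap-around in `2 * old_wblen + 100`, while `new_size > SIZE_MAX / sizeof (wchar_t)` catches overflow in the `new_size * sizeof (wchar_t)` multiplication passed to `_allocate_buffer` just below. A comment such as `/* Reject wrap-around in the doubling above and in the byte-size multiplication below.  */` on the guard would save the next reader the derivation. _IO_wstr_overflow starts before and ends after the hunk.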
+@@ -187,6 +190,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
+     return 1;
+ 
+   _IO_size_t newsize = offset + 100;
++  if (__builtin_expect ((newsize > SIZE_MAX / sizeof (wchar_t)), 0))
++    return 1;
++
+   wchar_t *oldbuf = wd->_IO_buf_base;
+   wchar_t *newbuf
+     = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize
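Review bot: The new guard tests newsize only after `_IO_size_t newsize = offset + 100;` has computed the sum in the signed `_IO_off64_t` and converted it, so it does not cover a signed overflow of `offset + 100` near that type's maximum, and on targets where `_IO_size_t` is 32-bit the conversion truncates before the comparison, which could let a large 64-bit offset through as a small newsize. Whether a caller can reach this line with such an offset depends on checks earlier in enlarge_userbuf that are outside the hunk, so treat this as hardening: test in the wider type first, `if (offset < 0 || (unsigned long long) offset > SIZE_MAX / sizeof (wchar_t) - 100) return 1;`, and only then assign `_IO_size_t newsize = offset + 100;`. The function ends outside the hunk.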
Index: debian/patches/any/cvs-fnmatch-overflow.diff
===================================================================
--- debian/patches/any/cvs-fnmatch-overflow.diff	(révision 0)
+++ debian/patches/any/cvs-fnmatch-overflow.diff	(révision 6665)
@@ -0,0 +1,27 @@
+2015-02-26  Andreas Schwab  <schwab@suse.de>
+
+	[BZ #18032]
+	* posix/fnmatch_loop.c (FCT): Remove extra increment when skipping
+	over collating symbol inside a bracket expression.  Minor cleanup.
+
+diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
+index f79d051..f11d0f1 100644
+--- a/posix/fnmatch_loop.c
++++ b/posix/fnmatch_loop.c
+@@ -951,14 +951,13 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
+ 		  }
+ 		else if (c == L('[') && *p == L('.'))
+ 		  {
+-		    ++p;
+ 		    while (1)
+ 		      {
+ 			c = *++p;
+-			if (c == '\0')
++			if (c == L('\0'))
+ 			  return FNM_NOMATCH;
+ 
+-			if (*p == L('.') && p[1] == L(']'))
++			if (c == L('.') && p[1] == L(']'))
+ 			  break;
+ 		      }
+ 		    p += 2;
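Review bot: The rewritten loop has no comment saying what it skips, and its termination argument is subtle: `c = *++p` reads one character per iteration, the `c == L('\0')` test stops the scan at the pattern's terminator, and `p[1]` is read only after `c == L('.')`, so the scan never steps past the NUL. A short comment above `while (1)`, e.g. `/* Skip a collating symbol "[.sym.]"; stop at the pattern's NUL rather than run past it.  */`, would record that the removed `++p` was what allowed the scan to step over the terminator. The change from `'\0'` to `L('\0')` is the same value either way but is the right spelling for the wide-character build of this file. FCT begins before and ends after the hunk.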
Index: debian/patches/any/cvs-ld_pointer_guard.diff
===================================================================
--- debian/patches/any/cvs-ld_pointer_guard.diff	(révision 0)
+++ debian/patches/any/cvs-ld_pointer_guard.diff	(révision 6665)
@@ -0,0 +1,62 @@
+2015-10-15  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #18928]
+	* sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+	_dl_pointer_guard member.
+	* elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+	initializer.
+	(security_init): Always set up pointer guard.
+	(process_envvars): Do not process LD_POINTER_GUARD.
+
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -162,7 +162,6 @@
+     ._dl_hwcap_mask = HWCAP_IMPORTANT,
+     ._dl_lazy = 1,
+     ._dl_fpu_control = _FPU_DEFAULT,
+-    ._dl_pointer_guard = 1,
+ 
+     /* Function pointers.  */
+     ._dl_debug_printf = _dl_debug_printf,
+@@ -857,15 +856,12 @@
+ #endif
+ 
+   /* Set up the pointer guard as well, if necessary.  */
+-  if (GLRO(dl_pointer_guard))
+-    {
+-      uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
+-							     stack_chk_guard);
++  uintptr_t pointer_chk_guard
++    = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
+ #ifdef THREAD_SET_POINTER_GUARD
+-      THREAD_SET_POINTER_GUARD (pointer_chk_guard);
++  THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+ #endif
+-      __pointer_chk_guard_local = pointer_chk_guard;
+-    }
++  __pointer_chk_guard_local = pointer_chk_guard;
+ 
+   /* We do not need the _dl_random value anymore.  The less
+      information we leave behind, the better, so clear the
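Review bot: The context comment `/* Set up the pointer guard as well, if necessary.  */` is now stale, because the new lines call `_dl_setup_pointer_guard` unconditionally and the `GLRO(dl_pointer_guard)` test is gone; change it to `/* Always set up the pointer guard; LD_POINTER_GUARD is ignored (BZ #18928).  */`. Dropping that test goes together with removing the `_dl_pointer_guard` member from `struct rtld_global_ro` in the ldsodefs.h hunk below, a structure shared between ld.so and libc.so; it was the last member, so earlier offsets are unchanged, but the two objects must still be upgraded together, which this package presumably guarantees. The changelog's "unconditionally disable LD_POINTER_GUARD" would read more clearly as "ignore LD_POINTER_GUARD and always enable the pointer guard". security_init starts before and ends after the hunk.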
+@@ -2607,9 +2603,6 @@
+ 	      GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
+ 	      break;
+ 	    }
+-
+-	  if (memcmp (envline, "POINTER_GUARD", 13) == 0)
+-	    GLRO(dl_pointer_guard) = envline[14] != '0';
+ 	  break;
+ 
+ 	case 14:
+--- a/sysdeps/generic/ldsodefs.h
++++ b/sysdeps/generic/ldsodefs.h
+@@ -591,9 +591,6 @@
+   /* List of auditing interfaces.  */
+   struct audit_ifaces *_dl_audit;
+   unsigned int _dl_naudit;
+-
+-  /* 0 if internal pointer values should not be guarded, 1 if they should.  */
+-  EXTERN int _dl_pointer_guard;
+ };
+ # define __rtld_global_attribute__
+ # ifdef IS_IN_rtld
Index: debian/patches/series
===================================================================
--- debian/patches/series	(révision 6366)
+++ debian/patches/series	(copie de travail)
@@ -403,3 +403,8 @@
 any/cvs-posix_spawn_file_actions_addopen.diff
 any/cvs-getnetbyname.diff
 any/cvs-getaddrinfo-idn.diff
+any/cvs-CVE-2015-1781.diff
+any/cvs-CVE-2014-8121.diff
+any/cvs-fnmatch-overflow.diff
+any/cvs-_IO_wstr_overflow.diff
+any/cvs-ld_pointer_guard.diff
Index: debian/changelog
===================================================================
--- debian/changelog	(révision 6366)
+++ debian/changelog	(copie de travail)
@@ -1,3 +1,19 @@
+eglibc (2.13-38+deb7u9) wheezy; urgency=medium
+
+  * patches/any/cvs-CVE-2015-1781.diff: new patch from upstream to fix
+    a buffer overflow in getanswer_r (CVE-2015-1781). Closes: #796105.
+  * patches/any/cvs-fnmatch-overflow.diff: new patch from upstream to fix
+    a buffer overflow (read past end of buffer) in internal_fnmatch.
+  * patches/any/cvs-_IO_wstr_overflow.diff: new patch from upstream to fix
+    an integer overlow in IO_wstr_overflow.
+  * patches/any/cvs-CVE-2014-8121.diff: new patch from upstream to fix
+    an unexpected closing of nss_files databases after lookups, causing
+    denial of service (CVE-2014-8121).  Closes: #779587.
+  * patches/any/cvs-ld_pointer_guard.diff: new patch from upstream to
+    unconditionally disable LD_POINTER_GUARD.  Closes: #798316, #801691.
+
+ -- Aurelien Jarno <aurel32@debian.org>  Mon, 19 Oct 2015 20:49:40 +0200
+
 eglibc (2.13-38+deb7u8) wheezy-security; urgency=medium
 
   * debian/patches/any/cvs-wscanf.diff: new patch from upstream to fix a

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

