r6826 - in glibc-package/branches/glibc-branch-jessie/debian: . patches
Author: aurel32
Date: 2015-12-20 22:20:42 +0000 (Sun, 20 Dec 2015)
New Revision: 6826
Modified:
glibc-package/branches/glibc-branch-jessie/debian/changelog
glibc-package/branches/glibc-branch-jessie/debian/patches/git-updates.diff
Log:
Update from upstream stable branch:
- Fix getaddrinfo sometimes returning uninitialized data with nscd.
Closes: #798515.
- Fix data corruption while reading the NSS files database
(CVE-2015-5277). Closes: #799966.
- Fix buffer overflow (read past end of buffer) in internal_fnmatch.
- Fix _IO_wstr_overflow integer overflow.
- Fix unexpected closing of nss_files databases after lookups,
causing denial of service (CVE-2014-8121). Closes: #779587.
- Fix NSCD netgroup cache. Closes: #800523.
Modified: glibc-package/branches/glibc-branch-jessie/debian/changelog
===================================================================
--- glibc-package/branches/glibc-branch-jessie/debian/changelog 2015-12-20 16:26:25 UTC (rev 6825)
+++ glibc-package/branches/glibc-branch-jessie/debian/changelog 2015-12-20 22:20:42 UTC (rev 6826)
@@ -10,6 +10,7 @@
- Fix _IO_wstr_overflow integer overflow.
- Fix unexpected closing of nss_files databases after lookups,
causing denial of service (CVE-2014-8121). Closes: #779587.
+ - Fix NSCD netgroup cache. Closes: #800523.
* patches/any/cvs-ld_pointer_guard.diff: new patch from upstream to
unconditionally disable LD_POINTER_GUARD. Closes: #798316, #801691.
* patches/any/cvs-mangle-tls_dtor_list.diff: new patch from upstream to
Modified: glibc-package/branches/glibc-branch-jessie/debian/patches/git-updates.diff
===================================================================
--- glibc-package/branches/glibc-branch-jessie/debian/patches/git-updates.diff 2015-12-20 16:26:25 UTC (rev 6825)
+++ glibc-package/branches/glibc-branch-jessie/debian/patches/git-updates.diff 2015-12-20 22:20:42 UTC (rev 6826)
@@ -1,10 +1,32 @@
GIT update of git://sourceware.org/git/glibc.git/release/2.19/master from glibc-2.19
diff --git a/ChangeLog b/ChangeLog
-index 81c393a..a7207b1 100644
+index 81c393a..e82ba7d 100644
--- a/ChangeLog
+++ b/ChangeLog
-@@ -1,3 +1,384 @@
+@@ -1,3 +1,406 @@
++2015-12-20 Siddhesh Poyarekar <siddhesh@redhat.com>
++
++ [BZ #16758]
++ * nscd/netgroupcache.c (addinnetgrX): Succeed if triplet has
++ blank values.
++
++ [BZ #16759]
++ * inet/getnetgrent_r.c (get_nonempty_val): New function.
++ (nscd_getnetgrent): Use it.
++
++ [BZ #16760]
++ * nscd/netgroupcache.c (addgetnetgrentX): Use memmove instead
++ of stpcpy.
++
++2015-11-24 Andreas Schwab <schwab@suse.de>
++
++ [BZ #17062]
++ * posix/fnmatch_loop.c (FCT): Rerrange loop for skipping over rest
++ of a bracket expr not to run off the end of the string.
++ * posix/Makefile (tests): Add tst-fnmatch3.
++ * posix/tst-fnmatch3.c: New file.
++
+2015-04-29 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #18007]
@@ -390,10 +412,10 @@
[BZ #16529]
diff --git a/NEWS b/NEWS
-index 98b479e..e00543f 100644
+index 98b479e..2972c4a 100644
--- a/NEWS
+++ b/NEWS
-@@ -5,6 +5,64 @@ See the end for copying conditions.
+@@ -5,6 +5,65 @@ See the end for copying conditions.
Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
using `glibc' in the "product" field.
@@ -401,9 +423,10 @@
+
+* The following bugs are resolved with this release:
+
-+ 15946, 16545, 16574, 16623, 16657, 16695, 16743, 16878, 16882, 16885,
-+ 16916, 16932, 16943, 16958, 17048, 17069, 17079, 17137, 17153, 17213,
-+ 17263, 17269, 17325, 17555, 18007, 18032, 18287.
++ 15946, 16545, 16574, 16623, 16657, 16695, 16743, 16758, 16759, 16760,
++ 16878, 16882, 16885, 16916, 16932, 16943, 16958, 17048, 17062, 17069,
++ 17079, 17137, 17153, 17213, 17263, 17269, 17325, 17555, 18007, 18032,
++ 18287.
+
+* A buffer overflow in gethostbyname_r and related functions performing DNS
+ requests has been fixed. If the NSS functions were called with a
@@ -891,6 +914,40 @@
attribute_hidden;
libresolv_hidden_proto (_sethtent)
+diff --git a/inet/getnetgrent_r.c b/inet/getnetgrent_r.c
+index 62cdfda..f6d064d 100644
+--- a/inet/getnetgrent_r.c
++++ b/inet/getnetgrent_r.c
+@@ -235,6 +235,14 @@ endnetgrent (void)
+ }
+
+ #ifdef USE_NSCD
++static const char *
++get_nonempty_val (const char *in)
++{
++ if (*in == '\0')
++ return NULL;
++ return in;
++}
++
+ static enum nss_status
+ nscd_getnetgrent (struct __netgrent *datap, char *buffer, size_t buflen,
+ int *errnop)
+@@ -243,11 +251,11 @@ nscd_getnetgrent (struct __netgrent *datap, char *buffer, size_t buflen,
+ return NSS_STATUS_UNAVAIL;
+
+ datap->type = triple_val;
+- datap->val.triple.host = datap->cursor;
++ datap->val.triple.host = get_nonempty_val (datap->cursor);
+ datap->cursor = (char *) __rawmemchr (datap->cursor, '\0') + 1;
+- datap->val.triple.user = datap->cursor;
++ datap->val.triple.user = get_nonempty_val (datap->cursor);
+ datap->cursor = (char *) __rawmemchr (datap->cursor, '\0') + 1;
+- datap->val.triple.domain = datap->cursor;
++ datap->val.triple.domain = get_nonempty_val (datap->cursor);
+ datap->cursor = (char *) __rawmemchr (datap->cursor, '\0') + 1;
+
+ return NSS_STATUS_SUCCESS;
diff --git a/libio/wstrops.c b/libio/wstrops.c
index 399a377..9218d4a 100644
--- a/libio/wstrops.c
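Review bot: The new helper `get_nonempty_val` in inet/getnetgrent_r.c has no comment saying why an empty field becomes NULL; the reason is only visible in the separate nscd/netgroupcache.c patch. I would add above it `/* nscd stores a wildcard field as an empty string; return NULL for it instead.  */`, and confirm against the callers that NULL is what they expect for a wildcard, since that part is inferred. Separately, the three `__rawmemchr` steps in nscd_getnetgrent trust the nscd reply to hold three NUL-terminated strings. The only bounds check in view is the one guarding `return NSS_STATUS_UNAVAIL`, and its condition lies outside the hunk, so it is worth confirming that it also covers a truncated reply.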
@@ -1337,6 +1394,8 @@
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
+diff --git a/manual/locale.texi b/manual/locale.texi
+index 8bfd653..ee1c3a1 100644
diff --git a/misc/sys/xattr.h b/misc/sys/xattr.h
index 929cd87..796df90 100644
--- a/misc/sys/xattr.h
@@ -1756,7 +1815,7 @@
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
-index be01fe8..084f74d 100644
+index be01fe8..c61d10b 100644
--- a/nscd/netgroupcache.c
+++ b/nscd/netgroupcache.c
@@ -202,12 +202,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
@@ -1773,9 +1832,46 @@
if (status == NSS_STATUS_SUCCESS)
{
if (data.type == triple_val)
-@@ -322,11 +317,18 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
+@@ -216,6 +211,10 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
+ const char *nuser = data.val.triple.user;
+ const char *ndomain = data.val.triple.domain;
+
++ size_t hostlen = strlen (nhost ?: "") + 1;
++ size_t userlen = strlen (nuser ?: "") + 1;
++ size_t domainlen = strlen (ndomain ?: "") + 1;
++
+ if (nhost == NULL || nuser == NULL || ndomain == NULL
+ || nhost > nuser || nuser > ndomain)
+ {
+@@ -233,9 +232,6 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
+ : last + strlen (last) + 1 - buffer);
+
+ /* We have to make temporary copies. */
+- size_t hostlen = strlen (nhost ?: "") + 1;
+- size_t userlen = strlen (nuser ?: "") + 1;
+- size_t domainlen = strlen (ndomain ?: "") + 1;
+ size_t needed = hostlen + userlen + domainlen;
+
+ if (buflen - req->key_len - bufused < needed)
+@@ -269,9 +265,12 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
}
+
+ char *wp = buffer + buffilled;
+- wp = stpcpy (wp, nhost) + 1;
+- wp = stpcpy (wp, nuser) + 1;
+- wp = stpcpy (wp, ndomain) + 1;
++ wp = memmove (wp, nhost ?: "", hostlen);
++ wp += hostlen;
++ wp = memmove (wp, nuser ?: "", userlen);
++ wp += userlen;
++ wp = memmove (wp, ndomain ?: "", domainlen);
++ wp += domainlen;
+ buffilled = wp - buffer;
+ ++nentries;
}
+@@ -322,11 +321,18 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
+ }
+ }
}
- else if (status == NSS_STATUS_UNAVAIL && e == ERANGE)
+ else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE)
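Review bot: The switch from stpcpy to memmove in addgetnetgrentX carries no comment explaining why an overlap-safe copy is needed, so a later cleanup could easily turn it back into stpcpy or mempcpy. The `nhost > nuser || nuser > ndomain` test and the "temporary copies" comment suggest the three strings can live inside `buffer` itself; if that is the case, `/* The source strings may point into BUFFER, so the copy must tolerate overlap.  */` above the first memmove would record it. The `wp = memmove (...)` assignments are also redundant because memmove returns its destination; `memmove (wp, nhost ?: "", hostlen); wp += hostlen;` reads more plainly. The function body starts and ends outside the hunk.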
@@ -1793,6 +1889,29 @@
}
enum nss_status (*endfct) (struct __netgrent *);
+@@ -560,15 +566,19 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
+ {
+ bool success = true;
+
+- if (host != NULL)
++ /* For the host, user and domain in each triplet, we assume success
++ if the value is blank because that is how the wildcard entry to
++ match anything is stored in the netgroup cache. */
++ if (host != NULL && *triplets != '\0')
+ success = strcmp (host, triplets) == 0;
+ triplets = (const char *) rawmemchr (triplets, '\0') + 1;
+
+- if (success && user != NULL)
++ if (success && user != NULL && *triplets != '\0')
+ success = strcmp (user, triplets) == 0;
+ triplets = (const char *) rawmemchr (triplets, '\0') + 1;
+
+- if (success && (domain == NULL || strcmp (domain, triplets) == 0))
++ if (success && (domain == NULL || *triplets == '\0'
++ || strcmp (domain, triplets) == 0))
+ {
+ dataset->resp.result = 1;
+ break;
diff --git a/nss/Makefile b/nss/Makefile
index c8880c0..3f9d2d0 100644
--- a/nss/Makefile
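Review bot: The blank-value wildcard rule in addinnetgrX is written in two shapes: host and user use an `x != NULL && *triplets != '\0'` guard, while domain is folded into the final condition, and the explanatory comment sits only above the host test. A helper such as `static bool field_matches (const char *want, const char *cached) { return want == NULL || *cached == '\0' || strcmp (want, cached) == 0; }` would express all three fields the same way without changing the result. Since innetgr answers may feed access decisions, the comment should also state that an empty cached field matches every queried value, so the cache writer must store an empty string only for a genuine wildcard. The enclosing loop starts outside the hunk.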
@@ -2189,7 +2308,7 @@
# endif
# endif
diff --git a/posix/Makefile b/posix/Makefile
-index 6709900..9dd5fa4 100644
+index 6709900..8f6e6b5 100644
--- a/posix/Makefile
+++ b/posix/Makefile
@@ -86,7 +86,7 @@ tests := tstgetopt testfnm runtests runptests \
@@ -2197,7 +2316,7 @@
bug-getopt1 bug-getopt2 bug-getopt3 bug-getopt4 \
bug-getopt5 tst-getopt_long1 bug-regex34 bug-regex35 \
- tst-pathconf tst-getaddrinfo4
-+ tst-pathconf tst-getaddrinfo4 bug-regex36
++ tst-pathconf tst-getaddrinfo4 bug-regex36 tst-fnmatch3
xtests := bug-ga2
ifeq (yes,$(build-shared))
test-srcs := globtest
@@ -2259,11 +2378,43 @@
+ regfree (&r);
+}
diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
-index f79d051..f11d0f1 100644
+index f79d051..733cccb 100644
--- a/posix/fnmatch_loop.c
+++ b/posix/fnmatch_loop.c
-@@ -951,14 +951,13 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
+@@ -899,11 +899,8 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
+
+ matched:
+ /* Skip the rest of the [...] that already matched. */
+- do
++ while ((c = *p++) != L (']'))
+ {
+- ignore_next:
+- c = *p++;
+-
+ if (c == L('\0'))
+ /* [... (unterminated) loses. */
+ return FNM_NOMATCH;
+@@ -931,12 +928,11 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
+
+ if (c < L('a') || c >= L('z'))
+ {
+- p = startp;
+- goto ignore_next;
++ p = startp - 2;
++ break;
+ }
+ }
+ p += 2;
+- c = *p++;
}
+ else if (c == L('[') && *p == L('='))
+ {
+@@ -947,25 +943,21 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
+ if (c != L('=') || p[1] != L(']'))
+ return FNM_NOMATCH;
+ p += 2;
+- c = *p++;
+ }
else if (c == L('[') && *p == L('.'))
{
- ++p;
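Review bot: The `p = startp - 2; break;` in the character-class branch only makes sense together with the `p += 2` that follows the inner loop, and nothing in the code says so. A comment such as `/* Not a class name: rewind so that the p += 2 below leaves P at STARTP.  */` would keep a later edit from dropping one half of the pair. The rewritten loop head `while ((c = *p++) != L (']'))` now routes every character through the `c == L('\0')` check, so any branch added here later must not advance `p` past a character it has not examined. The FCT body starts and ends outside the hunk.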
@@ -2279,6 +2430,13 @@
break;
}
p += 2;
+- c = *p++;
+ }
+ }
+- while (c != L(']'));
+ if (not)
+ return FNM_NOMATCH;
+ }
diff --git a/posix/regcomp.c b/posix/regcomp.c
index 921d0f4..076eca3 100644
--- a/posix/regcomp.c
@@ -2410,6 +2568,42 @@
int oflag;
mode_t mode;
} open_action;
+diff --git a/posix/tst-fnmatch3.c b/posix/tst-fnmatch3.c
+new file mode 100644
+index 0000000..2a83c1b
+--- /dev/null
++++ b/posix/tst-fnmatch3.c
+@@ -0,0 +1,30 @@
++/* Test for fnmatch not reading past the end of the pattern.
++ Copyright (C) 2014 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <fnmatch.h>
++
++int
++do_test (void)
++{
++ const char *pattern = "[[:alpha:]'[:alpha:]\0]";
++
++ return fnmatch (pattern, "a", 0) != FNM_NOMATCH;
++}
++
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
diff --git a/posix/tst-spawn.c b/posix/tst-spawn.c
index 84cecf2..6cd874a 100644
--- a/posix/tst-spawn.c
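Review bot: The pattern literal in do_test embeds a NUL, `"[[:alpha:]'[:alpha:]\0]"`, and nothing explains that the bytes after it are deliberate. I would add a comment above the declaration, for example `/* The pattern ends at the embedded NUL, inside the bracket expression; the ']' after it is only reachable by reading past the end.  */`. That also makes clear that the test presumably detects the over-read through fnmatch's return value rather than through a crash, so it does not depend on a memory checker.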