[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[glibc] 01/01: Update from upstream stable branch

This is an automated email from the git hooks/post-receive script.

aurel32 pushed a commit to branch jessie
in repository glibc.

commit aee812ba99f1f0d49c93e6f4a1b08b0d95147080
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sat Jan 30 12:43:26 2016 +0100

    Update from upstream stable branch
    
    - Fix an integer overflow in hcreate() and hcreate_r() (CVE-2015-8778).
      Closes: #812441.
---
 debian/changelog                |   2 +
 debian/patches/git-updates.diff | 177 +++++++++++++++++++++++++++++++++++++++-
 2 files changed, 175 insertions(+), 4 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 0931f1b..07a33a8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,8 @@ glibc (2.19-18+deb8u3) UNRELEASED; urgency=medium
   * Update from upstream stable branch:
     - Fix segmentation fault caused by passing out-of-range data to strftime()
       (CVE-2015-8776).  Closes: #812445.
+    - Fix an integer overflow in hcreate() and hcreate_r() (CVE-2015-8778).
+      Closes: #812441.
     - Fix multiple unbounded stack allocations in catopen() (CVE-2015-8779).
       Closes: #812455.
 
diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff
index ceefe46..ca3bd98 100644
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
@@ -1,10 +1,27 @@
 GIT update of git://sourceware.org/git/glibc.git/release/2.19/master from glibc-2.19
 
 diff --git a/ChangeLog b/ChangeLog
-index 81c393a..871c722 100644
+index 81c393a..e17bd64 100644
 --- a/ChangeLog
 +++ b/ChangeLog
-@@ -1,3 +1,422 @@
+@@ -1,3 +1,439 @@
++2016-01-27  Paul Eggert  <eggert@cs.ucla.edu>
++
++	[BZ #18240]
++	* misc/hsearch_r.c (isprime, __hcreate_r): Protect against
++	unsigned int wraparound.
++
++2016-01-27  Florian Weimer  <fweimer@redhat.com>
++
++	[BZ #18240]
++	* misc/bug18240.c: New test.
++	* misc/Makefile (tests): Add it.
++
++2015-08-25  Ondřej Bílka  <neleai@seznam.cz>
++
++	[BZ #18240]
++	* misc/hsearch_r.c (__hcreate_r): Handle overflow.
++
 +2015-09-26  Paul Pluzhnikov  <ppluzhnikov@google.com>
 +
 +	[BZ #18985]
@@ -428,7 +445,7 @@ index 81c393a..871c722 100644
  
  	[BZ #16529]
 diff --git a/NEWS b/NEWS
-index 98b479e..44fe916 100644
+index 98b479e..0d1952c 100644
 --- a/NEWS
 +++ b/NEWS
 @@ -5,6 +5,65 @@ See the end for copying conditions.
@@ -442,7 +459,7 @@ index 98b479e..44fe916 100644
 +  15946, 16545, 16574, 16623, 16657, 16695, 16743, 16758, 16759, 16760,
 +  16878, 16882, 16885, 16916, 16932, 16943, 16958, 17048, 17062, 17069,
 +  17079, 17137, 17153, 17213, 17263, 17269, 17325, 17555, 17905, 18007,
-+  18032, 18287, 18905.
++  18032, 18240, 18287, 18905.
 +
 +* A buffer overflow in gethostbyname_r and related functions performing DNS
 +  requests has been fixed.  If the NSS functions were called with a
@@ -1618,6 +1635,158 @@ index 0000000..e3b21a9
 +
 +#define TEST_FUNCTION do_test ()
 +#include "../test-skeleton.c"
+diff --git a/misc/Makefile b/misc/Makefile
+index b039182..ad9e921 100644
+--- a/misc/Makefile
++++ b/misc/Makefile
+@@ -76,7 +76,8 @@ install-lib := libg.a
+ gpl2lgpl := error.c error.h
+ 
+ tests := tst-dirname tst-tsearch tst-fdset tst-efgcvt tst-mntent tst-hsearch \
+-	 tst-error1 tst-pselect tst-insremque tst-mntent2 bug-hsearch1
++	 tst-error1 tst-pselect tst-insremque tst-mntent2 bug-hsearch1 \
++	 bug18240
+ ifeq ($(run-built-tests),yes)
+ tests: $(objpfx)tst-error1-mem
+ endif
+diff --git a/misc/bug18240.c b/misc/bug18240.c
+new file mode 100644
+index 0000000..4b26865
+--- /dev/null
++++ b/misc/bug18240.c
+@@ -0,0 +1,75 @@
++/* Test integer wraparound in hcreate.
++   Copyright (C) 2016 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#include <errno.h>
++#include <limits.h>
++#include <search.h>
++#include <stdbool.h>
++#include <stdio.h>
++#include <stdlib.h>
++
++static void
++test_size (size_t size)
++{
++  int res = hcreate (size);
++  if (res == 0)
++    {
++      if (errno == ENOMEM)
++        return;
++      printf ("error: hcreate (%zu): %m\n", size);
++      exit (1);
++    }
++  char *keys[100];
++  for (int i = 0; i < 100; ++i)
++    {
++      if (asprintf (keys + i, "%d", i) < 0)
++        {
++          printf ("error: asprintf: %m\n");
++          exit (1);
++        }
++      ENTRY e = { keys[i], (char *) "value" };
++      if (hsearch (e, ENTER) == NULL)
++        {
++          printf ("error: hsearch (\"%s\"): %m\n", keys[i]);
++          exit (1);
++        }
++    }
++  hdestroy ();
++
++  for (int i = 0; i < 100; ++i)
++    free (keys[i]);
++}
++
++static int
++do_test (void)
++{
++  test_size (500);
++  test_size (-1);
++  test_size (-3);
++  test_size (INT_MAX - 2);
++  test_size (INT_MAX - 1);
++  test_size (INT_MAX);
++  test_size (((unsigned) INT_MAX) + 1);
++  test_size (UINT_MAX - 2);
++  test_size (UINT_MAX - 1);
++  test_size (UINT_MAX);
++  return 0;
++}
++
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
+diff --git a/misc/hsearch_r.c b/misc/hsearch_r.c
+index 81c27d8..af55212 100644
+--- a/misc/hsearch_r.c
++++ b/misc/hsearch_r.c
+@@ -19,7 +19,7 @@
+ #include <errno.h>
+ #include <malloc.h>
+ #include <string.h>
+-
++#include <stdint.h>
+ #include <search.h>
+ 
+ /* [Aho,Sethi,Ullman] Compilers: Principles, Techniques and Tools, 1986
+@@ -46,15 +46,12 @@ static int
+ isprime (unsigned int number)
+ {
+   /* no even number will be passed */
+-  unsigned int div = 3;
+-
+-  while (div * div < number && number % div != 0)
+-    div += 2;
+-
+-  return number % div != 0;
++  for (unsigned int div = 3; div <= number / div; div += 2)
++    if (number % div == 0)
++      return 0;
++  return 1;
+ }
+ 
+-
+ /* Before using the hash table we must allocate memory for it.
+    Test for an existing table are done. We allocate one element
+    more as the found prime number says. This is done for more effective
+@@ -81,10 +78,19 @@ hcreate_r (nel, htab)
+      use will not work.  */
+   if (nel < 3)
+     nel = 3;
+-  /* Change nel to the first prime number not smaller as nel. */
+-  nel |= 1;      /* make odd */
+-  while (!isprime (nel))
+-    nel += 2;
++
++  /* Change nel to the first prime number in the range [nel, UINT_MAX - 2],
++     The '- 2' means 'nel += 2' cannot overflow.  */
++  for (nel |= 1; ; nel += 2)
++    {
++      if (UINT_MAX - 2 < nel)
++	{
++	  __set_errno (ENOMEM);
++	  return 0;
++	}
++      if (isprime (nel))
++	break;
++    }
+ 
+   htab->size = nel;
+   htab->filled = 0;
 diff --git a/misc/sys/xattr.h b/misc/sys/xattr.h
 index 929cd87..796df90 100644
 --- a/misc/sys/xattr.h

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-glibc/glibc.git
Reply to: