[glibc] 01/01: Update from upstream stable branch
This is an automated email from the git hooks/post-receive script.
aurel32 pushed a commit to branch sid
in repository glibc.
commit 6a0c9c0a8e4c94e7028cf908482e0224664db510
Author: Aurelien Jarno <aurelien@aurel32.net>
Date: Sat Jan 30 12:32:19 2016 +0100
Update from upstream stable branch
- Fix an integer overflow in hcreate() and hcreate_r() (CVE-2015-8778).
Closes: #812441.
---
debian/changelog | 4 +-
debian/patches/git-updates.diff | 169 ++++++++++++++++++++++++++++++++++++++--
2 files changed, 165 insertions(+), 8 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 22de19a..5ca2880 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
glibc (2.21-8) UNRELEASED; urgency=medium
- *
+ * Update from upstream stable branch:
+ - Fix an integer overflow in hcreate() and hcreate_r() (CVE-2015-8778).
+ Closes: #812441.
-- Aurelien Jarno <aurel32@debian.org> Sun, 24 Jan 2016 00:32:22 +0100
diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff
index f01bba3..72b1427 100644
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
@@ -1,10 +1,27 @@
GIT update of git://sourceware.org/git/glibc.git/release/2.21/master from glibc-2.21
diff --git a/ChangeLog b/ChangeLog
-index dc1ed1b..a3182f0 100644
+index dc1ed1b..a38da43 100644
--- a/ChangeLog
+++ b/ChangeLog
-@@ -1,3 +1,87 @@
+@@ -1,3 +1,104 @@
++2016-01-27 Paul Eggert <eggert@cs.ucla.edu>
++
++ [BZ #18240]
++ * misc/hsearch_r.c (isprime, __hcreate_r): Protect against
++ unsigned int wraparound.
++
++2016-01-27 Florian Weimer <fweimer@redhat.com>
++
++ [BZ #18240]
++ * misc/bug18240.c: New test.
++ * misc/Makefile (tests): Add it.
++
++2015-08-25 Ondřej Bílka <neleai@seznam.cz>
++
++ [BZ #18240]
++ * misc/hsearch_r.c (__hcreate_r): Handle overflow.
++
+2015-09-26 Paul Pluzhnikov <ppluzhnikov@google.com>
+
+ [BZ #18985]
@@ -92,7 +109,7 @@ index dc1ed1b..a3182f0 100644
2015-02-06 Carlos O'Donell <carlos@systemhalted.org>
* version.h (RELEASE): Set to "stable".
-@@ -7,6 +91,7 @@
+@@ -7,6 +108,7 @@
* sysdeps/unix/sysv/linux/hppa/pthread.h: Sync with pthread.h.
2015-02-05 Paul Pluzhnikov <ppluzhnikov@google.com>
@@ -101,7 +118,7 @@ index dc1ed1b..a3182f0 100644
[BZ #16618]
* stdio-common/tst-sscanf.c (main): Test for buffer overflow.
diff --git a/NEWS b/NEWS
-index 617cdbb..e659b75 100644
+index 617cdbb..40f8c90 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,28 @@ See the end for copying conditions.
@@ -112,7 +129,7 @@ index 617cdbb..e659b75 100644
+
+* The following bugs are resolved with this release:
+
-+ 17269, 17905, 17949, 18007, 18032, 18287, 18694, 18887, 18985.
++ 17269, 17905, 17949, 18007, 18032, 18240, 18287, 18694, 18887, 18985.
+
+* A buffer overflow in gethostbyname_r and related functions performing DNS
+ requests has been fixed. If the NSS functions were called with a
@@ -415,7 +432,7 @@ index 43d847d..3993579 100644
wchar_t *newbuf
= (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize
diff --git a/misc/Makefile b/misc/Makefile
-index aecb0da..2f5edf6 100644
+index aecb0da..12055ce 100644
--- a/misc/Makefile
+++ b/misc/Makefile
@@ -76,7 +76,8 @@ install-lib := libg.a
@@ -424,10 +441,148 @@ index aecb0da..2f5edf6 100644
tests := tst-dirname tst-tsearch tst-fdset tst-efgcvt tst-mntent tst-hsearch \
- tst-error1 tst-pselect tst-insremque tst-mntent2 bug-hsearch1
+ tst-error1 tst-pselect tst-insremque tst-mntent2 bug-hsearch1 \
-+ tst-mntent-blank-corrupt tst-mntent-blank-passno
++ tst-mntent-blank-corrupt tst-mntent-blank-passno bug18240
ifeq ($(run-built-tests),yes)
tests-special += $(objpfx)tst-error1-mem.out
endif
+diff --git a/misc/bug18240.c b/misc/bug18240.c
+new file mode 100644
+index 0000000..4b26865
+--- /dev/null
++++ b/misc/bug18240.c
+@@ -0,0 +1,75 @@
++/* Test integer wraparound in hcreate.
++ Copyright (C) 2016 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <errno.h>
++#include <limits.h>
++#include <search.h>
++#include <stdbool.h>
++#include <stdio.h>
++#include <stdlib.h>
++
++static void
++test_size (size_t size)
++{
++ int res = hcreate (size);
++ if (res == 0)
++ {
++ if (errno == ENOMEM)
++ return;
++ printf ("error: hcreate (%zu): %m\n", size);
++ exit (1);
++ }
++ char *keys[100];
++ for (int i = 0; i < 100; ++i)
++ {
++ if (asprintf (keys + i, "%d", i) < 0)
++ {
++ printf ("error: asprintf: %m\n");
++ exit (1);
++ }
++ ENTRY e = { keys[i], (char *) "value" };
++ if (hsearch (e, ENTER) == NULL)
++ {
++ printf ("error: hsearch (\"%s\"): %m\n", keys[i]);
++ exit (1);
++ }
++ }
++ hdestroy ();
++
++ for (int i = 0; i < 100; ++i)
++ free (keys[i]);
++}
++
++static int
++do_test (void)
++{
++ test_size (500);
++ test_size (-1);
++ test_size (-3);
++ test_size (INT_MAX - 2);
++ test_size (INT_MAX - 1);
++ test_size (INT_MAX);
++ test_size (((unsigned) INT_MAX) + 1);
++ test_size (UINT_MAX - 2);
++ test_size (UINT_MAX - 1);
++ test_size (UINT_MAX);
++ return 0;
++}
++
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
+diff --git a/misc/hsearch_r.c b/misc/hsearch_r.c
+index 3a7c526..91fa63f 100644
+--- a/misc/hsearch_r.c
++++ b/misc/hsearch_r.c
+@@ -19,7 +19,7 @@
+ #include <errno.h>
+ #include <malloc.h>
+ #include <string.h>
+-
++#include <stdint.h>
+ #include <search.h>
+
+ /* [Aho,Sethi,Ullman] Compilers: Principles, Techniques and Tools, 1986
+@@ -46,15 +46,12 @@ static int
+ isprime (unsigned int number)
+ {
+ /* no even number will be passed */
+- unsigned int div = 3;
+-
+- while (div * div < number && number % div != 0)
+- div += 2;
+-
+- return number % div != 0;
++ for (unsigned int div = 3; div <= number / div; div += 2)
++ if (number % div == 0)
++ return 0;
++ return 1;
+ }
+
+-
+ /* Before using the hash table we must allocate memory for it.
+ Test for an existing table are done. We allocate one element
+ more as the found prime number says. This is done for more effective
+@@ -81,10 +78,19 @@ hcreate_r (nel, htab)
+ use will not work. */
+ if (nel < 3)
+ nel = 3;
+- /* Change nel to the first prime number not smaller as nel. */
+- nel |= 1; /* make odd */
+- while (!isprime (nel))
+- nel += 2;
++
++ /* Change nel to the first prime number in the range [nel, UINT_MAX - 2],
++ The '- 2' means 'nel += 2' cannot overflow. */
++ for (nel |= 1; ; nel += 2)
++ {
++ if (UINT_MAX - 2 < nel)
++ {
++ __set_errno (ENOMEM);
++ return 0;
++ }
++ if (isprime (nel))
++ break;
++ }
+
+ htab->size = nel;
+ htab->filled = 0;
diff --git a/misc/mntent_r.c b/misc/mntent_r.c
index 6159873..4f26998 100644
--- a/misc/mntent_r.c
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-glibc/glibc.git
Reply to: