
[glibc] 01/01: debian/patches/git-updates.diff: update from upstream stable branch:



This is an automated email from the git hooks/post-receive script.

aurel32 pushed a commit to branch sid
in repository glibc.

commit 5d5bd4b533c43d6887101493e7ffaca89ac501a1
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sat Dec 16 15:37:33 2017 +0100

    debian/patches/git-updates.diff: update from upstream stable branch:
    
    * debian/patches/git-updates.diff: update from upstream stable branch:
      - Fix memory leak in ld.so (CVE-2017-1000408).  Closes: #884132.
      - Fix buffer overflow in ld.so (CVE-2017-1000409).  Closes: #884133.
---
 debian/changelog                |   3 +
 debian/patches/git-updates.diff | 165 +++++++++++++++++++++++++++++++++++++---
 2 files changed, 157 insertions(+), 11 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index f23313e..340239a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,9 @@ glibc (2.25-5) UNRELEASED; urgency=medium
   [ Aurelien Jarno ]
   * debian/rules.d/debhelper.mk: strip all *crt*.o files, unless
     DEB_BUILD_OPTIONS contains nostrip.  Closes: #884524.
+  * debian/patches/git-updates.diff: update from upstream stable branch:
+    - Fix memory leak in ld.so (CVE-2017-1000408).  Closes: #884132.
+    - Fix buffer overflow in ld.so (CVE-2017-1000409).  Closes: #884133.
 
  -- Aurelien Jarno <aurel32@debian.org>  Tue, 12 Dec 2017 23:52:07 +0100
 
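Review bot: the new changelog line describes CVE-2017-1000408 as "Fix memory leak in ld.so", but the upstream NEWS text carried later in this same patch describes it as "Incorrect array size computation in _dl_init_paths leads to the allocation of too much memory", which is an over-allocation rather than a leak. Consider aligning the changelog wording with upstream, e.g. "Fix over-allocation in ld.so (CVE-2017-1000408)", so the Debian entry does not overstate the issue; the CVE-2017-1000409 line ("Fix buffer overflow") matches upstream.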
diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff
index 234ce99..793c02f 100644
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
@@ -1,10 +1,30 @@
 GIT update of git://sourceware.org/git/glibc.git/release/2.25/master from glibc-2.25
 
 diff --git a/ChangeLog b/ChangeLog
-index f140ee67de..574ea60130 100644
+index f140ee67de..1868c7a7be 100644
 --- a/ChangeLog
 +++ b/ChangeLog
-@@ -1,3 +1,714 @@
+@@ -1,3 +1,734 @@
++2017-12-14  Florian Weimer  <fweimer@redhat.com>
++
++	[BZ #22607]
++	CVE-2017-1000409
++	* elf/dl-load.c (_dl_init_paths): Compute number of components in
++	the expanded path string.
++
++2017-12-14  Florian Weimer  <fweimer@redhat.com>
++
++	[BZ #22606]
++	CVE-2017-1000408
++	* elf/dl-load.c (system_dirs): Update comment.
++	(nsystem_dirs_len): Use array_length.
++	(_dl_init_paths): Use nsystem_dirs_len to compute the array size.
++
++2017-11-02  Florian Weimer  <fweimer@redhat.com>
++
++	Add array_length and array_end macros.
++	* include/array_length.h: New file.
++
 +2017-12-12  James Clarke <jrtc27@jrtc27.com>
 +
 +	* sysdeps/unix/sysv/linux/ia64/ipc_priv.h: New file defining
@@ -823,10 +843,10 @@ index e9194e54cf..43343f03ee 100644
  	| sed -n -f $< > $@.new
  	test -s $@.new
 diff --git a/NEWS b/NEWS
-index ec15dde761..0a8f20e371 100644
+index ec15dde761..2c4c9d63aa 100644
 --- a/NEWS
 +++ b/NEWS
-@@ -5,6 +5,47 @@ See the end for copying conditions.
+@@ -5,6 +5,55 @@ See the end for copying conditions.
  Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
  using `glibc' in the "product" field.
  
@@ -837,6 +857,10 @@ index ec15dde761..0a8f20e371 100644
 +* The DNS stub resolver limits the advertised UDP buffer size to 1200 bytes,
 +  to avoid fragmentation-based spoofing attacks.
 +
++  CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered
++  from a one-byte overflow during ~ operator processing (either on the stack
++  or the heap, depending on the length of the user name).
++
 +  CVE-2017-15671: The glob function, when invoked with GLOB_TILDE,
 +  would sometimes fail to free memory allocated during ~ operator
 +  processing, leading to a memory leak and, potentially, to a denial
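Review bot: the CVE-2017-15670 paragraph added here is the same text that a later hunk of this patch deletes from the end of the bug list, so this is a relocation into the first "Security related changes" block rather than a new entry; the three lines match the removed ones word for word ("either on the stack or the heap, depending on the length of the user name"). No change requested, but the commit message only mentions the two new CVEs, so a reviewer should be aware that this hunk also reorders existing NEWS text.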
@@ -846,6 +870,17 @@ index ec15dde761..0a8f20e371 100644
 +  without GLOB_NOESCAPE, could write past the end of a buffer while
 +  unescaping user names.  Reported by Tim Rühsen.
 +
++  CVE-2017-1000408: Incorrect array size computation in _dl_init_paths leads
++  to the allocation of too much memory.  (This is not a security bug per se,
++  it is mentioned here only because of the CVE assignment.)  Reported by
++  Qualys.
++
++  CVE-2017-1000409: Buffer overflow in _dl_init_paths due to miscomputation
++  of the number of search path components.  (This is not a security
++  vulnerability per se because no trust boundary is crossed if the fix for
++  CVE-2017-1000366 has been applied, but it is mentioned here only because
++  of the CVE assignment.)  Reported by Qualys.
++
 +The following bugs are resolved with this release:
 +
 +  [20257] sunrpc: clntudp_call does not enforce timeout when receiving data
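Review bot: the CVE-2017-1000409 entry states that no trust boundary is crossed only "if the fix for CVE-2017-1000366 has been applied", which makes the severity assessment in this NEWS text conditional on that earlier fix being present in the Debian package. That cannot be verified from this diff; please confirm that glibc 2.25-5 already carries the CVE-2017-1000366 change (or note it in the changelog) before treating CVE-2017-1000409 as non-security for this upload.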
@@ -863,13 +898,6 @@ index ec15dde761..0a8f20e371 100644
 +  [21778] Robust mutex may deadlock
 +  [21972] assert macro requires operator== (int) for its argument type
 +  [22322] libc: [mips64] wrong bits/long-double.h installed
-+
-+Security related changes:
-+
-+  CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered
-+  from a one-byte overflow during ~ operator processing (either on the stack
-+  or the heap, depending on the length of the user name).
-+
 +
  Version 2.25
  
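Review bot: the removed block is a second "Security related changes:" heading plus the CVE-2017-15670 paragraph, leaving the NEWS file with a single security section; the line count in the hunk header (13 context/removed lines becoming 6) is consistent with deleting exactly these seven lines. Since the same paragraph is re-added under the first section earlier in this patch, the net NEWS content is unchanged apart from the two new CVE entries, which is the intended outcome.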
@@ -1128,6 +1156,79 @@ index 61abeb59ee..cc4aeb25b6 100644
 +		     LD_HWCAP_MASK=0xffffffff
  tst-env-setuid-tunables-ENV = \
  	GLIBC_TUNABLES=glibc.malloc.check=2:glibc.malloc.mmap_threshold=4096
+diff --git a/elf/dl-load.c b/elf/dl-load.c
+index a5318f9c8d..92303b08e6 100644
+--- a/elf/dl-load.c
++++ b/elf/dl-load.c
+@@ -37,6 +37,7 @@
+ #include <sysdep.h>
+ #include <stap-probe.h>
+ #include <libc-internal.h>
++#include <array_length.h>
+ 
+ #include <dl-dst.h>
+ #include <dl-load.h>
+@@ -103,7 +104,9 @@ static size_t ncapstr attribute_relro;
+ static size_t max_capstrlen attribute_relro;
+ 
+ 
+-/* Get the generated information about the trusted directories.  */
++/* Get the generated information about the trusted directories.  Use
++   an array of concatenated strings to avoid relocations.  See
++   gen-trusted-dirs.awk.  */
+ #include "trusted-dirs.h"
+ 
+ static const char system_dirs[] = SYSTEM_DIRS;
+@@ -111,9 +114,7 @@ static const size_t system_dirs_len[] =
+ {
+   SYSTEM_DIRS_LEN
+ };
+-#define nsystem_dirs_len \
+-  (sizeof (system_dirs_len) / sizeof (system_dirs_len[0]))
+-
++#define nsystem_dirs_len array_length (system_dirs_len)
+ 
+ static bool
+ is_trusted_path (const char *path, size_t len)
+@@ -688,9 +689,8 @@ _dl_init_paths (const char *llp)
+ 		 + ncapstr * sizeof (enum r_dir_status))
+ 		/ sizeof (struct r_search_path_elem));
+ 
+-  rtld_search_dirs.dirs[0] = (struct r_search_path_elem *)
+-    malloc ((sizeof (system_dirs) / sizeof (system_dirs[0]))
+-	    * round_size * sizeof (struct r_search_path_elem));
++  rtld_search_dirs.dirs[0] = malloc (nsystem_dirs_len * round_size
++				     * sizeof (*rtld_search_dirs.dirs[0]));
+   if (rtld_search_dirs.dirs[0] == NULL)
+     {
+       errstring = N_("cannot create cache for search path");
+@@ -776,8 +776,6 @@ _dl_init_paths (const char *llp)
+ 
+   if (llp != NULL && *llp != '\0')
+     {
+-      size_t nllp;
+-      const char *cp = llp;
+       char *llp_tmp;
+ 
+ #ifdef SHARED
+@@ -800,13 +798,10 @@ _dl_init_paths (const char *llp)
+ 
+       /* Decompose the LD_LIBRARY_PATH contents.  First determine how many
+ 	 elements it has.  */
+-      nllp = 1;
+-      while (*cp)
+-	{
+-	  if (*cp == ':' || *cp == ';')
+-	    ++nllp;
+-	  ++cp;
+-	}
++      size_t nllp = 1;
++      for (const char *cp = llp_tmp; *cp != '\0'; ++cp)
++	if (*cp == ':' || *cp == ';')
++	  ++nllp;
+ 
+       env_path_list.dirs = (struct r_search_path_elem **)
+ 	malloc ((nllp + 1) * sizeof (struct r_search_path_elem *));
 diff --git a/elf/dl-tunable-types.h b/elf/dl-tunable-types.h
 index a986f0b593..37a4e8021f 100644
 --- a/elf/dl-tunable-types.h
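Review bot: the component count now iterates over llp_tmp instead of llp (the `for (const char *cp = llp_tmp; ...)` loop replacing `const char *cp = llp`), so the count is taken on the DST-expanded string that is later split; this is the CVE-2017-1000409 fix, and it is correct only if llp_tmp is assigned on both sides of the `#ifdef SHARED` block that sits between the declaration `char *llp_tmp;` and the loop, which is not visible in this hunk. Please confirm both branches set llp_tmp before the loop runs, since the declaration is uninitialized. The other change, `malloc (nsystem_dirs_len * round_size * sizeof (*rtld_search_dirs.dirs[0]))`, replaces `sizeof (system_dirs) / sizeof (system_dirs[0])`, which for `static const char system_dirs[] = SYSTEM_DIRS` was the byte length of the concatenated string rather than the number of directories (the CVE-2017-1000408 over-allocation); the fill loop for rtld_search_dirs.dirs[0] should be checked to iterate exactly nsystem_dirs_len entries so the smaller buffer is not overrun.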
@@ -1558,6 +1659,48 @@ index 04157b25c5..e4845871f5 100644
  modules.so := $(addsuffix .so, $(modules))
  
  ifeq (yes,$(build-shared))
+diff --git a/include/array_length.h b/include/array_length.h
+new file mode 100644
+index 0000000000..cb4a8b2a56
+--- /dev/null
++++ b/include/array_length.h
+@@ -0,0 +1,36 @@
++/* The array_length and array_end macros.
++   Copyright (C) 2017 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#ifndef _ARRAY_LENGTH_H
++#define _ARRAY_LENGTH_H
++
++/* array_length (VAR) is the number of elements in the array VAR.  VAR
++   must evaluate to an array, not a pointer.  */
++#define array_length(var)                                               \
++  __extension__ ({                                                      \
++    _Static_assert (!__builtin_types_compatible_p                       \
++                    (__typeof (var), __typeof (&(var)[0])),             \
++                    "argument must be an array");                       \
++    sizeof (var) / sizeof ((var)[0]);                                   \
++  })
++
++/* array_end (VAR) is a pointer one past the end of the array VAR.
++   VAR must evaluate to an array, not a pointer.  */
++#define array_end(var) (&(var)[array_length (var)])
++
++#endif /* _ARRAY_LENGTH_H */
 diff --git a/include/resolv.h b/include/resolv.h
 index 95dcd3ca37..e8f477cd86 100644
 --- a/include/resolv.h
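Review bot: array_length is defined as a GNU statement expression (`__extension__ ({ ... })`) containing a _Static_assert, so it cannot be used where an integer constant expression is required (a file-scope array bound, a static initializer, a case label or a constant expression in `#if`); the header comment should state this restriction. The only use in this patch, `#define nsystem_dirs_len array_length (system_dirs_len)` feeding a malloc size inside _dl_init_paths, is within a function body and is fine. The type check itself is right: for an array, `__typeof (var)` is an array type and `__typeof (&(var)[0])` is a pointer to element, which are not compatible, while for a pointer both are the same pointer type and the assertion fires, so passing a decayed pointer is rejected at compile time rather than silently yielding sizeof(pointer)/sizeof(element).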

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-glibc/glibc.git