
[glibc] 01/01: debian/patches/git-updates.diff: update from upstream stable branch.



This is an automated email from the git hooks/post-receive script.

aurel32 pushed a commit to branch glibc-2.26
in repository glibc.

commit 807ce52ae4106c3dc2a6a98a88b4558a7f31d381
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sat Dec 16 19:20:07 2017 +0100

    debian/patches/git-updates.diff: update from upstream stable branch.
---
 debian/patches/git-updates.diff | 200 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 196 insertions(+), 4 deletions(-)

diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff
index 61dbf17..e112efc 100644
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
@@ -1,10 +1,35 @@
 GIT update of git://sourceware.org/git/glibc.git/release/2.26/master from glibc-2.26
 
 diff --git a/ChangeLog b/ChangeLog
-index 8dbfc7eaff..b90e7eb827 100644
+index 8dbfc7eaff..55a17414ab 100644
 --- a/ChangeLog
 +++ b/ChangeLog
-@@ -1,3 +1,1032 @@
+@@ -1,3 +1,1057 @@
++2017-12-14  Florian Weimer  <fweimer@redhat.com>
++
++	[BZ #22607]
++	CVE-2017-1000409
++	* elf/dl-load.c (_dl_init_paths): Compute number of components in
++	the expanded path string.
++
++2017-12-14  Florian Weimer  <fweimer@redhat.com>
++
++	[BZ #22606]
++	CVE-2017-1000408
++	* elf/dl-load.c (system_dirs): Update comment.
++	(nsystem_dirs_len): Use array_length.
++	(_dl_init_paths): Use nsystem_dirs_len to compute the array size.
++
++2017-11-02  Florian Weimer  <fweimer@redhat.com>
++
++	Add array_length and array_end macros.
++	* include/array_length.h: New file.
++
++2017-10-27  H.J. Lu  <hongjiu.lu@intel.com>
++
++	* sysdeps/i386/fpu/libm-test-ulps: Regenerated for GCC 7 with
++	"-O2 -march=i586".
++
 +2017-12-13  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
 +
 +	* sysdeps/ia64/fpu/libm-test-ulps: Update.
@@ -1061,10 +1086,10 @@ index 9bb707c168..828a445f24 100644
  # Don't try to use -lc when making libc.so itself.
  # Also omits crti.o and crtn.o, which we do not want
 diff --git a/NEWS b/NEWS
-index 8295f20c0a..8810b57cd9 100644
+index 8295f20c0a..2c49212cb5 100644
 --- a/NEWS
 +++ b/NEWS
-@@ -5,6 +5,81 @@ See the end for copying conditions.
+@@ -5,6 +5,92 @@ See the end for copying conditions.
  Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
  using `glibc' in the "product" field.
  
@@ -1107,6 +1132,17 @@ index 8295f20c0a..8810b57cd9 100644
 +  instead of NULL.  This was a regression introduced with the new malloc
 +  thread cache in glibc 2.26.  Reported by Iain Buclaw.
 +
++  CVE-2017-1000408: Incorrect array size computation in _dl_init_paths leads
++  to the allocation of too much memory.  (This is not a security bug per se,
++  it is mentioned here only because of the CVE assignment.)  Reported by
++  Qualys.
++
++  CVE-2017-1000409: Buffer overflow in _dl_init_paths due to miscomputation
++  of the number of search path components.  (This is not a security
++  vulnerability per se because no trust boundary is crossed if the fix for
++  CVE-2017-1000366 has been applied, but it is mentioned here only because
++  of the CVE assignment.)  Reported by Qualys.
++
 +The following bugs are resolved with this release:
 +
 +  [16750] ldd: Never run file directly.
@@ -1377,6 +1413,79 @@ index 0280fba8a7..8bbbf2a121 100644
  LDLIBS-crypt.so = -lfreebl3
  else
  libcrypt-routines += md5 sha256 sha512
+diff --git a/elf/dl-load.c b/elf/dl-load.c
+index c1b6d4ba0f..621403c05f 100644
+--- a/elf/dl-load.c
++++ b/elf/dl-load.c
+@@ -37,6 +37,7 @@
+ #include <sysdep.h>
+ #include <stap-probe.h>
+ #include <libc-pointer-arith.h>
++#include <array_length.h>
+ 
+ #include <dl-dst.h>
+ #include <dl-load.h>
+@@ -103,7 +104,9 @@ static size_t ncapstr attribute_relro;
+ static size_t max_capstrlen attribute_relro;
+ 
+ 
+-/* Get the generated information about the trusted directories.  */
++/* Get the generated information about the trusted directories.  Use
++   an array of concatenated strings to avoid relocations.  See
++   gen-trusted-dirs.awk.  */
+ #include "trusted-dirs.h"
+ 
+ static const char system_dirs[] = SYSTEM_DIRS;
+@@ -111,9 +114,7 @@ static const size_t system_dirs_len[] =
+ {
+   SYSTEM_DIRS_LEN
+ };
+-#define nsystem_dirs_len \
+-  (sizeof (system_dirs_len) / sizeof (system_dirs_len[0]))
+-
++#define nsystem_dirs_len array_length (system_dirs_len)
+ 
+ static bool
+ is_trusted_path (const char *path, size_t len)
+@@ -688,9 +689,8 @@ _dl_init_paths (const char *llp)
+ 		 + ncapstr * sizeof (enum r_dir_status))
+ 		/ sizeof (struct r_search_path_elem));
+ 
+-  rtld_search_dirs.dirs[0] = (struct r_search_path_elem *)
+-    malloc ((sizeof (system_dirs) / sizeof (system_dirs[0]))
+-	    * round_size * sizeof (struct r_search_path_elem));
++  rtld_search_dirs.dirs[0] = malloc (nsystem_dirs_len * round_size
++				     * sizeof (*rtld_search_dirs.dirs[0]));
+   if (rtld_search_dirs.dirs[0] == NULL)
+     {
+       errstring = N_("cannot create cache for search path");
+@@ -776,8 +776,6 @@ _dl_init_paths (const char *llp)
+ 
+   if (llp != NULL && *llp != '\0')
+     {
+-      size_t nllp;
+-      const char *cp = llp;
+       char *llp_tmp;
+ 
+ #ifdef SHARED
+@@ -800,13 +798,10 @@ _dl_init_paths (const char *llp)
+ 
+       /* Decompose the LD_LIBRARY_PATH contents.  First determine how many
+ 	 elements it has.  */
+-      nllp = 1;
+-      while (*cp)
+-	{
+-	  if (*cp == ':' || *cp == ';')
+-	    ++nllp;
+-	  ++cp;
+-	}
++      size_t nllp = 1;
++      for (const char *cp = llp_tmp; *cp != '\0'; ++cp)
++	if (*cp == ':' || *cp == ';')
++	  ++nllp;
+ 
+       env_path_list.dirs = (struct r_search_path_elem **)
+ 	malloc ((nllp + 1) * sizeof (struct r_search_path_elem *));
 diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
 index 231fb8ca93..d9975ef2d0 100644
 --- a/elf/dl-tunables.c
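Review bot: The comment above the new counting loop in `_dl_init_paths` still says only "First determine how many elements it has" and does not record why the loop now walks `llp_tmp` instead of `llp`, which per the ChangeLog entry is the whole of the CVE-2017-1000409 fix. Because `nllp` sizes the `env_path_list.dirs` allocation on the lines that follow, I would extend the comment to something like `Count the separators in the expanded copy llp_tmp, not in llp: nllp sizes env_path_list.dirs, and the expanded string may have a different number of components.` so that a later cleanup does not move the count back to the unexpanded string. The code that fills the array lies outside the hunk, so it cannot be confirmed from here that it splits on the same `:`/`;` set the loop counts; that is worth checking whenever this patch is refreshed. Separately, the commit touches only `git-updates.diff` and its message names neither CVE-2017-1000408 nor CVE-2017-1000409; naming both in the packaging changelog entry would make the fix visible to security tracking.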
@@ -1454,6 +1563,48 @@ index 7dd1fccf24..686785e235 100644
        try_trace "$RTLD" "$file" || result=1
        ;;
      *)
+diff --git a/include/array_length.h b/include/array_length.h
+new file mode 100644
+index 0000000000..cb4a8b2a56
+--- /dev/null
++++ b/include/array_length.h
+@@ -0,0 +1,36 @@
++/* The array_length and array_end macros.
++   Copyright (C) 2017 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <http://www.gnu.org/licenses/>.  */
++
++#ifndef _ARRAY_LENGTH_H
++#define _ARRAY_LENGTH_H
++
++/* array_length (VAR) is the number of elements in the array VAR.  VAR
++   must evaluate to an array, not a pointer.  */
++#define array_length(var)                                               \
++  __extension__ ({                                                      \
++    _Static_assert (!__builtin_types_compatible_p                       \
++                    (__typeof (var), __typeof (&(var)[0])),             \
++                    "argument must be an array");                       \
++    sizeof (var) / sizeof ((var)[0]);                                   \
++  })
++
++/* array_end (VAR) is a pointer one past the end of the array VAR.
++   VAR must evaluate to an array, not a pointer.  */
++#define array_end(var) (&(var)[array_length (var)])
++
++#endif /* _ARRAY_LENGTH_H */
 diff --git a/include/libc-symbols.h b/include/libc-symbols.h
 index 3310e3a678..5bf57703a9 100644
 --- a/include/libc-symbols.h
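Review bot: The comment on `array_length` states the array-not-pointer requirement but not that the macro expands to a GNU statement expression (`__extension__ ({ ... })`), which the compiler accepts only inside a function body. A file-scope use, such as an array bound or a static initializer, will therefore fail to compile, and `array_end` inherits the same restriction because it expands `array_length`. I would add one sentence to both comments, for example `The macro expands to a statement expression and can therefore be used only inside a function.` The one use visible in this patch, `nsystem_dirs_len` in the `malloc` call in `_dl_init_paths`, is inside a function and is unaffected.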
@@ -11550,6 +11701,47 @@ index 0000000000..8ae01b9d95
 +#define __PTHREAD_MUTEX_SPINS_OFFSET    36
 +#define __PTHREAD_MUTEX_ELISION_OFFSET  22
 +#define __PTHREAD_MUTEX_LIST_OFFSET     36
+diff --git a/sysdeps/i386/fpu/libm-test-ulps b/sysdeps/i386/fpu/libm-test-ulps
+index ed685de35d..a269c7c343 100644
+--- a/sysdeps/i386/fpu/libm-test-ulps
++++ b/sysdeps/i386/fpu/libm-test-ulps
+@@ -2693,30 +2693,30 @@ ldouble: 2
+ 
+ Function: "y1_downward":
+ double: 2
+-float: 2
++float: 3
+ float128: 4
+ idouble: 2
+-ifloat: 2
++ifloat: 3
+ ifloat128: 4
+ ildouble: 7
+ ldouble: 7
+ 
+ Function: "y1_towardzero":
+ double: 2
+-float: 2
++float: 3
+ float128: 2
+ idouble: 2
+-ifloat: 2
++ifloat: 3
+ ifloat128: 2
+ ildouble: 5
+ ldouble: 5
+ 
+ Function: "y1_upward":
+ double: 1
+-float: 2
++float: 3
+ float128: 5
+ idouble: 1
+-ifloat: 2
++ifloat: 3
+ ifloat128: 5
+ ildouble: 7
+ ldouble: 7
 diff --git a/sysdeps/i386/i686/fpu/multiarch/libm-test-ulps b/sysdeps/i386/i686/fpu/multiarch/libm-test-ulps
 index 81dd1a09ea..053f5ec972 100644
 --- a/sysdeps/i386/i686/fpu/multiarch/libm-test-ulps

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-glibc/glibc.git

