
[glibc] 01/01: debian/patches/git-updates.diff: update from upstream stable branch:



This is an automated email from the git hooks/post-receive script.

aurel32 pushed a commit to branch sid
in repository glibc.

commit f2a51d8c5a2e4a05320cf99e9ed7a8e58c23c412
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sun Dec 31 13:01:32 2017 +0100

    debian/patches/git-updates.diff: update from upstream stable branch:
    
    * debian/patches/git-updates.diff: update from upstream stable branch:
      - Fixes incorrect RPATH/RUNPATH handling for SUID binaries
        (CVE-2017-16997).  Closes: #884615.
---
 debian/changelog                |   3 +
 debian/patches/git-updates.diff | 131 ++++++++++++++++++++++++++++++++++++----
 2 files changed, 123 insertions(+), 11 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 2b53951..b63b805 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,9 @@ glibc (2.25-6) UNRELEASED; urgency=medium
   [ Aurelien Jarno ]
   * debian/control.in/main: add mips r6 architectures to Build-Depends:
     g++-6-multilib.  Closes: #884774.
+  * debian/patches/git-updates.diff: update from upstream stable branch:
+    - Fixes incorrect RPATH/RUNPATH handling for SUID binaries
+      (CVE-2017-16997).  Closes: #884615.
 
  -- Aurelien Jarno <aurel32@debian.org>  Wed, 20 Dec 2017 22:29:01 +0100
 
diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff
index 793c02f..eaba5e3 100644
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
@@ -1,10 +1,26 @@
 GIT update of git://sourceware.org/git/glibc.git/release/2.25/master from glibc-2.25
 
 diff --git a/ChangeLog b/ChangeLog
-index f140ee67de..1868c7a7be 100644
+index f140ee67de..a3db9c09f2 100644
 --- a/ChangeLog
 +++ b/ChangeLog
-@@ -1,3 +1,734 @@
+@@ -1,3 +1,750 @@
++2017-12-30  Aurelien Jarno  <aurelien@aurel32.net>
++	    Dmitry V. Levin  <ldv@altlinux.org>
++
++	[BZ #22625]
++	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
++	string token expansion. Check for NULL pointer or empty string possibly
++	returned by expand_dynamic_string_token.
++	(decompose_rpath): Check for empty path after dynamic string
++	token expansion.
++
++2017-12-18  Dmitry V. Levin  <ldv@altlinux.org>
++
++	[BZ #22627]
++	* elf/dl-load.c (_dl_init_paths): Remove _dl_dst_substitute preparatory
++	code and invocation.
++
 +2017-12-14  Florian Weimer  <fweimer@redhat.com>
 +
 +	[BZ #22607]
@@ -843,10 +859,10 @@ index e9194e54cf..43343f03ee 100644
  	| sed -n -f $< > $@.new
  	test -s $@.new
 diff --git a/NEWS b/NEWS
-index ec15dde761..2c4c9d63aa 100644
+index ec15dde761..7c44ba2a8a 100644
 --- a/NEWS
 +++ b/NEWS
-@@ -5,6 +5,55 @@ See the end for copying conditions.
+@@ -5,6 +5,60 @@ See the end for copying conditions.
  Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
  using `glibc' in the "product" field.
  
@@ -881,6 +897,10 @@ index ec15dde761..2c4c9d63aa 100644
 +  CVE-2017-1000366 has been applied, but it is mentioned here only because
 +  of the CVE assignment.)  Reported by Qualys.
 +
++  CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
++  for AT_SECURE or SUID binaries could be used to load libraries from the
++  current directory.
++
 +The following bugs are resolved with this release:
 +
 +  [20257] sunrpc: clntudp_call does not enforce timeout when receiving data
@@ -898,6 +918,7 @@ index ec15dde761..2c4c9d63aa 100644
 +  [21778] Robust mutex may deadlock
 +  [21972] assert macro requires operator== (int) for its argument type
 +  [22322] libc: [mips64] wrong bits/long-double.h installed
++  [22627] $ORIGIN in $LD_LIBRARY_PATH is substituted twice
 +
  Version 2.25
  
@@ -1157,7 +1178,7 @@ index 61abeb59ee..cc4aeb25b6 100644
  tst-env-setuid-tunables-ENV = \
  	GLIBC_TUNABLES=glibc.malloc.check=2:glibc.malloc.mmap_threshold=4096
 diff --git a/elf/dl-load.c b/elf/dl-load.c
-index a5318f9c8d..92303b08e6 100644
+index a5318f9c8d..58e7220050 100644
 --- a/elf/dl-load.c
 +++ b/elf/dl-load.c
 @@ -37,6 +37,7 @@
@@ -1190,7 +1211,79 @@ index a5318f9c8d..92303b08e6 100644
  
  static bool
  is_trusted_path (const char *path, size_t len)
-@@ -688,9 +689,8 @@ _dl_init_paths (const char *llp)
+@@ -433,31 +434,40 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
+ {
+   char *cp;
+   size_t nelems = 0;
+-  char *to_free;
+ 
+   while ((cp = __strsep (&rpath, sep)) != NULL)
+     {
+       struct r_search_path_elem *dirp;
++      char *to_free = NULL;
++      size_t len = 0;
+ 
+-      to_free = cp = expand_dynamic_string_token (l, cp, 1);
++      /* `strsep' can pass an empty string.  */
++      if (*cp != '\0')
++	{
++	  to_free = cp = expand_dynamic_string_token (l, cp, 1);
+ 
+-      size_t len = strlen (cp);
++	  /* expand_dynamic_string_token can return NULL in case of empty
++	     path or memory allocation failure.  */
++	  if (cp == NULL)
++	    continue;
+ 
+-      /* `strsep' can pass an empty string.  This has to be
+-	 interpreted as `use the current directory'. */
+-      if (len == 0)
+-	{
+-	  static const char curwd[] = "./";
+-	  cp = (char *) curwd;
+-	}
++	  /* Compute the length after dynamic string token expansion and
++	     ignore empty paths.  */
++	  len = strlen (cp);
++	  if (len == 0)
++	    {
++	      free (to_free);
++	      continue;
++	    }
+ 
+-      /* Remove trailing slashes (except for "/").  */
+-      while (len > 1 && cp[len - 1] == '/')
+-	--len;
++	  /* Remove trailing slashes (except for "/").  */
++	  while (len > 1 && cp[len - 1] == '/')
++	    --len;
+ 
+-      /* Now add one if there is none so far.  */
+-      if (len > 0 && cp[len - 1] != '/')
+-	cp[len++] = '/';
++	  /* Now add one if there is none so far.  */
++	  if (len > 0 && cp[len - 1] != '/')
++	    cp[len++] = '/';
++	}
+ 
+       /* Make sure we don't use untrusted directories if we run SUID.  */
+       if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))
+@@ -621,6 +631,14 @@ decompose_rpath (struct r_search_path_struct *sps,
+      necessary.  */
+   free (copy);
+ 
++  /* There is no path after expansion.  */
++  if (result[0] == NULL)
++    {
++      free (result);
++      sps->dirs = (struct r_search_path_elem **) -1;
++      return false;
++    }
++
+   sps->dirs = result;
+   /* The caller will change this value if we haven't used a real malloc.  */
+   sps->malloced = 1;
+@@ -688,9 +706,8 @@ _dl_init_paths (const char *llp)
  		 + ncapstr * sizeof (enum r_dir_status))
  		/ sizeof (struct r_search_path_elem));
  
@@ -1202,16 +1295,32 @@ index a5318f9c8d..92303b08e6 100644
    if (rtld_search_dirs.dirs[0] == NULL)
      {
        errstring = N_("cannot create cache for search path");
-@@ -776,8 +776,6 @@ _dl_init_paths (const char *llp)
+@@ -776,37 +793,14 @@ _dl_init_paths (const char *llp)
  
    if (llp != NULL && *llp != '\0')
      {
 -      size_t nllp;
 -      const char *cp = llp;
-       char *llp_tmp;
- 
- #ifdef SHARED
-@@ -800,13 +798,10 @@ _dl_init_paths (const char *llp)
+-      char *llp_tmp;
+-
+-#ifdef SHARED
+-      /* Expand DSTs.  */
+-      size_t cnt = DL_DST_COUNT (llp, 1);
+-      if (__glibc_likely (cnt == 0))
+-	llp_tmp = strdupa (llp);
+-      else
+-	{
+-	  /* Determine the length of the substituted string.  */
+-	  size_t total = DL_DST_REQUIRED (l, llp, strlen (llp), cnt);
+-
+-	  /* Allocate the necessary memory.  */
+-	  llp_tmp = (char *) alloca (total + 1);
+-	  llp_tmp = _dl_dst_substitute (l, llp, llp_tmp, 1);
+-	}
+-#else
+-      llp_tmp = strdupa (llp);
+-#endif
++      char *llp_tmp = strdupa (llp);
  
        /* Decompose the LD_LIBRARY_PATH contents.  First determine how many
  	 elements it has.  */
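Review bot: The new `char *llp_tmp = strdupa (llp);` replaces the whole DST-expansion branch without saying where the expansion now takes place, which leaves a reader of _dl_init_paths wondering whether $ORIGIN in LD_LIBRARY_PATH is still honoured. The ChangeLog and NEWS entries on this page tie the removal to BZ #22627 ($ORIGIN substituted twice), with expansion now done once per element in fillin_rpath through expand_dynamic_string_token, so a one-line comment would carry that, e.g. `/* DSTs are expanded per element in fillin_rpath; expanding here as well substituted $ORIGIN twice (BZ #22627).  */`. Keeping `strdupa` on the environment-supplied string is unchanged behaviour from the old `cnt == 0` path, so no new stack-usage concern is introduced here. _dl_init_paths starts and ends outside the hunk.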

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-glibc/glibc.git

