
Bug#675886: pu: package eglibc/2.11.3-4



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

We would like to fix some bugs in the stable eglibc version. 

One bug was supposed to be fixed in the previous upload, but it was
not, because the patch had not been added to patches/series. Fixing this
bug seems quite important given the number of bug reports and mails we
receive about it.

The remaining two bugs are security issues that the security team
asked us to fix in stable.

Please see the corresponding debdiff below.

Aurelien


diff -u eglibc-2.11.3/debian/changelog eglibc-2.11.3/debian/changelog
--- eglibc-2.11.3/debian/changelog
+++ eglibc-2.11.3/debian/changelog
@@ -1,3 +1,15 @@
+eglibc (2.11.3-4) stable; urgency=low
+
+  * Enable patches/any/cvs-dlopen-tls.diff, not enabled by mistake.  Closes:
+    #637239.
+  * patches/any/cvs-FORTIFY_SOURCE-format-strings.diff: new patch from
+    upstream to fix FORTIFY_SOURCE format string protection bypass.  Closes:
+    #660611.
+  * patches/any/local-sunrpc-dos.diff: fix a DoS in RPC implementation
+    (CVE-2011-4609).  Closes: #671478.
+
+ -- Aurelien Jarno <aurel32@debian.org>  Sun, 03 Jun 2012 22:42:42 +0200
+
 eglibc (2.11.3-3) stable; urgency=low
 
   * patches/any/cvs-tzfile.diff: fix integer overflow in timezone code.
diff -u eglibc-2.11.3/debian/patches/series eglibc-2.11.3/debian/patches/series
--- eglibc-2.11.3/debian/patches/series
+++ eglibc-2.11.3/debian/patches/series
@@ -274,0 +275,3 @@
+any/cvs-dlopen-tls.diff
+any/cvs-FORTIFY_SOURCE-format-strings.diff
+any/local-sunrpc-dos.diff
only in patch2:
unchanged:
--- eglibc-2.11.3.orig/debian/patches/any/cvs-FORTIFY_SOURCE-format-strings.diff
+++ eglibc-2.11.3/debian/patches/any/cvs-FORTIFY_SOURCE-format-strings.diff
@@ -0,0 +1,86 @@
+2012-03-02  Kees Cook  <keescook@chromium.org>
+
+        [BZ #13656]
+        * stdio-common/vfprintf.c (vfprintf): Check for nargs overflow and
+        possibly allocate from heap instead of stack.
+
+--- a/stdio-common/vfprintf.c
++++ b/stdio-common/vfprintf.c
+@@ -235,6 +235,9 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
+      0 if unknown.  */
+   int readonly_format = 0;
+ 
++  /* For the argument descriptions, which may be allocated on the heap.  */
++  void *args_malloced = NULL;
++
+   /* This table maps a character into a number representing a
+      class.  In each step there is a destination label for each
+      class.  */
+@@ -1647,9 +1650,10 @@ do_positional:
+        determine the size of the array needed to store the argument
+        attributes.  */
+     size_t nargs = 0;
+-    int *args_type;
+-    union printf_arg *args_value = NULL;
++    size_t bytes_per_arg;
++    union printf_arg *args_value;
+     int *args_size;
++    int *args_type;
+ 
+     /* Positional parameters refer to arguments directly.  This could
+        also determine the maximum number of arguments.  Track the
+@@ -1698,13 +1702,38 @@ do_positional:
+ 
+     /* Determine the number of arguments the format string consumes.  */
+     nargs = MAX (nargs, max_ref_arg);
++    /* Calculate total size needed to represent a single argument across
++       all three argument-related arrays.  */
++    bytes_per_arg = sizeof (*args_value) + sizeof (*args_size)
++                    + sizeof (*args_type);
++
++    /* Check for potential integer overflow.  */
++    if (__builtin_expect (nargs > SIZE_MAX / bytes_per_arg, 0))
++      {
++         __set_errno (ERANGE);
++         done = -1;
++         goto all_done;
++      }
+ 
+-    /* Allocate memory for the argument descriptions.  */
+-    args_type = alloca (nargs * sizeof (int));
++    /* Allocate memory for all three argument arrays.  */
++    if (__libc_use_alloca (nargs * bytes_per_arg))
++        args_value = alloca (nargs * bytes_per_arg);
++    else
++      {
++        args_value = args_malloced = malloc (nargs * bytes_per_arg);
++        if (args_value == NULL)
++          {
++            done = -1;
++            goto all_done;
++          }
++      }
++
++    /* Set up the remaining two arrays to each point past the end of the
++       prior array, since space for all three has been allocated now.  */
++    args_size = &args_value[nargs].pa_int;
++    args_type = &args_size[nargs];
+     memset (args_type, s->_flags2 & _IO_FLAGS2_FORTIFY ? '\xff' : '\0',
+-	    nargs * sizeof (int));
+-    args_value = alloca (nargs * sizeof (union printf_arg));
+-    args_size = alloca (nargs * sizeof (int));
++	    nargs * sizeof (*args_type));
+ 
+     /* XXX Could do sanity check here: If any element in ARGS_TYPE is
+        still zero after this loop, format is invalid.  For now we
+@@ -1973,8 +2002,8 @@ do_positional:
+   }
+ 
+ all_done:
+-  if (__builtin_expect (workstart != NULL, 0))
+-    free (workstart);
++  free (args_malloced);
++  free (workstart);
+   /* Unlock the stream.  */
+   _IO_funlockfile (s);
+   _IO_cleanup_region_end (0);
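Review bot: The new patch file cvs-FORTIFY_SOURCE-format-strings.diff starts directly with the upstream ChangeLog entry and carries no DEP-3 header, unlike local-sunrpc-dos.diff in the same upload, which has `Origin:` and `Bug:` lines; a reader of debian/patches therefore cannot tell where this patch came from or which Debian bug it closes without opening the changelog. Prefix the file with `Origin: upstream, <upstream commit id>` (placeholder to be filled in) and `Bug-Debian: http://bugs.debian.org/660611` above the "2012-03-02  Kees Cook" line. One thing to confirm in the nested hunk: the new ERANGE exit jumps to `all_done`, which now unconditionally calls `free (workstart)` without the old `workstart != NULL` guard; that is fine only if `workstart` is initialised to NULL before `do_positional` is reached, which is outside the hunk and presumably true in vfprintf, but worth checking rather than assuming.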
only in patch2:
unchanged:
--- eglibc-2.11.3.orig/debian/patches/any/local-sunrpc-dos.diff
+++ eglibc-2.11.3/debian/patches/any/local-sunrpc-dos.diff
@@ -0,0 +1,92 @@
+Origin: Red Hat, glibc-2.12-1.47.el6_2.5.src.rpm:glibc-rh767692-2.patch
+Bug: https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/901716
+Subject: DoS in RPC implementation
+
+CVE-2011-4069
+
+
+---
+ sunrpc/svc_tcp.c  |    6 ++++++
+ sunrpc/svc_udp.c  |   13 +++++++++++--
+ sunrpc/svc_unix.c |    6 ++++++
+ 3 files changed, 23 insertions(+), 2 deletions(-)
+
+Index: b/sunrpc/svc_tcp.c
+===================================================================
+--- a/sunrpc/svc_tcp.c
++++ b/sunrpc/svc_tcp.c
+@@ -44,6 +44,7 @@
+ #include <sys/poll.h>
+ #include <errno.h>
+ #include <stdlib.h>
++#include <time.h>
+ 
+ #ifdef USE_IN_LIBIO
+ # include <wchar.h>
+@@ -243,6 +244,11 @@ again:
+     {
+       if (errno == EINTR)
+ 	goto again;
++      if (errno == EMFILE)
++        {
++          struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
++          __nanosleep(&ts , NULL);
++        }
+       return FALSE;
+     }
+   /*
+Index: b/sunrpc/svc_udp.c
+===================================================================
+--- a/sunrpc/svc_udp.c
++++ b/sunrpc/svc_udp.c
+@@ -40,6 +40,7 @@
+ #include <sys/socket.h>
+ #include <errno.h>
+ #include <libintl.h>
++#include <time.h>
+ 
+ #ifdef IP_PKTINFO
+ #include <sys/uio.h>
+@@ -272,8 +273,16 @@ again:
+ 		       (int) su->su_iosz, 0,
+ 		       (struct sockaddr *) &(xprt->xp_raddr), &len);
+   xprt->xp_addrlen = len;
+-  if (rlen == -1 && errno == EINTR)
+-    goto again;
++  if (rlen == -1)
++    {
++      if (errno == EINTR)
++        goto again;
++      if (errno == EMFILE)
++        {
++          struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
++          __nanosleep(&ts , NULL);
++        }
++    }
+   if (rlen < 16)		/* < 4 32-bit ints? */
+     return FALSE;
+   xdrs->x_op = XDR_DECODE;
+Index: b/sunrpc/svc_unix.c
+===================================================================
+--- a/sunrpc/svc_unix.c
++++ b/sunrpc/svc_unix.c
+@@ -46,6 +46,7 @@
+ #include <errno.h>
+ #include <stdlib.h>
+ #include <libintl.h>
++#include <time.h>
+ 
+ #ifdef USE_IN_LIBIO
+ # include <wchar.h>
+@@ -245,6 +246,11 @@ again:
+     {
+       if (errno == EINTR)
+ 	goto again;
++      if (errno == EMFILE)
++        {
++          struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
++          __nanosleep(&ts , NULL);
++        }
+       return FALSE;
+     }
+   /*
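Review bot: The CVE identifier in the new patch header, `CVE-2011-4069`, disagrees with the changelog entry for the same patch, which cites CVE-2011-4609; the two digits are transposed, and CVE-2011-4609 is the glibc sunrpc svc_run denial-of-service this patch addresses, so the header line should read `CVE-2011-4609`. The three added EMFILE branches only throttle the accept/recvfrom retry loop with a 50 ms `__nanosleep` rather than releasing descriptors, so while the descriptor table is exhausted the service still cannot serve new clients; it would help stable users if the `Subject:` line said that the patch limits CPU consumption under this condition rather than preventing the outage. Minor style point, present in all three hunks: `__nanosleep(&ts , NULL);` has a stray space before the comma and should be `__nanosleep (&ts, NULL);` to match the GNU spacing used elsewhere in these files.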

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash


