
Bug#681145: marked as done (unblock: libgc/7.1-9)



Your message dated Wed, 11 Jul 2012 13:12:07 +0200
with message-id <4FFD5F87.3050103@dogguy.org>
and subject line Re: Bug#681145: unblock: libgc/7.1-9
has caused the Debian Bug report #681145,
regarding unblock: libgc/7.1-9
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
681145: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681145
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: freeze-exception

Please unblock package libgc

This upload fixes CVE-2012-2673. It is only using the patches approved
upstream to fix this issue (the -malloc.diff one backported to our 7.1
package, rest does work as is).

unblock libgc/7.1-9

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.4-trunk-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru libgc-7.1/debian/changelog libgc-7.1/debian/changelog
--- libgc-7.1/debian/changelog	2011-05-29 18:55:21.000000000 +0200
+++ libgc-7.1/debian/changelog	2012-07-11 00:30:07.000000000 +0200
@@ -1,3 +1,9 @@
+libgc (1:7.1-9) unstable; urgency=medium
+
+  * Import patches to fix CVE-2012-2673 from upstream git (Closes: #677195)
+
+ -- Christoph Egger <christoph@debian.org>  Sun, 08 Jul 2012 18:27:48 +0200
+
 libgc (1:7.1-8) unstable; urgency=low
 
   * Import patch by Thorsten Glaser
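Review bot: The new 1:7.1-9 changelog entry says only that patches were imported from upstream git, while the unblock request above states that the -malloc.diff patch was backported to 7.1 and only the rest apply as is. Recording that in the entry, and naming the four CVE-2012-2673-*.diff files it adds, would let a later reader of the changelog see which part of the fix differs from upstream.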
diff -Nru libgc-7.1/debian/patches/CVE-2012-2673-calloc-1.diff libgc-7.1/debian/patches/CVE-2012-2673-calloc-1.diff
--- libgc-7.1/debian/patches/CVE-2012-2673-calloc-1.diff	1970-01-01 01:00:00.000000000 +0100
+++ libgc-7.1/debian/patches/CVE-2012-2673-calloc-1.diff	2012-07-11 00:26:57.000000000 +0200
@@ -0,0 +1,29 @@
+From e10c1eb9908c2774c16b3148b30d2f3823d66a9a Mon Sep 17 00:00:00 2001
+From: Xi Wang <xi.wang@gmail.com>
+Date: Thu, 15 Mar 2012 04:46:49 +0800
+Subject: [PATCH] Fix calloc() overflow
+
+* malloc.c (calloc): Check multiplication overflow in calloc(),
+assuming REDIRECT_MALLOC.
+---
+ malloc.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+Index: libgc/malloc.c
+===================================================================
+--- libgc.orig/malloc.c	2008-03-10 06:33:41.000000000 +0100
++++ libgc/malloc.c	2012-07-08 18:08:40.030368600 +0200
+@@ -344,8 +344,13 @@
+   }
+ #endif
+ 
++#ifndef SIZE_MAX
++#define SIZE_MAX (~(size_t)0)
++#endif
+ void * calloc(size_t n, size_t lb)
+ {
++    if (lb && n > SIZE_MAX / lb)
++      return NULL;
+ #   if defined(GC_LINUX_THREADS) /* && !defined(USE_PROC_FOR_LIBRARIES) */
+ 	/* libpthread allocated some memory that is only pointed to by	*/
+ 	/* mmapped thread stacks.  Make sure it's not collectable.	*/
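Review bot: The guard added at the top of calloc() returns NULL directly, without setting errno and without going through GC_oom_fn, which the rounding check in CVE-2012-2673-malloc.diff does call on its failure path. Callers that follow POSIX and inspect errno after a failed calloc() will not see ENOMEM, so either set it before the return or add a comment saying the bare NULL is intentional here. The condition itself (lb && n > SIZE_MAX / lb) is the right form: the lb test keeps the division safe and the comparison rejects exactly the products that would wrap. The SIZE_MAX fallback is defined without any header being included first, so whether the #ifndef fires depends on what malloc.c happened to include earlier.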
diff -Nru libgc-7.1/debian/patches/CVE-2012-2673-calloc-2.diff libgc-7.1/debian/patches/CVE-2012-2673-calloc-2.diff
--- libgc-7.1/debian/patches/CVE-2012-2673-calloc-2.diff	1970-01-01 01:00:00.000000000 +0100
+++ libgc-7.1/debian/patches/CVE-2012-2673-calloc-2.diff	2012-07-11 00:26:57.000000000 +0200
@@ -0,0 +1,36 @@
+From 6a93f8e5bcad22137f41b6c60a1c7384baaec2b3 Mon Sep 17 00:00:00 2001
+From: Ivan Maidanski <ivmai@mail.ru>
+Date: Thu, 15 Mar 2012 20:30:11 +0400
+Subject: [PATCH] Fix calloc-related code to prevent SIZE_MAX redefinition in
+ sys headers
+
+* malloc.c: Include limits.h for SIZE_MAX.
+* malloc.c (SIZE_MAX, calloc): Define GC_SIZE_MAX instead of SIZE_MAX.
+---
+ malloc.c |   10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+Index: libgc/malloc.c
+===================================================================
+--- libgc.orig/malloc.c	2012-07-08 18:08:40.030368600 +0200
++++ libgc/malloc.c	2012-07-08 18:08:45.420373752 +0200
+@@ -344,12 +344,16 @@
+   }
+ #endif
+ 
+-#ifndef SIZE_MAX
+-#define SIZE_MAX (~(size_t)0)
++#include <limits.h>
++#ifdef SIZE_MAX
++# define GC_SIZE_MAX SIZE_MAX
++#else
++# define GC_SIZE_MAX (~(size_t)0)
+ #endif
++
+ void * calloc(size_t n, size_t lb)
+ {
+-    if (lb && n > SIZE_MAX / lb)
++    if (lb && n > GC_SIZE_MAX / lb)
+       return NULL;
+ #   if defined(GC_LINUX_THREADS) /* && !defined(USE_PROC_FOR_LIBRARIES) */
+ 	/* libpthread allocated some memory that is only pointed to by	*/
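Review bot: The #include <limits.h> added just above calloc() is not guaranteed to provide SIZE_MAX; C99 defines that macro in <stdint.h>, so where nothing else has pulled it in, the #else branch is what takes effect. That fallback, (~(size_t)0), is a correct value and the check still holds, but the commit message line "Include limits.h for SIZE_MAX" overstates what the include does. Consider including <stdint.h> where it is available, and placing the include at the top of malloc.c rather than between function definitions. Renaming to GC_SIZE_MAX is a good change, since it no longer defines a name that belongs to the system headers.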
diff -Nru libgc-7.1/debian/patches/CVE-2012-2673-calloc-3.diff libgc-7.1/debian/patches/CVE-2012-2673-calloc-3.diff
--- libgc-7.1/debian/patches/CVE-2012-2673-calloc-3.diff	1970-01-01 01:00:00.000000000 +0100
+++ libgc-7.1/debian/patches/CVE-2012-2673-calloc-3.diff	2012-07-11 00:26:57.000000000 +0200
@@ -0,0 +1,31 @@
+From 83231d0ab5ed60015797c3d1ad9056295ac3b2bb Mon Sep 17 00:00:00 2001
+From: Hans Boehm <Hans.Boehm@hp.com>
+Date: Thu, 15 Mar 2012 21:09:05 +0400
+Subject: [PATCH] Speedup calloc size overflow check by preventing division if
+ small values
+
+* malloc.c (GC_SQRT_SIZE_MAX): New macro.
+* malloc.c (calloc): Add fast initial size overflow check to avoid
+integer division for reasonably small values passed.
+---
+ malloc.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+Index: libgc/malloc.c
+===================================================================
+--- libgc.orig/malloc.c	2012-07-08 17:54:21.530370090 +0200
++++ libgc/malloc.c	2012-07-08 17:54:21.000000000 +0200
+@@ -351,9 +351,12 @@
+ # define GC_SIZE_MAX (~(size_t)0)
+ #endif
+ 
++#define GC_SQRT_SIZE_MAX ((1U << (WORDSZ / 2)) - 1)
++
+ void * calloc(size_t n, size_t lb)
+ {
+-    if (lb && n > GC_SIZE_MAX / lb)
++    if ((lb | n) > GC_SQRT_SIZE_MAX /* fast initial test */
++        && lb && n > GC_SIZE_MAX / lb)
+       return NULL;
+ #   if defined(GC_LINUX_THREADS) /* && !defined(USE_PROC_FOR_LIBRARIES) */
+ 	/* libpthread allocated some memory that is only pointed to by	*/
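Review bot: In the new GC_SQRT_SIZE_MAX macro, 1U << (WORDSZ / 2) shifts an unsigned int, so if WORDSZ is 64 (assuming it is the word size in bits, as its use here suggests) and unsigned int is 32 bits wide, the shift count equals the width of the operand, which is undefined behaviour in C. Writing it as (((size_t)1 << (WORDSZ / 2)) - 1) keeps the shift in the same type that n and lb are compared in. The fast test itself is sound: when (lb | n) is no larger than 2^(WORDSZ/2) - 1, both operands fit in half a word and their product cannot wrap, so skipping the division is safe. A short comment stating that reasoning next to the macro would help the next reader trust the shortcut.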
diff -Nru libgc-7.1/debian/patches/CVE-2012-2673-malloc.diff libgc-7.1/debian/patches/CVE-2012-2673-malloc.diff
--- libgc-7.1/debian/patches/CVE-2012-2673-malloc.diff	1970-01-01 01:00:00.000000000 +0100
+++ libgc-7.1/debian/patches/CVE-2012-2673-malloc.diff	2012-07-11 00:26:57.000000000 +0200
@@ -0,0 +1,41 @@
+From be9df82919960214ee4b9d3313523bff44fd99e1 Mon Sep 17 00:00:00 2001
+From: Xi Wang <xi.wang@gmail.com>
+Date: Thu, 15 Mar 2012 04:55:08 +0800
+Subject: [PATCH] Fix allocation size overflows due to rounding.
+
+* malloc.c (GC_generic_malloc): Check if the allocation size is
+rounded to a smaller value.
+* mallocx.c (GC_generic_malloc_ignore_off_page): Likewise.
+---
+ malloc.c  |    2 ++
+ mallocx.c |    2 ++
+ 2 files changed, 4 insertions(+)
+
+Index: libgc/malloc.c
+===================================================================
+--- libgc.orig/malloc.c	2012-07-08 18:23:03.980370526 +0200
++++ libgc/malloc.c	2012-07-08 18:24:58.640366221 +0200
+@@ -165,6 +165,9 @@
+ 	GC_bool init;
+ 	lw = ROUNDED_UP_WORDS(lb);
+ 	lb_rounded = WORDS_TO_BYTES(lw);
++	if (lb_rounded < lb)
++	  return((*GC_oom_fn)(lb));
++
+ 	n_blocks = OBJ_SZ_TO_BLOCKS(lb_rounded);
+ 	init = GC_obj_kinds[k].ok_init;
+ 	LOCK();
+Index: libgc/mallocx.c
+===================================================================
+--- libgc.orig/mallocx.c	2012-07-08 18:21:54.800368132 +0200
++++ libgc/mallocx.c	2012-07-08 18:25:13.620365430 +0200
+@@ -179,6 +179,9 @@
+         return(GC_generic_malloc((word)lb, k));
+     lw = ROUNDED_UP_WORDS(lb);
+     lb_rounded = WORDS_TO_BYTES(lw);
++    if (lb_rounded < lb)
++	  return((*GC_oom_fn)(lb));
++
+     n_blocks = OBJ_SZ_TO_BLOCKS(lb_rounded);
+     init = GC_obj_kinds[k].ok_init;
+     if (GC_have_errors) GC_print_all_errors();
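Review bot: The added test "if (lb_rounded < lb)" in both GC_generic_malloc and GC_generic_malloc_ignore_off_page has no comment saying what it detects; a one-line note that it catches wrap-around in ROUNDED_UP_WORDS / WORDS_TO_BYTES would make the intent clear. In malloc.c the early return sits before LOCK(), so no unlock is needed on that path, which is correct. Two smaller points: in the mallocx.c hunk the return line is indented with a tab plus two spaces while the surrounding code uses spaces only, and the patch header still carries the upstream diffstat (2 ++ per file, 4 insertions) although each backported hunk goes from 6 to 9 lines, so the header should be refreshed.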
diff -Nru libgc-7.1/debian/patches/series libgc-7.1/debian/patches/series
--- libgc-7.1/debian/patches/series	2011-05-29 15:19:45.000000000 +0200
+++ libgc-7.1/debian/patches/series	2012-07-11 00:26:57.000000000 +0200
@@ -5,3 +5,7 @@
 #05-s390-includes.diff
 enable-threads.diff
 06-m68k-no-getcontext.diff
+CVE-2012-2673-calloc-1.diff
+CVE-2012-2673-calloc-2.diff
+CVE-2012-2673-calloc-3.diff
+CVE-2012-2673-malloc.diff

--- End Message ---
--- Begin Message ---
On 11/07/12 00:35, Christoph Egger wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: freeze-exception
>
> Please unblock package libgc
>
> This upload fixes CVE-2012-2673. It is only using the patches approved
> upstream to fix this issue (the -malloc.diff one backported to our 7.1
> package, rest does work as is).
>
> unblock libgc/7.1-9


Unblocked.

Regards,

--
Mehdi Dogguy مهدي الدڤي
http://dogguy.org/


--- End Message ---
