Bug#688333: pu: package libgc/6.8-1.2
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu
Hi!
I'd like to fix CVE-2012-2673 / #677195 in stable. I've prepared an
update using the patch backported to 6.8 by Ubuntu (debdiff
attached). I'll upload as soon as I have your OK.
Regards
Christoph
-- System Information:
Debian Release: 6.0.5
APT prefers stable
APT policy: (990, 'stable'), (500, 'proposed-updates'), (500, 'unstable'), (1, 'experimental')
Architecture: mipsel (mips64)
Kernel: Linux 3.2.0-0.bpo.2-loongson-2f
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u libgc-6.8/debian/control libgc-6.8/debian/control
--- libgc-6.8/debian/control
+++ libgc-6.8/debian/control
@@ -1,5 +1,5 @@
Source: libgc
-Maintainer: Ryan Murray <rmurray@debian.org>
+Maintainer: Christoph Egger <christoph@debian.org>
Section: libs
Priority: standard
Build-Depends: debhelper
diff -u libgc-6.8/debian/changelog libgc-6.8/debian/changelog
--- libgc-6.8/debian/changelog
+++ libgc-6.8/debian/changelog
@@ -1,3 +1,14 @@
+libgc (1:6.8-2) stable; urgency=low
+
+ * Change maintainer to myself for stable as well
+
+ * Use patch from Steve Beattie <sbeattie@ubuntu.com> / Ubuntu to fix
+ CVE-2012-2673 (Closes: #677195):
+ malloc.c, mallocx.c: check for integer overflow in internal
+ malloc and calloc routines.
+
+ -- Christoph Egger <christoph@debian.org> Fri, 21 Sep 2012 10:58:18 -0700
+
libgc (1:6.8-1.2) unstable; urgency=low
* Non-maintainer upload.
only in patch2:
unchanged:
--- libgc-6.8.orig/mallocx.c
+++ libgc-6.8/mallocx.c
@@ -181,6 +181,7 @@
{
register ptr_t result;
word lw;
+ size_t lb_rounded;
word n_blocks;
GC_bool init;
DCL_LOCK_STATE;
@@ -188,6 +189,10 @@
if (SMALL_OBJ(lb))
return(GC_generic_malloc((word)lb, k));
lw = ROUNDED_UP_WORDS(lb);
+ lb_rounded = WORDS_TO_BYTES(lw);
+ if (lb_rounded < lb)
+ return((*GC_oom_fn)(lb));
+
n_blocks = OBJ_SZ_TO_BLOCKS(lw);
init = GC_obj_kinds[k].ok_init;
if (GC_have_errors) GC_print_all_errors();
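Review bot: The new `lb_rounded < lb` test only catches a wrap that occurs while rounding `lb` up to whole words, so a request just below the maximum `size_t` passes it and reaches `OBJ_SZ_TO_BLOCKS(lw)` on the next line. That macro is defined outside this diff, but if it rounds the byte size up to a heap-block multiple by adding before dividing, the addition could wrap the same way and yield a small `n_blocks` for a huge request. After confirming the macro's arithmetic, consider bounding the size before that step, e.g. `if (lb_rounded < lb || lb_rounded > ~(size_t)0 - HBLKSIZE) return((*GC_oom_fn)(lb));`. The same applies to the identical check added in malloc.c at `@@ -197,8`. The enclosing function starts and ends outside this hunk.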
only in patch2:
unchanged:
--- libgc-6.8.orig/malloc.c
+++ libgc-6.8/malloc.c
@@ -197,8 +197,13 @@
} else {
word lw;
word n_blocks;
+ size_t lb_rounded;
GC_bool init;
lw = ROUNDED_UP_WORDS(lb);
+ lb_rounded = WORDS_TO_BYTES(lw);
+ if (lb_rounded < lb)
+ return((*GC_oom_fn)(lb));
+
n_blocks = OBJ_SZ_TO_BLOCKS(lw);
init = GC_obj_kinds[k].ok_init;
DISABLE_SIGNALS();
@@ -377,6 +382,15 @@
return((GC_PTR)REDIRECT_MALLOC(lb));
}
+#include <limits.h>
+#ifdef SIZE_MAX
+# define GC_SIZE_MAX SIZE_MAX
+#else
+# define GC_SIZE_MAX (~(size_t)0)
+#endif
+
+#define GC_SQRT_SIZE_MAX ((1U << (WORDSZ / 2)) - 1)
+
# ifdef __STDC__
GC_PTR calloc(size_t n, size_t lb)
# else
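Review bot: `GC_SQRT_SIZE_MAX` shifts the `unsigned int` constant `1U` by `WORDSZ / 2`, which is undefined behaviour wherever `WORDSZ` is 64 and `unsigned` is 32 bits wide (presumably LP64 targets; `WORDSZ` is defined outside this diff). The fast pre-test in `calloc` then has no reliable threshold on those targets. Doing the shift in `size_t` avoids this: `#define GC_SQRT_SIZE_MAX (((size_t)1 << (WORDSZ / 2)) - 1)`. Separately, C99 defines `SIZE_MAX` in `<stdint.h>` rather than `<limits.h>`, so the `#ifdef` will usually take the `~(size_t)0` fallback; that value is correct, but a short comment saying so would help the next reader.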
@@ -384,6 +398,9 @@
size_t n, lb;
# endif
{
+ if ((lb | n) > GC_SQRT_SIZE_MAX /* fast initial test */
+ && lb && n > GC_SIZE_MAX / lb)
+ return NULL;
return((GC_PTR)REDIRECT_MALLOC(n*lb));
}
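Review bot: On overflow `calloc` returns a bare `NULL`, whereas the two checks this patch adds in malloc.c and mallocx.c report the failure through `(*GC_oom_fn)(lb)`. A program that installs its own out-of-memory handler would see this one failure path bypass it. If that is intentional, to keep libc `calloc` semantics under `REDIRECT_MALLOC`, a comment such as `/* n*lb overflows: fail like libc calloc, GC_oom_fn is not invoked */` above the `return NULL;` would make the choice explicit.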