
Bug#688333: pu: package libgc/6.8-1.2



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi!

  I'd like to fix CVE-2012-2673 / #677195 in stable. I've prepared an
update using the patch backported to 6.8 by Ubuntu (debdiff
attached). I'll upload as soon as I have your OK.

Regards

    Christoph

-- System Information:
Debian Release: 6.0.5
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'proposed-updates'), (500, 'unstable'), (1, 'experimental')
Architecture: mipsel (mips64)

Kernel: Linux 3.2.0-0.bpo.2-loongson-2f
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u libgc-6.8/debian/control libgc-6.8/debian/control
--- libgc-6.8/debian/control
+++ libgc-6.8/debian/control
@@ -1,5 +1,5 @@
 Source: libgc
-Maintainer: Ryan Murray <rmurray@debian.org>
+Maintainer: Christoph Egger <christoph@debian.org>
 Section: libs
 Priority: standard
 Build-Depends: debhelper
diff -u libgc-6.8/debian/changelog libgc-6.8/debian/changelog
--- libgc-6.8/debian/changelog
+++ libgc-6.8/debian/changelog
@@ -1,3 +1,14 @@
+libgc (1:6.8-2) stable; urgency=low
+
+  * Change maintainer to myself for stable as well
+  
+  * Use patch from Steve Beattie <sbeattie@ubuntu.com> / Ubuntu to fix
+    CVE-2012-2673 (Closes: #677195):
+      malloc.c, mallocx.c: check for integer overflow in internal
+      malloc and calloc routines.
+
+ -- Christoph Egger <christoph@debian.org>  Fri, 21 Sep 2012 10:58:18 -0700
+
 libgc (1:6.8-1.2) unstable; urgency=low
 
   * Non-maintainer upload.
only in patch2:
unchanged:
--- libgc-6.8.orig/mallocx.c
+++ libgc-6.8/mallocx.c
@@ -181,6 +181,7 @@
 {
     register ptr_t result;
     word lw;
+    size_t lb_rounded;
     word n_blocks;
     GC_bool init;
     DCL_LOCK_STATE;
@@ -188,6 +189,10 @@
     if (SMALL_OBJ(lb))
         return(GC_generic_malloc((word)lb, k));
     lw = ROUNDED_UP_WORDS(lb);
+    lb_rounded = WORDS_TO_BYTES(lw);
+    if (lb_rounded < lb)
+        return((*GC_oom_fn)(lb));
+
     n_blocks = OBJ_SZ_TO_BLOCKS(lw);
     init = GC_obj_kinds[k].ok_init;
     if (GC_have_errors) GC_print_all_errors();
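Review bot: The added `lb_rounded < lb` test catches a wrap inside ROUNDED_UP_WORDS, but the next statement, `n_blocks = OBJ_SZ_TO_BLOCKS(lw);`, is not covered by it. That macro is defined outside this diff; if it adds a block-size rounding term to the byte count before dividing, a request that passes this test but lies within one block of the size_t limit could presumably still wrap there and produce a too-small n_blocks, so this should be confirmed or `lb_rounded` bounded further. A comment such as `/* rounding up wrapped past the size_t range */` above the test would also explain why a smaller rounded size means overflow. The same check is added in the malloc.c hunk at -197,8 and the point applies there too; the enclosing functions start and end outside both hunks.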
only in patch2:
unchanged:
--- libgc-6.8.orig/malloc.c
+++ libgc-6.8/malloc.c
@@ -197,8 +197,13 @@
     } else {
 	word lw;
 	word n_blocks;
+	size_t lb_rounded;
 	GC_bool init;
 	lw = ROUNDED_UP_WORDS(lb);
+	lb_rounded = WORDS_TO_BYTES(lw);
+	if (lb_rounded < lb)
+	  return((*GC_oom_fn)(lb));
+
 	n_blocks = OBJ_SZ_TO_BLOCKS(lw);
 	init = GC_obj_kinds[k].ok_init;
 	DISABLE_SIGNALS();
@@ -377,6 +382,15 @@
     return((GC_PTR)REDIRECT_MALLOC(lb));
   }
 
+#include <limits.h>
+#ifdef SIZE_MAX
+# define GC_SIZE_MAX SIZE_MAX
+#else
+# define GC_SIZE_MAX (~(size_t)0)
+#endif
+
+#define GC_SQRT_SIZE_MAX ((1U << (WORDSZ / 2)) - 1)
+
 # ifdef __STDC__
     GC_PTR calloc(size_t n, size_t lb)
 # else
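Review bot: `GC_SQRT_SIZE_MAX` is built from `1U << (WORDSZ / 2)`, and `1U` is an unsigned int. Where WORDSZ (defined outside this diff) is 64, that shifts a 32-bit type by its full width, which is undefined behaviour, so the threshold used by the calloc fast test is not guaranteed to have the intended value. Doing the shift in size_t avoids this: `#define GC_SQRT_SIZE_MAX (((size_t)1 << (WORDSZ / 2)) - 1)`. Separately, `SIZE_MAX` is normally provided by `<stdint.h>` rather than `<limits.h>`, so on most C libraries the `#ifdef SIZE_MAX` branch is likely never taken and the `~(size_t)0` fallback does the work; that is harmless, but the include could be corrected or dropped.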
@@ -384,6 +398,9 @@
     size_t n, lb;
 # endif
   {
+    if ((lb | n) > GC_SQRT_SIZE_MAX /* fast initial test */
+        && lb && n > GC_SIZE_MAX / lb)
+      return NULL;
     return((GC_PTR)REDIRECT_MALLOC(n*lb));
   }
 
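Review bot: On overflow calloc returns a bare `NULL`, whereas the size checks this patch adds to malloc.c and mallocx.c report failure through `(*GC_oom_fn)(lb)`, so any out-of-memory hook never sees an overflowing calloc request. If that hook is meant to observe every refused allocation, the return could be `return((GC_PTR)(*GC_oom_fn)(GC_SIZE_MAX));`; otherwise a comment such as `/* n*lb would overflow size_t; fail like an ordinary OOM */` would record that the difference is deliberate. The fast test is only sound if `GC_SQRT_SIZE_MAX` does not exceed the true square root of the size_t maximum, which depends on the macro defined in the preceding hunk. The calloc signature is in that preceding hunk; only the body is visible here.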
