Bug#764540: wheezy-pu: package glibc/2.13-38+deb7u5



On Fri, Oct 10, 2014 at 08:37:15AM +0100, Adam D. Barratt wrote:
> Control: tags -1 + pending
> 
> On 2014-10-09 0:16, Aurelien Jarno wrote:
> >On Wed, Oct 08, 2014 at 11:27:30PM +0100, Adam D. Barratt wrote:
> >>Control: tags -1 + confirmed
> >>
> >>On Wed, 2014-10-08 at 23:49 +0200, Aurelien Jarno wrote:
> >>> I would like to do an update of eglibc in wheezy, with the patches we
> >>> have accumulated in the SVN over the last months. I understand that
> >>> it's a bit late with the stable release schedule, that said all these
> >>> patches have been upstream and in jessie/sid for months.
> >>[...]
> >>> +eglibc (2.13-38+deb7u5) wheezy; urgency=medium
> >>> +
> >>> +  * debian/patches/any/cvs-resolv-reuse-fd.diff: new patch from upstream
> >>> +    to fix invalid file descriptor reuse while sending DNS query.  Closes:
> >>> +    #722075, #756343.
> >>> +  * debian/patches/any/cvs-CVE-2013-4357.diff: new patch from upstream to
> >>> +    fix stack overflow issues. Closes: #742925.
> >>> +  * debian/patches/any/submitted-CVE-2014-0475.diff: update from upstream
> >>> +    to fix a localplt regression introduced in version 2.13-38+deb7u3.
> >>> +  * patches/any/cvs-dlopen-tls-memleak.patch: new patch from upstream to
> >>> +    fix a memory leak with dlopen() and thread-local storage variables.
> >>> +    Closes: #763559.
> >>
> >>Please go ahead; thanks.
> >>
> >
> >Thanks! I have just uploaded it.
> 
> Flagged for acceptance; thanks.
> 

As discussed on IRC, this update introduced a serious regression when
using nscd (see bugs #765506, #765526, #765562), due to the patch 
cvs-CVE-2013-4357.diff. Sorry about that.

The upstream commit is broken and a later commit that I missed is fixing
that. I have included it in the new version 2.13-38+deb7u6. I also updated
the changelog entry for 2.13-38+deb7u5 as discussed in the bug report.

You will find the debdiff against 2.13-38+deb7u5 below. Is it fine to
upload it?

Regards,
Aurelien


diff -u eglibc-2.13/debian/changelog eglibc-2.13/debian/changelog
--- eglibc-2.13/debian/changelog
+++ eglibc-2.13/debian/changelog
@@ -1,3 +1,13 @@
+eglibc (2.13-38+deb7u6) wheezy; urgency=medium
+
+  * Update 2.13-38+deb7u5 changelog to mention that some lost glibc-doc
+    files have been re-added in this version.
+  * debian/patches/any/cvs-CVE-2013-4357.diff: update patch with upstream
+    commit c8fc0c91 to fix segmentation faults when nscd is in use.
+    Closes: #765506, #765526, #765562.
+
+ -- Aurelien Jarno <aurel32@debian.org>  Thu, 16 Oct 2014 15:29:00 +0200
+
 eglibc (2.13-38+deb7u5) wheezy; urgency=medium
 
   * debian/patches/any/cvs-resolv-reuse-fd.diff: new patch from upstream
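Review bot: The cvs-CVE-2013-4357.diff item in the new deb7u6 entry does not say that the segmentation faults are a regression from 2.13-38+deb7u5. Stating the version, in the way the CVE-2014-0475 item did with "regression introduced in version 2.13-38+deb7u3", would let stable users reading the changelog tell which upload is affected and that deb7u6 is the fix.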
@@ -10,6 +20,9 @@
   * patches/any/cvs-dlopen-tls-memleak.patch: new patch from upstream to
     fix a memory leak with dlopen() and thread-local storage variables.
     Closes: #763559.
+  * debian/TODO, debian/debhelper.in/glibc-doc.{install,links,manpage}:
+    re-add files lost in the deb7u3 and deb7u4 security upgrades, causing
+    the glibc-doc package to be almost empty.
 
  -- Aurelien Jarno <aurel32@debian.org>  Wed, 08 Oct 2014 22:50:01 +0200
 
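Review bot: Since this hunk already edits the 2.13-38+deb7u5 entry, the context item "patches/any/cvs-dlopen-tls-memleak.patch" could be corrected at the same time: it lacks the "debian/" prefix that every other path in the entry, including the newly added "debian/TODO, debian/debhelper.in/..." item, carries.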
diff -u eglibc-2.13/debian/patches/any/cvs-CVE-2013-4357.diff eglibc-2.13/debian/patches/any/cvs-CVE-2013-4357.diff
--- eglibc-2.13/debian/patches/any/cvs-CVE-2013-4357.diff
+++ eglibc-2.13/debian/patches/any/cvs-CVE-2013-4357.diff
@@ -1,3 +1,8 @@
+2011-05-31  Andreas Schwab  <schwab@redhat.com>
+
+	* nscd/nscd_getserv_r.c (nscd_getserv_r): Don't free non-malloced
+	memory.  Use alloca_account.  Fix memory leak when retrying.
+
 2011-05-22  Ulrich Drepper  <drepper@gmail.com>
  
 	[BZ #12671]
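Review bot: The added patch header carries the upstream ChangeLog text from 2011-05-31 but not the commit id. debian/changelog names it as c8fc0c91, so recording that id next to this entry in the patch header would let anyone auditing cvs-CVE-2013-4357.diff later see that it is two upstream commits merged into one file.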
@@ -134,7 +139,15 @@
    const uint32_t *aliases_len = NULL;
    const char *aliases_list = NULL;
    int retval = -1;
-@@ -136,8 +148,22 @@ nscd_getserv_r (const char *crit, size_t critlen, const char *proto,
+@@ -112,6 +124,7 @@ nscd_getserv_r (const char *crit, size_t critlen, const char *proto,
+ 	  s_name = (char *) (&found->data[0].servdata + 1);
+ 	  serv_resp = found->data[0].servdata;
+ 	  s_proto = s_name + serv_resp.s_name_len;
++	  alloca_aliases_len = 1;
+ 	  aliases_len = (uint32_t *) (s_proto + serv_resp.s_proto_len);
+ 	  aliases_list = ((char *) aliases_len
+ 			  + serv_resp.s_aliases_cnt * sizeof (uint32_t));
+@@ -136,8 +149,24 @@ nscd_getserv_r (const char *crit, size_t critlen, const char *proto,
  	  if (((uintptr_t) aliases_len & (__alignof__ (*aliases_len) - 1))
  	      != 0)
  	    {
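Review bot: The added "alloca_aliases_len = 1;" sits on the path where aliases_len is pointed into found->data on the next line, so nothing is alloca'd here and the flag really means "not malloc'ed, do not free". That is what keeps the later "if (!alloca_aliases_len) free (aliases_len);" from freeing mapped memory, but the flag name suggests otherwise; a one-line comment in the patch explaining it would help the next reader of this function.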
@@ -146,7 +159,9 @@
 +				     + (serv_resp.s_aliases_cnt
 +					* sizeof (uint32_t)));
 +	      if (alloca_aliases_len)
-+		tmp = __alloca (serv_resp.s_aliases_cnt * sizeof (uint32_t));
++		tmp = alloca_account (serv_resp.s_aliases_cnt
++				      * sizeof (uint32_t),
++				      alloca_used);
 +	      else
 +		{
 +		  tmp = malloc (serv_resp.s_aliases_cnt * sizeof (uint32_t));
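Review bot: The alloca_account call that replaces __alloca takes alloca_used as its third argument, but no visible line of this debdiff declares or initialises alloca_used in nscd_getserv_r. Please confirm that the unchanged part of cvs-CVE-2013-4357.diff already adds it; otherwise the patched file will not build, or the stack accounting will start from an undefined value.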
@@ -159,7 +174,7 @@
  	      aliases_len = memcpy (tmp, aliases_len,
  				    serv_resp.s_aliases_cnt
  				    * sizeof (uint32_t));
-@@ -217,8 +243,24 @@ nscd_getserv_r (const char *crit, size_t critlen, const char *proto,
+@@ -217,8 +246,25 @@ nscd_getserv_r (const char *crit, size_t critlen, const char *proto,
  
  	  if (serv_resp.s_aliases_cnt > 0)
  	    {
@@ -171,8 +186,9 @@
 +				     + (serv_resp.s_aliases_cnt
 +					* sizeof (uint32_t)));
 +	      if (alloca_aliases_len)
-+		aliases_len = alloca (serv_resp.s_aliases_cnt
-+				      * sizeof (uint32_t));
++		aliases_len = alloca_account (serv_resp.s_aliases_cnt
++					      * sizeof (uint32_t),
++					      alloca_used);
 +	      else
 +		{
 +		  aliases_len = malloc (serv_resp.s_aliases_cnt
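Review bot: In the else branch after the alloca_account call, the lines between "aliases_len = malloc (...)" and the use in "vec[n].iov_base = (void *) aliases_len;" fall outside this debdiff, so the failure path cannot be reviewed from here. Please confirm that a NULL return from malloc is handled before aliases_len is handed to the read, as the count comes from the nscd response.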
@@ -186,8 +202,16 @@
  	      vec[n].iov_base = (void *) aliases_len;
  	      vec[n].iov_len = serv_resp.s_aliases_cnt * sizeof (uint32_t);
  
-@@ -329,5 +371,10 @@ nscd_getserv_r (const char *crit, size_t critlen, const char *proto,
- 	goto retry;
+@@ -326,8 +372,17 @@ nscd_getserv_r (const char *crit, size_t critlen, const char *proto,
+ 	}
+ 
+       if (retval != -1)
+-	goto retry;
++	{
++	  if (!alloca_aliases_len)
++	    free (aliases_len);
++	  goto retry;
++	}
      }
  
 +  if (!alloca_aliases_len)
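Review bot: The new retry branch calls "free (aliases_len);" and then jumps to retry without clearing aliases_len or alloca_aliases_len in the visible lines, and the function ends with another "if (!alloca_aliases_len)" check. If the retry label does not sit before the initialisers of these two variables, a retry that exits before reassigning aliases_len would free the same pointer twice; please confirm the label placement, or set aliases_len to NULL right after the free.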

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net
