
Bug#802371: marked as done (wheezy-pu: package eglibc/2.13-38+deb7u9)



Your message dated Sat, 02 Apr 2016 14:22:42 +0100
with message-id <1459603362.2441.217.camel@adam-barratt.org.uk>
and subject line Fix included in oldstable
has caused the Debian Bug report #802371,
regarding wheezy-pu: package eglibc/2.13-38+deb7u9
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
802371: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802371
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

Dear oldstable release team,

I would like to update the eglibc package in wheezy to fix the known
security issues for which there is a patch available. The changes match
the security bugs opened by the security team; their severity wasn't
high enough to warrant a DSA.

You'll find the corresponding diff against the current version in 
wheezy below.

Thanks,
Aurelien


Index: debian/patches/any/cvs-CVE-2014-8121.diff
===================================================================
--- debian/patches/any/cvs-CVE-2014-8121.diff	(révision 0)
+++ debian/patches/any/cvs-CVE-2014-8121.diff	(révision 6665)
@@ -0,0 +1,17 @@
+2015-04-29  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #18007]
+	* nss/nss_files/files-XXX.c (CONCAT): Always enable stayopen.
+	(CVE-2014-8121)
+
+--- a/nss/nss_files/files-XXX.c
++++ b/nss/nss_files/files-XXX.c
+@@ -134,7 +134,7 @@ CONCAT(_nss_files_set,ENTNAME) (int stayopen)
+ 
+   __libc_lock_lock (lock);
+ 
+-  status = internal_setent (stayopen);
++  status = internal_setent (1);
+ 
+   if (status == NSS_STATUS_SUCCESS && fgetpos (stream, &position) < 0)
+     {
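Review bot: the replaced call in the `_nss_files_set` function now passes a literal `1`, so the `stayopen` parameter is silently ignored and nothing at the call site says why. A one-line comment above `status = internal_setent (1);` tying it to the ChangeLog's "Always enable stayopen" (CVE-2014-8121) would keep a later cleanup from putting the argument back.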
Index: debian/patches/any/cvs-CVE-2015-1781.diff
===================================================================
--- debian/patches/any/cvs-CVE-2015-1781.diff	(révision 0)
+++ debian/patches/any/cvs-CVE-2015-1781.diff	(révision 6665)
@@ -0,0 +1,18 @@
+2015-04-21  Arjun Shankar  <arjun.is@lostca.se>
+
+	[BZ #18287]
+	* resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length
+	based on padding.  (CVE-2015-1781)
+
+--- a/resolv/nss_dns/dns-host.c
++++ b/resolv/nss_dns/dns-host.c
+@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
+   int have_to_map = 0;
+   uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
+   buffer += pad;
+-  if (__builtin_expect (buflen < sizeof (struct host_data) + pad, 0))
++  buflen = buflen > pad ? buflen - pad : 0;
++  if (__builtin_expect (buflen < sizeof (struct host_data), 0))
+     {
+       /* The buffer is too small.  */
+     too_small:
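Review bot: `buffer += pad;` still runs before the new clamp, so when `buflen` is smaller than `pad` the pointer has already been advanced past the space the caller supplied by the time `buflen` is set to 0. The check that follows then takes the too-small branch, so nothing in the lines shown dereferences it, but adjusting and checking `buflen` first and advancing `buffer` afterwards would avoid forming the out-of-range pointer at all. A short comment that `buflen` means the space remaining after alignment from this point on would also document the invariant this change restores.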
Index: debian/patches/any/cvs-_IO_wstr_overflow.diff
===================================================================
--- debian/patches/any/cvs-_IO_wstr_overflow.diff	(révision 0)
+++ debian/patches/any/cvs-_IO_wstr_overflow.diff	(révision 6665)
@@ -0,0 +1,31 @@
+2015-02-22  Paul Pluzhnikov  <ppluzhnikov@google.com>
+
+	[BZ #17269]
+	* libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow
+	(enlarge_userbuf): Likewise.
+
+--- a/libio/wstrops.c
++++ b/libio/wstrops.c
+@@ -96,8 +96,11 @@ _IO_wstr_overflow (fp, c)
+ 	  wchar_t *old_buf = fp->_wide_data->_IO_buf_base;
+ 	  size_t old_wblen = _IO_wblen (fp);
+ 	  _IO_size_t new_size = 2 * old_wblen + 100;
+-	  if (new_size < old_wblen)
++
++	  if (__builtin_expect ((new_size < old_wblen), 0)
++	      || __builtin_expect ((new_size > SIZE_MAX / sizeof (wchar_t)), 0))
+ 	    return EOF;
++
+ 	  new_buf
+ 	    = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
+ 									* sizeof (wchar_t));
+@@ -187,6 +190,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
+     return 1;
+ 
+   _IO_size_t newsize = offset + 100;
++  if (__builtin_expect ((newsize > SIZE_MAX / sizeof (wchar_t)), 0))
++    return 1;
++
+   wchar_t *oldbuf = wd->_IO_buf_base;
+   wchar_t *newbuf
+     = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize
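Review bot: in the `enlarge_userbuf` hunk only the multiplication by `sizeof (wchar_t)` is guarded; `_IO_size_t newsize = offset + 100;` is computed from an `_IO_off64_t` before the new check, and the hunk does not show what bounds `offset` at that point. If the code above does not already rule out a negative or near-maximum `offset`, the addition needs its own check. Both hunks also start using `SIZE_MAX` without adding an include, so confirm that `libio/wstrops.c` already gets `<stdint.h>`.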
Index: debian/patches/any/cvs-fnmatch-overflow.diff
===================================================================
--- debian/patches/any/cvs-fnmatch-overflow.diff	(révision 0)
+++ debian/patches/any/cvs-fnmatch-overflow.diff	(révision 6665)
@@ -0,0 +1,27 @@
+2015-02-26  Andreas Schwab  <schwab@suse.de>
+
+	[BZ #18032]
+	* posix/fnmatch_loop.c (FCT): Remove extra increment when skipping
+	over collating symbol inside a bracket expression.  Minor cleanup.
+
+diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
+index f79d051..f11d0f1 100644
+--- a/posix/fnmatch_loop.c
++++ b/posix/fnmatch_loop.c
+@@ -951,14 +951,13 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
+ 		  }
+ 		else if (c == L('[') && *p == L('.'))
+ 		  {
+-		    ++p;
+ 		    while (1)
+ 		      {
+ 			c = *++p;
+-			if (c == '\0')
++			if (c == L('\0'))
+ 			  return FNM_NOMATCH;
+ 
+-			if (*p == L('.') && p[1] == L(']'))
++			if (c == L('.') && p[1] == L(']'))
+ 			  break;
+ 		      }
+ 		    p += 2;
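Review bot: no test accompanies the removal of the extra `++p` in the `[.` branch, and an off-by-one like this is easy to reintroduce. A regression case with a pattern that ends inside a collating symbol would pin down that `c = *++p` now examines every character up to the terminator and returns `FNM_NOMATCH` there. The ChangeLog's "Minor cleanup" also covers two small edits (`L('\0')` and using `c` instead of `*p`) that could be named explicitly.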
Index: debian/patches/any/cvs-ld_pointer_guard.diff
===================================================================
--- debian/patches/any/cvs-ld_pointer_guard.diff	(révision 0)
+++ debian/patches/any/cvs-ld_pointer_guard.diff	(révision 6665)
@@ -0,0 +1,62 @@
+2015-10-15  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #18928]
+	* sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+	_dl_pointer_guard member.
+	* elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+	initializer.
+	(security_init): Always set up pointer guard.
+	(process_envvars): Do not process LD_POINTER_GUARD.
+
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -162,7 +162,6 @@
+     ._dl_hwcap_mask = HWCAP_IMPORTANT,
+     ._dl_lazy = 1,
+     ._dl_fpu_control = _FPU_DEFAULT,
+-    ._dl_pointer_guard = 1,
+ 
+     /* Function pointers.  */
+     ._dl_debug_printf = _dl_debug_printf,
+@@ -857,15 +856,12 @@
+ #endif
+ 
+   /* Set up the pointer guard as well, if necessary.  */
+-  if (GLRO(dl_pointer_guard))
+-    {
+-      uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
+-							     stack_chk_guard);
++  uintptr_t pointer_chk_guard
++    = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
+ #ifdef THREAD_SET_POINTER_GUARD
+-      THREAD_SET_POINTER_GUARD (pointer_chk_guard);
++  THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+ #endif
+-      __pointer_chk_guard_local = pointer_chk_guard;
+-    }
++  __pointer_chk_guard_local = pointer_chk_guard;
+ 
+   /* We do not need the _dl_random value anymore.  The less
+      information we leave behind, the better, so clear the
+@@ -2607,9 +2603,6 @@
+ 	      GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
+ 	      break;
+ 	    }
+-
+-	  if (memcmp (envline, "POINTER_GUARD", 13) == 0)
+-	    GLRO(dl_pointer_guard) = envline[14] != '0';
+ 	  break;
+ 
+ 	case 14:
+--- a/sysdeps/generic/ldsodefs.h
++++ b/sysdeps/generic/ldsodefs.h
+@@ -591,9 +591,6 @@
+   /* List of auditing interfaces.  */
+   struct audit_ifaces *_dl_audit;
+   unsigned int _dl_naudit;
+-
+-  /* 0 if internal pointer values should not be guarded, 1 if they should.  */
+-  EXTERN int _dl_pointer_guard;
+ };
+ # define __rtld_global_attribute__
+ # ifdef IS_IN_rtld
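Review bot: the context comment `/* Set up the pointer guard as well, if necessary.  */` in the `security_init` hunk is left untouched, but the setup below it is now unconditional, so "if necessary" is stale and should be dropped. Since `process_envvars` no longer parses `POINTER_GUARD`, any remaining mention of `LD_POINTER_GUARD` outside the two files shown here (documentation, lists of environment variables) should be checked and removed in the same patch.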
Index: debian/patches/series
===================================================================
--- debian/patches/series	(révision 6366)
+++ debian/patches/series	(copie de travail)
@@ -403,3 +403,8 @@
 any/cvs-posix_spawn_file_actions_addopen.diff
 any/cvs-getnetbyname.diff
 any/cvs-getaddrinfo-idn.diff
+any/cvs-CVE-2015-1781.diff
+any/cvs-CVE-2014-8121.diff
+any/cvs-fnmatch-overflow.diff
+any/cvs-_IO_wstr_overflow.diff
+any/cvs-ld_pointer_guard.diff
Index: debian/changelog
===================================================================
--- debian/changelog	(révision 6366)
+++ debian/changelog	(copie de travail)
@@ -1,3 +1,19 @@
+eglibc (2.13-38+deb7u9) wheezy; urgency=medium
+
+  * patches/any/cvs-CVE-2015-1781.diff: new patch from upstream to fix
+    a buffer overflow in getanswer_r (CVE-2015-1781). Closes: #796105.
+  * patches/any/cvs-fnmatch-overflow.diff: new patch from upstream to fix
+    a buffer overflow (read past end of buffer) in internal_fnmatch.
+  * patches/any/cvs-_IO_wstr_overflow.diff: new patch from upstream to fix
+    an integer overlow in IO_wstr_overflow.
+  * patches/any/cvs-CVE-2014-8121.diff: new patch from upstream to fix
+    an unexpected closing of nss_files databases after lookups, causing
+    denial of service (CVE-2014-8121).  Closes: #779587.
+  * patches/any/cvs-ld_pointer_guard.diff: new patch from upstream to
+    unconditionally disable LD_POINTER_GUARD.  Closes: #798316, #801691.
+
+ -- Aurelien Jarno <aurel32@debian.org>  Mon, 19 Oct 2015 20:49:40 +0200
+
 eglibc (2.13-38+deb7u8) wheezy-security; urgency=medium
 
   * debian/patches/any/cvs-wscanf.diff: new patch from upstream to fix a
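Review bot: three wording points in the new changelog entry. "overlow" should be "overflow", and the function is `_IO_wstr_overflow` (leading underscore), as in the patch file name. "unconditionally disable LD_POINTER_GUARD" reads as if the pointer guard were being turned off, while the patch always sets up the guard and stops honouring the variable; something like "always enable the pointer guard and ignore LD_POINTER_GUARD" says that unambiguously. The fnmatch and `_IO_wstr_overflow` items could also cite the upstream BZ numbers given in their patch headers (#18032, #17269), since they have no "Closes:" reference.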

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Version: 7.10

Hi,

The updates referenced in these bugs were included in today's wheezy
point release.

Regards,

Adam

--- End Message ---
