
Bug#860276: marked as done (jessie-pu: package glibc/2.19-18+deb8u8)



Your message dated Sat, 06 May 2017 14:44:18 +0100
with message-id <1494078258.26551.13.camel@adam-barratt.org.uk>
and subject line Closing bugs for updates included in 8.8
has caused the Debian Bug report #860276,
regarding jessie-pu: package glibc/2.19-18+deb8u8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
860276: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860276
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Dear stable release managers,

I would like to upload a new glibc package for the next jessie release.
Here is the changelog with some additional comments:

  * Update from upstream stable branch:
    - Fix PowerPC sqrt inaccuracy.  Closes: #855606.

This fixes a regression introduced in glibc 2.19-18+deb8u7, which
slightly lowered the precision of the sqrt function on PowerPC. This
notably causes failures in the postgresql testsuite. This code is
already present in stretch/sid.

  * patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a
    NULL pointer dereference in libresolv when receiving a T_UNSPEC internal
    QTYPE (CVE-2015-5180).  Closes: #796106.

This is a long-standing security issue that has been fixed recently.
It basically changes the value of a constant so that it can't only be
generated internally. The patch is already present in stretch/sid.

A full debdiff is attached. Thanks for considering.

Regards,
Aurelien

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index fdbdcc3d..5a26d07b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+glibc (2.19-18+deb8u8) UNRELEASED; urgency=medium
+
+  [ Aurelien Jarno ]
+  * Update from upstream stable branch:
+    - Fix PowerPC sqrt inaccuracy.  Closes: #855606.
+  * patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a
+    NULL pointer dereference in libresolv when receiving a T_UNSPEC internal
+    QTYPE (CVE-2015-5180).  Closes: #796106.
+
+ -- Aurelien Jarno <aurel32@debian.org>  Mon, 20 Feb 2017 23:30:47 +0100
+
 glibc (2.19-18+deb8u7) stable; urgency=medium
 
   [ Aurelien Jarno ]
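Review bot: the distribution on the first added line is still UNRELEASED, while the previous entry below it says stable; set it to the intended suite before the upload is built. The CVE-2015-5180 item names only the NULL pointer dereference; it could also say that res_nmkquery now rejects out-of-range class and type values, since that is a change callers can observe.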
diff --git a/debian/patches/any/cvs-resolv-internal-qtype.diff b/debian/patches/any/cvs-resolv-internal-qtype.diff
new file mode 100644
index 00000000..670d6711
--- /dev/null
+++ b/debian/patches/any/cvs-resolv-internal-qtype.diff
@@ -0,0 +1,78 @@
+2016-12-31  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #18784]
+	CVE-2015-5180
+	* include/arpa/nameser_compat.h (T_QUERY_A_AND_AAAA): Rename from
+	T_UNSPEC.  Adjust value.
+	* resolv/nss_dns/dns-host.c (_nss_dns_gethostbyname4_r): Use it.
+	* resolv/res_query.c (__libc_res_nquery): Likewise.
+	* resolv/res_mkquery.c (res_nmkquery): Check for out-of-range
+	QTYPEs.
+
+--- a/include/arpa/nameser_compat.h
++++ b/include/arpa/nameser_compat.h
+@@ -1,8 +1,8 @@
+ #ifndef _ARPA_NAMESER_COMPAT_
+ #include <resolv/arpa/nameser_compat.h>
+ 
+-/* Picksome unused number to represent lookups of IPv4 and IPv6 (i.e.,
+-   T_A and T_AAAA).  */
+-#define T_UNSPEC 62321
++/* The number is outside the 16-bit RR type range and is used
++   internally by the implementation.  */
++#define T_QUERY_A_AND_AAAA 439963904
+ 
+ #endif
+--- a/resolv/nss_dns/dns-host.c
++++ b/resolv/nss_dns/dns-host.c
+@@ -323,7 +323,7 @@
+ 
+   int olderr = errno;
+   enum nss_status status;
+-  int n = __libc_res_nsearch (&_res, name, C_IN, T_UNSPEC,
++  int n = __libc_res_nsearch (&_res, name, C_IN, T_QUERY_A_AND_AAAA,
+ 			      host_buffer.buf->buf, 2048, &host_buffer.ptr,
+ 			      &ans2p, &nans2p, &resplen2, &ans2p_malloced);
+   if (n >= 0)
+--- a/resolv/res_mkquery.c
++++ b/resolv/res_mkquery.c
+@@ -103,6 +103,10 @@
+ 	int n;
+ 	u_char *dnptrs[20], **dpp, **lastdnptr;
+ 
++	if (class < 0 || class > 65535
++	    || type < 0 || type > 65535)
++	  return -1;
++
+ #ifdef DEBUG
+ 	if (statp->options & RES_DEBUG)
+ 		printf(";; res_nmkquery(%s, %s, %s, %s)\n",
+--- a/resolv/res_query.c
++++ b/resolv/res_query.c
+@@ -122,7 +122,7 @@
+ 	int n, use_malloc = 0;
+ 	u_int oflags = statp->_flags;
+ 
+-	size_t bufsize = (type == T_UNSPEC ? 2 : 1) * QUERYSIZE;
++	size_t bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * QUERYSIZE;
+ 	u_char *buf = alloca (bufsize);
+ 	u_char *query1 = buf;
+ 	int nquery1 = -1;
+@@ -137,7 +137,7 @@
+ 		printf(";; res_query(%s, %d, %d)\n", name, class, type);
+ #endif
+ 
+-	if (type == T_UNSPEC)
++	if (type == T_QUERY_A_AND_AAAA)
+ 	  {
+ 	    n = res_nmkquery(statp, QUERY, name, class, T_A, NULL, 0, NULL,
+ 			     query1, bufsize);
+@@ -190,7 +190,7 @@
+ 	if (__builtin_expect (n <= 0, 0) && !use_malloc) {
+ 		/* Retry just in case res_nmkquery failed because of too
+ 		   short buffer.  Shouldn't happen.  */
+-		bufsize = (type == T_UNSPEC ? 2 : 1) * MAXPACKET;
++		bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * MAXPACKET;
+ 		buf = malloc (bufsize);
+ 		if (buf != NULL) {
+ 			query1 = buf;
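Review bot: the header of the new cvs-resolv-internal-qtype.diff carries the upstream ChangeLog entry (BZ #18784, CVE-2015-5180) but no reference to the upstream commit it was taken from; an Origin line naming that commit would let the backport be compared against upstream. In the res_mkquery.c part, the added check returns -1 above the "#ifdef DEBUG" printf, so a rejected call leaves no trace in resolver debug output. That check is the observable behaviour change of the patch: any caller passing a class or type outside 0..65535 now fails, which is what keeps the internal T_QUERY_A_AND_AAAA value (439963904) from being encoded into a query.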
diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff
index 5e3d8363..c39df17e 100644
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
@@ -1,10 +1,16 @@
 GIT update of git://sourceware.org/git/glibc.git/release/2.19/master from glibc-2.19
 
 diff --git a/ChangeLog b/ChangeLog
-index 81c393a..92b8a2e 100644
+index 81c393a..a81d623 100644
 --- a/ChangeLog
 +++ b/ChangeLog
-@@ -1,3 +1,639 @@
+@@ -1,3 +1,645 @@
++2015-02-12  Joseph Myers  <joseph@codesourcery.com>
++
++	[BZ #17964]
++	* sysdeps/powerpc/fpu/e_sqrt.c (__slow_ieee754_sqrt): Use
++	__builtin_fma instead of relying on contraction of a * b + c.
++
 +2015-01-28  Adhemerval Zanellla  <azanella@linux.vnet.ibm.com>
 +
 +	[BZ #16576]
@@ -645,7 +651,7 @@ index 81c393a..92b8a2e 100644
  
  	[BZ #16529]
 diff --git a/NEWS b/NEWS
-index 98b479e..f62b876 100644
+index 98b479e..bdbf52b 100644
 --- a/NEWS
 +++ b/NEWS
 @@ -5,6 +5,104 @@ See the end for copying conditions.
@@ -659,8 +665,8 @@ index 98b479e..f62b876 100644
 +  15946, 16009, 16545, 16574, 16576, 16623, 16657, 16695, 16743, 16758,
 +  16759, 16760, 16878, 16882, 16885, 16916, 16932, 16943, 16958, 17048,
 +  17062, 17069, 17079, 17137, 17153, 17213, 17263, 17269, 17325, 17523,
-+  17555, 17905, 18007, 18032, 18080, 18240, 18287, 18508, 18665, 18905,
-+  18928, 19018, 19779, 19791, 19879, 20010, 20112.
++  17555, 17905, 17964, 18007, 18032, 18080, 18240, 18287, 18508, 18665,
++  18905, 18928, 19018, 19779, 19791, 19879, 20010, 20112.
 +
 +* A buffer overflow in gethostbyname_r and related functions performing DNS
 +  requests has been fixed.  If the NSS functions were called with a
@@ -6539,7 +6545,7 @@ index 64d192a..4b7ec36 100644
        va_list arg;
        va_start (arg, oflag);
 diff --git a/sysdeps/powerpc/fpu/e_sqrt.c b/sysdeps/powerpc/fpu/e_sqrt.c
-index 0368e57..24dfe68 100644
+index 0368e57..022d71b 100644
 --- a/sysdeps/powerpc/fpu/e_sqrt.c
 +++ b/sysdeps/powerpc/fpu/e_sqrt.c
 @@ -24,6 +24,7 @@
@@ -6550,7 +6556,64 @@ index 0368e57..24dfe68 100644
  static const double almost_half = 0.5000000000000001;	/* 0.5 + 2^-53 */
  static const ieee_float_shape_type a_nan = {.word = 0x7fc00000 };
  static const ieee_float_shape_type a_inf = {.word = 0x7f800000 };
-@@ -152,6 +153,7 @@ __slow_ieee754_sqrt (double x)
+@@ -98,38 +99,41 @@ __slow_ieee754_sqrt (double x)
+ 	  /* Here we have three Newton-Raphson iterations each of a
+ 	     division and a square root and the remainder of the
+ 	     argument reduction, all interleaved.   */
+-	  sd = -(sg * sg - sx);
++	  sd = -__builtin_fma (sg, sg, -sx);
+ 	  fsgi = (xi0 + 0x40000000) >> 1 & 0x7ff00000;
+ 	  sy2 = sy + sy;
+-	  sg = sy * sd + sg;	/* 16-bit approximation to sqrt(sx). */
++	  sg = __builtin_fma (sy, sd, sg);	/* 16-bit approximation to
++						   sqrt(sx). */
+ 
+ 	  /* schedule the INSERT_WORDS (fsg, fsgi, 0) to get separation
+ 	     between the store and the load.  */
+ 	  INSERT_WORDS (fsg, fsgi, 0);
+ 	  iw_u.parts.msw = fsgi;
+ 	  iw_u.parts.lsw = (0);
+-	  e = -(sy * sg - almost_half);
+-	  sd = -(sg * sg - sx);
++	  e = -__builtin_fma (sy, sg, -almost_half);
++	  sd = -__builtin_fma (sg, sg, -sx);
+ 	  if ((xi0 & 0x7ff00000) == 0)
+ 	    goto denorm;
+-	  sy = sy + e * sy2;
+-	  sg = sg + sy * sd;	/* 32-bit approximation to sqrt(sx).  */
++	  sy = __builtin_fma (e, sy2, sy);
++	  sg = __builtin_fma (sy, sd, sg);	/* 32-bit approximation to
++						   sqrt(sx).  */
+ 	  sy2 = sy + sy;
+ 	  /* complete the INSERT_WORDS (fsg, fsgi, 0) operation.  */
+ 	  fsg = iw_u.value;
+-	  e = -(sy * sg - almost_half);
+-	  sd = -(sg * sg - sx);
+-	  sy = sy + e * sy2;
++	  e = -__builtin_fma (sy, sg, -almost_half);
++	  sd = -__builtin_fma (sg, sg, -sx);
++	  sy = __builtin_fma (e, sy2, sy);
+ 	  shx = sx * fsg;
+-	  sg = sg + sy * sd;	/* 64-bit approximation to sqrt(sx),
+-				   but perhaps rounded incorrectly.  */
++	  sg = __builtin_fma (sy, sd, sg);	/* 64-bit approximation to
++						   sqrt(sx), but perhaps
++						   rounded incorrectly.  */
+ 	  sy2 = sy + sy;
+ 	  g = sg * fsg;
+-	  e = -(sy * sg - almost_half);
+-	  d = -(g * sg - shx);
+-	  sy = sy + e * sy2;
++	  e = -__builtin_fma (sy, sg, -almost_half);
++	  d = -__builtin_fma (g, sg, -shx);
++	  sy = __builtin_fma (e, sy2, sy);
+ 	  fesetenv_register (fe);
+-	  return g + sy * d;
++	  return __builtin_fma (sy, d, g);
+ 	denorm:
+ 	  /* For denormalised numbers, we normalise, calculate the
+ 	     square root, and return an adjusted result.  */
+@@ -152,6 +156,7 @@ __slow_ieee754_sqrt (double x)
      }
    return f_wash (x);
  }
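Review bot: nothing in the converted Newton-Raphson block says why __builtin_fma is required, so a later cleanup could turn "sd = -__builtin_fma (sg, sg, -sx);" back into "-(sg * sg - sx)". The ChangeLog entry added in this same file gives the reason (the code must not rely on contraction of a * b + c); a one-line comment to that effect above the first converted statement would keep it next to the code. The plain products "shx = sx * fsg" and "g = sg * fsg" have no addend and are rightly left unchanged.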
@@ -6558,7 +6621,7 @@ index 0368e57..24dfe68 100644
  
  #undef __ieee754_sqrt
  double
-@@ -159,16 +161,11 @@ __ieee754_sqrt (double x)
+@@ -159,16 +164,11 @@ __ieee754_sqrt (double x)
  {
    double z;
  
diff --git a/debian/patches/series b/debian/patches/series
index 746f71c7..2ef53847 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -274,3 +274,4 @@ any/cvs-wscanf.diff
 any/cvs-ldconfig-aux-cache.diff
 any/cvs-grantpt-pty-owner.diff
 any/cvs-hesiod-resolver.diff
+any/cvs-resolv-internal-qtype.diff

--- End Message ---
--- Begin Message ---
Version: 8.8

Hi,

Each of these bugs refers to an update that was included in today's
jessie point release. Thanks!

Regards,

Adam

--- End Message ---
