Hello community,

here is the log from the commit of package glibc for openSUSE:11.3
checked in at Mon Dec 19 16:28:34 CET 2011.



--------
--- old-versions/11.3/UPDATES/all/glibc/glibc.changes   2011-07-27 
10:18:03.000000000 +0200
+++ 11.3/glibc/glibc.changes    2011-12-19 11:55:07.000000000 +0100
@@ -1,0 +2,6 @@
+Mon Dec 19 10:52:50 UTC 2011 - [email protected]
+
+- Fix timezone loader overflow (bnc#735850,CVE-2009-5029) (patch
+  tzfile-corruption-fix.patch)
+
+-------------------------------------------------------------------

calling whatdependson for 11.3-i586


Old:
----
  minmem

New:
----
  tzfile-corruption-fix.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ glibc.spec ++++++
--- /var/tmp/diff_new_pack.8gmdAd/_old  2011-12-19 16:09:52.000000000 +0100
+++ /var/tmp/diff_new_pack.8gmdAd/_new  2011-12-19 16:09:52.000000000 +0100
@@ -65,7 +65,7 @@
 Provides:       rtld(GNU_HASH)
 AutoReqProv:    on
 Version:        2.11.2
-Release:        3.<RELEASE5>
+Release:        3.<RELEASE7>
 Url:            http://www.gnu.org/software/libc/libc.html
 PreReq:         filesystem
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -144,6 +144,7 @@
 Patch67:        glibc-nis-initgroups.diff
 Patch68:        glibc-nscd-hconf.diff
 Patch69:        glibc-2.11.3-audit.diff
+Patch70:        tzfile-corruption-fix.patch
 Patch500:       ARM_glibc-2.10.1-local-eabi-wchar.diff
 Patch501:       ARM_glibc-2.10.1-local-hwcap-updates.diff 
 Patch502:       ARM_glibc-2.10.1-local-lowlevellock.diff
@@ -371,6 +372,7 @@
 %patch67 -p1
 %patch68 -p1
 %patch69 -p1
+%patch70 -p1
 %ifarch %arm armv5tel armv7l
 %patch500
 %patch501


++++++ tzfile-corruption-fix.patch ++++++
2011-12-17  Ulrich Drepper  <[email protected]>

        [BZ #13506]
        * time/tzfile.c (__tzfile_read): Check values from file header.

diff --git a/time/tzfile.c b/time/tzfile.c
index 144e20b..402389c 100644
--- a/time/tzfile.c
+++ b/time/tzfile.c
@@ -234,23 +234,58 @@ __tzfile_read (const char *file, size_t extra, char 
**extrap)
       goto read_again;
     }
 
+  if (__builtin_expect (num_transitions
+                       > ((SIZE_MAX - (__alignof__ (struct ttinfo) - 1))
+                          / (sizeof (time_t) + 1)), 0))
+    goto lose;
   total_size = num_transitions * (sizeof (time_t) + 1);
   total_size = ((total_size + __alignof__ (struct ttinfo) - 1)
                & ~(__alignof__ (struct ttinfo) - 1));
   types_idx = total_size;
-  total_size += num_types * sizeof (struct ttinfo) + chars;
+  if (__builtin_expect (num_types
+                       > (SIZE_MAX - total_size) / sizeof (struct ttinfo), 0))
+    goto lose;
+  total_size += num_types * sizeof (struct ttinfo);
+  if (__builtin_expect (chars > SIZE_MAX - total_size, 0))
+    goto lose;
+  total_size += chars;
+  if (__builtin_expect (__alignof__ (struct leap) - 1
+                       > SIZE_MAX - total_size, 0))
+    goto lose;
   total_size = ((total_size + __alignof__ (struct leap) - 1)
                & ~(__alignof__ (struct leap) - 1));
   leaps_idx = total_size;
+  if (__builtin_expect (num_leaps
+                       > (SIZE_MAX - total_size) / sizeof (struct leap), 0))
+    goto lose;
   total_size += num_leaps * sizeof (struct leap);
-  tzspec_len = (sizeof (time_t) == 8 && trans_width == 8
-               ? st.st_size - (ftello (f)
-                               + num_transitions * (8 + 1)
-                               + num_types * 6
-                               + chars
-                               + num_leaps * 12
-                               + num_isstd
-                               + num_isgmt) - 1 : 0);
+  tzspec_len = 0;
+  if (sizeof (time_t) == 8 && trans_width == 8)
+    {
+      off_t rem = st.st_size - ftello (f);
+      if (__builtin_expect (rem < 0
+                           || (size_t) rem < (num_transitions * (8 + 1)
+                                              + num_types * 6
+                                              + chars), 0))
+       goto lose;
+      tzspec_len = (size_t) rem - (num_transitions * (8 + 1)
+                                  + num_types * 6
+                                  + chars);
+      if (__builtin_expect (num_leaps > SIZE_MAX / 12
+                           || tzspec_len < num_leaps * 12, 0))
+       goto lose;
+      tzspec_len -= num_leaps * 12;
+      if (__builtin_expect (tzspec_len < num_isstd, 0))
+       goto lose;
+      tzspec_len -= num_isstd;
+      if (__builtin_expect (tzspec == 0 || tzspec_len - 1 < num_isgmt, 0))
+       goto lose;
+      tzspec_len -= num_isgmt + 1;
+      if (__builtin_expect (SIZE_MAX - total_size < tzspec_len, 0))
+       goto lose;
+    }
+  if (__builtin_expect (SIZE_MAX - total_size - tzspec_len < extra, 0))
+    goto lose;
 
   /* Allocate enough memory including the extra block requested by the
      caller.  */
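Review bot: `ftello (f)` is used unchecked in `off_t rem = st.st_size - ftello (f);`, so its -1 error return makes `rem` one larger than the file size and the `rem < 0` guard does not catch it. Since the purpose of these checks is to stop trusting lengths derived from the file, the position could be validated first: `off_t pos = ftello (f);` then `if (__builtin_expect (pos < 0 || pos > st.st_size, 0)) goto lose;` and `off_t rem = st.st_size - pos;`. A short comment would also help, stating that `8 + 1`, `6` and `12` are the on-disk record sizes and that the sum compared against `rem` cannot wrap because the earlier `total_size` guards already bound it. That reasoning appears to rely on `sizeof (struct ttinfo)` being at least 6, which is not visible here and should be confirmed. `__tzfile_read` begins before and continues after this hunk.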


And fix the previous patch ...

--- a/time/tzfile.c.orig        2011-12-19 10:58:26.000000000 +0100
+++ b/time/tzfile.c     2011-12-19 10:59:35.000000000 +0100
@@ -19,6 +19,7 @@
 
 #include <assert.h>
 #include <limits.h>
+#include <stdint.h>
 #include <stdio.h>
 #include <stdio_ext.h>
 #include <stdlib.h>
@@ -278,7 +279,7 @@
       if (__builtin_expect (tzspec_len < num_isstd, 0))
        goto lose;
       tzspec_len -= num_isstd;
-      if (__builtin_expect (tzspec == 0 || tzspec_len - 1 < num_isgmt, 0))
+      if (__builtin_expect (tzspec_len == 0 || tzspec_len - 1 < num_isgmt, 0))
        goto lose;
       tzspec_len -= num_isgmt + 1;
       if (__builtin_expect (SIZE_MAX - total_size < tzspec_len, 0))
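Review bot: The corrected guard `tzspec_len == 0 || tzspec_len - 1 < num_isgmt` can be written as the single comparison `tzspec_len <= num_isgmt`. For unsigned operands the two are equivalent, and the single form directly mirrors the `tzspec_len -= num_isgmt + 1` that follows, instead of depending on the first operand to shield the `tzspec_len - 1` subtraction from wrapping. This assumes both variables are `size_t`; their declarations are outside the hunk, as are the start and end of the enclosing function.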



Remember to have fun...
