Hello community, here is the log from the commit of package glibc for openSUSE:Factory checked in at 2011-12-21 14:56:41 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/glibc (Old) and /work/SRC/openSUSE:Factory/.glibc.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "glibc", Maintainer is "[email protected]"
Changes:
--------
--- /work/SRC/openSUSE:Factory/glibc/glibc.changes 2011-12-02 09:26:52.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.glibc.new/glibc.changes 2011-12-21 14:56:43.000000000 +0100
@@ -1,0 +2,6 @@
+Mon Dec 19 10:01:56 UTC 2011 - [email protected]
+
+- Fix timezone loader overflow (bnc#735850,CVE-2009-5029) (patch
+ tzfile-corruption-fix.patch)
+
+-------------------------------------------------------------------
New:
----
tzfile-corruption-fix.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ glibc.spec ++++++
--- /var/tmp/diff_new_pack.gZ8OA4/_old 2011-12-21 14:56:46.000000000 +0100
+++ /var/tmp/diff_new_pack.gZ8OA4/_new 2011-12-21 14:56:46.000000000 +0100
@@ -225,6 +225,8 @@
 Patch84: nscd-avoid-gcc-warning.diff
 # PATCH-FIX-OPENSUSE fix printf with > 32 args and printf specifiers bnc#733140, bso#13446
 Patch85: glibc-2.14-32args-printf.patch
+# PATCH-FIX-UPSTREAM fix tzfile heap overrun bnc#735850 - [email protected]
+Patch86: tzfile-corruption-fix.patch
 %description
 The GNU C Library provides the most important standard libraries used
@@ -466,6 +468,7 @@
 %patch75 -p1
 %patch84
 %patch85
+%patch86 -p1
 #
 # Inconsistency detected by ld.so: dl-close.c: 719: _dl_close: Assertion `map->l_init_called' failed!
++++++ tzfile-corruption-fix.patch ++++++
2011-12-17 Ulrich Drepper <[email protected]>
[BZ #13506]
* time/tzfile.c (__tzfile_read): Check values from file header.
diff --git a/time/tzfile.c b/time/tzfile.c
index 144e20b..402389c 100644
--- a/time/tzfile.c
+++ b/time/tzfile.c
@@ -234,23 +234,58 @@ __tzfile_read (const char *file, size_t extra, char **extrap)
 goto read_again;
 }
+ if (__builtin_expect (num_transitions > ((SIZE_MAX - (__alignof__ (struct ttinfo) - 1)) / (sizeof (time_t) + 1)), 0))
+ goto lose;
 total_size = num_transitions * (sizeof (time_t) + 1);
 total_size = ((total_size + __alignof__ (struct ttinfo) - 1) & ~(__alignof__ (struct ttinfo) - 1));
 types_idx = total_size;
- total_size += num_types * sizeof (struct ttinfo) + chars;
+ if (__builtin_expect (num_types > (SIZE_MAX - total_size) / sizeof (struct ttinfo), 0))
+ goto lose;
+ total_size += num_types * sizeof (struct ttinfo);
+ if (__builtin_expect (chars > SIZE_MAX - total_size, 0))
+ goto lose;
+ total_size += chars;
+ if (__builtin_expect (__alignof__ (struct leap) - 1 > SIZE_MAX - total_size, 0))
+ goto lose;
 total_size = ((total_size + __alignof__ (struct leap) - 1) & ~(__alignof__ (struct leap) - 1));
 leaps_idx = total_size;
+ if (__builtin_expect (num_leaps > (SIZE_MAX - total_size) / sizeof (struct leap), 0))
+ goto lose;
 total_size += num_leaps * sizeof (struct leap);
- tzspec_len = (sizeof (time_t) == 8 && trans_width == 8
- ? st.st_size - (ftello (f)
- + num_transitions * (8 + 1)
- + num_types * 6
- + chars
- + num_leaps * 12
- + num_isstd
- + num_isgmt) - 1 : 0);
+ tzspec_len = 0;
+ if (sizeof (time_t) == 8 && trans_width == 8)
+ {
+ off_t rem = st.st_size - ftello (f);
+ if (__builtin_expect (rem < 0 || (size_t) rem < (num_transitions * (8 + 1) + num_types * 6 + chars), 0))
+ goto lose;
+ tzspec_len = (size_t) rem - (num_transitions * (8 + 1) + num_types * 6 + chars);
+ if (__builtin_expect (num_leaps > SIZE_MAX / 12 || tzspec_len < num_leaps * 12, 0))
+ goto lose;
+ tzspec_len -= num_leaps * 12;
+ if (__builtin_expect (tzspec_len < num_isstd, 0))
+ goto lose;
+ tzspec_len -= num_isstd;
+ if (__builtin_expect (tzspec == 0 || tzspec_len - 1 < num_isgmt, 0))
+ goto lose;
+ tzspec_len -= num_isgmt + 1;
+ if (__builtin_expect (SIZE_MAX - total_size < tzspec_len, 0))
+ goto lose;
+ }
+ if (__builtin_expect (SIZE_MAX - total_size - tzspec_len < extra, 0))
+ goto lose;
 /* Allocate enough memory including the extra block requested by the caller. */
And fix the previous patch ...
--- a/time/tzfile.c.orig 2011-12-19 10:58:26.000000000 +0100
+++ b/time/tzfile.c 2011-12-19 10:59:35.000000000 +0100
@@ -19,6 +19,7 @@
 #include <assert.h>
 #include <limits.h>
+#include <stdint.h>
 #include <stdio.h>
 #include <stdio_ext.h>
 #include <stdlib.h>
@@ -278,7 +279,7 @@
 if (__builtin_expect (tzspec_len < num_isstd, 0))
 goto lose;
 tzspec_len -= num_isstd;
- if (__builtin_expect (tzspec == 0 || tzspec_len - 1 < num_isgmt, 0))
+ if (__builtin_expect (tzspec_len == 0 || tzspec_len - 1 < num_isgmt, 0))
 goto lose;
 tzspec_len -= num_isgmt + 1;
 if (__builtin_expect (SIZE_MAX - total_size < tzspec_len, 0))
--
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
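Review bot: The new 64-bit branch derives the size of the fixed-width records from bare literals (`8 + 1`, `6`, `12`) and spells out the sum `num_transitions * (8 + 1) + num_types * 6 + chars` twice, once in the `rem` check and once in the `tzspec_len` assignment; hoisting it into one local, `size_t fixed = num_transitions * (8 + 1) + num_types * 6 + chars;`, used by both, and prefacing it with a comment such as `/* On-disk sizes of the 64-bit records: 8-byte time + 1-byte type index per transition, 6 bytes per ttinfo, 12 bytes per leap record; see tzfile(5).  */` would make the bound auditable at a glance. That sum cannot itself wrap only because each term is no larger than the term the preceding checks already folded into total_size (`8 + 1` equals `sizeof (time_t) + 1` in this branch, and 6 is presumably no larger than sizeof (struct ttinfo), whose definition is not visible here), and the comment should state that rather than leave the next reader to re-derive it. num_isstd and num_isgmt are bounded in this hunk only against the bytes left in the file, not against num_types; if the indicator loops later in __tzfile_read index types[] by those counts without a bound of their own (outside this hunk), a separate `if (num_isstd > num_types || num_isgmt > num_types) goto lose;` is still needed. __tzfile_read begins and ends outside the hunk.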
