Your message dated Tue, 5 Nov 2002 19:00:52 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Bug#167902: Acknowledgement (libc6 security patch)
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 5 Nov 2002 16:16:47 +0000
Date: Tue, 5 Nov 2002 17:16:43 +0100
From: Wichert Akkerman <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: libc6 security patch
Message-ID: <[EMAIL PROTECTED]>

Package: libc6
Severity: grave
Tags: woody, patch

This patch from August is still not applied to our libc6.

Wichert.

----- Forwarded message from Solar Designer <[EMAIL PROTECTED]> -----

From: Solar Designer <[EMAIL PROTECTED]>
Subject: glibc xdr_array and calloc patches
Date: Thu, 1 Aug 2002 10:32:07 +0400
Message-ID: <[EMAIL PROTECTED]>

Attached are the two patches against glibc 2.1.3.  Whoever first ports
them to the CVS version or 2.2.5 please post here for others to use
and also provide them to the glibc maintainers.  It should be trivial
to port (the xdr_array applies with exception for the added #include
and the calloc will need some obvious manual editing).

Both problems were still not fixed in the glibc CVS as of a few hours
ago.

-- 
/sd

diff -ur glibc-2.1.3.orig/sunrpc/rpc/types.h glibc-2.1.3/sunrpc/rpc/types.h
--- glibc-2.1.3.orig/sunrpc/rpc/types.h Fri Oct 16 13:43:49 1998
+++ glibc-2.1.3/sunrpc/rpc/types.h      Thu Aug  1 09:06:38 2002
@@ -55,6 +55,10 @@
 
 #include <stdlib.h>            /* For malloc decl.  */
 #define mem_alloc(bsize)       malloc(bsize)
+/*
+ * XXX: This must not use the second argument, or code in xdr_array.c needs
+ * to be modified.
+ */
 #define mem_free(ptr, bsize)   free(ptr)
 
 #ifndef makedev /* ie, we haven't already included it */
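
Review bot: The new comment above mem_free() records the constraint only
from this side and does not say which code in xdr_array.c depends on it.
Anyone who later redefines mem_free(ptr, bsize) to use bsize has to find
that place themselves. Name it here: the size check in xdr_array.c that
exempts XDR_FREE from the "c > UINT_MAX / elsize" test. Replacing the
"XXX" marker with a sentence stating the invariant would also help.
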
diff -ur glibc-2.1.3.orig/sunrpc/xdr_array.c glibc-2.1.3/sunrpc/xdr_array.c
--- glibc-2.1.3.orig/sunrpc/xdr_array.c Thu Jul 16 15:23:51 1998
+++ glibc-2.1.3/sunrpc/xdr_array.c      Thu Aug  1 09:07:45 2002
@@ -44,6 +44,7 @@
 #include <string.h>
 #include <rpc/types.h>
 #include <rpc/xdr.h>
+#include <limits.h>
 
 #define LASTUNSIGNED   ((u_int)0-1)
 
@@ -76,7 +77,11 @@
       return FALSE;
     }
   c = *sizep;
-  if ((c > maxsize) && (xdrs->x_op != XDR_FREE))
+  /*
+   * XXX: Let the overflow possibly happen with XDR_FREE because mem_free()
+   * doesn't actually use its second argument anyway.
+   */
+  if ((c > maxsize || c > UINT_MAX / elsize) && (xdrs->x_op != XDR_FREE))
     {
       return FALSE;
     }
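
Review bot: In the added condition "c > UINT_MAX / elsize", the division
is evaluated whenever "c > maxsize" is false, and nothing in the visible
lines rules out elsize == 0, which would make it a division by zero.
Put a guard in front of the division, for example
"elsize != 0 && c > UINT_MAX / elsize", or return FALSE early for a zero
elsize, so the overflow check cannot itself fault.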

diff -ur glibc-2.1.3.orig/malloc/malloc.c glibc-2.1.3/malloc/malloc.c
--- glibc-2.1.3.orig/malloc/malloc.c    Wed Feb 23 10:02:55 2000
+++ glibc-2.1.3/malloc/malloc.c Thu Aug  1 09:24:10 2002
@@ -3656,12 +3656,20 @@
 {
   arena *ar_ptr;
   mchunkptr p, oldtop;
-  INTERNAL_SIZE_T sz, csz, oldtopsize;
+  INTERNAL_SIZE_T bytes, sz, csz, oldtopsize;
   Void_t* mem;
 
+  /* size_t is unsigned so the behavior on overflow is defined;
+   * request2size() uses similar post-checks anyway. */
+  bytes = n * elem_size;
+  if (bytes / elem_size != n) {
+    __set_errno (ENOMEM);
+    return 0;
+  }
+
 #if defined _LIBC || defined MALLOC_HOOKS
   if (__malloc_hook != NULL) {
-    sz = n * elem_size;
+    sz = bytes;
 #if defined __GNUC__ && __GNUC__ >= 2
     mem = (*__malloc_hook)(sz, __builtin_return_address (0));
 #else
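
Review bot: The post-check "bytes / elem_size != n" divides by elem_size
before anything has ruled out elem_size == 0, and calloc(n, 0) is a legal
call, so this path can divide by zero. Test the divisor first, for example
"if (elem_size != 0 && bytes / elem_size != n)". That still rejects every
wrapped product, because a zero elem_size gives bytes == 0 and cannot
overflow.
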
@@ -3678,7 +3686,7 @@
   }
 #endif
 
-  if(request2size(n * elem_size, sz))
+  if(request2size(bytes, sz))
     return 0;
   arena_get(ar_ptr, sz);
   if(!ar_ptr)


----- End forwarded message -----

-- 
  _________________________________________________________________
 [EMAIL PROTECTED]         This space intentionally left occupied \
| [EMAIL PROTECTED]                    http://www.wiggy.net/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |

---------------------------------------
Received: (at 167902-done) by bugs.debian.org; 5 Nov 2002 18:00:54 +0000
Date: Tue, 5 Nov 2002 19:00:52 +0100
From: Wichert Akkerman <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Bug#167902: Acknowledgement (libc6 security patch)
Message-ID: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]> 
<[EMAIL PROTECTED]>

Guess I should have added a deb-src entry for security.d.o :(

Wichert.
