Author: aurel32
Date: 2010-06-04 16:15:12 +0000 (Fri, 04 Jun 2010)
New Revision: 4320

Added:
   glibc-package/branches/glibc-branch-lenny/debian/patches/any/cvs-strfmon.diff
Modified:
   glibc-package/branches/glibc-branch-lenny/debian/changelog
   glibc-package/branches/glibc-branch-lenny/debian/patches/series
Log:
  * patches/any/cvs-strfmon.diff: fix integer overflows in the strfmon.
    (CVE-2009-4880).



Modified: glibc-package/branches/glibc-branch-lenny/debian/changelog
===================================================================
--- glibc-package/branches/glibc-branch-lenny/debian/changelog  2010-06-04 
16:09:56 UTC (rev 4319)
+++ glibc-package/branches/glibc-branch-lenny/debian/changelog  2010-06-04 
16:15:12 UTC (rev 4320)
@@ -1,11 +1,13 @@
 glibc (2.7-18lenny3) UNRELEASED; urgency=low
 
+  * patches/any/cvs-strfmon.diff: fix integer overflows in the strfmon.
+    (CVE-2009-4880).
   * patches/any/cvs-mntent.diff: fix mntent newline processing error 
     (CVE-2010-0296).  Closes: bug#583908.
   * patches/any/cvs-ld-elf.diff: fix integer signedness error in ld.so
     (CVE-2010-0830).
 
- -- Aurelien Jarno <[email protected]>  Thu, 03 Jun 2010 09:32:40 +0200
+ -- Aurelien Jarno <[email protected]>  Fri, 04 Jun 2010 18:14:08 +0200
 
 glibc (2.7-18lenny2) stable-security; urgency=low
 

Added: 
glibc-package/branches/glibc-branch-lenny/debian/patches/any/cvs-strfmon.diff
===================================================================
--- 
glibc-package/branches/glibc-branch-lenny/debian/patches/any/cvs-strfmon.diff   
                            (rev 0)
+++ 
glibc-package/branches/glibc-branch-lenny/debian/patches/any/cvs-strfmon.diff   
    2010-06-04 16:15:12 UTC (rev 4320)
@@ -0,0 +1,71 @@
+2009-04-18  Ulrich Drepper  <[email protected]>
+ 
+       * stdlib/strfmon_l.c (__vstrfmon_l): Don't wrap when computing width.
+       Numerically stable check for valid width.
+
+diff --git a/stdlib/strfmon_l.c b/stdlib/strfmon_l.c
+index c9f3a47..8e63d45 100644
+--- a/stdlib/strfmon_l.c
++++ b/stdlib/strfmon_l.c
+@@ -1,5 +1,5 @@
+ /* Formatting a monetary value according to the given locale.
+-   Copyright (C) 1996, 1997, 2002, 2004, 2006 Free Software Foundation, Inc.
++   Copyright (C) 1996,1997,2002,2004,2006,2009 Free Software Foundation, Inc.
+    This file is part of the GNU C Library.
+    Contributed by Ulrich Drepper <[email protected]>, 1996.
+ 
+@@ -133,7 +133,7 @@ __vstrfmon_l (char *s, size_t maxsize, __locale_t loc, 
const char *format,
+       int done;
+       const char *currency_symbol;
+       size_t currency_symbol_len;
+-      int width;
++      long int width;
+       char *startp;
+       const void *ptr;
+       char space_char;
+@@ -221,13 +221,21 @@ __vstrfmon_l (char *s, size_t maxsize, __locale_t loc, 
const char *format,
+ 
+         while (isdigit (*++fmt))
+           {
+-            width *= 10;
+-            width += to_digit (*fmt);
++            int val = to_digit (*fmt);
++
++            if (width > LONG_MAX / 10
++                || (width == LONG_MAX && val > LONG_MAX % 10))
++              {
++                __set_errno (E2BIG);
++                return -1;
++              }
++
++            width = width * 10 + val;
+           }
+ 
+         /* If we don't have enough room for the demanded width we
+            can stop now and return an error.  */
+-        if (dest + width >= s + maxsize)
++        if (width >= maxsize - (dest - s))
+           {
+             __set_errno (E2BIG);
+             return -1;
+@@ -560,7 +568,7 @@ __vstrfmon_l (char *s, size_t maxsize, __locale_t loc, 
const char *format,
+               out_char (space_char);
+             out_nstring (currency_symbol, currency_symbol_len);
+           }
+-          
++
+         if (sign_posn == 4)
+           {
+             if (sep_by_space == 2)
+@@ -589,9 +597,8 @@ __vstrfmon_l (char *s, size_t maxsize, __locale_t loc, 
const char *format,
+           while (dest - startp < width);
+         else
+           {
+-            int dist = width - (dest - startp);
+-            char *cp;
+-            for (cp = dest - 1; cp >= startp; --cp)
++            long int dist = width - (dest - startp);
++            for (char *cp = dest - 1; cp >= startp; --cp)
+               cp[dist] = cp[0];
+ 
+             dest += dist;
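Review bot: The second clause of the new overflow guard in the `while (isdigit (*++fmt))` loop tests `width == LONG_MAX`, which the first clause `width > LONG_MAX / 10` already covers, so that clause can never be the one that fires. The boundary case it is presumably meant to catch is `width == LONG_MAX / 10` with `val > LONG_MAX % 10`, and there `width = width * 10 + val` still overflows a signed `long int`, which is undefined behaviour. The clause should read `|| (width == LONG_MAX / 10 && val > LONG_MAX % 10))`. The following `width >= maxsize - (dest - s)` test is only meaningful if the accumulation did not wrap, so the guard needs to be exact. `__vstrfmon_l` begins and ends outside these hunks, so whether `<limits.h>` is already included for `LONG_MAX` cannot be confirmed from here.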

Modified: glibc-package/branches/glibc-branch-lenny/debian/patches/series
===================================================================
--- glibc-package/branches/glibc-branch-lenny/debian/patches/series     
2010-06-04 16:09:56 UTC (rev 4319)
+++ glibc-package/branches/glibc-branch-lenny/debian/patches/series     
2010-06-04 16:15:12 UTC (rev 4320)
@@ -235,3 +235,4 @@
 any/submitted-nis-shadow.diff -p1
 any/cvs-mntent.diff -p1
 any/cvs-ld-elf.diff -p1
+any/cvs-strfmon.diff -p1

