Author: aurel32
Date: 2014-07-10 19:52:34 +0000 (Thu, 10 Jul 2014)
New Revision: 6202

Added:
   
glibc-package/branches/glibc-branch-wheezy/debian/patches/any/submitted-CVE-2014-0475.diff
   
glibc-package/branches/glibc-branch-wheezy/debian/patches/any/submitted-setlocale-alloca.diff
Modified:
   glibc-package/branches/glibc-branch-wheezy/debian/changelog
   glibc-package/branches/glibc-branch-wheezy/debian/patches/series
Log:
Import version 2.13-38+deb7u3 from the debian-security repository


Modified: glibc-package/branches/glibc-branch-wheezy/debian/changelog
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/changelog 2014-07-10 
19:49:24 UTC (rev 6201)
+++ glibc-package/branches/glibc-branch-wheezy/debian/changelog 2014-07-10 
19:52:34 UTC (rev 6202)
@@ -1,3 +1,11 @@
+eglibc (2.13-38+deb7u3) wheezy-security; urgency=high
+
+  * debian/patches/any/submitted-CVE-2014-0475.diff: setlocale security fix.
+  * debian/patches/any/submitted-setlocale-alloca: Additional setlocale
+    hardening.
+
+ -- Florian Weimer <f...@deneb.enyo.de>  Tue, 08 Jul 2014 20:59:10 +0200
+
 eglibc (2.13-38+deb7u2) wheezy; urgency=medium
 
   [ Aurelien Jarno ]

Added: 
glibc-package/branches/glibc-branch-wheezy/debian/patches/any/submitted-CVE-2014-0475.diff
===================================================================
--- 
glibc-package/branches/glibc-branch-wheezy/debian/patches/any/submitted-CVE-2014-0475.diff
                          (rev 0)
+++ 
glibc-package/branches/glibc-branch-wheezy/debian/patches/any/submitted-CVE-2014-0475.diff
  2014-07-10 19:52:34 UTC (rev 6202)
@@ -0,0 +1,123 @@
+From: Florian Weimer <fwei...@redhat.com>
+Date: Mon, 12 May 2014 15:24:12 +0200
+Subject: [PATCH 2/3] _nl_find_locale: Improve handling of crafted locale names
+
+Index: eglibc-2.13/locale/findlocale.c
+===================================================================
+--- eglibc-2.13.orig/locale/findlocale.c       2010-01-26 12:27:38.000000000 
+0100
++++ eglibc-2.13/locale/findlocale.c    2014-07-08 20:57:26.329498374 +0200
+@@ -18,6 +18,7 @@
+    02111-1307 USA.  */
+ 
+ #include <assert.h>
++#include <errno.h>
+ #include <locale.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -58,6 +59,45 @@
+ 
+ const char _nl_default_locale_path[] attribute_hidden = LOCALEDIR;
+ 
++/* Checks if the name is actually present, that is, not NULL and not
++   empty.  */
++static inline int
++name_present (const char *name)
++{
++  return name != NULL && name[0] != '\0';
++}
++
++/* Checks that the locale name neither extremely long, nor contains a
++   ".." path component (to prevent directory traversal).  */
++static inline int
++valid_locale_name (const char *name)
++{
++  /* Not set.  */
++  size_t namelen = strlen (name);
++  /* Name too long.  The limit is arbitrary and prevents stack overflow
++     issues later.  */
++  if (__glibc_unlikely (namelen > 255))
++    return 0;
++  /* Directory traversal attempt.  */
++  static const char slashdot[4] = {'/', '.', '.', '/'};
++  if (__glibc_unlikely (memmem (name, namelen,
++                              slashdot, sizeof (slashdot)) != NULL))
++    return 0;
++  if (namelen == 2 && __glibc_unlikely (name[0] == '.' && name [1] == '.'))
++    return 0;
++  if (namelen >= 3
++      && __glibc_unlikely (((name[0] == '.'
++                           && name[1] == '.'
++                           && name[2] == '/')
++                          || (name[namelen - 3] == '/'
++                              && name[namelen - 2] == '.'
++                              && name[namelen - 1] == '.'))))
++    return 0;
++  /* If there is a slash in the name, it must start with one.  */
++  if (__glibc_unlikely (memchr (name, '/', namelen) != NULL) && name[0] != 
'/')
++    return 0;
++  return 1;
++}
+ 
+ struct __locale_data *
+ internal_function
+@@ -66,7 +106,7 @@
+ {
+   int mask;
+   /* Name of the locale for this category.  */
+-  char *loc_name;
++  char *loc_name = (char *) *name;
+   const char *language;
+   const char *modifier;
+   const char *territory;
+@@ -74,31 +114,39 @@
+   const char *normalized_codeset;
+   struct loaded_l10nfile *locale_file;
+ 
+-  if ((*name)[0] == '\0')
++  if (loc_name[0] == '\0')
+     {
+       /* The user decides which locale to use by setting environment
+        variables.  */
+-      *name = getenv ("LC_ALL");
+-      if (*name == NULL || (*name)[0] == '\0')
+-      *name = getenv (_nl_category_names.str
++      loc_name = getenv ("LC_ALL");
++      if (!name_present (loc_name))
++      loc_name = getenv (_nl_category_names.str
+                       + _nl_category_name_idxs[category]);
+-      if (*name == NULL || (*name)[0] == '\0')
+-      *name = getenv ("LANG");
++      if (!name_present (loc_name))
++      loc_name = getenv ("LANG");
++      if (!name_present (loc_name))
++      loc_name = (char *) _nl_C_name;
+     }
+ 
+-  if (*name == NULL || (*name)[0] == '\0'
+-      || (__builtin_expect (__libc_enable_secure, 0)
+-        && strchr (*name, '/') != NULL))
+-    *name = (char *) _nl_C_name;
++  /* We used to fall back to the C locale if the name contains a slash
++     character '/', but we now check for directory traversal in
++     valid_locale_name, so this is no longer necessary.  */
+ 
+-  if (__builtin_expect (strcmp (*name, _nl_C_name), 1) == 0
+-      || __builtin_expect (strcmp (*name, _nl_POSIX_name), 1) == 0)
++  if (__builtin_expect (strcmp (loc_name, _nl_C_name), 1) == 0
++      || __builtin_expect (strcmp (loc_name, _nl_POSIX_name), 1) == 0)
+     {
+       /* We need not load anything.  The needed data is contained in
+        the library itself.  */
+       *name = (char *) _nl_C_name;
+       return _nl_C[category];
+     }
++  else if (!valid_locale_name (loc_name))
++    {
++      __set_errno (EINVAL);
++      return NULL;
++    }
++
++  *name = loc_name;
+ 
+   /* We really have to load some data.  First we try the archive,
+      but only if there was no LOCPATH environment variable specified.  */
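Review bot: The `/* Not set.  */` comment above `size_t namelen = strlen (name);` in valid_locale_name does not describe that line and looks like a leftover from an earlier draft; either drop it or make it state what the function relies on, e.g. `/* Caller guarantees a non-NULL name.  */` (every path in the hunk that reaches the call passes *name, a non-empty getenv result, or _nl_C_name). The function's header comment also lacks a verb: `Checks that the locale name is neither extremely long nor contains a ".." path component`. Removing the `__libc_enable_secure && strchr (*name, '/')` fallback means a name beginning with '/' is now accepted in AT_SECURE processes as well, since valid_locale_name only requires that any slash be the leading one; the replacement comment would be more useful if it also said how such a name is resolved by the lookup code after the hunk (presumably relative to the locale search path rather than as an absolute path), because that is what the old check guarded against. _nl_find_locale's signature and the rest of its body lie outside the hunk.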

Added: 
glibc-package/branches/glibc-branch-wheezy/debian/patches/any/submitted-setlocale-alloca.diff
===================================================================
--- 
glibc-package/branches/glibc-branch-wheezy/debian/patches/any/submitted-setlocale-alloca.diff
                               (rev 0)
+++ 
glibc-package/branches/glibc-branch-wheezy/debian/patches/any/submitted-setlocale-alloca.diff
       2014-07-10 19:52:34 UTC (rev 6202)
@@ -0,0 +1,57 @@
+From: Florian Weimer <fwei...@redhat.com>
+Date: Wed, 28 May 2014 14:41:52 +0200
+Subject: [PATCH 1/3] setlocale: Use the heap for the copy of the locale
+ argument
+
+---
+ ChangeLog          |  5 +++++
+ locale/setlocale.c | 14 ++++++++++++--
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+Index: eglibc-2.13/locale/setlocale.c
+===================================================================
+--- eglibc-2.13.orig/locale/setlocale.c        2014-07-08 20:49:34.000000000 
+0200
++++ eglibc-2.13/locale/setlocale.c     2014-07-08 20:52:35.307469666 +0200
+@@ -244,6 +244,8 @@
+        of entries of the form `CATEGORY=VALUE'.  */
+       const char *newnames[__LC_LAST];
+       struct __locale_data *newdata[__LC_LAST];
++      /* Copy of the locale argument, for in-place splitting.  */
++      char *locale_copy = NULL;
+ 
+       /* Set all name pointers to the argument name.  */
+       for (category = 0; category < __LC_LAST; ++category)
+@@ -253,7 +255,13 @@
+       if (__builtin_expect (strchr (locale, ';') != NULL, 0))
+       {
+         /* This is a composite name.  Make a copy and split it up.  */
+-        char *np = strdupa (locale);
++        locale_copy = strdup (locale);
++        if (__glibc_unlikely (locale_copy == NULL))
++          {
++            __libc_rwlock_unlock (__libc_setlocale_lock);
++            return NULL;
++          }
++        char *np = locale_copy;
+         char *cp;
+         int cnt;
+ 
+@@ -271,6 +279,7 @@
+               {
+               error_return:
+                 __libc_rwlock_unlock (__libc_setlocale_lock);
++                free (locale_copy);
+ 
+                 /* Bogus category name.  */
+                 ERROR_RETURN;
+@@ -363,8 +372,9 @@
+       /* Critical section left.  */
+       __libc_rwlock_unlock (__libc_setlocale_lock);
+ 
+-      /* Free the resources (the locale path variable).  */
++      /* Free the resources.  */
+       free (locale_path);
++      free (locale_copy);
+ 
+       return composite;
+     }
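Review bot: The strdup-failure path added after `locale_copy = strdup (locale);` unlocks and returns NULL directly, while the bogus-category path in the next hunk goes through `ERROR_RETURN` (which, as far as I recall, sets EINVAL); if the difference is deliberate so that the ENOMEM set by strdup is preserved, record that with `/* Keep errno from strdup; do not replace it with EINVAL.  */` above the return. The three exits visible in the hunks (strdup failure, error_return, and the final unlock) all release locale_copy, but any other return or goto out of the composite branch between the strdup and the final unlock, which this patch does not show, would need the same `free (locale_copy);`. Because newnames[] now points into heap memory that is freed before `return composite;`, it is also worth confirming that every category name retained past the return is copied first; the code between the hunks is not visible here.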

Modified: glibc-package/branches/glibc-branch-wheezy/debian/patches/series
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/patches/series    
2014-07-10 19:49:24 UTC (rev 6201)
+++ glibc-package/branches/glibc-branch-wheezy/debian/patches/series    
2014-07-10 19:52:34 UTC (rev 6202)
@@ -388,3 +388,5 @@
 any/local-ldconfig-ignore-ld.so.diff
 any/cvs-nl_langinfo-static.diff
 any/cvs-socketcall-syscall.diff
+any/submitted-setlocale-alloca.diff
+any/submitted-CVE-2014-0475.diff

