Author: aurel32 Date: 2014-07-10 19:52:34 +0000 (Thu, 10 Jul 2014) New Revision: 6202
Added:
glibc-package/branches/glibc-branch-wheezy/debian/patches/any/submitted-CVE-2014-0475.diff
glibc-package/branches/glibc-branch-wheezy/debian/patches/any/submitted-setlocale-alloca.diff
Modified:
glibc-package/branches/glibc-branch-wheezy/debian/changelog
glibc-package/branches/glibc-branch-wheezy/debian/patches/series
Log:
Import version 2.13-38+deb7u3 from the debian-security repository

Modified: glibc-package/branches/glibc-branch-wheezy/debian/changelog
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/changelog 2014-07-10 19:49:24 UTC (rev 6201)
+++ glibc-package/branches/glibc-branch-wheezy/debian/changelog 2014-07-10 19:52:34 UTC (rev 6202)
@@ -1,3 +1,11 @@
+eglibc (2.13-38+deb7u3) wheezy-security; urgency=high
+
+ * debian/patches/any/submitted-CVE-2014-0475.diff: setlocale security fix.
+ * debian/patches/any/submitted-setlocale-alloca: Additional setlocale
+ hardening.
+
+ -- Florian Weimer <f...@deneb.enyo.de> Tue, 08 Jul 2014 20:59:10 +0200
+
 eglibc (2.13-38+deb7u2) wheezy; urgency=medium
 [ Aurelien Jarno ]

Added: glibc-package/branches/glibc-branch-wheezy/debian/patches/any/submitted-CVE-2014-0475.diff
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/patches/any/submitted-CVE-2014-0475.diff (rev 0)
+++ glibc-package/branches/glibc-branch-wheezy/debian/patches/any/submitted-CVE-2014-0475.diff 2014-07-10 19:52:34 UTC (rev 6202)
@@ -0,0 +1,123 @@
+From: Florian Weimer <fwei...@redhat.com>
+Date: Mon, 12 May 2014 15:24:12 +0200
+Subject: [PATCH 2/3] _nl_find_locale: Improve handling of crafted locale names
+
+Index: eglibc-2.13/locale/findlocale.c
+===================================================================
+--- eglibc-2.13.orig/locale/findlocale.c 2010-01-26 12:27:38.000000000 +0100
++++ eglibc-2.13/locale/findlocale.c 2014-07-08 20:57:26.329498374 +0200
+@@ -18,6 +18,7 @@
+ 02111-1307 USA. */
+
+ #include <assert.h>
++#include <errno.h>
+ #include <locale.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -58,6 +59,45 @@
+
+ const char _nl_default_locale_path[] attribute_hidden = LOCALEDIR;
+
++/* Checks if the name is actually present, that is, not NULL and not
++ empty. */
++static inline int
++name_present (const char *name)
++{
++ return name != NULL && name[0] != '\0';
++}
+
++/* Checks that the locale name neither extremely long, nor contains a
++ ".." path component (to prevent directory traversal). */
++static inline int
++valid_locale_name (const char *name)
++{
++ /* Not set. */
++ size_t namelen = strlen (name);
++ /* Name too long. The limit is arbitrary and prevents stack overflow
++ issues later. */
++ if (__glibc_unlikely (namelen > 255))
++ return 0;
++ /* Directory traversal attempt. */
++ static const char slashdot[4] = {'/', '.', '.', '/'};
++ if (__glibc_unlikely (memmem (name, namelen,
++ slashdot, sizeof (slashdot)) != NULL))
++ return 0;
++ if (namelen == 2 && __glibc_unlikely (name[0] == '.' && name [1] == '.'))
++ return 0;
++ if (namelen >= 3
++ && __glibc_unlikely (((name[0] == '.'
++ && name[1] == '.'
++ && name[2] == '/')
++ || (name[namelen - 3] == '/'
++ && name[namelen - 2] == '.'
++ && name[namelen - 1] == '.'))))
++ return 0;
++ /* If there is a slash in the name, it must start with one. */
++ if (__glibc_unlikely (memchr (name, '/', namelen) != NULL) && name[0] != '/')
++ return 0;
++ return 1;
++}
+
+ struct __locale_data *
+ internal_function
+@@ -66,7 +106,7 @@
+ {
+ int mask;
+ /* Name of the locale for this category. */
+- char *loc_name;
++ char *loc_name = (char *) *name;
+ const char *language;
+ const char *modifier;
+ const char *territory;
+@@ -74,31 +114,39 @@
+ const char *normalized_codeset;
+ struct loaded_l10nfile *locale_file;
+
+- if ((*name)[0] == '\0')
++ if (loc_name[0] == '\0')
+ {
+ /* The user decides which locale to use by setting environment
+ variables. */
+- *name = getenv ("LC_ALL");
+- if (*name == NULL || (*name)[0] == '\0')
+- *name = getenv (_nl_category_names.str
++ loc_name = getenv ("LC_ALL");
++ if (!name_present (loc_name))
++ loc_name = getenv (_nl_category_names.str
+ + _nl_category_name_idxs[category]);
+- if (*name == NULL || (*name)[0] == '\0')
+- *name = getenv ("LANG");
++ if (!name_present (loc_name))
++ loc_name = getenv ("LANG");
++ if (!name_present (loc_name))
++ loc_name = (char *) _nl_C_name;
+ }
+
+- if (*name == NULL || (*name)[0] == '\0'
+- || (__builtin_expect (__libc_enable_secure, 0)
+- && strchr (*name, '/') != NULL))
+- *name = (char *) _nl_C_name;
++ /* We used to fall back to the C locale if the name contains a slash
++ character '/', but we now check for directory traversal in
++ valid_locale_name, so this is no longer necessary. */
+
+- if (__builtin_expect (strcmp (*name, _nl_C_name), 1) == 0
+- || __builtin_expect (strcmp (*name, _nl_POSIX_name), 1) == 0)
++ if (__builtin_expect (strcmp (loc_name, _nl_C_name), 1) == 0
++ || __builtin_expect (strcmp (loc_name, _nl_POSIX_name), 1) == 0)
+ {
+ /* We need not load anything. The needed data is contained in
+ the library itself. */
+ *name = (char *) _nl_C_name;
+ return _nl_C[category];
+ }
++ else if (!valid_locale_name (loc_name))
++ {
++ __set_errno (EINVAL);
++ return NULL;
++ }
+
++ *name = loc_name;
+
+ /* We really have to load some data. First we try the archive,
+ but only if there was no LOCPATH environment variable specified. */

Added: glibc-package/branches/glibc-branch-wheezy/debian/patches/any/submitted-setlocale-alloca.diff
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/patches/any/submitted-setlocale-alloca.diff (rev 0)
+++ glibc-package/branches/glibc-branch-wheezy/debian/patches/any/submitted-setlocale-alloca.diff 2014-07-10 19:52:34 UTC (rev 6202)
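Review bot: The removed `__libc_enable_secure && strchr (*name, '/')` fallback in _nl_find_locale is not fully replaced by `valid_locale_name`, which deliberately accepts any name that begins with `/`; a set-user-ID process that used to be forced to the C locale for such a name now hands it to the loader, and the comment that replaces the check claims equivalence it does not have. Unless the loading code after this hunk re-checks secure mode itself, keep the old behaviour next to the new validation, e.g. `if (__builtin_expect (__libc_enable_secure, 0) && strchr (loc_name, '/') != NULL) loc_name = (char *) _nl_C_name;` placed before the C/POSIX strcmp. _nl_find_locale continues past the end of the hunk, so whether a later check covers this cannot be seen here. The comment on the 255-byte limit says it prevents stack overflow "later" without naming the dependent code; since the companion patch in this commit replaces a `strdupa` in setlocale, it should identify which remaining stack copies (presumably alloca-based, in the loader path) rely on the bound so the two are not changed independently. Minor style: `name [1]` should be `name[1]` to match the neighbouring indexing.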
@@ -0,0 +1,57 @@
+From: Florian Weimer <fwei...@redhat.com>
+Date: Wed, 28 May 2014 14:41:52 +0200
+Subject: [PATCH 1/3] setlocale: Use the heap for the copy of the locale
+ argument
+
+---
+ ChangeLog | 5 +++++
+ locale/setlocale.c | 14 ++++++++++++--
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+Index: eglibc-2.13/locale/setlocale.c
+===================================================================
+--- eglibc-2.13.orig/locale/setlocale.c 2014-07-08 20:49:34.000000000 +0200
++++ eglibc-2.13/locale/setlocale.c 2014-07-08 20:52:35.307469666 +0200
+@@ -244,6 +244,8 @@
+ of entries of the form `CATEGORY=VALUE'. */
+ const char *newnames[__LC_LAST];
+ struct __locale_data *newdata[__LC_LAST];
++ /* Copy of the locale argument, for in-place splitting. */
++ char *locale_copy = NULL;
+
+ /* Set all name pointers to the argument name. */
+ for (category = 0; category < __LC_LAST; ++category)
+@@ -253,7 +255,13 @@
+ if (__builtin_expect (strchr (locale, ';') != NULL, 0))
+ {
+ /* This is a composite name. Make a copy and split it up. */
+- char *np = strdupa (locale);
++ locale_copy = strdup (locale);
++ if (__glibc_unlikely (locale_copy == NULL))
++ {
++ __libc_rwlock_unlock (__libc_setlocale_lock);
++ return NULL;
++ }
++ char *np = locale_copy;
+ char *cp;
+ int cnt;
+
+@@ -271,6 +279,7 @@
+ {
+ error_return:
+ __libc_rwlock_unlock (__libc_setlocale_lock);
++ free (locale_copy);
+
+ /* Bogus category name. */
+ ERROR_RETURN;
+@@ -363,8 +372,9 @@
+ /* Critical section left. */
+ __libc_rwlock_unlock (__libc_setlocale_lock);
+
+- /* Free the resources (the locale path variable). */
++ /* Free the resources. */
+ free (locale_path);
++ free (locale_copy);
+
+ return composite;
+ }

Modified: glibc-package/branches/glibc-branch-wheezy/debian/patches/series
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/patches/series 2014-07-10 19:49:24 UTC (rev 6201)
+++ glibc-package/branches/glibc-branch-wheezy/debian/patches/series 2014-07-10 19:52:34 UTC (rev 6202)
@@ -388,3 +388,5 @@
 any/local-ldconfig-ignore-ld.so.diff
 any/cvs-nl_langinfo-static.diff
 any/cvs-socketcall-syscall.diff
+any/submitted-setlocale-alloca.diff
+any/submitted-CVE-2014-0475.diff

-- 
To UNSUBSCRIBE, email to debian-glibc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/e1x5koq-0004h8...@moszumanska.debian.org
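Review bot: `locale_copy` is released on only two paths in this patch, the `error_return:` label and the tail before `return composite`; the old `strdupa` copy was released on every exit automatically, so any other return from setlocale between the new `strdup` and the tail (the bulk of the function is outside these hunks) would now leak the copy, and the change should be checked against the full function body. The early `return NULL` on strdup failure is correct in not reusing `error_return`, since that label presumably reports a bogus category through `ERROR_RETURN`, but a one-line comment saying so would stop a later cleanup from merging them. Because `np` points into `locale_copy` and the copy is freed before the function returns, the declaration comment should record the lifetime, e.g. `/* Copy of the locale argument, for in-place splitting.  Freed before return, so nothing derived from it may escape setlocale.  */`.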