This is an automated email from the git hooks/post-receive script. aurel32 pushed a commit to branch wheezy in repository glibc.
commit 01d769fb761f0cbd9d07af20ec7ba407b61dd54d Author: Aurelien Jarno <[email protected]> Date: Mon Feb 1 08:21:28 2016 +0100 patches/any/cvs-hcreate.diff: new patch from upstream to fix an integer overflow in hcreate() and hcreate_r() (CVE-2015-8778). Closes: #812441. --- debian/changelog | 2 + debian/patches/any/cvs-hcreate.diff | 161 ++++++++++++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 164 insertions(+) diff --git a/debian/changelog b/debian/changelog index dc60326..a3ca112 100644 --- a/debian/changelog +++ b/debian/changelog @@ -4,6 +4,8 @@ eglibc (2.13-38+deb7u10) UNRELEASED; urgency=medium * patches/any/cvs-strftime.diff: new patch from upstream to fix segmentation fault caused by passing out-of-range data to strftime() (CVE-2015-8776). Closes: #812445. + * patches/any/cvs-hcreate.diff: new patch from upstream to fix an integer + overflow in hcreate() and hcreate_r() (CVE-2015-8778). Closes: #812441. -- Aurelien Jarno <[email protected]> Sun, 31 Jan 2016 12:55:29 +0100 diff --git a/debian/patches/any/cvs-hcreate.diff b/debian/patches/any/cvs-hcreate.diff new file mode 100644 index 0000000..22d7fe3 --- /dev/null +++ b/debian/patches/any/cvs-hcreate.diff @@ -0,0 +1,161 @@ +2016-01-27 Paul Eggert <[email protected]> + + [BZ #18240] + * misc/hsearch_r.c (isprime, __hcreate_r): Protect against + unsigned int wraparound. + +2016-01-27 Florian Weimer <[email protected]> + + [BZ #18240] + * misc/bug18240.c: New test. + * misc/Makefile (tests): Add it. + +2015-08-25 Ondřej Bílka <[email protected]> + + [BZ #18240] + * misc/hsearch_r.c (__hcreate_r): Handle overflow. + +--- a/misc/hsearch_r.c ++++ b/misc/hsearch_r.c +@@ -21,7 +21,7 @@ + #include <errno.h> + #include <malloc.h> + #include <string.h> +- ++#include <stdint.h> + #include <search.h> + + /* [Aho,Sethi,Ullman] Compilers: Principles, Techniques and Tools, 1986 +@@ -48,15 +48,12 @@ + isprime (unsigned int number) + { + /* no even number will be passed */ +- unsigned int div = 3; +- +- while (div * div < number && number % div != 0) +- div += 2; +- +- return number % div != 0; ++ for (unsigned int div = 3; div <= number / div; div += 2) ++ if (number % div == 0) ++ return 0; ++ return 1; + } + +- + /* Before using the hash table we must allocate memory for it. + Test for an existing table are done. We allocate one element + more as the found prime number says. This is done for more effective +@@ -83,10 +80,19 @@ + use will not work. */ + if (nel < 3) + nel = 3; +- /* Change nel to the first prime number not smaller as nel. */ +- nel |= 1; /* make odd */ +- while (!isprime (nel)) +- nel += 2; ++ ++ /* Change nel to the first prime number in the range [nel, UINT_MAX - 2], ++ The '- 2' means 'nel += 2' cannot overflow. */ ++ for (nel |= 1; ; nel += 2) ++ { ++ if (UINT_MAX - 2 < nel) ++ { ++ __set_errno (ENOMEM); ++ return 0; ++ } ++ if (isprime (nel)) ++ break; ++ } + + htab->size = nel; + htab->filled = 0; +--- a/misc/Makefile ++++ b/misc/Makefile +@@ -86,7 +86,7 @@ + gpl2lgpl := error.c error.h + + tests := tst-dirname tst-tsearch tst-fdset tst-mntent tst-hsearch \ +- tst-pselect tst-insremque tst-mntent2 bug-hsearch1 ++ tst-pselect tst-insremque tst-mntent2 bug-hsearch1 bug18240 + tests-$(OPTION_POSIX_WIDE_CHAR_DEVICE_IO) += tst-error1 + tests-$(OPTION_EGLIBC_FCVT) += tst-efgcvt + # eglibc: ifeq (no,$(cross-compiling)) +--- /dev/null ++++ b/misc/bug18240.c +@@ -0,0 +1,75 @@ ++/* Test integer wraparound in hcreate. ++ Copyright (C) 2016 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include <errno.h> ++#include <limits.h> ++#include <search.h> ++#include <stdbool.h> ++#include <stdio.h> ++#include <stdlib.h> ++ ++static void ++test_size (size_t size) ++{ ++ int res = hcreate (size); ++ if (res == 0) ++ { ++ if (errno == ENOMEM) ++ return; ++ printf ("error: hcreate (%zu): %m\n", size); ++ exit (1); ++ } ++ char *keys[100]; ++ for (int i = 0; i < 100; ++i) ++ { ++ if (asprintf (keys + i, "%d", i) < 0) ++ { ++ printf ("error: asprintf: %m\n"); ++ exit (1); ++ } ++ ENTRY e = { keys[i], (char *) "value" }; ++ if (hsearch (e, ENTER) == NULL) ++ { ++ printf ("error: hsearch (\"%s\"): %m\n", keys[i]); ++ exit (1); ++ } ++ } ++ hdestroy (); ++ ++ for (int i = 0; i < 100; ++i) ++ free (keys[i]); ++} ++ ++static int ++do_test (void) ++{ ++ test_size (500); ++ test_size (-1); ++ test_size (-3); ++ test_size (INT_MAX - 2); ++ test_size (INT_MAX - 1); ++ test_size (INT_MAX); ++ test_size (((unsigned) INT_MAX) + 1); ++ test_size (UINT_MAX - 2); ++ test_size (UINT_MAX - 1); ++ test_size (UINT_MAX); ++ return 0; ++} ++ ++#define TEST_FUNCTION do_test () ++#include "../test-skeleton.c" diff --git a/debian/patches/series b/debian/patches/series index 668cc56..dc846f8 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -410,3 +410,4 @@ any/cvs-_IO_wstr_overflow.diff any/cvs-ld_pointer_guard.diff any/cvs-strxfrm-buffer-overflows.diff any/cvs-strftime.diff +any/cvs-hcreate.diff -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-glibc/glibc.git
