This is an automated email from the git hooks/post-receive script. aurel32 pushed a commit to branch sid in repository glibc.
commit 5d5bd4b533c43d6887101493e7ffaca89ac501a1 Author: Aurelien Jarno <aurel...@aurel32.net> Date: Sat Dec 16 15:37:33 2017 +0100 debian/patches/git-updates.diff: update from upstream stable branch: * debian/patches/git-updates.diff: update from upstream stable branch: - Fix memory leak in ld.so (CVE-2017-1000408). Closes: #884132. - Fix buffer overflow in ld.so (CVE-2017-1000409). Closes: #884133. --- debian/changelog | 3 + debian/patches/git-updates.diff | 165 +++++++++++++++++++++++++++++++++++++--- 2 files changed, 157 insertions(+), 11 deletions(-) diff --git a/debian/changelog b/debian/changelog index f23313e..340239a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,6 +6,9 @@ glibc (2.25-5) UNRELEASED; urgency=medium [ Aurelien Jarno ] * debian/rules.d/debhelper.mk: strip all *crt*.o files, unless DEB_BUILD_OPTIONS contains nostrip. Closes: #884524. + * debian/patches/git-updates.diff: update from upstream stable branch: + - Fix memory leak in ld.so (CVE-2017-1000408). Closes: #884132. + - Fix buffer overflow in ld.so (CVE-2017-1000409). Closes: #884133. -- Aurelien Jarno <aure...@debian.org> Tue, 12 Dec 2017 23:52:07 +0100 diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff index 234ce99..793c02f 100644 --- a/debian/patches/git-updates.diff +++ b/debian/patches/git-updates.diff @@ -1,10 +1,30 @@ GIT update of git://sourceware.org/git/glibc.git/release/2.25/master from glibc-2.25 diff --git a/ChangeLog b/ChangeLog -index f140ee67de..574ea60130 100644 +index f140ee67de..1868c7a7be 100644 --- a/ChangeLog 
+++ b/ChangeLog -@@ -1,3 +1,714 @@ +@@ -1,3 +1,734 @@ ++2017-12-14 Florian Weimer <fwei...@redhat.com> ++ ++ [BZ #22607] ++ CVE-2017-1000409 ++ * elf/dl-load.c (_dl_init_paths): Compute number of components in ++ the expanded path string. ++ ++2017-12-14 Florian Weimer <fwei...@redhat.com> ++ ++ [BZ #22606] ++ CVE-2017-1000408 ++ * elf/dl-load.c (system_dirs): Update comment. ++ (nsystem_dirs_len): Use array_length. ++ (_dl_init_paths): Use nsystem_dirs_len to compute the array size. ++ ++2017-11-02 Florian Weimer <fwei...@redhat.com> ++ ++ Add array_length and array_end macros. ++ * include/array_length.h: New file. ++ +2017-12-12 James Clarke <jrt...@jrtc27.com> + + * sysdeps/unix/sysv/linux/ia64/ipc_priv.h: New file defining @@ -823,10 +843,10 @@ index e9194e54cf..43343f03ee 100644 | sed -n -f $< > $@.new test -s $@.new diff --git a/NEWS b/NEWS -index ec15dde761..0a8f20e371 100644 +index ec15dde761..2c4c9d63aa 100644 --- a/NEWS +++ b/NEWS -@@ -5,6 +5,47 @@ See the end for copying conditions. +@@ -5,6 +5,55 @@ See the end for copying conditions. Please send GNU C library bug reports via <http://sourceware.org/bugzilla/> using `glibc' in the "product" field. @@ -837,6 +857,10 @@ index ec15dde761..0a8f20e371 100644 +* The DNS stub resolver limits the advertised UDP buffer size to 1200 bytes, + to avoid fragmentation-based spoofing attacks. + ++ CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered ++ from a one-byte overflow during ~ operator processing (either on the stack ++ or the heap, depending on the length of the user name). ++ + CVE-2017-15671: The glob function, when invoked with GLOB_TILDE, + would sometimes fail to free memory allocated during ~ operator + processing, leading to a memory leak and, potentially, to a denial 
@@ -846,6 +870,17 @@ index ec15dde761..0a8f20e371 100644 + without GLOB_NOESCAPE, could write past the end of a buffer while + unescaping user names. Reported by Tim Rühsen. + ++ CVE-2017-1000408: Incorrect array size computation in _dl_init_paths leads ++ to the allocation of too much memory. (This is not a security bug per se, ++ it is mentioned here only because of the CVE assignment.) Reported by ++ Qualys. ++ ++ CVE-2017-1000409: Buffer overflow in _dl_init_paths due to miscomputation ++ of the number of search path components. (This is not a security ++ vulnerability per se because no trust boundary is crossed if the fix for ++ CVE-2017-1000366 has been applied, but it is mentioned here only because ++ of the CVE assignment.) Reported by Qualys. ++ +The following bugs are resolved with this release: + + [20257] sunrpc: clntudp_call does not enforce timeout when receiving data @@ -863,13 +898,6 @@ index ec15dde761..0a8f20e371 100644 + [21778] Robust mutex may deadlock + [21972] assert macro requires operator== (int) for its argument type + [22322] libc: [mips64] wrong bits/long-double.h installed -+ -+Security related changes: -+ -+ CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered -+ from a one-byte overflow during ~ operator processing (either on the stack -+ or the heap, depending on the length of the user name). -+ + Version 2.25 
@@ -1128,6 +1156,79 @@ index 61abeb59ee..cc4aeb25b6 100644
+ LD_HWCAP_MASK=0xffffffff
tst-env-setuid-tunables-ENV = \
GLIBC_TUNABLES=glibc.malloc.check=2:glibc.malloc.mmap_threshold=4096
+diff --git a/elf/dl-load.c b/elf/dl-load.c
+index a5318f9c8d..92303b08e6 100644
+--- a/elf/dl-load.c
++++ b/elf/dl-load.c
+@@ -37,6 +37,7 @@
+ #include <sysdep.h>
+ #include <stap-probe.h>
+ #include <libc-internal.h>
++#include <array_length.h>
+
+ #include <dl-dst.h>
+ #include <dl-load.h>
+@@ -103,7 +104,9 @@ static size_t ncapstr attribute_relro;
+ static size_t max_capstrlen attribute_relro;
+
+
+-/* Get the generated information about the trusted directories. */
++/* Get the generated information about the trusted directories. Use
++ an array of concatenated strings to avoid relocations. See
++ gen-trusted-dirs.awk. */
+ #include "trusted-dirs.h"
+
+ static const char system_dirs[] = SYSTEM_DIRS;
+@@ -111,9 +114,7 @@ static const size_t system_dirs_len[] =
+ {
+ SYSTEM_DIRS_LEN
+ };
+-#define nsystem_dirs_len \
+- (sizeof (system_dirs_len) / sizeof (system_dirs_len[0]))
+-
++#define nsystem_dirs_len array_length (system_dirs_len)
+
+ static bool
+ is_trusted_path (const char *path, size_t len)
+@@ -688,9 +689,8 @@ _dl_init_paths (const char *llp)
+ + ncapstr * sizeof (enum r_dir_status))
+ / sizeof (struct r_search_path_elem));
+
+- rtld_search_dirs.dirs[0] = (struct r_search_path_elem *)
+- malloc ((sizeof (system_dirs) / sizeof (system_dirs[0]))
+- * round_size * sizeof (struct r_search_path_elem));
++ rtld_search_dirs.dirs[0] = malloc (nsystem_dirs_len * round_size
++ * sizeof (*rtld_search_dirs.dirs[0]));
+ if (rtld_search_dirs.dirs[0] == NULL)
+ {
+ errstring = N_("cannot create cache for search path");
+@@ -776,8 +776,6 @@ _dl_init_paths (const char *llp)
+
+ if (llp != NULL && *llp != '\0')
+ {
+- size_t nllp;
+- const char *cp = llp;
+ char *llp_tmp;
+
+ #ifdef SHARED
+@@ -800,13 +798,10 @@ _dl_init_paths (const char *llp)
+
+ /* Decompose the LD_LIBRARY_PATH 
contents. First determine how many
+ elements it has. */
+- nllp = 1;
+- while (*cp)
+- {
+- if (*cp == ':' || *cp == ';')
+- ++nllp;
+- ++cp;
+- }
++ size_t nllp = 1;
++ for (const char *cp = llp_tmp; *cp != '\0'; ++cp)
++ if (*cp == ':' || *cp == ';')
++ ++nllp;
+
+ env_path_list.dirs = (struct r_search_path_elem **)
+ malloc ((nllp + 1) * sizeof (struct r_search_path_elem *));
diff --git a/elf/dl-tunable-types.h b/elf/dl-tunable-types.h
index a986f0b593..37a4e8021f 100644
--- a/elf/dl-tunable-types.h 
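Review bot: The new counting loop scans llp_tmp instead of llp, which is the whole point of the fix, but nothing at the scan records that the element count has to be taken from the same string that is later split, so a future cleanup that restores the old `const char *cp = llp;` form would silently reintroduce the undersized `malloc ((nllp + 1) * ...)`. I would add above `size_t nllp = 1;` the comment `/* Count separators in the expanded copy (llp_tmp), never in llp: the element count must match the string split below, or the allocation is too small.  */`. The code that produces llp_tmp sits under `#ifdef SHARED` outside the hunk, so it is worth confirming whether llp_tmp can be empty while `*llp != '\0'` still holds; in that case nllp stays 1 and a two-slot array is allocated, which the split loop (also outside the hunk) presumably tolerates. _dl_init_paths starts and ends outside the hunk.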
@@ -1558,6 +1659,48 @@ index 04157b25c5..e4845871f5 100644
modules.so := $(addsuffix .so, $(modules))
ifeq (yes,$(build-shared))
+diff --git a/include/array_length.h b/include/array_length.h
+new file mode 100644
+index 0000000000..cb4a8b2a56
+--- /dev/null
++++ b/include/array_length.h
+@@ -0,0 +1,36 @@
++/* The array_length and array_end macros.
++ Copyright (C) 2017 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#ifndef _ARRAY_LENGTH_H
++#define _ARRAY_LENGTH_H
++
++/* array_length (VAR) is the number of elements in the array VAR. VAR
++ must evaluate to an array, not a pointer. */
++#define array_length(var) \
++ __extension__ ({ \
++ _Static_assert (!__builtin_types_compatible_p \
++ (__typeof (var), __typeof (&(var)[0])), \
++ "argument must be an array"); \
++ sizeof (var) / sizeof ((var)[0]); \
++ })
++
++/* array_end (VAR) is a pointer one past the end of the array VAR.
++ VAR must evaluate to an array, not a pointer. */
++#define array_end(var) (&(var)[array_length (var)])
++
++#endif /* _ARRAY_LENGTH_H */
diff --git a/include/resolv.h b/include/resolv.h
index 95dcd3ca37..e8f477cd86 100644
--- a/include/resolv.h
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-glibc/glibc.git
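Review bot: array_length expands to a GNU statement expression (`__extension__ ({ ... })`), so it is never an integer constant expression: it cannot size a file-scope array, initialise a static object or appear in a case label, and the one use on this page (nsystem_dirs_len inside the malloc call in _dl_init_paths) only works because it is in function scope. The header comment should state that limitation, e.g. append to the array_length comment `Because of the _Static_assert this is a statement expression, not a constant expression, so it cannot be used for array bounds or static initializers.`; alternatively the type check can be folded into `sizeof` of an anonymous struct that holds the _Static_assert, which keeps the whole macro a constant expression. array_end inherits the same restriction and deserves the same note.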