This is an automated email from the git hooks/post-receive script.
aurel32 pushed a commit to branch sid
in repository glibc.
commit 5d5bd4b533c43d6887101493e7ffaca89ac501a1
Author: Aurelien Jarno <aurel...@aurel32.net>
Date: Sat Dec 16 15:37:33 2017 +0100
debian/patches/git-updates.diff: update from upstream stable branch:
* debian/patches/git-updates.diff: update from upstream stable branch:
- Fix memory leak in ld.so (CVE-2017-1000408). Closes: #884132.
- Fix buffer overflow in ld.so (CVE-2017-1000409). Closes: #884133.
---
debian/changelog | 3 +
debian/patches/git-updates.diff | 165 +++++++++++++++++++++++++++++++++++++---
2 files changed, 157 insertions(+), 11 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index f23313e..340239a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,9 @@ glibc (2.25-5) UNRELEASED; urgency=medium
[ Aurelien Jarno ]
* debian/rules.d/debhelper.mk: strip all *crt*.o files, unless
DEB_BUILD_OPTIONS contains nostrip. Closes: #884524.
+ * debian/patches/git-updates.diff: update from upstream stable branch:
+ - Fix memory leak in ld.so (CVE-2017-1000408). Closes: #884132.
+ - Fix buffer overflow in ld.so (CVE-2017-1000409). Closes: #884133.
-- Aurelien Jarno <aure...@debian.org> Tue, 12 Dec 2017 23:52:07 +0100
diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff
index 234ce99..793c02f 100644
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
@@ -1,10 +1,30 @@
GIT update of git://sourceware.org/git/glibc.git/release/2.25/master from
glibc-2.25
diff --git a/ChangeLog b/ChangeLog
-index f140ee67de..574ea60130 100644
+index f140ee67de..1868c7a7be 100644
--- a/ChangeLog
+++ b/ChangeLog
-@@ -1,3 +1,714 @@
+@@ -1,3 +1,734 @@
++2017-12-14 Florian Weimer <fwei...@redhat.com>
++
++ [BZ #22607]
++ CVE-2017-1000409
++ * elf/dl-load.c (_dl_init_paths): Compute number of components in
++ the expanded path string.
++
++2017-12-14 Florian Weimer <fwei...@redhat.com>
++
++ [BZ #22606]
++ CVE-2017-1000408
++ * elf/dl-load.c (system_dirs): Update comment.
++ (nsystem_dirs_len): Use array_length.
++ (_dl_init_paths): Use nsystem_dirs_len to compute the array size.
++
++2017-11-02 Florian Weimer <fwei...@redhat.com>
++
++ Add array_length and array_end macros.
++ * include/array_length.h: New file.
++
+2017-12-12 James Clarke <jrt...@jrtc27.com>
+
+ * sysdeps/unix/sysv/linux/ia64/ipc_priv.h: New file defining
@@ -823,10 +843,10 @@ index e9194e54cf..43343f03ee 100644
| sed -n -f $< > $@.new
test -s $@.new
diff --git a/NEWS b/NEWS
-index ec15dde761..0a8f20e371 100644
+index ec15dde761..2c4c9d63aa 100644
--- a/NEWS
+++ b/NEWS
-@@ -5,6 +5,47 @@ See the end for copying conditions.
+@@ -5,6 +5,55 @@ See the end for copying conditions.
Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
using `glibc' in the "product" field.
�
@@ -837,6 +857,10 @@ index ec15dde761..0a8f20e371 100644
+* The DNS stub resolver limits the advertised UDP buffer size to 1200 bytes,
+ to avoid fragmentation-based spoofing attacks.
+
++ CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered
++ from a one-byte overflow during ~ operator processing (either on the stack
++ or the heap, depending on the length of the user name).
++
+ CVE-2017-15671: The glob function, when invoked with GLOB_TILDE,
+ would sometimes fail to free memory allocated during ~ operator
+ processing, leading to a memory leak and, potentially, to a denial
@@ -846,6 +870,17 @@ index ec15dde761..0a8f20e371 100644
+ without GLOB_NOESCAPE, could write past the end of a buffer while
+ unescaping user names. Reported by Tim Rühsen.
+
++ CVE-2017-1000408: Incorrect array size computation in _dl_init_paths leads
++ to the allocation of too much memory. (This is not a security bug per se,
++ it is mentioned here only because of the CVE assignment.) Reported by
++ Qualys.
++
++ CVE-2017-1000409: Buffer overflow in _dl_init_paths due to miscomputation
++ of the number of search path components. (This is not a security
++ vulnerability per se because no trust boundary is crossed if the fix for
++ CVE-2017-1000366 has been applied, but it is mentioned here only because
++ of the CVE assignment.) Reported by Qualys.
++
+The following bugs are resolved with this release:
+
+ [20257] sunrpc: clntudp_call does not enforce timeout when receiving data
@@ -863,13 +898,6 @@ index ec15dde761..0a8f20e371 100644
+ [21778] Robust mutex may deadlock
+ [21972] assert macro requires operator== (int) for its argument type
+ [22322] libc: [mips64] wrong bits/long-double.h installed
-+
-+Security related changes:
-+
-+ CVE-2017-15670: The glob function, when invoked with GLOB_TILDE, suffered
-+ from a one-byte overflow during ~ operator processing (either on the stack
-+ or the heap, depending on the length of the user name).
-+
+�
Version 2.25
@@ -1128,6 +1156,79 @@ index 61abeb59ee..cc4aeb25b6 100644
+ LD_HWCAP_MASK=0xffffffff
tst-env-setuid-tunables-ENV = \
GLIBC_TUNABLES=glibc.malloc.check=2:glibc.malloc.mmap_threshold=4096
+diff --git a/elf/dl-load.c b/elf/dl-load.c
+index a5318f9c8d..92303b08e6 100644
+--- a/elf/dl-load.c
++++ b/elf/dl-load.c
+@@ -37,6 +37,7 @@
+ #include <sysdep.h>
+ #include <stap-probe.h>
+ #include <libc-internal.h>
++#include <array_length.h>
+
+ #include <dl-dst.h>
+ #include <dl-load.h>
+@@ -103,7 +104,9 @@ static size_t ncapstr attribute_relro;
+ static size_t max_capstrlen attribute_relro;
+
+
+-/* Get the generated information about the trusted directories. */
++/* Get the generated information about the trusted directories. Use
++ an array of concatenated strings to avoid relocations. See
++ gen-trusted-dirs.awk. */
+ #include "trusted-dirs.h"
+
+ static const char system_dirs[] = SYSTEM_DIRS;
+@@ -111,9 +114,7 @@ static const size_t system_dirs_len[] =
+ {
+ SYSTEM_DIRS_LEN
+ };
+-#define nsystem_dirs_len \
+- (sizeof (system_dirs_len) / sizeof (system_dirs_len[0]))
+-
++#define nsystem_dirs_len array_length (system_dirs_len)
+
+ static bool
+ is_trusted_path (const char *path, size_t len)
+@@ -688,9 +689,8 @@ _dl_init_paths (const char *llp)
+ + ncapstr * sizeof (enum r_dir_status))
+ / sizeof (struct r_search_path_elem));
+
+- rtld_search_dirs.dirs[0] = (struct r_search_path_elem *)
+- malloc ((sizeof (system_dirs) / sizeof (system_dirs[0]))
+- * round_size * sizeof (struct r_search_path_elem));
++ rtld_search_dirs.dirs[0] = malloc (nsystem_dirs_len * round_size
++ * sizeof (*rtld_search_dirs.dirs[0]));
+ if (rtld_search_dirs.dirs[0] == NULL)
+ {
+ errstring = N_("cannot create cache for search path");
+@@ -776,8 +776,6 @@ _dl_init_paths (const char *llp)
+
+ if (llp != NULL && *llp != '\0')
+ {
+- size_t nllp;
+- const char *cp = llp;
+ char *llp_tmp;
+
+ #ifdef SHARED
+@@ -800,13 +798,10 @@ _dl_init_paths (const char *llp)
+
+ /* Decompose the LD_LIBRARY_PATH contents. First determine how many
+ elements it has. */
+- nllp = 1;
+- while (*cp)
+- {
+- if (*cp == ':' || *cp == ';')
+- ++nllp;
+- ++cp;
+- }
++ size_t nllp = 1;
++ for (const char *cp = llp_tmp; *cp != '\0'; ++cp)
++ if (*cp == ':' || *cp == ';')
++ ++nllp;
+
+ env_path_list.dirs = (struct r_search_path_elem **)
+ malloc ((nllp + 1) * sizeof (struct r_search_path_elem *));
diff --git a/elf/dl-tunable-types.h b/elf/dl-tunable-types.h
index a986f0b593..37a4e8021f 100644
--- a/elf/dl-tunable-types.h
@@ -1558,6 +1659,48 @@ index 04157b25c5..e4845871f5 100644
modules.so := $(addsuffix .so, $(modules))
ifeq (yes,$(build-shared))
+diff --git a/include/array_length.h b/include/array_length.h
+new file mode 100644
+index 0000000000..cb4a8b2a56
+--- /dev/null
++++ b/include/array_length.h
+@@ -0,0 +1,36 @@
++/* The array_length and array_end macros.
++ Copyright (C) 2017 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#ifndef _ARRAY_LENGTH_H
++#define _ARRAY_LENGTH_H
++
++/* array_length (VAR) is the number of elements in the array VAR. VAR
++ must evaluate to an array, not a pointer. */
++#define array_length(var) \
++ __extension__ ({ \
++ _Static_assert (!__builtin_types_compatible_p \
++ (__typeof (var), __typeof (&(var)[0])), \
++ "argument must be an array"); \
++ sizeof (var) / sizeof ((var)[0]); \
++ })
++
++/* array_end (VAR) is a pointer one past the end of the array VAR.
++ VAR must evaluate to an array, not a pointer. */
++#define array_end(var) (&(var)[array_length (var)])
++
++#endif /* _ARRAY_LENGTH_H */
diff --git a/include/resolv.h b/include/resolv.h
index 95dcd3ca37..e8f477cd86 100644
--- a/include/resolv.h
--
Alioth's /usr/local/bin/git-commit-notice on
/srv/git.debian.org/git/pkg-glibc/glibc.git
