Hello community, here is the log from the commit of package glibc for openSUSE:Factory checked in at 2018-01-28 00:36:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/glibc (Old) and /work/SRC/openSUSE:Factory/.glibc.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "glibc" Sun Jan 28 00:36:32 2018 rev:218 rq:568214 version:2.26 Changes: -------- --- /work/SRC/openSUSE:Factory/glibc/glibc.changes 2017-12-16 20:44:26.487411742 +0100 +++ /work/SRC/openSUSE:Factory/.glibc.new/glibc.changes 2018-01-28 00:36:33.929512447 +0100 @@ -1,0 +2,15 @@ +Mon Jan 22 10:32:36 UTC 2018 - [email protected] + +- getcwd-absolute.patch: make getcwd(3) fail if it cannot obtain an + absolute path (CVE-2018-1000001, bsc#1074293, BZ #22679) + +------------------------------------------------------------------- +Tue Jan 2 10:43:09 UTC 2018 - [email protected] + +- dl-init-paths-overflow.patch: Count components of the expanded path in + _dl_init_path (CVE-2017-1000408, CVE-2017-1000409, bsc#1071319, BZ + #22607, BZ #22627) +- fillin-rpath-empty-tokens.patch: Check for empty tokens before dynamic + string token expansion (CVE-2017-16997, bsc#1073231, BZ #22625) + +------------------------------------------------------------------- New: ---- dl-init-paths-overflow.patch fillin-rpath-empty-tokens.patch getcwd-absolute.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ glibc.spec ++++++ --- /var/tmp/diff_new_pack.emTfSU/_old 2018-01-28 00:36:35.493439591 +0100 +++ /var/tmp/diff_new_pack.emTfSU/_new 2018-01-28 00:36:35.497439405 +0100 @@ -1,7 +1,7 @@ # # spec file for package glibc # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -326,6 +326,12 @@ Patch1025: powerpc-hwcap-bits.patch # PATCH-FIX-UPSTREAM Fix integer overflow in malloc when tcache is enabled (CVE-2017-17426, BZ #22375) Patch1026: malloc-tcache-check-overflow.patch +# PATCH-FIX-UPSTREAM Count components of the expanded path in _dl_init_path (CVE-2017-1000408, CVE-2017-1000409, bsc#1071319, BZ #22607, BZ #22627) +Patch1027: dl-init-paths-overflow.patch +# PATCH-FIX-UPSTREAM Check for empty tokens before dynamic string token expansion (CVE-2017-16997, bsc#1073231, BZ #22625) +Patch1028: fillin-rpath-empty-tokens.patch +# PATCH-FIX-UPSTREAM make getcwd(3) fail if it cannot obtain an absolute path (CVE-2018-1000001, BZ #22679) +Patch1029: getcwd-absolute.patch ### # Patches awaiting upstream approval @@ -574,6 +580,9 @@ %patch1024 -p1 %patch1025 -p1 %patch1026 -p1 +%patch1027 -p1 +%patch1028 -p1 +%patch1029 -p1 %patch2000 -p1 %patch2001 -p1 ++++++ dl-init-paths-overflow.patch ++++++ 2017-12-18 Dmitry V. Levin <[email protected]> [BZ #22627] * elf/dl-load.c (_dl_init_paths): Remove _dl_dst_substitute preparatory code and invocation. 2017-12-14 Florian Weimer <[email protected]> [BZ #22607] CVE-2017-1000409 * elf/dl-load.c (_dl_init_paths): Compute number of components in the expanded path string. 2017-12-14 Florian Weimer <[email protected]> [BZ #22606] CVE-2017-1000408 * elf/dl-load.c (system_dirs): Update comment. (_dl_init_paths): Use nsystem_dirs_len to compute the array size. Index: glibc-2.26/elf/dl-load.c =================================================================== --- glibc-2.26.orig/elf/dl-load.c +++ glibc-2.26/elf/dl-load.c 
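Review bot: The `Patch1029` header comment is the only one of the three new entries without the bug-tracker reference, while the .changes entry above records it: suggest `# PATCH-FIX-UPSTREAM make getcwd(3) fail if it cannot obtain an absolute path (CVE-2018-1000001, bsc#1074293, BZ #22679)` so the spec comment matches `Patch1027`/`Patch1028` and the changelog. The `%patch1027`–`%patch1029 -p1` lines in the second hunk are consistent with the declarations; nothing else to raise there.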
@@ -103,7 +103,9 @@ static size_t ncapstr attribute_relro; static size_t max_capstrlen attribute_relro; -/* Get the generated information about the trusted directories. */ +/* Get the generated information about the trusted directories. Use + an array of concatenated strings to avoid relocations. See + gen-trusted-dirs.awk. */ #include "trusted-dirs.h" static const char system_dirs[] = SYSTEM_DIRS; @@ -688,9 +690,8 @@ _dl_init_paths (const char *llp) + ncapstr * sizeof (enum r_dir_status)) / sizeof (struct r_search_path_elem)); - rtld_search_dirs.dirs[0] = (struct r_search_path_elem *) - malloc ((sizeof (system_dirs) / sizeof (system_dirs[0])) - * round_size * sizeof (struct r_search_path_elem)); + rtld_search_dirs.dirs[0] = malloc (nsystem_dirs_len * round_size + * sizeof (*rtld_search_dirs.dirs[0])); if (rtld_search_dirs.dirs[0] == NULL) { errstring = N_("cannot create cache for search path"); 
@@ -776,37 +777,14 @@ _dl_init_paths (const char *llp) if (llp != NULL && *llp != '\0') { - size_t nllp; - const char *cp = llp; - char *llp_tmp; - -#ifdef SHARED - /* Expand DSTs. */ - size_t cnt = DL_DST_COUNT (llp, 1); - if (__glibc_likely (cnt == 0)) - llp_tmp = strdupa (llp); - else - { - /* Determine the length of the substituted string. */ - size_t total = DL_DST_REQUIRED (l, llp, strlen (llp), cnt); - - /* Allocate the necessary memory. */ - llp_tmp = (char *) alloca (total + 1); - llp_tmp = _dl_dst_substitute (l, llp, llp_tmp, 1); - } -#else - llp_tmp = strdupa (llp); -#endif + char *llp_tmp = strdupa (llp); /* Decompose the LD_LIBRARY_PATH contents. First determine how many elements it has. */ - nllp = 1; - while (*cp) - { - if (*cp == ':' || *cp == ';') - ++nllp; - ++cp; - } + size_t nllp = 1; + for (const char *cp = llp_tmp; *cp != '\0'; ++cp) + if (*cp == ':' || *cp == ';') + ++nllp; env_path_list.dirs = (struct r_search_path_elem **) malloc ((nllp + 1) * sizeof (struct r_search_path_elem *)); ++++++ fillin-rpath-empty-tokens.patch ++++++ 2017-12-30 Aurelien Jarno <[email protected]> Dmitry V. Levin <[email protected]> [BZ #22625] * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic string token expansion. Check for NULL pointer or empty string possibly returned by expand_dynamic_string_token. (decompose_rpath): Check for empty path after dynamic string token expansion. Index: glibc-2.26/elf/dl-load.c =================================================================== --- glibc-2.26.orig/elf/dl-load.c +++ glibc-2.26/elf/dl-load.c 
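Review bot: The rewritten count loop runs over `llp_tmp`, the unexpanded copy, and the hunk removes the DST expansion that used to happen here without saying where that work now lives; a reader of `_dl_init_paths` has to go to `fillin_rpath` (the fillin-rpath-empty-tokens.patch hunk shows `expand_dynamic_string_token (l, cp, 1)` applied to each token after `__strsep`) to understand why counting raw separators is correct. Suggest a why-comment above `char *llp_tmp = strdupa (llp);`: `/* No DST expansion here: fillin_rpath expands each token after splitting, so the separator count must be taken on the raw string.  */`. The `malloc ((nllp + 1) * sizeof (struct r_search_path_elem *))` at the end of the hunk has no NULL check visible; presumably it follows, but that part of `_dl_init_paths` is outside the hunk, as is the function's start.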
@@ -435,32 +435,41 @@ fillin_rpath (char *rpath, struct r_sear { char *cp; size_t nelems = 0; - char *to_free; while ((cp = __strsep (&rpath, sep)) != NULL) { struct r_search_path_elem *dirp; + char *to_free = NULL; + size_t len = 0; - to_free = cp = expand_dynamic_string_token (l, cp, 1); + /* `strsep' can pass an empty string. */ + if (*cp != '\0') + { + to_free = cp = expand_dynamic_string_token (l, cp, 1); - size_t len = strlen (cp); + /* expand_dynamic_string_token can return NULL in case of empty + path or memory allocation failure. */ + if (cp == NULL) + continue; + + /* Compute the length after dynamic string token expansion and + ignore empty paths. */ + len = strlen (cp); + if (len == 0) + { + free (to_free); + continue; + } - /* `strsep' can pass an empty string. This has to be - interpreted as `use the current directory'. */ - if (len == 0) - { - static const char curwd[] = "./"; - cp = (char *) curwd; + /* Remove trailing slashes (except for "/"). */ + while (len > 1 && cp[len - 1] == '/') + --len; + + /* Now add one if there is none so far. */ + if (len > 0 && cp[len - 1] != '/') + cp[len++] = '/'; } - /* Remove trailing slashes (except for "/"). */ - while (len > 1 && cp[len - 1] == '/') - --len; - - /* Now add one if there is none so far. */ - if (len > 0 && cp[len - 1] != '/') - cp[len++] = '/'; - /* Make sure we don't use untrusted directories if we run SUID. */ if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len)) { 
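Review bot: The meaning of an empty token changed without a comment saying so: the removed text explained that an empty element means "use the current directory" via `"./"`, while the new code skips the whole block, leaves `cp` pointing at the empty string with `len == 0`, and falls through to `is_trusted_path (cp, len)` and, presumably, to the element insertion below the hunk. Suggest replacing `/* `strsep' can pass an empty string.  */` with `/* `strsep' can pass an empty string.  It is kept as a zero-length entry (no DST expansion, no slash handling) and is expected to resolve relative to the current directory.  */`; the last clause should be confirmed against the lookup code, which is not in this hunk. The loop body continues past the end of the hunk and `fillin_rpath`'s signature is above it.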
@@ -623,6 +632,14 @@ decompose_rpath (struct r_search_path_st necessary. */ free (copy); + /* There is no path after expansion. */ + if (result[0] == NULL) + { + free (result); + sps->dirs = (struct r_search_path_elem **) -1; + return false; + } + sps->dirs = result; /* The caller will change this value if we haven't used a real malloc. */ sps->malloced = 1; ++++++ getcwd-absolute.patch ++++++ 2018-01-12 Dmitry V. Levin <[email protected]> [BZ #22679] CVE-2018-1000001 * sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to generic_getcwd if the path returned by getcwd syscall is not absolute. Index: glibc-2.26/sysdeps/unix/sysv/linux/getcwd.c =================================================================== --- glibc-2.26.orig/sysdeps/unix/sysv/linux/getcwd.c +++ glibc-2.26/sysdeps/unix/sysv/linux/getcwd.c @@ -76,7 +76,7 @@ __getcwd (char *buf, size_t size) int retval; retval = INLINE_SYSCALL (getcwd, 2, path, alloc_size); - if (retval >= 0) + if (retval > 0 && path[0] == '/') { #ifndef NO_ALLOCATION if (buf == NULL && size == 0) @@ -92,10 +92,10 @@ __getcwd (char *buf, size_t size) return buf; } - /* The system call cannot handle paths longer than a page. - Neither can the magic symlink in /proc/self. Just use the + /* The system call either cannot handle paths longer than a page + or can succeed without returning an absolute path. Just use the generic implementation right away. */ - if (errno == ENAMETOOLONG) + if (retval >= 0 || errno == ENAMETOOLONG) { #ifndef NO_ALLOCATION if (buf == NULL && size == 0)
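Review bot: The early return for an empty result stores the `(struct r_search_path_elem **) -1` marker in `sps->dirs` but never reaches the `sps->malloced = 1;` assignment that follows, so `malloced` is left in whatever state it had; the comment `/* There is no path after expansion.  */` should say what callers may rely on. Suggest `/* There is no path after expansion: mark the list as computed-but-empty with the -1 sentinel.  sps->malloced is left untouched, so callers must test for the sentinel before using or freeing dirs.  */`. Whether every caller does test for the sentinel cannot be seen from this hunk and should be confirmed. `decompose_rpath` starts and ends outside the hunk.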
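Review bot: The new condition `if (retval > 0 && path[0] == '/')` carries the whole CVE-2018-1000001 fix, yet its only explanation is the comment in the second hunk, about fifteen lines lower; a reader at the success branch cannot see why a non-negative return is no longer sufficient. Suggest a comment directly above the `if`: `/* A non-negative return is not enough: the kernel can hand back a non-absolute path, and path[0] is only meaningful when at least one byte was written.  Anything else goes to the generic fallback below.  */`. The change from `>= 0` to `> 0` presumably also ensures `path[0]` is initialised before it is read, which is worth stating alongside the `retval >= 0 || errno == ENAMETOOLONG` short-circuit in the second hunk, where `retval >= 0` is what keeps a stale `errno` from being consulted. `__getcwd` starts and ends outside both hunks.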
