Hello community, here is the log from the commit of package glibc for openSUSE:Factory checked in at 2018-05-28 08:06:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/glibc (Old) and /work/SRC/openSUSE:Factory/.glibc.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "glibc" Mon May 28 08:06:11 2018 rev:223 rq:611653 version:2.27 Changes: -------- --- /work/SRC/openSUSE:Factory/glibc/glibc.changes 2018-04-04 11:02:08.575163157 +0200 +++ /work/SRC/openSUSE:Factory/.glibc.new/glibc.changes 2018-05-28 08:06:13.621683797 +0200 @@ -1,0 +2,14 @@ +Wed May 23 08:18:00 UTC 2018 - sch...@suse.de + +- mempcpy-avx512.patch: Don't write beyond destination in + __mempcpy_avx512_no_vzeroupper (CVE-2018-11237, bsc#1094154) +- realpath-ssize-max-overflow.patch: Fix overflow in path length + computation (CVE-2018-11236, bsc#1094161, BZ #22786) +- Use %license also for COPYING, COPYING.LIB + +------------------------------------------------------------------- +Thu Apr 12 08:12:30 UTC 2018 - sch...@suse.de + +- Readd nis to netgroup and automount nss config (bsc#1088860) + +------------------------------------------------------------------- @@ -5 +19 @@ - 2GB boundary (BZ #22644) + 2GB boundary (CVE-2017-18269, bnc#1094150, BZ #22644) New: ---- mempcpy-avx512.patch realpath-ssize-max-overflow.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ glibc.spec ++++++ --- /var/tmp/diff_new_pack.oYTe3c/_old 2018-05-28 08:06:20.665424163 +0200 +++ /var/tmp/diff_new_pack.oYTe3c/_new 2018-05-28 08:06:20.665424163 +0200 
@@ -302,8 +302,12 @@ Patch1009: riscv-fmax-fmin-nan.patch # PATCH-FIX-UPSTREAM Fix crash in resolver on memory allocation failure (BZ #23005) Patch1010: res-send-enomem.patch -# PATCH-FIX-UPSTREAM memmove-sse2-unaligned on 32bit x86 produces garbage when crossing 2GB threshold (BZ #22644) +# PATCH-FIX-UPSTREAM memmove-sse2-unaligned on 32bit x86 produces garbage when crossing 2GB threshold (CVE-2017-18269, BZ #22644) Patch1011: i386-memmove-sse2-unaligned.patch +# PATCH-FIX-UPSTREAM __mempcpy_avx512_no_vzeroupper mishandles large copies (CVE-2018-11237, BZ #23196) +Patch1012: mempcpy-avx512.patch +# PATCH-FIX-UPSTREAM realpath-ssize-max-overflow.patch: Fix overflow in path length computation (CVE-2018-11236, BZ #22786) +Patch1013: realpath-ssize-max-overflow.patch ### # Patches awaiting upstream approval @@ -525,6 +529,8 @@ %patch1009 -p1 %patch1010 -p1 %patch1011 -p1 +%patch1012 -p1 +%patch1013 -p1 %patch2000 -p1 %patch2004 -p1 @@ -1252,7 +1258,8 @@ %files devel %defattr(-,root,root) -%doc COPYING COPYING.LIB NEWS README +%license COPYING COPYING.LIB +%doc NEWS README %doc %{_mandir}/man1/catchsegv.1.gz %doc %{_mandir}/man3/* %{_bindir}/catchsegv ++++++ mempcpy-avx512.patch ++++++ [BZ #23196] CVE-2018-11237 * sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S (L(preloop_large)): Save initial destination pointer in %r11 and use it instead of %rax after the loop. * string/test-mempcpy.c (MIN_PAGE_SIZE): Define. Index: glibc-2.27/string/test-mempcpy.c =================================================================== --- glibc-2.27.orig/string/test-mempcpy.c +++ glibc-2.27/string/test-mempcpy.c 
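Review bot: The comment above `Patch1013` repeats the patch file name (`# PATCH-FIX-UPSTREAM realpath-ssize-max-overflow.patch: Fix overflow ...`), which none of the neighbouring `PATCH-FIX-UPSTREAM` lines do; since the file name already follows on the `Patch1013:` line, the comment reads cleaner as `# PATCH-FIX-UPSTREAM Fix overflow in path length computation (CVE-2018-11236, BZ #22786)`. The rest of the section (the `%patch1012`/`%patch1013` application and the `%license` split) is consistent with the surrounding entries.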
@@ -18,6 +18,7 @@ <http://www.gnu.org/licenses/>. */ #define MEMCPY_RESULT(dst, len) (dst) + (len) +#define MIN_PAGE_SIZE 131072 #define TEST_MAIN #define TEST_NAME "mempcpy" #include "test-string.h" Index: glibc-2.27/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S =================================================================== --- glibc-2.27.orig/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S +++ glibc-2.27/sysdeps/x86_64/multiarch/memmove-avx512-no-vzeroupper.S @@ -336,6 +336,7 @@ L(preloop_large): vmovups (%rsi), %zmm4 vmovups 0x40(%rsi), %zmm5 + mov %rdi, %r11 /* Align destination for access with non-temporal stores in the loop. */ mov %rdi, %r8 and $-0x80, %rdi @@ -366,8 +367,8 @@ L(gobble_256bytes_nt_loop): cmp $256, %rdx ja L(gobble_256bytes_nt_loop) sfence - vmovups %zmm4, (%rax) - vmovups %zmm5, 0x40(%rax) + vmovups %zmm4, (%r11) + vmovups %zmm5, 0x40(%r11) jmp L(check) L(preloop_large_bkw): ++++++ nsswitch.conf ++++++ --- /var/tmp/diff_new_pack.oYTe3c/_old 2018-05-28 08:06:20.905415317 +0200 +++ /var/tmp/diff_new_pack.oYTe3c/_new 2018-05-28 08:06:20.905415317 +0200 @@ -34,9 +34,9 @@ rpc: files ethers: files netmasks: files -netgroup: files +netgroup: files nis publickey: files bootparams: files -automount: files +automount: files nis aliases: files ++++++ realpath-ssize-max-overflow.patch ++++++ 2018-05-09 Paul Pluzhnikov <ppluzhni...@google.com> [BZ #22786] * stdlib/canonicalize.c (__realpath): Fix overflow in path length computation. * stdlib/Makefile (test-bz22786): New test. * stdlib/test-bz22786.c: New test. Index: glibc-2.27/stdlib/Makefile =================================================================== --- glibc-2.27.orig/stdlib/Makefile +++ glibc-2.27/stdlib/Makefile 
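Review bot: The fix relies on `%r11` staying untouched from the new `mov %rdi, %r11` at the top of `L(preloop_large)` through the whole `L(gobble_256bytes_nt_loop)` body to the two trailing `vmovups` stores after `sfence`, and that loop body lies between the two hunks and is not shown, so a reader of the second hunk cannot confirm `%r11` is not used as scratch there. A comment at the save site would pin that contract, e.g. `mov %rdi, %r11 /* Unaligned destination start; must survive the NT loop for the trailing stores.  */`. Storing through `%r11` instead of `%rax` matches the changes entry ("Don't write beyond destination"), presumably because for the mempcpy entry point `%rax` already holds the end-of-destination return value rather than the start — worth a one-line comment at the stores as well. The enclosing routine begins and ends outside both hunks.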
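Review bot: `nis` is appended to `netgroup` and `automount` only, while every other database in the hunk stays at `files`, and nothing in the file records why these two differ; the changes entry ties it to bsc#1088860, but that context is lost to anyone reading the installed configuration. A short comment above the two entries, e.g. `# nis lookups re-enabled for netgroup and automount (bsc#1088860)`, would make the asymmetry deliberate rather than looking like an oversight.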
@@ -84,7 +84,7 @@ tests := tst-strtol tst-strtod testmb t tst-cxa_atexit tst-on_exit test-atexit-race \ test-at_quick_exit-race test-cxa_atexit-race \ test-on_exit-race test-dlclose-exit-race \ - tst-makecontext-align + tst-makecontext-align test-bz22786 tests-internal := tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \ tst-tls-atexit tst-tls-atexit-nodelete Index: glibc-2.27/stdlib/canonicalize.c =================================================================== --- glibc-2.27.orig/stdlib/canonicalize.c +++ glibc-2.27/stdlib/canonicalize.c @@ -181,7 +181,7 @@ __realpath (const char *name, char *reso extra_buf = __alloca (path_max); len = strlen (end); - if ((long int) (n + len) >= path_max) + if (path_max - n <= len) { __set_errno (ENAMETOOLONG); goto error; Index: glibc-2.27/stdlib/test-bz22786.c =================================================================== --- /dev/null +++ glibc-2.27/stdlib/test-bz22786.c 
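Review bot: The rewritten guard `if (path_max - n <= len)` is correct only while `n < path_max` holds; the declarations of `n`, `len` and `path_max` are outside the hunk, but if the subtraction is evaluated in an unsigned type (as it would be with a `size_t` `n`), any state in which `n` reached `path_max` makes it wrap to a huge value and the ENAMETOOLONG branch is skipped instead of taken. The old `(long int) (n + len) >= path_max` form is what overflowed on 32-bit targets, so comparing the remaining room against `len` is the right shape; it is worth stating the precondition on the line above the check, e.g. `/* Precondition: n < path_max, so the subtraction below cannot wrap.  */`. __realpath begins and ends outside the hunk.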
@@ -0,0 +1,90 @@ +/* Bug 22786: test for buffer overflow in realpath. + Copyright (C) 2018 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +/* This file must be run from within a directory called "stdlib". */ + +#include <errno.h> +#include <limits.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <support/test-driver.h> +#include <libc-diag.h> + +static int +do_test (void) +{ + const char dir[] = "bz22786"; + const char lnk[] = "bz22786/symlink"; + + rmdir (dir); + if (mkdir (dir, 0755) != 0 && errno != EEXIST) + { + printf ("mkdir %s: %m\n", dir); + return EXIT_FAILURE; + } + if (symlink (".", lnk) != 0 && errno != EEXIST) + { + printf ("symlink (%s, %s): %m\n", dir, lnk); + return EXIT_FAILURE; + } + + const size_t path_len = (size_t) INT_MAX + 1; + + DIAG_PUSH_NEEDS_COMMENT; +#if __GNUC_PREREQ (7, 0) + /* GCC 7 warns about too-large allocations; here we need such + allocation to succeed for the test to work. 
*/ + DIAG_IGNORE_NEEDS_COMMENT (7, "-Walloc-size-larger-than="); +#endif + char *path = malloc (path_len); + DIAG_POP_NEEDS_COMMENT; + + if (path == NULL) + { + printf ("malloc (%zu): %m\n", path_len); + return EXIT_UNSUPPORTED; + } + + /* Construct very long path = "bz22786/symlink/aaaa....." */ + char *p = mempcpy (path, lnk, sizeof (lnk) - 1); + *(p++) = '/'; + memset (p, 'a', path_len - (path - p) - 2); + p[path_len - (path - p) - 1] = '\0'; + + /* This call crashes before the fix for bz22786 on 32-bit platforms. */ + p = realpath (path, NULL); + + if (p != NULL || errno != ENAMETOOLONG) + { + printf ("realpath: %s (%m)", p); + return EXIT_FAILURE; + } + + /* Cleanup. */ + unlink (lnk); + rmdir (dir); + + return 0; +} + +#define TEST_FUNCTION do_test +#include <support/test-driver.c>
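Review bot: The length arithmetic when building the long path has the pointer difference reversed: after `mempcpy` and the `'/'` store, `p` is 16 bytes past `path`, so `path - p` is -16 and `path_len - (path - p) - 2`, evaluated as `size_t`, becomes `path_len + 14`; both the `memset` and the terminating store `p[path_len - (path - p) - 1] = '\0'` therefore write past the end of the `path_len`-byte allocation instead of stopping inside it. The two lines should use `p - path`: `memset (p, 'a', path_len - (p - path) - 1);` and `p[path_len - (p - path) - 1] = '\0';`, which fills the buffer and puts the NUL at `path[path_len - 1]`. Separately, `printf ("realpath: %s (%m)", p)` is reached with `p == NULL` whenever `errno` is anything other than ENAMETOOLONG, and the message lacks a newline; `printf ("realpath: %s (%m)\n", p == NULL ? "NULL" : p)` avoids passing a null pointer to `%s`. The `path` buffer is also never freed before the returns, which is harmless for a test but worth a `free (path);` before the cleanup for symmetry with the `malloc`.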