Hello community, here is the log from the commit of package glibc for openSUSE:Leap:15.2 checked in at 2020-04-08 12:47:43 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/glibc (Old) and /work/SRC/openSUSE:Leap:15.2/.glibc.new.3248 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "glibc" Wed Apr 8 12:47:43 2020 rev:73 rq:790171 version:2.26 Changes: --------
--- /work/SRC/openSUSE:Leap:15.2/glibc/glibc.changes 2020-03-24 19:05:13.413438067 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.glibc.new.3248/glibc.changes 2020-04-08 12:47:44.422323005 +0200
@@ -1,0 +2,6 @@
+Wed Mar 25 11:47:44 UTC 2020 - Andreas Schwab <[email protected]>
+
+- glob-use-after-free.patch: Fix use-after-free in glob when expanding
+ ~user (CVE-2020-1752, bsc#1167631, BZ #25414)
+
+-------------------------------------------------------------------
@@ -25 +31 @@
- (bsc#1158996, BZ #25423)
+ (CVE-2020-1751, bsc#1158996, BZ #25423)
New: ---- glob-use-after-free.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ glibc.spec ++++++
--- /var/tmp/diff_new_pack.P951wV/_old 2020-04-08 12:47:46.470324038 +0200
+++ /var/tmp/diff_new_pack.P951wV/_new 2020-04-08 12:47:46.474324039 +0200
@@ -417,7 +417,7 @@
 # PATCH-FIX-UPSTREAM Use posix_spawn on popen (BZ #22834)
 Patch1073: posix-Add-internal-symbols-for-posix_spawn-interface.patch
 Patch1074: glibc-2.29-posix-Use-posix_spawn-on-popen.patch
-# PATCH-FIX-UPSTREAM Fix array overflow in backtrace on PowerPC (BZ #25423)
+# PATCH-FIX-UPSTREAM Fix array overflow in backtrace on PowerPC (CVE-2020-1751, BZ #25423)
 Patch1075: backtrace-powerpc.patch
 # PATCH-FIX-UPSTREAM Fix rwlock stall with PREFER_WRITER_NONRECURSIVE_NP (BZ #23861)
 Patch1076: pthread-rwlock-pwn.patch
@@ -428,6 +428,8 @@
 # PATCH-FIX-UPSTREAM elf: Allow dlopen of filter object to work (BZ #16272)
 Patch1079: dl-sort-maps.patch
 Patch1080: dlopen-filter-object.patch
+# PATCH-FIX-UPSTREAM Fix use-after-free in glob when expanding ~user (CVE-2020-1752, BZ #25414)
+Patch1081: glob-use-after-free.patch
 ###
 # Patches awaiting upstream approval
@@ -743,6 +745,7 @@
 %patch1078 -p1
 %patch1079 -p1
 %patch1080 -p1
+%patch1081 -p1
 %patch2000 -p1
 %patch2001 -p1
++++++ glob-use-after-free.patch ++++++
>From ddc650e9b3dc916eab417ce9f79e67337b05035c Mon Sep 17 00:00:00 2001
From: Andreas Schwab <[email protected]>
Date: Wed, 19 Feb 2020 17:21:46 +0100
Subject: [PATCH] Fix use-after-free in glob when expanding ~user (bug 25414)
The value of `end_name' points into the value of `dirname', thus don't deallocate the latter before the last use of the former.
---
 posix/glob.c | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)
Index: glibc-2.26/posix/glob.c
===================================================================
--- glibc-2.26.orig/posix/glob.c
+++ glibc-2.26/posix/glob.c
@@ -946,28 +946,30 @@ glob (const char *pattern, int flags, in
 {
 size_t home_len = strlen (p->pw_dir);
 size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
+ char *newp;
+ bool use_alloca = glob_use_alloca (alloca_used,
+ home_len + rest_len + 1);
- if (__glibc_unlikely (malloc_dirname))
- free (dirname);
- malloc_dirname = 0;
-
- if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
- dirname = alloca_account (home_len + rest_len + 1,
- alloca_used);
+ if (use_alloca)
+ newp = alloca_account (home_len + rest_len + 1, alloca_used);
 else
 {
- dirname = malloc (home_len + rest_len + 1);
- if (dirname == NULL)
+ newp = malloc (home_len + rest_len + 1);
+ if (newp == NULL)
 {
 free (malloc_pwtmpbuf);
 retval = GLOB_NOSPACE;
 goto out;
 }
- malloc_dirname = 1;
 }
- *((char *) mempcpy (mempcpy (dirname, p->pw_dir, home_len),
+ *((char *) mempcpy (mempcpy (newp, p->pw_dir, home_len),
 end_name, rest_len)) = '\0';
+ if (__glibc_unlikely (malloc_dirname))
+ free (dirname);
+ dirname = newp;
+ malloc_dirname = !use_alloca;
+
 dirlen = home_len + rest_len;
 dirname_modified = 1;
