Hello community,

here is the log from the commit of package glibc for openSUSE:Factory checked 
in at 2013-07-23 20:30:54
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/glibc (Old)
 and      /work/SRC/openSUSE:Factory/.glibc.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "glibc"

Changes:
--------
--- /work/SRC/openSUSE:Factory/glibc/glibc-testsuite.changes    2013-07-11 
13:28:21.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.glibc.new/glibc-testsuite.changes       
2013-07-23 20:30:55.000000000 +0200
@@ -1,0 +2,8 @@
+Mon Jul 22 12:32:34 UTC 2013 - sch...@suse.de
+
+- disable-pt-chown.patch: disable use of pt_chown (CVE-2013-2207,
+  bnc#830257)
+- nonascii-case.patch: fix strcasecmp in tr_TR.ISO-8859-9 locale
+- glibc-2.14-crypt.diff: fix incomplete dependencies for libowcrypt
+
+-------------------------------------------------------------------
glibc-utils.changes: same change
glibc.changes: same change

New:
----
  disable-pt-chown.patch
  nonascii-case.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ glibc-testsuite.spec ++++++
--- /var/tmp/diff_new_pack.brZ5QJ/_old  2013-07-23 20:30:56.000000000 +0200
+++ /var/tmp/diff_new_pack.brZ5QJ/_new  2013-07-23 20:30:56.000000000 +0200
@@ -253,6 +253,8 @@
 Patch1005:      getaddrinfo-overflow.patch
 # PATCH-FIX-UPSTREAM Fix handling of netgroup cache in nscd
 Patch1006:      nscd-netgroup.patch
+# PATCH-FIX-UPSTREAM Disable use of pt_chown (CVE-2013-2207)
+Patch1007:      disable-pt-chown.patch
 
 ### 
 # Patches awaiting upstream approval
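Review bot: Nothing in this spec change shows `glibc_post_upgrade` being updated, yet the comment removed in the `%post` hunk further down says that helper runs `%set_permissions` on `%{_libexecdir}/pt_chown`, a file the package stops shipping once `Patch1007` is applied. If the helper still names that path, it should be dropped there too, so the post-upgrade step neither references nor restores setuid mode on a binary that is meant to be gone; its source is not part of this diff, so this needs checking. The `# PATCH-FIX-UPSTREAM` comment could also carry the tracker references from the changelog, e.g. `# PATCH-FIX-UPSTREAM Disable use of pt_chown (CVE-2013-2207, bnc#830257, BZ #15755)`. The same applies to the identical hunks in glibc.spec and glibc-utils.spec.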
@@ -273,6 +275,8 @@
 Patch2015:      printf-overrun.patch
 # PATCH-FIX-UPSTREAM AArch64: Don't clobber argument for tail call to 
__sigjmp_save in sigsetjmp
 Patch2016:      aarch64-sigsetjmp.patch
+# PATCH-FIX-UPSTREAM Fix strcasecmp for tr_TR.ISO-8859-9
+Patch2017:      nonascii-case.patch
 
 # Non-glibc patches
 # PATCH-FIX-OPENSUSE Remove debianisms from manpages
@@ -480,6 +484,7 @@
 %patch1004 -p1
 %patch1005 -p1
 %patch1006 -p1
+%patch1007 -p1
 
 # XXX Disable, it breaks the testsuite, test elf/tst-audit2 
 # %patch2008 -p1
@@ -490,6 +495,7 @@
 %patch2014 -p1
 %patch2015 -p1
 %patch2016 -p1
+%patch2017 -p1
 
 %patch3000
 
@@ -979,23 +985,8 @@
 #######################################################################
 
 %if %{normal_build}
-# Note: glibc_post_upgrade does:
-# %%set_permissions %%{_libexecdir}/pt_chown
-# since we cannot do it in our own post section
-
 %post -p %{_sbindir}/glibc_post_upgrade
 
-%if 0
-# Enabling the following lines will generate a 
-# requires on /bin/sh but glibc should not require any other binary
-# packages. Therefore we do the change with the built-in lua:
-# %%verifyscript
-# %%verify_permissions -e %%{_libexecdir}/pt_chown
-%endif
-
-%verifyscript -p <lua>
-os.execute("/usr/bin/chkstat -n --warn --system -e %{_libexecdir}/pt_chown")
-
 %postun -p /sbin/ldconfig
 
 %endif # %{normal_build}
@@ -1177,7 +1168,6 @@
 %endif
 %{_bindir}/locale
 %{_bindir}/localedef
-%verify(not mode caps) %attr(4755,root,root) %{_libexecdir}/pt_chown
 %dir %attr(0755,root,root) %{_libexecdir}/getconf
 %{_libexecdir}/getconf/*
 %{_sbindir}/glibc_post_upgrade

glibc-utils.spec: same change
++++++ glibc.spec ++++++
--- /var/tmp/diff_new_pack.brZ5QJ/_old  2013-07-23 20:30:56.000000000 +0200
+++ /var/tmp/diff_new_pack.brZ5QJ/_new  2013-07-23 20:30:56.000000000 +0200
@@ -253,6 +253,8 @@
 Patch1005:      getaddrinfo-overflow.patch
 # PATCH-FIX-UPSTREAM Fix handling of netgroup cache in nscd
 Patch1006:      nscd-netgroup.patch
+# PATCH-FIX-UPSTREAM Disable use of pt_chown (CVE-2013-2207)
+Patch1007:      disable-pt-chown.patch
 
 ### 
 # Patches awaiting upstream approval
@@ -273,6 +275,8 @@
 Patch2015:      printf-overrun.patch
 # PATCH-FIX-UPSTREAM AArch64: Don't clobber argument for tail call to 
__sigjmp_save in sigsetjmp
 Patch2016:      aarch64-sigsetjmp.patch
+# PATCH-FIX-UPSTREAM Fix strcasecmp for tr_TR.ISO-8859-9
+Patch2017:      nonascii-case.patch
 
 # Non-glibc patches
 # PATCH-FIX-OPENSUSE Remove debianisms from manpages
@@ -480,6 +484,7 @@
 %patch1004 -p1
 %patch1005 -p1
 %patch1006 -p1
+%patch1007 -p1
 
 # XXX Disable, it breaks the testsuite, test elf/tst-audit2 
 # %patch2008 -p1
@@ -490,6 +495,7 @@
 %patch2014 -p1
 %patch2015 -p1
 %patch2016 -p1
+%patch2017 -p1
 
 %patch3000
 
@@ -979,23 +985,8 @@
 #######################################################################
 
 %if %{normal_build}
-# Note: glibc_post_upgrade does:
-# %%set_permissions %%{_libexecdir}/pt_chown
-# since we cannot do it in our own post section
-
 %post -p %{_sbindir}/glibc_post_upgrade
 
-%if 0
-# Enabling the following lines will generate a 
-# requires on /bin/sh but glibc should not require any other binary
-# packages. Therefore we do the change with the built-in lua:
-# %%verifyscript
-# %%verify_permissions -e %%{_libexecdir}/pt_chown
-%endif
-
-%verifyscript -p <lua>
-os.execute("/usr/bin/chkstat -n --warn --system -e %{_libexecdir}/pt_chown")
-
 %postun -p /sbin/ldconfig
 
 %endif # %{normal_build}
@@ -1177,7 +1168,6 @@
 %endif
 %{_bindir}/locale
 %{_bindir}/localedef
-%verify(not mode caps) %attr(4755,root,root) %{_libexecdir}/pt_chown
 %dir %attr(0755,root,root) %{_libexecdir}/getconf
 %{_libexecdir}/getconf/*
 %{_sbindir}/glibc_post_upgrade


++++++ disable-pt-chown.patch ++++++
2013-07-21  Siddhesh Poyarekar  <siddh...@redhat.com>
            Andreas Schwab  <sch...@suse.de>
            Roland McGrath  <rol...@hack.frob.com>
            Joseph Myers  <jos...@codesourcery.com>
            Carlos O'Donell  <car...@redhat.com>

        [BZ #15755]
        * config.h.in: Define HAVE_PT_CHOWN.
        * config.make.in (build-pt-chown): New variable.
        * configure.in (--enable-pt_chown): New configure option.
        * configure: Regenerate.
        * login/Makefile: Include Makeconfig.  Build pt_chown only if
        build-pt-chown is enabled.
        * sysdeps/unix/grantpt.c (grantpt) [HAVE_PT_CHOWN]: Spawn
        pt_chown to fix pty ownership.
        * sysdeps/unix/sysv/linux/grantpt.c [HAVE_PT_CHOWN]: Define
        CLOSE_ALL_FDS.
        * manual/install.texi (Configuring and compiling): Mention
        --enable-pt_chown. Add @findex for grantpt.
        * INSTALL: Regenerate.

Index: glibc-2.17/INSTALL
===================================================================
--- glibc-2.17.orig/INSTALL
+++ glibc-2.17/INSTALL
@@ -128,6 +128,18 @@ will be used, and CFLAGS sets optimizati
      this can be prevented though there generally is no reason since it
      creates compatibility problems.
 
+`--enable-pt_chown'
+     The file `pt_chown' is a helper binary for `grantpt' (*note
+     Pseudo-Terminals: Allocation.) that is installed setuid root to
+     fix up pseudo-terminal ownership.  It is not built by default
+     because systems using the Linux kernel are commonly built with the
+     `devpts' filesystem enabled and mounted at `/dev/pts', which
+     manages pseudo-terminal ownership automatically.  By using
+     `--enable-pt_chown', you may build `pt_chown' and install it
+     setuid and owned by `root'.  The use of `pt_chown' introduces
+     additional security risks to the system and you should enable it
+     only if you understand and accept those risks.
+
 `--build=BUILD-SYSTEM'
 `--host=HOST-SYSTEM'
      These options are for cross-compiling.  If you specify both
Index: glibc-2.17/config.h.in
===================================================================
--- glibc-2.17.orig/config.h.in
+++ glibc-2.17/config.h.in
@@ -232,4 +232,7 @@
 /* The ARM hard-float ABI is being used.  */
 #undef HAVE_ARM_PCS_VFP
 
+/* The pt_chown binary is being built and used by grantpt.  */
+#undef HAVE_PT_CHOWN
+
 #endif
Index: glibc-2.17/config.make.in
===================================================================
--- glibc-2.17.orig/config.make.in
+++ glibc-2.17/config.make.in
@@ -102,6 +102,7 @@ force-install = @force_install@
 link-obsolete-rpc = @link_obsolete_rpc@
 build-nscd = @build_nscd@
 use-nscd = @use_nscd@
+build-pt-chown = @build_pt_chown@
 
 # Build tools.
 CC = @CC@
Index: glibc-2.17/configure
===================================================================
--- glibc-2.17.orig/configure
+++ glibc-2.17/configure
@@ -654,6 +654,7 @@ multi_arch
 base_machine
 add_on_subdirs
 add_ons
+build_pt_chown
 build_nscd
 link_obsolete_rpc
 libc_cv_nss_crypt
@@ -760,6 +761,7 @@ enable_obsolete_rpc
 enable_systemtap
 enable_build_nscd
 enable_nscd
+enable_pt_chown
 with_cpu
 '
       ac_precious_vars='build_alias
@@ -1420,6 +1422,7 @@ Optional Features:
   --enable-systemtap      enable systemtap static probe points [default=no]
   --disable-build-nscd    disable building and installing the nscd daemon
   --disable-nscd          library functions will not contact the nscd daemon
+  --enable-pt_chown       Enable building and installing pt_chown
 
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
@@ -3935,6 +3938,19 @@ else
 fi
 
 
+# Check whether --enable-pt_chown was given.
+if test "${enable_pt_chown+set}" = set; then :
+  enableval=$enable_pt_chown; build_pt_chown=$enableval
+else
+  build_pt_chown=no
+fi
+
+
+if test $build_pt_chown = yes; then
+  $as_echo "#define HAVE_PT_CHOWN 1" >>confdefs.h
+
+fi
+
 # The way shlib-versions is used to generate soversions.mk uses a
 # fairly simplistic model for name recognition that can't distinguish
 # i486-pc-linux-gnu fully from i486-pc-gnu.  So we mutate a $host_os
Index: glibc-2.17/configure.in
===================================================================
--- glibc-2.17.orig/configure.in
+++ glibc-2.17/configure.in
@@ -315,6 +315,16 @@ AC_ARG_ENABLE([nscd],
              [use_nscd=$enableval],
              [use_nscd=yes])
 
+AC_ARG_ENABLE([pt_chown],
+             [AS_HELP_STRING([--enable-pt_chown],
+              [Enable building and installing pt_chown])],
+             [build_pt_chown=$enableval],
+             [build_pt_chown=no])
+AC_SUBST(build_pt_chown)
+if test $build_pt_chown = yes; then
+  AC_DEFINE(HAVE_PT_CHOWN)
+fi
+
 # The way shlib-versions is used to generate soversions.mk uses a
 # fairly simplistic model for name recognition that can't distinguish
 # i486-pc-linux-gnu fully from i486-pc-gnu.  So we mutate a $host_os
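Review bot: The added `if test $build_pt_chown = yes; then` expands the variable unquoted, so `--enable-pt_chown=` with an empty value, or a value containing spaces, makes `test` print a syntax error rather than cleanly taking the disabled path. Quoting it as `if test "$build_pt_chown" = yes; then` keeps the default-off behaviour for every value other than `yes`. The regenerated `configure` hunk carries the same unquoted line and would pick up the fix on regeneration.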
Index: glibc-2.17/login/Makefile
===================================================================
--- glibc-2.17.orig/login/Makefile
+++ glibc-2.17/login/Makefile
@@ -29,9 +29,15 @@ routines := getutent getutent_r getutid
 
 CFLAGS-grantpt.c = -DLIBEXECDIR='"$(libexecdir)"'
 
-others = utmpdump pt_chown
+others = utmpdump
+
+include ../Makeconfig
+
+ifeq (yes,$(build-pt-chown))
+others += pt_chown
 others-pie = pt_chown
 install-others-programs = $(inst_libexecdir)/pt_chown
+endif
 
 subdir-dirs = programs
 vpath %.c programs
Index: glibc-2.17/manual/install.texi
===================================================================
--- glibc-2.17.orig/manual/install.texi
+++ glibc-2.17/manual/install.texi
@@ -155,6 +155,20 @@ if the used tools support it.  By using
 prevented though there generally is no reason since it creates
 compatibility problems.
 
+@pindex pt_chown
+@findex grantpt
+@item --enable-pt_chown
+The file @file{pt_chown} is a helper binary for @code{grantpt}
+(@pxref{Allocation, Pseudo-Terminals}) that is installed setuid root to
+fix up pseudo-terminal ownership.  It is not built by default because
+systems using the Linux kernel are commonly built with the @code{devpts}
+filesystem enabled and mounted at @file{/dev/pts}, which manages
+pseudo-terminal ownership automatically.  By using
+@samp{--enable-pt_chown}, you may build @file{pt_chown} and install it
+setuid and owned by @code{root}.  The use of @file{pt_chown} introduces
+additional security risks to the system and you should enable it only if
+you understand and accept those risks.
+
 @item --build=@var{build-system}
 @itemx --host=@var{host-system}
 These options are for cross-compiling.  If you specify both options and
Index: glibc-2.17/sysdeps/unix/grantpt.c
===================================================================
--- glibc-2.17.orig/sysdeps/unix/grantpt.c
+++ glibc-2.17/sysdeps/unix/grantpt.c
@@ -173,9 +173,10 @@ grantpt (int fd)
   retval = 0;
   goto cleanup;
 
-  /* We have to use the helper program.  */
+  /* We have to use the helper program if it is available.  */
  helper:;
 
+#ifdef HAVE_PT_CHOWN
   pid_t pid = __fork ();
   if (pid == -1)
     goto cleanup;
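Review bot: The reworded comment above `helper:;` says the helper is used "if it is available" but does not say what happens when it is not. With `HAVE_PT_CHOWN` undefined the label is followed directly by `cleanup:`, so grantpt returns whatever `retval` holds at that point, presumably the failure value set before this hunk (its initialisation is not visible here). A comment such as `/* Without HAVE_PT_CHOWN there is no fallback: fall through to cleanup and report the earlier failure.  */` after the label would make that explicit. The closing `#endif` two hunks further down is far from its opener, so `#endif /* HAVE_PT_CHOWN */` would help as well. grantpt's body starts and ends outside this hunk.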
@@ -190,9 +191,9 @@ grantpt (int fd)
        if (__dup2 (fd, PTY_FILENO) < 0)
          _exit (FAIL_EBADF);
 
-#ifdef CLOSE_ALL_FDS
+# ifdef CLOSE_ALL_FDS
       CLOSE_ALL_FDS ();
-#endif
+# endif
 
       execle (_PATH_PT_CHOWN, basename (_PATH_PT_CHOWN), NULL, NULL);
       _exit (FAIL_EXEC);
@@ -231,6 +232,7 @@ grantpt (int fd)
            assert(! "getpt: internal error: invalid exit code from pt_chown");
          }
     }
+#endif
 
  cleanup:
   if (buf != _buf)
Index: glibc-2.17/sysdeps/unix/sysv/linux/grantpt.c
===================================================================
--- glibc-2.17.orig/sysdeps/unix/sysv/linux/grantpt.c
+++ glibc-2.17/sysdeps/unix/sysv/linux/grantpt.c
@@ -11,7 +11,7 @@
 
 #include "pty-private.h"
 
-
+#if HAVE_PT_CHOWN
 /* Close all file descriptors except the one specified.  */
 static void
 close_all_fds (void)
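Review bot: The guard added here is `#if HAVE_PT_CHOWN`, while sysdeps/unix/grantpt.c in the same patch tests the macro with `#ifdef HAVE_PT_CHOWN`. Because config.h.in leaves the macro undefined when the option is off, the `#if` form relies on an undefined identifier evaluating to 0 and would warn under `-Wundef`. Using `#ifdef HAVE_PT_CHOWN` here keeps the two files consistent, so `CLOSE_ALL_FDS` is defined exactly when the fork/exec path that uses it is compiled. The body of close_all_fds continues outside this hunk.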
@@ -38,6 +38,7 @@ close_all_fds (void)
       __dup2 (STDOUT_FILENO, STDERR_FILENO);
     }
 }
-#define CLOSE_ALL_FDS() close_all_fds()
+# define CLOSE_ALL_FDS() close_all_fds()
+#endif
 
 #include <sysdeps/unix/grantpt.c>
++++++ glibc-2.14-crypt.diff ++++++
--- /var/tmp/diff_new_pack.brZ5QJ/_old  2013-07-23 20:30:56.000000000 +0200
+++ /var/tmp/diff_new_pack.brZ5QJ/_new  2013-07-23 20:30:56.000000000 +0200
@@ -39,6 +39,11 @@
  
  include ../Makeconfig
  
+@@ -77,3 +82,4 @@ endif
+ # This ensures they will load libc.so for needed symbols if loaded by
+ # a statically-linked program that hasn't already loaded it.
+ $(objpfx)libcrypt.so: $(common-objpfx)libc.so $(common-objpfx)libc_nonshared.a
++$(objpfx)libowcrypt.so: $(common-objpfx)libc.so 
$(common-objpfx)libc_nonshared.a
 Index: glibc-2.17/crypt/Versions
 ===================================================================
 --- glibc-2.17.orig/crypt/Versions

++++++ nonascii-case.patch ++++++
        [BZ #15736]
        * locale/categories.def (LC_CTYPE): Add "nonascii-case" element.
        * string/Makefile (test-strcasecmp-ENV)
        (test-strcasecmp-ifunc-ENV): Define.
        * string/test-strcasecmp.c (test_main): Run tests in several
        locales.

Index: glibc-2.17/locale/categories.def
===================================================================
--- glibc-2.17.orig/locale/categories.def
+++ glibc-2.17/locale/categories.def
@@ -133,6 +133,7 @@ DEFINE_CATEGORY
   DEFINE_ELEMENT (_NL_CTYPE_TRANSLIT_IGNORE_LEN, "ctype-translit-ignore-len", 
std, word)
   DEFINE_ELEMENT (_NL_CTYPE_TRANSLIT_IGNORE, "ctype-translit-ignore", std, 
string)
   DEFINE_ELEMENT (_NL_CTYPE_MAP_TO_NONASCII, "map-to-nonascii", std, word)
+  DEFINE_ELEMENT (_NL_CTYPE_NONASCII_CASE, "nonascii-case", std, word)
   ), _nl_postload_ctype)
 
 
Index: glibc-2.17/string/Makefile
===================================================================
--- glibc-2.17.orig/string/Makefile
+++ glibc-2.17/string/Makefile
@@ -69,6 +69,8 @@ noinl-tester-ENV = LANGUAGE=C
 tst-strxfrm-ENV = LOCPATH=$(common-objpfx)localedata
 tst-strxfrm2-ENV = LOCPATH=$(common-objpfx)localedata
 bug-strcoll1-ENV = LOCPATH=$(common-objpfx)localedata
+test-strcasecmp-ENV = LOCPATH=$(common-objpfx)localedata
+test-strcasecmp-ifunc-ENV = LOCPATH=$(common-objpfx)localedata
 CFLAGS-inl-tester.c = -fno-builtin
 CFLAGS-noinl-tester.c = -fno-builtin
 CFLAGS-tst-strlen.c = -fno-builtin
Index: glibc-2.17/string/test-strcasecmp.c
===================================================================
--- glibc-2.17.orig/string/test-strcasecmp.c
+++ glibc-2.17/string/test-strcasecmp.c
@@ -17,6 +17,7 @@
    License along with the GNU C Library; if not, see
    <http://www.gnu.org/licenses/>.  */
 
+#include <locale.h>
 #include <ctype.h>
 #define TEST_MAIN
 #define TEST_NAME "strcasecmp"
@@ -230,14 +231,18 @@ do_random_tests (void)
     }
 }
 
-int
-test_main (void)
+static void
+test_locale (const char *locale)
 {
   size_t i;
 
-  test_init ();
+  if (setlocale (LC_CTYPE, locale) == NULL)
+    {
+      error (0, 0, "cannot set locale \"%s\"", locale);
+      ret = 1;
+    }
 
-  printf ("%23s", "");
+  printf ("%-23s", locale);
   FOR_EACH_IMPL (impl, 0)
     printf ("\t%s", impl->name);
   putchar ('\n');
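Review bot: When `setlocale` fails, the added block records `ret = 1` but then carries on, so the whole test body runs in whatever locale was active before, and its output is printed under the name of the locale that could not be set. Returning right after the error, i.e. adding `return;` after `ret = 1;`, keeps the failure while avoiding mislabelled results. test_locale's body continues outside this hunk.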
@@ -270,6 +275,19 @@ test_main (void)
     }
 
   do_random_tests ();
+}
+
+int
+test_main (void)
+{
+  test_init ();
+
+  test_locale ("C");
+  test_locale ("en_US.ISO-8859-1");
+  test_locale ("en_US.UTF-8");
+  test_locale ("tr_TR.ISO-8859-9");
+  test_locale ("tr_TR.UTF-8");
+
   return ret;
 }
 