Author: aurel32
Date: 2014-07-10 20:55:56 +0000 (Thu, 10 Jul 2014)
New Revision: 6204
Added:
glibc-package/trunk/debian/patches/any/cvs-CVE-2014-0475.diff
Modified:
glibc-package/trunk/debian/changelog
glibc-package/trunk/debian/patches/series
Log:
* debian/patches/any/cvs-CVE-2014-0475.diff: fix a directory traversal in
locale environment handling (CVE-2014-0475).
* debian/patches/any/cvs-setlocale-alloca.diff: Additional setlocale
hardening.
Modified: glibc-package/trunk/debian/changelog
===================================================================
--- glibc-package/trunk/debian/changelog 2014-07-10 20:01:36 UTC (rev
6203)
+++ glibc-package/trunk/debian/changelog 2014-07-10 20:55:56 UTC (rev
6204)
@@ -1,5 +1,11 @@
-glibc (2.19-6) UNRELEASED; urgency=medium
+glibc (2.19-6) UNRELEASED; urgency=high
+ [ Aurelien Jarno ]
+ * debian/patches/any/cvs-CVE-2014-0475.diff: fix a directory traversal in
+ locale environment handling (CVE-2014-0475).
+ * debian/patches/any/cvs-setlocale-alloca.diff: Additional setlocale
+ hardening.
+
[ Helmut Grohne ]
* debian/rules.d/debhelper.mk: fix dh_strip call in stage1. Closes:
#754350.
Added: glibc-package/trunk/debian/patches/any/cvs-CVE-2014-0475.diff
===================================================================
--- glibc-package/trunk/debian/patches/any/cvs-CVE-2014-0475.diff
(rev 0)
+++ glibc-package/trunk/debian/patches/any/cvs-CVE-2014-0475.diff
2014-07-10 20:55:56 UTC (rev 6204)
@@ -0,0 +1,350 @@
+2014-07-02 Florian Weimer <fwei...@redhat.com>
+
+ [BZ #17137]
+ * locale/findlocale.c (name_present, valid_locale_name): New
+ functions.
+ (_nl_find_locale): Use the loc_name variable to store name
+ candidates. Call name_present and valid_locale_name to check and
+ validate locale names. Return an error if the locale is invalid.
+
+2014-07-02 Florian Weimer <fwei...@redhat.com>
+
+ * locale/tst-setlocale3.c: New file.
+ * locale/Makefile (tests): Add tst-setlocale3.
+ (tst-setlocale3-ENV): New variable.
+
+--- a/locale/findlocale.c
++++ b/locale/findlocale.c
+@@ -17,6 +17,7 @@
+ <http://www.gnu.org/licenses/>. */
+
+ #include <assert.h>
++#include <errno.h>
+ #include <locale.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -57,6 +58,45 @@ struct loaded_l10nfile *_nl_locale_file_list[__LC_LAST];
+
+ const char _nl_default_locale_path[] attribute_hidden = LOCALEDIR;
+
++/* Checks if the name is actually present, that is, not NULL and not
++ empty. */
++static inline int
++name_present (const char *name)
++{
++ return name != NULL && name[0] != '\0';
++}
++
++/* Checks that the locale name neither extremely long, nor contains a
++ ".." path component (to prevent directory traversal). */
++static inline int
++valid_locale_name (const char *name)
++{
++ /* Not set. */
++ size_t namelen = strlen (name);
++ /* Name too long. The limit is arbitrary and prevents stack overflow
++ issues later. */
++ if (__glibc_unlikely (namelen > 255))
++ return 0;
++ /* Directory traversal attempt. */
++ static const char slashdot[4] = {'/', '.', '.', '/'};
++ if (__glibc_unlikely (memmem (name, namelen,
++ slashdot, sizeof (slashdot)) != NULL))
++ return 0;
++ if (namelen == 2 && __glibc_unlikely (name[0] == '.' && name [1] == '.'))
++ return 0;
++ if (namelen >= 3
++ && __glibc_unlikely (((name[0] == '.'
++ && name[1] == '.'
++ && name[2] == '/')
++ || (name[namelen - 3] == '/'
++ && name[namelen - 2] == '.'
++ && name[namelen - 1] == '.'))))
++ return 0;
++ /* If there is a slash in the name, it must start with one. */
++ if (__glibc_unlikely (memchr (name, '/', namelen) != NULL) && name[0] !=
'/')
++ return 0;
++ return 1;
++}
+
+ struct __locale_data *
+ internal_function
+@@ -65,7 +105,7 @@ _nl_find_locale (const char *locale_path, size_t
locale_path_len,
+ {
+ int mask;
+ /* Name of the locale for this category. */
+- char *loc_name;
++ char *loc_name = (char *) *name;
+ const char *language;
+ const char *modifier;
+ const char *territory;
+@@ -73,31 +113,39 @@ _nl_find_locale (const char *locale_path, size_t
locale_path_len,
+ const char *normalized_codeset;
+ struct loaded_l10nfile *locale_file;
+
+- if ((*name)[0] == '\0')
++ if (loc_name[0] == '\0')
+ {
+ /* The user decides which locale to use by setting environment
+ variables. */
+- *name = getenv ("LC_ALL");
+- if (*name == NULL || (*name)[0] == '\0')
+- *name = getenv (_nl_category_names.str
++ loc_name = getenv ("LC_ALL");
++ if (!name_present (loc_name))
++ loc_name = getenv (_nl_category_names.str
+ + _nl_category_name_idxs[category]);
+- if (*name == NULL || (*name)[0] == '\0')
+- *name = getenv ("LANG");
++ if (!name_present (loc_name))
++ loc_name = getenv ("LANG");
++ if (!name_present (loc_name))
++ loc_name = (char *) _nl_C_name;
+ }
+
+- if (*name == NULL || (*name)[0] == '\0'
+- || (__builtin_expect (__libc_enable_secure, 0)
+- && strchr (*name, '/') != NULL))
+- *name = (char *) _nl_C_name;
++ /* We used to fall back to the C locale if the name contains a slash
++ character '/', but we now check for directory traversal in
++ valid_locale_name, so this is no longer necessary. */
+
+- if (__builtin_expect (strcmp (*name, _nl_C_name), 1) == 0
+- || __builtin_expect (strcmp (*name, _nl_POSIX_name), 1) == 0)
++ if (__builtin_expect (strcmp (loc_name, _nl_C_name), 1) == 0
++ || __builtin_expect (strcmp (loc_name, _nl_POSIX_name), 1) == 0)
+ {
+ /* We need not load anything. The needed data is contained in
+ the library itself. */
+ *name = (char *) _nl_C_name;
+ return _nl_C[category];
+ }
++ else if (!valid_locale_name (loc_name))
++ {
++ __set_errno (EINVAL);
++ return NULL;
++ }
++
++ *name = loc_name;
+
+ /* We really have to load some data. First we try the archive,
+ but only if there was no LOCPATH environment variable specified. */
+
+--- a/localedata/Makefile
++++ b/localedata/Makefile
+@@ -74,7 +74,7 @@ locale_test_suite := tst_iswalnum tst_iswalpha tst_iswcntrl
\
+
+ tests = $(locale_test_suite) tst-digits tst-setlocale bug-iconv-trans \
+ tst-leaks tst-mbswcs6 tst-xlocale1 tst-xlocale2 bug-usesetlocale \
+- tst-strfmon1 tst-sscanf bug-setlocale1 tst-setlocale2
++ tst-strfmon1 tst-sscanf bug-setlocale1 tst-setlocale2 tst-setlocale3
+ tests-static = bug-setlocale1-static
+ tests += $(tests-static)
+ ifeq (yes,$(build-shared))
+--- /dev/null
++++ b/localedata/tst-setlocale3.c
+@@ -0,0 +1,203 @@
++/* Regression test for setlocale invalid environment variable handling.
++ Copyright (C) 2014 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <locale.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++
++/* The result of setlocale may be overwritten by subsequent calls, so
++ this wrapper makes a copy. */
++static char *
++setlocale_copy (int category, const char *locale)
++{
++ const char *result = setlocale (category, locale);
++ if (result == NULL)
++ return NULL;
++ return strdup (result);
++}
++
++static char *de_locale;
++
++static void
++setlocale_fail (const char *envstring)
++{
++ setenv ("LC_CTYPE", envstring, 1);
++ if (setlocale (LC_CTYPE, "") != NULL)
++ {
++ printf ("unexpected setlocale success for \"%s\" locale\n", envstring);
++ exit (1);
++ }
++ const char *newloc = setlocale (LC_CTYPE, NULL);
++ if (strcmp (newloc, de_locale) != 0)
++ {
++ printf ("failed setlocale call \"%s\" changed locale to \"%s\"\n",
++ envstring, newloc);
++ exit (1);
++ }
++}
++
++static void
++setlocale_success (const char *envstring)
++{
++ setenv ("LC_CTYPE", envstring, 1);
++ char *newloc = setlocale_copy (LC_CTYPE, "");
++ if (newloc == NULL)
++ {
++ printf ("setlocale for \"%s\": %m\n", envstring);
++ exit (1);
++ }
++ if (strcmp (newloc, de_locale) == 0)
++ {
++ printf ("setlocale with LC_CTYPE=\"%s\" left locale at \"%s\"\n",
++ envstring, de_locale);
++ exit (1);
++ }
++ if (setlocale (LC_CTYPE, de_locale) == NULL)
++ {
++ printf ("restoring locale \"%s\" with LC_CTYPE=\"%s\": %m\n",
++ de_locale, envstring);
++ exit (1);
++ }
++ char *newloc2 = setlocale_copy (LC_CTYPE, newloc);
++ if (newloc2 == NULL)
++ {
++ printf ("restoring locale \"%s\" following \"%s\": %m\n",
++ newloc, envstring);
++ exit (1);
++ }
++ if (strcmp (newloc, newloc2) != 0)
++ {
++ printf ("representation of locale \"%s\" changed from \"%s\" to \"%s\"",
++ envstring, newloc, newloc2);
++ exit (1);
++ }
++ free (newloc);
++ free (newloc2);
++
++ if (setlocale (LC_CTYPE, de_locale) == NULL)
++ {
++ printf ("restoring locale \"%s\" with LC_CTYPE=\"%s\": %m\n",
++ de_locale, envstring);
++ exit (1);
++ }
++}
++
++/* Checks that a known-good locale still works if LC_ALL contains a
++ value which should be ignored. */
++static void
++setlocale_ignore (const char *to_ignore)
++{
++ const char *fr_locale = "fr_FR.UTF-8";
++ setenv ("LC_CTYPE", fr_locale, 1);
++ char *expected_locale = setlocale_copy (LC_CTYPE, "");
++ if (expected_locale == NULL)
++ {
++ printf ("setlocale with LC_CTYPE=\"%s\" failed: %m\n", fr_locale);
++ exit (1);
++ }
++ if (setlocale (LC_CTYPE, de_locale) == NULL)
++ {
++ printf ("failed to restore locale: %m\n");
++ exit (1);
++ }
++ unsetenv ("LC_CTYPE");
++
++ setenv ("LC_ALL", to_ignore, 1);
++ setenv ("LC_CTYPE", fr_locale, 1);
++ const char *actual_locale = setlocale (LC_CTYPE, "");
++ if (actual_locale == NULL)
++ {
++ printf ("setlocale with LC_ALL, LC_CTYPE=\"%s\" failed: %m\n",
++ fr_locale);
++ exit (1);
++ }
++ if (strcmp (actual_locale, expected_locale) != 0)
++ {
++ printf ("setlocale under LC_ALL failed: got \"%s\", expected \"%s\"\n",
++ actual_locale, expected_locale);
++ exit (1);
++ }
++ unsetenv ("LC_CTYPE");
++ setlocale_success (fr_locale);
++ unsetenv ("LC_ALL");
++ free (expected_locale);
++}
++
++static int
++do_test (void)
++{
++ /* The glibc test harness sets this environment variable
++ uncondionally. */
++ unsetenv ("LC_ALL");
++
++ de_locale = setlocale_copy (LC_CTYPE, "de_DE.UTF-8");
++ if (de_locale == NULL)
++ {
++ printf ("setlocale (LC_CTYPE, \"de_DE.UTF-8\"): %m\n");
++ return 1;
++ }
++ setlocale_success ("C");
++ setlocale_success ("en_US.UTF-8");
++ setlocale_success ("/en_US.UTF-8");
++ setlocale_success ("//en_US.UTF-8");
++ setlocale_ignore ("");
++
++ setlocale_fail ("does-not-exist");
++ setlocale_fail ("/");
++ setlocale_fail ("/../localedata/en_US.UTF-8");
++ setlocale_fail ("en_US.UTF-8/");
++ setlocale_fail ("en_US.UTF-8/..");
++ setlocale_fail ("en_US.UTF-8/../en_US.UTF-8");
++ setlocale_fail ("../localedata/en_US.UTF-8");
++ {
++ size_t large_length = 1024;
++ char *large_name = malloc (large_length + 1);
++ if (large_name == NULL)
++ {
++ puts ("malloc failure");
++ return 1;
++ }
++ memset (large_name, '/', large_length);
++ const char *suffix = "en_US.UTF-8";
++ strcpy (large_name + large_length - strlen (suffix), suffix);
++ setlocale_fail (large_name);
++ free (large_name);
++ }
++ {
++ size_t huge_length = 64 * 1024 * 1024;
++ char *huge_name = malloc (huge_length + 1);
++ if (huge_name == NULL)
++ {
++ puts ("malloc failure");
++ return 1;
++ }
++ memset (huge_name, 'X', huge_length);
++ huge_name[huge_length] = '\0';
++ /* Construct a composite locale specification. */
++ const char *prefix = "LC_CTYPE=de_DE.UTF-8;LC_TIME=";
++ memcpy (huge_name, prefix, strlen (prefix));
++ setlocale_fail (huge_name);
++ free (huge_name);
++ }
++
++ return 0;
++}
++
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
Modified: glibc-package/trunk/debian/patches/series
===================================================================
--- glibc-package/trunk/debian/patches/series 2014-07-10 20:01:36 UTC (rev
6203)
+++ glibc-package/trunk/debian/patches/series 2014-07-10 20:55:56 UTC (rev
6204)
@@ -254,3 +254,5 @@
any/submitted-argp-attribute.diff
any/submitted-resolv-ipv6-nameservers.diff
any/cvs-posix_spawn_file_actions_addopen.diff
+any/cvs-setlocale-alloca.diff
+any/cvs-CVE-2014-0475.diff
--
To UNSUBSCRIBE, email to debian-glibc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/e1x5lnk-0005el...@moszumanska.debian.org
