From 42c30fa8bd9f1c1875c9bc07f4b6273b98852e30 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?= Date: Fri, 29 Apr 2016 23:33:42 +0200 Subject: [PATCH] - rel 2; fixes CVE-2016-3075; update from upstream git --- glibc-git.patch | 201 ++++++++++++++++++++++++++++++++++++++++++++++-- glibc.spec | 2 +- 2 files changed, 195 insertions(+), 8 deletions(-) diff --git a/glibc-git.patch b/glibc-git.patch index 1d5ad4b..3acd9dd 100644 --- a/glibc-git.patch +++ b/glibc-git.patch @@ -1,8 +1,27 @@ diff --git a/ChangeLog b/ChangeLog -index 2e4afb7..64a2746 100644 +index 2e4afb7..29b7cf5 100644 --- a/ChangeLog +++ b/ChangeLog -@@ -1,5 +1,163 @@ +@@ -1,5 +1,182 @@ ++2016-04-20 Yvan Roux ++ ++ * stdlib/setenv.c (unsetenv): Fix ambiguous 'else'. ++ * nis/nis_call.c (nis_server_cache_add): Likewise. ++ ++2016-04-09 Mike Frysinger ++ ++ * sysdeps/i386/configure.ac: Change == to = when calling test. ++ * sysdeps/x86_64/configure.ac: Likewise. ++ * sysdeps/i386/configure: Regenerated. ++ * sysdeps/x86_64/configure: Likewise. ++ ++2016-04-01 Florian Weimer ++ ++ [BZ #19879] ++ CVE-2016-3075 ++ * resolv/nss_dns/dns-network.c (_nss_dns_getnetbyname_r): Do not ++ copy name. ++ +2016-04-01 Stefan Liebler + + * sysdeps/s390/bits/link.h: (La_s390_vr) New typedef. @@ -167,10 +186,10 @@ index 2e4afb7..64a2746 100644 (VERSION): Set to 2.23. * include/feature.h (__GLIBC_MINOR__): Set to 23. diff --git a/NEWS b/NEWS -index c0276cf..674d217 100644 +index c0276cf..a08f96b 100644 --- a/NEWS +++ b/NEWS -@@ -5,6 +5,23 @@ See the end for copying conditions. +@@ -5,6 +5,29 @@ See the end for copying conditions. Please send GNU C library bug reports via using `glibc' in the "product" field. 
@@ -178,7 +197,10 @@ index c0276cf..674d217 100644 + +Security related changes: + -+ [Add security related changes here] ++* The getnetbyname implementation in nss_dns had a potentially unbounded ++ alloca call (in the form of a call to strdupa), leading to a stack ++ overflow (stack exhaustion) and a crash if getnetbyname is invoked ++ on a very long name. (CVE-2016-3075) + +The following bugs are resolved with this release: + @@ -186,15 +208,18 @@ index c0276cf..674d217 100644 + [19758] Or bit_Prefer_MAP_32BIT_EXEC in EXTRA_LD_ENVVARS + [19759] Don't inline mempcpy for x86 + [19762] Use HAS_ARCH_FEATURE with Fast_Rep_String -+ [19791] Assertion failure in res_query.c with un-connectable name server addresses ++ [19791] Assertion failure in res_query.c with un-connectable name server ++ addresses + [19792] MIPS: backtrace yields infinite backtrace with makecontext + [19822] libm.so install clobbers old version ++ [19879] network: nss_dns: Stack overflow in getnetbyname implementation ++ (CVE-2016-3075) + + Version 2.23 * Unicode 8.0.0 Support: Character encoding, character type info, and -@@ -38,7 +55,7 @@ Version 2.23 +@@ -38,7 +61,7 @@ Version 2.23 unnecessary serialization of memory allocation requests across threads. The defect is now corrected. Users should see a substantial increase in the concurent throughput of allocation requests for applications which 
@@ -278,6 +303,38 @@ index 195d753..ecff1dc 100644 { printf ("FAIL: Failed to call is* functions.\n"); exit (1); +diff --git a/nis/nis_call.c b/nis/nis_call.c +index 3fa37e4..cb7839a 100644 +--- a/nis/nis_call.c ++++ b/nis/nis_call.c +@@ -680,16 +680,18 @@ nis_server_cache_add (const_nis_name name, int search_parent, + /* Choose which entry should be evicted from the cache. */ + loc = &nis_server_cache[0]; + if (*loc != NULL) +- for (i = 1; i < 16; ++i) +- if (nis_server_cache[i] == NULL) +- { ++ { ++ for (i = 1; i < 16; ++i) ++ if (nis_server_cache[i] == NULL) ++ { ++ loc = &nis_server_cache[i]; ++ break; ++ } ++ else if ((*loc)->uses > nis_server_cache[i]->uses ++ || ((*loc)->uses == nis_server_cache[i]->uses ++ && (*loc)->expires > nis_server_cache[i]->expires)) + loc = &nis_server_cache[i]; +- break; +- } +- else if ((*loc)->uses > nis_server_cache[i]->uses +- || ((*loc)->uses == nis_server_cache[i]->uses +- && (*loc)->expires > nis_server_cache[i]->expires)) +- loc = &nis_server_cache[i]; ++ } + old = *loc; + *loc = new; + diff --git a/po/be.po b/po/be.po index 66d1235..ffb39b4 100644 --- a/po/be.po 
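Review bot: The `for` body inside the newly braced `if (*loc != NULL)` block is still an unbraced if/else-if chain, so the dangling-else ambiguity this hunk removes can come back the next time a statement is added there; bracing the loop body as well, `for (i = 1; i < 16; ++i) { ... }`, closes that off for good. The eviction bound `16` is also a bare magic number at this point in the new code — if nis_server_cache has a named size constant it should be used instead of the literal (the hunk does not show whether one exists). nis_server_cache_add begins and ends outside the hunk.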
@@ -55270,6 +55327,29 @@ index 90c47e4..9ca8cb1 100644 #~ msgid "compile-time support for database policy missing" #~ msgstr "compile-time 支援用於資料庫策略缺少" +diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c +index 2eb2f67..8f301a7 100644 +--- a/resolv/nss_dns/dns-network.c ++++ b/resolv/nss_dns/dns-network.c +@@ -118,17 +118,14 @@ _nss_dns_getnetbyname_r (const char *name, struct netent *result, + } net_buffer; + querybuf *orig_net_buffer; + int anslen; +- char *qbuf; + enum nss_status status; + + if (__res_maybe_init (&_res, 0) == -1) + return NSS_STATUS_UNAVAIL; + +- qbuf = strdupa (name); +- + net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024); + +- anslen = __libc_res_nsearch (&_res, qbuf, C_IN, T_PTR, net_buffer.buf->buf, ++ anslen = __libc_res_nsearch (&_res, name, C_IN, T_PTR, net_buffer.buf->buf, + 1024, &net_buffer.ptr, NULL, NULL, NULL, NULL); + if (anslen < 0) + { diff --git a/resolv/res_init.c b/resolv/res_init.c index e0b6a80..6c951f5 100644 --- a/resolv/res_init.c @@ -55449,6 +55529,43 @@ index 25c19f1..b4efcb6 100644 else { /* poll should not have returned > 0 in this case. */ abort (); +diff --git a/stdlib/setenv.c b/stdlib/setenv.c +index da61ee0..e66045f 100644 +--- a/stdlib/setenv.c ++++ b/stdlib/setenv.c +@@ -278,18 +278,20 @@ unsetenv (const char *name) + ep = __environ; + if (ep != NULL) + while (*ep != NULL) +- if (!strncmp (*ep, name, len) && (*ep)[len] == '=') +- { +- /* Found it. Remove this pointer by moving later ones back. */ +- char **dp = ep; +- +- do +- dp[0] = dp[1]; +- while (*dp++); +- /* Continue the loop in case NAME appears again. */ +- } +- else +- ++ep; ++ { ++ if (!strncmp (*ep, name, len) && (*ep)[len] == '=') ++ { ++ /* Found it. Remove this pointer by moving later ones back. */ ++ char **dp = ep; ++ ++ do ++ dp[0] = dp[1]; ++ while (*dp++); ++ /* Continue the loop in case NAME appears again. */ ++ } ++ else ++ ++ep; ++ } + + UNLOCK; + 
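Review bot: Passing `name` straight into `__libc_res_nsearch` leaves no trace in the code of why the stack copy was removed, so a later cleanup could reintroduce it; a one-line comment above the call, `/* NAME is passed through unmodified: copying it with strdupa is unbounded and was the cause of CVE-2016-3075.  */`, would document the intent. The remaining `alloca (1024)` on the line above is fixed-size and is not the same hazard. _nss_dns_getnetbyname_r starts and ends outside the hunk.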
diff --git a/sysdeps/arm/nacl/libc.abilist b/sysdeps/arm/nacl/libc.abilist index 561441e..0560510 100644 --- a/sysdeps/arm/nacl/libc.abilist @@ -55463,6 +55580,32 @@ index 561441e..0560510 100644 +GLIBC_2.23 fts64_open F +GLIBC_2.23 fts64_read F +GLIBC_2.23 fts64_set F +diff --git a/sysdeps/i386/configure b/sysdeps/i386/configure +index 9515719..5b55c5a 100644 +--- a/sysdeps/i386/configure ++++ b/sysdeps/i386/configure +@@ -72,7 +72,7 @@ rm -f conftest* + fi + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_asm_mpx" >&5 + $as_echo "$libc_cv_asm_mpx" >&6; } +-if test $libc_cv_asm_mpx == yes; then ++if test $libc_cv_asm_mpx = yes; then + $as_echo "#define HAVE_MPX_SUPPORT 1" >>confdefs.h + + fi +diff --git a/sysdeps/i386/configure.ac b/sysdeps/i386/configure.ac +index f8f9e44..19ef33f 100644 +--- a/sysdeps/i386/configure.ac ++++ b/sysdeps/i386/configure.ac +@@ -41,7 +41,7 @@ else + libc_cv_asm_mpx=no + fi + rm -f conftest*]) +-if test $libc_cv_asm_mpx == yes; then ++if test $libc_cv_asm_mpx = yes; then + AC_DEFINE(HAVE_MPX_SUPPORT) + fi + diff --git a/sysdeps/i386/i686/multiarch/bcopy.S b/sysdeps/i386/i686/multiarch/bcopy.S index d5b408d..ce6661b 100644 --- a/sysdeps/i386/i686/multiarch/bcopy.S 
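Review bot: The `if (ep != NULL)` just above the `while` still has an unbraced compound body after this change, so the nesting that caused the ambiguous-else warning is only half addressed; bracing it too, `if (ep != NULL) { while (*ep != NULL) { ... } }`, keeps the whole construct unambiguous. The rest of the logic (the `dp[0] = dp[1]` shift loop and the `UNLOCK`) is unchanged. unsetenv starts and ends outside the hunk.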
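Review bot: `test $libc_cv_asm_mpx = yes` still leaves the variable unquoted, so if it were ever empty the command would degenerate to `test = yes` and fail with a syntax error instead of evaluating false; the usual autoconf form is `if test "x$libc_cv_asm_mpx" = xyes; then`. The same applies to the configure.ac hunk in this section and to the four `libc_cv_asm_avx512`/`libc_cv_asm_mpx` tests in the sysdeps/x86_64 configure and configure.ac hunks further down. The visible context assigns `libc_cv_asm_mpx=no` in the else branch, so the variable is probably always set and this is a robustness point rather than a live failure; the `==` to `=` change itself is the correct fix for a non-bash /bin/sh.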
@@ -56569,6 +56712,50 @@ index e4e019f..8dfce05 100644 /* Enable inline functions only for i486 or better when compiling for ia32. */ #if !defined __x86_64__ && (defined __i486__ || defined __pentium__ \ +diff --git a/sysdeps/x86_64/configure b/sysdeps/x86_64/configure +index c72b9d3..88fbfe4 100644 +--- a/sysdeps/x86_64/configure ++++ b/sysdeps/x86_64/configure +@@ -24,7 +24,7 @@ rm -f conftest* + fi + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_asm_avx512" >&5 + $as_echo "$libc_cv_asm_avx512" >&6; } +-if test $libc_cv_asm_avx512 == yes; then ++if test $libc_cv_asm_avx512 = yes; then + $as_echo "#define HAVE_AVX512_ASM_SUPPORT 1" >>confdefs.h + + fi +@@ -77,7 +77,7 @@ rm -f conftest* + fi + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_asm_mpx" >&5 + $as_echo "$libc_cv_asm_mpx" >&6; } +-if test $libc_cv_asm_mpx == yes; then ++if test $libc_cv_asm_mpx = yes; then + $as_echo "#define HAVE_MPX_SUPPORT 1" >>confdefs.h + + fi +diff --git a/sysdeps/x86_64/configure.ac b/sysdeps/x86_64/configure.ac +index 37b1059..b39309e 100644 +--- a/sysdeps/x86_64/configure.ac ++++ b/sysdeps/x86_64/configure.ac +@@ -13,7 +13,7 @@ else + libc_cv_asm_avx512=no + fi + rm -f conftest*]) +-if test $libc_cv_asm_avx512 == yes; then ++if test $libc_cv_asm_avx512 = yes; then + AC_DEFINE(HAVE_AVX512_ASM_SUPPORT) + fi + +@@ -37,7 +37,7 @@ else + libc_cv_asm_mpx=no + fi + rm -f conftest*]) +-if test $libc_cv_asm_mpx == yes; then ++if test $libc_cv_asm_mpx = yes; then + AC_DEFINE(HAVE_MPX_SUPPORT) + fi + diff --git a/sysdeps/x86_64/dl-trampoline.S b/sysdeps/x86_64/dl-trampoline.S index 9fb6b13..39b8771 100644 --- a/sysdeps/x86_64/dl-trampoline.S diff --git a/glibc.spec b/glibc.spec index bd5794f..1fdfc5f 100644 --- a/glibc.spec +++ b/glibc.spec @@ -41,7 +41,7 @@ Summary(tr.UTF-8): GNU libc Summary(uk.UTF-8): GNU libc версії Name: glibc Version: %{core_version} -Release: 1 +Release: 2 Epoch: 6 License: LGPL v2.1+ Group: Libraries -- 2.44.0