- rel 2; fixes CVE-2016-3075; update from upstream git

diff --git a/glibc-git.patch b/glibc-git.patch
index 1d5ad4b97face03d4f76bf8df495dbb35bfb1b35..3acd9dd7988532def6eae79dc64121a4975dbe73 100644 (file)
--- a/glibc-git.patch
+++ b/glibc-git.patch
@@ -1,8 +1,27 @@
 diff --git a/ChangeLog b/ChangeLog
-index 2e4afb7..64a2746 100644
+index 2e4afb7..29b7cf5 100644
 --- a/ChangeLog
 +++ b/ChangeLog
-@@ -1,5 +1,163 @@
+@@ -1,5 +1,182 @@
++2016-04-20  Yvan Roux  <yvan.roux@linaro.org>
++
++      * stdlib/setenv.c (unsetenv): Fix ambiguous 'else'.
++      * nis/nis_call.c (nis_server_cache_add): Likewise.
++
++2016-04-09  Mike Frysinger  <vapier@gentoo.org>
++
++      * sysdeps/i386/configure.ac: Change == to = when calling test.
++      * sysdeps/x86_64/configure.ac: Likewise.
++      * sysdeps/i386/configure: Regenerated.
++      * sysdeps/x86_64/configure: Likewise.
++
++2016-04-01  Florian Weimer  <fweimer@redhat.com>
++
++      [BZ #19879]
++      CVE-2016-3075
++      * resolv/nss_dns/dns-network.c (_nss_dns_getnetbyname_r): Do not
++      copy name.
++
 +2016-04-01  Stefan Liebler  <stli@linux.vnet.ibm.com>
 +
 +      * sysdeps/s390/bits/link.h: (La_s390_vr) New typedef.
@@ -167,10 +186,10 @@ index 2e4afb7..64a2746 100644
        (VERSION): Set to 2.23.
        * include/feature.h (__GLIBC_MINOR__): Set to 23.
 diff --git a/NEWS b/NEWS
-index c0276cf..674d217 100644
+index c0276cf..a08f96b 100644
 --- a/NEWS
 +++ b/NEWS
-@@ -5,6 +5,23 @@ See the end for copying conditions.
+@@ -5,6 +5,29 @@ See the end for copying conditions.
  Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
  using `glibc' in the "product" field.
  \f
@@ -178,7 +197,10 @@ index c0276cf..674d217 100644
 +
 +Security related changes:
 +
-+  [Add security related changes here]
++* The getnetbyname implementation in nss_dns had a potentially unbounded
++  alloca call (in the form of a call to strdupa), leading to a stack
++  overflow (stack exhaustion) and a crash if getnetbyname is invoked
++  on a very long name.  (CVE-2016-3075)
 +
 +The following bugs are resolved with this release:
 +
@@ -186,15 +208,18 @@ index c0276cf..674d217 100644
 +  [19758] Or bit_Prefer_MAP_32BIT_EXEC in EXTRA_LD_ENVVARS
 +  [19759] Don't inline mempcpy for x86
 +  [19762] Use HAS_ARCH_FEATURE with Fast_Rep_String
-+  [19791] Assertion failure in res_query.c with un-connectable name server addresses
++  [19791] Assertion failure in res_query.c with un-connectable name server
++    addresses
 +  [19792] MIPS: backtrace yields infinite backtrace with makecontext
 +  [19822] libm.so install clobbers old version
++  [19879] network: nss_dns: Stack overflow in getnetbyname implementation
++    (CVE-2016-3075)
 +
 +\f
  Version 2.23
  
  * Unicode 8.0.0 Support: Character encoding, character type info, and
-@@ -38,7 +55,7 @@ Version 2.23
+@@ -38,7 +61,7 @@ Version 2.23
    unnecessary serialization of memory allocation requests across threads.
    The defect is now corrected.  Users should see a substantial increase in
    the concurent throughput of allocation requests for applications which
@@ -278,6 +303,38 @@ index 195d753..ecff1dc 100644
      {
        printf ("FAIL: Failed to call is* functions.\n");
        exit (1);
+diff --git a/nis/nis_call.c b/nis/nis_call.c
+index 3fa37e4..cb7839a 100644
+--- a/nis/nis_call.c
++++ b/nis/nis_call.c
+@@ -680,16 +680,18 @@ nis_server_cache_add (const_nis_name name, int search_parent,
+   /* Choose which entry should be evicted from the cache.  */
+   loc = &nis_server_cache[0];
+   if (*loc != NULL)
+-    for (i = 1; i < 16; ++i)
+-      if (nis_server_cache[i] == NULL)
+-      {
++    {
++      for (i = 1; i < 16; ++i)
++      if (nis_server_cache[i] == NULL)
++        {
++          loc = &nis_server_cache[i];
++          break;
++        }
++      else if ((*loc)->uses > nis_server_cache[i]->uses
++               || ((*loc)->uses == nis_server_cache[i]->uses
++                   && (*loc)->expires > nis_server_cache[i]->expires))
+         loc = &nis_server_cache[i];
+-        break;
+-      }
+-      else if ((*loc)->uses > nis_server_cache[i]->uses
+-             || ((*loc)->uses == nis_server_cache[i]->uses
+-                 && (*loc)->expires > nis_server_cache[i]->expires))
+-      loc = &nis_server_cache[i];
++    }
+   old = *loc;
+   *loc = new;
+ 
 diff --git a/po/be.po b/po/be.po
 index 66d1235..ffb39b4 100644
 --- a/po/be.po
@@ -55270,6 +55327,29 @@ index 90c47e4..9ca8cb1 100644
  #~ msgid "compile-time support for database policy missing"
  #~ msgstr "compile-time 支援用於資料庫策略缺少"
  
+diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c
+index 2eb2f67..8f301a7 100644
+--- a/resolv/nss_dns/dns-network.c
++++ b/resolv/nss_dns/dns-network.c
+@@ -118,17 +118,14 @@ _nss_dns_getnetbyname_r (const char *name, struct netent *result,
+   } net_buffer;
+   querybuf *orig_net_buffer;
+   int anslen;
+-  char *qbuf;
+   enum nss_status status;
+ 
+   if (__res_maybe_init (&_res, 0) == -1)
+     return NSS_STATUS_UNAVAIL;
+ 
+-  qbuf = strdupa (name);
+-
+   net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024);
+ 
+-  anslen = __libc_res_nsearch (&_res, qbuf, C_IN, T_PTR, net_buffer.buf->buf,
++  anslen = __libc_res_nsearch (&_res, name, C_IN, T_PTR, net_buffer.buf->buf,
+                              1024, &net_buffer.ptr, NULL, NULL, NULL, NULL);
+   if (anslen < 0)
+     {
 diff --git a/resolv/res_init.c b/resolv/res_init.c
 index e0b6a80..6c951f5 100644
 --- a/resolv/res_init.c
@@ -55449,6 +55529,43 @@ index 25c19f1..b4efcb6 100644
        else {
                /* poll should not have returned > 0 in this case.  */
                abort ();
+diff --git a/stdlib/setenv.c b/stdlib/setenv.c
+index da61ee0..e66045f 100644
+--- a/stdlib/setenv.c
++++ b/stdlib/setenv.c
+@@ -278,18 +278,20 @@ unsetenv (const char *name)
+   ep = __environ;
+   if (ep != NULL)
+     while (*ep != NULL)
+-      if (!strncmp (*ep, name, len) && (*ep)[len] == '=')
+-      {
+-        /* Found it.  Remove this pointer by moving later ones back.  */
+-        char **dp = ep;
+-
+-        do
+-          dp[0] = dp[1];
+-        while (*dp++);
+-        /* Continue the loop in case NAME appears again.  */
+-      }
+-      else
+-      ++ep;
++      {
++      if (!strncmp (*ep, name, len) && (*ep)[len] == '=')
++        {
++          /* Found it.  Remove this pointer by moving later ones back.  */
++          char **dp = ep;
++
++          do
++              dp[0] = dp[1];
++          while (*dp++);
++          /* Continue the loop in case NAME appears again.  */
++        }
++      else
++        ++ep;
++      }
+ 
+   UNLOCK;
+ 
 diff --git a/sysdeps/arm/nacl/libc.abilist b/sysdeps/arm/nacl/libc.abilist
 index 561441e..0560510 100644
 --- a/sysdeps/arm/nacl/libc.abilist
@@ -55463,6 +55580,32 @@ index 561441e..0560510 100644
 +GLIBC_2.23 fts64_open F
 +GLIBC_2.23 fts64_read F
 +GLIBC_2.23 fts64_set F
+diff --git a/sysdeps/i386/configure b/sysdeps/i386/configure
+index 9515719..5b55c5a 100644
+--- a/sysdeps/i386/configure
++++ b/sysdeps/i386/configure
+@@ -72,7 +72,7 @@ rm -f conftest*
+ fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_asm_mpx" >&5
+ $as_echo "$libc_cv_asm_mpx" >&6; }
+-if test $libc_cv_asm_mpx == yes; then
++if test $libc_cv_asm_mpx = yes; then
+   $as_echo "#define HAVE_MPX_SUPPORT 1" >>confdefs.h
+ 
+ fi
+diff --git a/sysdeps/i386/configure.ac b/sysdeps/i386/configure.ac
+index f8f9e44..19ef33f 100644
+--- a/sysdeps/i386/configure.ac
++++ b/sysdeps/i386/configure.ac
+@@ -41,7 +41,7 @@ else
+   libc_cv_asm_mpx=no
+ fi
+ rm -f conftest*])
+-if test $libc_cv_asm_mpx == yes; then
++if test $libc_cv_asm_mpx = yes; then
+   AC_DEFINE(HAVE_MPX_SUPPORT)
+ fi
+ 
 diff --git a/sysdeps/i386/i686/multiarch/bcopy.S b/sysdeps/i386/i686/multiarch/bcopy.S
 index d5b408d..ce6661b 100644
 --- a/sysdeps/i386/i686/multiarch/bcopy.S
@@ -56569,6 +56712,50 @@ index e4e019f..8dfce05 100644
  /* Enable inline functions only for i486 or better when compiling for
     ia32.  */
  #if !defined __x86_64__ && (defined __i486__ || defined __pentium__         \
+diff --git a/sysdeps/x86_64/configure b/sysdeps/x86_64/configure
+index c72b9d3..88fbfe4 100644
+--- a/sysdeps/x86_64/configure
++++ b/sysdeps/x86_64/configure
+@@ -24,7 +24,7 @@ rm -f conftest*
+ fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_asm_avx512" >&5
+ $as_echo "$libc_cv_asm_avx512" >&6; }
+-if test $libc_cv_asm_avx512 == yes; then
++if test $libc_cv_asm_avx512 = yes; then
+   $as_echo "#define HAVE_AVX512_ASM_SUPPORT 1" >>confdefs.h
+ 
+ fi
+@@ -77,7 +77,7 @@ rm -f conftest*
+ fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $libc_cv_asm_mpx" >&5
+ $as_echo "$libc_cv_asm_mpx" >&6; }
+-if test $libc_cv_asm_mpx == yes; then
++if test $libc_cv_asm_mpx = yes; then
+   $as_echo "#define HAVE_MPX_SUPPORT 1" >>confdefs.h
+ 
+ fi
+diff --git a/sysdeps/x86_64/configure.ac b/sysdeps/x86_64/configure.ac
+index 37b1059..b39309e 100644
+--- a/sysdeps/x86_64/configure.ac
++++ b/sysdeps/x86_64/configure.ac
+@@ -13,7 +13,7 @@ else
+   libc_cv_asm_avx512=no
+ fi
+ rm -f conftest*])
+-if test $libc_cv_asm_avx512 == yes; then
++if test $libc_cv_asm_avx512 = yes; then
+   AC_DEFINE(HAVE_AVX512_ASM_SUPPORT)
+ fi
+ 
+@@ -37,7 +37,7 @@ else
+   libc_cv_asm_mpx=no
+ fi
+ rm -f conftest*])
+-if test $libc_cv_asm_mpx == yes; then
++if test $libc_cv_asm_mpx = yes; then
+   AC_DEFINE(HAVE_MPX_SUPPORT)
+ fi
+ 
 diff --git a/sysdeps/x86_64/dl-trampoline.S b/sysdeps/x86_64/dl-trampoline.S
 index 9fb6b13..39b8771 100644
 --- a/sysdeps/x86_64/dl-trampoline.S

diff --git a/glibc.spec b/glibc.spec
index bd5794f90679795b03d4b832631d20bd79a9e710..1fdfc5f8579a49c34f0a1451b0437f8db39e1007 100644 (file)
--- a/glibc.spec
+++ b/glibc.spec
@@ -41,7 +41,7 @@ Summary(tr.UTF-8):    GNU libc
 Summary(uk.UTF-8):     GNU libc версії
 Name:          glibc
 Version:       %{core_version}
-Release:       1
+Release:       2
 Epoch:         6
 License:       LGPL v2.1+
 Group:         Libraries