offset += outstop - out;
free (out);
+commit 04b76b5aa8b2d1d19066e42dd1a56a38f34e274c
+Author: Andreas Schwab <schwab@suse.de>
+Date: Thu Oct 30 12:18:48 2014 +0100
+
+ Don't error out writing a multibyte character to an unbuffered stream (bug 17522)
+
+diff --git a/libio/Makefile b/libio/Makefile
+index 56952ce..2742128 100644
+--- a/libio/Makefile
++++ b/libio/Makefile
+@@ -61,7 +61,7 @@ tests = tst_swprintf tst_wprintf tst_swscanf tst_wscanf tst_getwc tst_putwc \
+ bug-memstream1 bug-wmemstream1 \
+ tst-setvbuf1 tst-popen1 tst-fgetwc bug-wsetpos tst-fseek \
+ tst-fwrite-error tst-ftell-partial-wide tst-ftell-active-handler \
+- tst-ftell-append
++ tst-ftell-append tst-fputws
+ ifeq (yes,$(build-shared))
+ # Add test-fopenloc only if shared library is enabled since it depends on
+ # shared localedata objects.
+diff --git a/libio/tst-fputws.c b/libio/tst-fputws.c
+new file mode 100644
+index 0000000..09f53df
+--- /dev/null
++++ b/libio/tst-fputws.c
+@@ -0,0 +1,39 @@
++/* Test that we can write a multibyte character to an unbuffered stream.
++ Copyright (C) 2014 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <locale.h>
++#include <stdio.h>
++#include <wchar.h>
++
++static int
++do_test (void)
++{
++ const wchar_t str[] = L"\xbe\n";
++
++ setlocale (LC_ALL, "en_US.UTF-8");
++ setvbuf (stdout, NULL, _IONBF, 0);
++
++ if (fputws (str, stdout) < 0)
++ return 1;
++
++ return 0;
++}
++
++#define TEST_FUNCTION do_test ()
++
++#include <test-skeleton.c>
+diff --git a/libio/wfileops.c b/libio/wfileops.c
+index c5ec5f7..6a088b1 100644
+--- a/libio/wfileops.c
++++ b/libio/wfileops.c
+@@ -75,17 +75,32 @@ _IO_wdo_write (fp, data, to_do)
+ {
+ enum __codecvt_result result;
+ const wchar_t *new_data;
++ char mb_buf[MB_LEN_MAX];
++ char *write_base, *write_ptr, *buf_end;
++
++ if (fp->_IO_write_ptr - fp->_IO_write_base < sizeof (mb_buf))
++ {
++ /* Make sure we have room for at least one multibyte
++ character. */
++ write_ptr = write_base = mb_buf;
++ buf_end = mb_buf + sizeof (mb_buf);
++ }
++ else
++ {
++ write_ptr = fp->_IO_write_ptr;
++ write_base = fp->_IO_write_base;
++ buf_end = fp->_IO_buf_end;
++ }
+
+ /* Now convert from the internal format into the external buffer. */
+ result = (*cc->__codecvt_do_out) (cc, &fp->_wide_data->_IO_state,
+ data, data + to_do, &new_data,
+- fp->_IO_write_ptr,
+- fp->_IO_buf_end,
+- &fp->_IO_write_ptr);
++ write_ptr,
++ buf_end,
++ &write_ptr);
+
+ /* Write out what we produced so far. */
+- if (_IO_new_do_write (fp, fp->_IO_write_base,
+- fp->_IO_write_ptr - fp->_IO_write_base) == EOF)
++ if (_IO_new_do_write (fp, write_base, write_ptr - write_base) == EOF)
+ /* Something went wrong. */
+ return WEOF;
+
+commit a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c
+Author: Carlos O'Donell <carlos@redhat.com>
+Date: Wed Nov 19 11:44:12 2014 -0500
+
+ CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
+
+ The function wordexp() fails to properly handle the WRDE_NOCMD
+ flag when processing arithmetic inputs in the form of "$((... ``))"
+ where "..." can be anything valid. The backticks in the arithmetic
+ epxression are evaluated by in a shell even if WRDE_NOCMD forbade
+ command substitution. This allows an attacker to attempt to pass
+ dangerous commands via constructs of the above form, and bypass
+ the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
+ in exec_comm(), the only place that can execute a shell. All other
+ checks for WRDE_NOCMD are superfluous and removed.
+
+ We expand the testsuite and add 3 new regression tests of roughly
+ the same form but with a couple of nested levels.
+
+ On top of the 3 new tests we add fork validation to the WRDE_NOCMD
+ testing. If any forks are detected during the execution of a wordexp()
+ call with WRDE_NOCMD, the test is marked as failed. This is slightly
+ heuristic since vfork might be used in the future, but it provides a
+ higher level of assurance that no shells were executed as part of
+ command substitution with WRDE_NOCMD in effect. In addition it doesn't
+ require libpthread or libdl, instead we use the public implementation
+ namespace function __register_atfork (already part of the public ABI
+ for libpthread).
+
+ Tested on x86_64 with no regressions.
+
+diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
+index 4957006..bdd65e4 100644
+--- a/posix/wordexp-test.c
++++ b/posix/wordexp-test.c
+@@ -27,6 +27,25 @@
+
+ #define IFS " \n\t"
+
++extern void *__dso_handle __attribute__ ((__weak__, __visibility__ ("hidden")));
++extern int __register_atfork (void (*) (void), void (*) (void), void (*) (void), void *);
++
++static int __app_register_atfork (void (*prepare) (void), void (*parent) (void), void (*child) (void))
++{
++ return __register_atfork (prepare, parent, child,
++ &__dso_handle == NULL ? NULL : __dso_handle);
++}
++
++/* Number of forks seen. */
++static int registered_forks;
++
++/* For each fork increment the fork count. */
++static void
++register_fork (void)
++{
++ registered_forks++;
++}
++
+ struct test_case_struct
+ {
+ int retval;
+@@ -206,6 +225,12 @@ struct test_case_struct
+ { WRDE_SYNTAX, NULL, "$((2+))", 0, 0, { NULL, }, IFS },
+ { WRDE_SYNTAX, NULL, "`", 0, 0, { NULL, }, IFS },
+ { WRDE_SYNTAX, NULL, "$((010+4+))", 0, 0, { NULL }, IFS },
++ /* Test for CVE-2014-7817. We test 3 combinations of command
++ substitution inside an arithmetic expression to make sure that
++ no commands are executed and error is returned. */
++ { WRDE_CMDSUB, NULL, "$((`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
++ { WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
++ { WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS },
+
+ { -1, NULL, NULL, 0, 0, { NULL, }, IFS },
+ };
+@@ -258,6 +283,15 @@ main (int argc, char *argv[])
+ return -1;
+ }
+
++ /* If we are not allowed to do command substitution, we install
++ fork handlers to verify that no forks happened. No forks should
++ happen at all if command substitution is disabled. */
++ if (__app_register_atfork (register_fork, NULL, NULL) != 0)
++ {
++ printf ("Failed to register fork handler.\n");
++ return -1;
++ }
++
+ for (test = 0; test_case[test].retval != -1; test++)
+ if (testit (&test_case[test]))
+ ++fail;
+@@ -367,6 +401,9 @@ testit (struct test_case_struct *tc)
+
+ printf ("Test %d (%s): ", ++tests, tc->words);
+
++ if (tc->flags & WRDE_NOCMD)
++ registered_forks = 0;
++
+ if (tc->flags & WRDE_APPEND)
+ {
+ /* initial wordexp() call, to be appended to */
+@@ -378,6 +415,13 @@ testit (struct test_case_struct *tc)
+ }
+ retval = wordexp (tc->words, &we, tc->flags);
+
++ if ((tc->flags & WRDE_NOCMD)
++ && (registered_forks > 0))
++ {
++ printf ("FAILED fork called for WRDE_NOCMD\n");
++ return 1;
++ }
++
+ if (tc->flags & WRDE_DOOFFS)
+ start_offs = sav_we.we_offs;
+
+diff --git a/posix/wordexp.c b/posix/wordexp.c
+index b6b65dd..26f3a26 100644
+--- a/posix/wordexp.c
++++ b/posix/wordexp.c
+@@ -893,6 +893,10 @@ exec_comm (char *comm, char **word, size_t *word_length, size_t *max_length,
+ pid_t pid;
+ int noexec = 0;
+
++ /* Do nothing if command substitution should not succeed. */
++ if (flags & WRDE_NOCMD)
++ return WRDE_CMDSUB;
++
+ /* Don't fork() unless necessary */
+ if (!comm || !*comm)
+ return 0;
+@@ -2082,9 +2086,6 @@ parse_dollars (char **word, size_t *word_length, size_t *max_length,
+ }
+ }
+
+- if (flags & WRDE_NOCMD)
+- return WRDE_CMDSUB;
+-
+ (*offset) += 2;
+ return parse_comm (word, word_length, max_length, words, offset, flags,
+ quoted? NULL : pwordexp, ifs, ifs_white);
+@@ -2196,9 +2197,6 @@ parse_dquote (char **word, size_t *word_length, size_t *max_length,
+ break;
+
+ case '`':
+- if (flags & WRDE_NOCMD)
+- return WRDE_CMDSUB;
+-
+ ++(*offset);
+ error = parse_backtick (word, word_length, max_length, words,
+ offset, flags, NULL, NULL, NULL);
+@@ -2357,12 +2355,6 @@ wordexp (const char *words, wordexp_t *pwordexp, int flags)
+ break;
+
+ case '`':
+- if (flags & WRDE_NOCMD)
+- {
+- error = WRDE_CMDSUB;
+- goto do_error;
+- }
+-
+ ++words_offset;
+ error = parse_backtick (&word, &word_length, &max_length, words,
+ &words_offset, flags, pwordexp, ifs,
projects / packages / glibc.git / commitdiff