Ana Guerrero 2024-01-24 18:03:49 +00:00 committed by Git OBS Bridge
commit 1d3a2aaae5
4 changed files with 154 additions and 82 deletions


@ -0,0 +1,34 @@
Upstream patch on top of coreutils-9.4 fixing CVE-2024-0684.
https://git.sv.gnu.org/cgit/coreutils.git/commit/?id=c4c5ed8f4e9cd55a12966
From c4c5ed8f4e9cd55a12966d4f520e3a13101637d9 Mon Sep 17 00:00:00 2001
From: Paul Eggert <eggert@cs.ucla.edu>
Date: Tue, 16 Jan 2024 13:48:32 -0800
Subject: [PATCH] split: do not shrink hold buffer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* src/split.c (line_bytes_split): Do not shrink hold buffer.
If its large for this batch its likely to be large for the next
batch, and for split its not worth the complexity/CPU hassle to
shrink it. Do not assume hold_size can be bufsize.
---
src/split.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/src/split.c b/src/split.c
index 64020c859..037960a59 100644
--- a/src/split.c
+++ b/src/split.c
@@ -809,10 +809,7 @@ line_bytes_split (intmax_t n_bytes, char *buf, idx_t bufsize)
{
cwrite (n_out == 0, hold, n_hold);
n_out += n_hold;
- if (n_hold > bufsize)
- hold = xirealloc (hold, bufsize);
n_hold = 0;
- hold_size = bufsize;
}
/* Output to eol if present. */
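Review bot: The packaged fix comes without a regression test, so nothing in the build will notice if a later rebase of `src/split.c` brings the shrink logic back; the diffstat lists only the three deletions. The removed `hold_size = bufsize;` ran whenever this block ran, whether or not `xirealloc` was called, so the recorded capacity was not tied to the real allocation of `hold`, which matches the message's "Do not assume hold_size can be bufsize". The code that later grows and fills `hold` lies outside this hunk, so how the stale size was consumed is inferred rather than visible here. If upstream ships a `split --line-bytes` test for this case, consider carrying it with the patch and running the split tests once under an address-sanitizer build.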


@ -7,8 +7,8 @@ Subject: [PATCH] coreutils-i18n.patch
bootstrap.conf | 1 +
configure.ac | 6 +
lib/linebuffer.h | 8 +
lib/mbfile.c | 3 +
lib/mbfile.h | 255 ++++++++++++
lib/mbfile.c | 20 +
lib/mbfile.h | 267 ++++++++++++
m4/mbfile.m4 | 14 +
src/cut.c | 508 +++++++++++++++++++++--
src/expand-common.c | 114 ++++++
@ -35,7 +35,7 @@ Subject: [PATCH] coreutils-i18n.patch
tests/sort/sort.pl | 40 +-
tests/unexpand/mb.sh | 172 ++++++++
tests/uniq/uniq.pl | 55 +++
31 files changed, 3703 insertions(+), 242 deletions(-)
31 files changed, 3732 insertions(+), 242 deletions(-)
create mode 100644 lib/mbfile.c
create mode 100644 lib/mbfile.h
create mode 100644 m4/mbfile.m4
@ -101,34 +101,51 @@ index b4cc8e4..f2bbb52 100644
/* Initialize linebuffer LINEBUFFER for use. */
diff --git a/lib/mbfile.c b/lib/mbfile.c
new file mode 100644
index 0000000..b0a468e
index 0000000..8d2957b
--- /dev/null
+++ b/lib/mbfile.c
@@ -0,0 +1,3 @@
@@ -0,0 +1,20 @@
+/* Multibyte character I/O: macros for multi-byte encodings.
+ Copyright (C) 2012-2023 Free Software Foundation, Inc.
+
+ This file is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Lesser General Public License as
+ published by the Free Software Foundation, either version 3 of the
+ License, or (at your option) any later version.
+
+ This file is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>. */
+
+#include <config.h>
+
+#define MBFILE_INLINE _GL_EXTERN_INLINE
+#include "mbfile.h"
diff --git a/lib/mbfile.h b/lib/mbfile.h
new file mode 100644
index 0000000..11f1b12
index 0000000..ad61c19
--- /dev/null
+++ b/lib/mbfile.h
@@ -0,0 +1,255 @@
@@ -0,0 +1,267 @@
+/* Multibyte character I/O: macros for multi-byte encodings.
+ Copyright (C) 2001, 2005, 2009-2015 Free Software Foundation, Inc.
+ Copyright (C) 2001, 2005, 2009-2023 Free Software Foundation, Inc.
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+ This file is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Lesser General Public License as
+ published by the Free Software Foundation, either version 3 of the
+ License, or (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ This file is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ GNU Lesser General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>. */
+ You should have received a copy of the GNU Lesser General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>. */
+
+/* Written by Mitsuru Chinen <mchinen@yamato.ibm.com>
+ and Bruno Haible <bruno@clisp.org>. */
@ -163,24 +180,18 @@ index 0000000..11f1b12
+#ifndef _MBFILE_H
+#define _MBFILE_H 1
+
+/* This file uses _GL_INLINE_HEADER_BEGIN, _GL_INLINE. */
+#if !_GL_CONFIG_H_INCLUDED
+ #error "Please include config.h first."
+#endif
+
+#include <assert.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+
+/* Tru64 with Desktop Toolkit C has a bug: <stdio.h> must be included before
+ <wchar.h>.
+ BSD/OS 4.1 has a bug: <stdio.h> and <time.h> must be included before
+ <wchar.h>. */
+#include <stdio.h>
+#include <time.h>
+#include <wchar.h>
+
+#include "mbchar.h"
+
+#ifndef _GL_INLINE_HEADER_BEGIN
+ #error "Please include config.h first."
+#endif
+_GL_INLINE_HEADER_BEGIN
+#ifndef MBFILE_INLINE
+# define MBFILE_INLINE _GL_INLINE
@ -199,6 +210,7 @@ index 0000000..11f1b12
+MBFILE_INLINE void
+mbfile_multi_getc (struct mbchar *mbc, struct mbfile_multi *mbf)
+{
+ unsigned int new_bufcount;
+ size_t bytes;
+
+ /* If EOF has already been seen, don't use getc. This matters if
@ -214,8 +226,18 @@ index 0000000..11f1b12
+ return;
+ }
+
+ /* Before using mbrtowc, we need at least one byte. */
+ if (mbf->bufcount == 0)
+ new_bufcount = mbf->bufcount;
+
+ /* If mbf->state is not in an initial state, some more 32-bit wide character
+ may be hiding in the state. We need to call mbrtoc32 again. */
+ #if GNULIB_MBRTOC32_REGULAR
+ assert (mbsinit (&mbf->state));
+ #else
+ if (mbsinit (&mbf->state))
+ #endif
+ {
+ /* Before using mbrtoc32, we need at least one byte. */
+ if (new_bufcount == 0)
+ {
+ int c = getc (mbf->fp);
+ if (c == EOF)
@ -224,15 +246,18 @@ index 0000000..11f1b12
+ goto eof;
+ }
+ mbf->buf[0] = (unsigned char) c;
+ mbf->bufcount++;
+ new_bufcount++;
+ }
+
+ /* Handle most ASCII characters quickly, without calling mbrtowc(). */
+ if (mbf->bufcount == 1 && mbsinit (&mbf->state) && is_basic (mbf->buf[0]))
+ /* Handle most ASCII characters quickly, without calling mbrtoc32(). */
+ if (new_bufcount == 1 && is_basic (mbf->buf[0]))
+ {
+ /* These characters are part of the basic character set. ISO C 99
+ guarantees that their wide character code is identical to their
+ char code. */
+ /* These characters are part of the POSIX portable character set.
+ For most of them, namely those in the ISO C basic character set,
+ ISO C 99 guarantees that their wide character code is identical to
+ their char code. For the few other ones, this is the case as well,
+ in all locale encodings that are in use. The 32-bit wide character
+ code is the same as well. */
+ mbc->wc = mbc->buf[0] = mbf->buf[0];
+ mbc->wc_valid = true;
+ mbc->ptr = &mbc->buf[0];
@ -240,38 +265,31 @@ index 0000000..11f1b12
+ mbf->bufcount = 0;
+ return;
+ }
+ }
+
+ /* Use mbrtowc on an increasing number of bytes. Read only as many bytes
+ /* Use mbrtoc32 on an increasing number of bytes. Read only as many bytes
+ from mbf->fp as needed. This is needed to give reasonable interactive
+ behaviour when mbf->fp is connected to an interactive tty. */
+ for (;;)
+ {
+ /* We don't know whether the 'mbrtowc' function updates the state when
+ it returns -2, - this is the ISO C 99 and glibc-2.2 behaviour - or
+ not - amended ANSI C, glibc-2.1 and Solaris 2.7 behaviour. We
+ don't have an autoconf test for this, yet.
+ The new behaviour would allow us to feed the bytes one by one into
+ mbrtowc. But the old behaviour forces us to feed all bytes since
+ the end of the last character into mbrtowc. Since we want to retry
+ with more bytes when mbrtowc returns -2, we must backup the state
+ before calling mbrtowc, because implementations with the new
+ behaviour will clobber it. */
+ mbstate_t backup_state = mbf->state;
+
+ bytes = mbrtowc (&mbc->wc, &mbf->buf[0], mbf->bufcount, &mbf->state);
+ /* Feed the bytes one by one into mbrtoc32. */
+ bytes = mbrtoc32 (&mbc->wc, &mbf->buf[mbf->bufcount], new_bufcount - mbf->bufcount, &mbf->state);
+
+ if (bytes == (size_t) -1)
+ {
+ /* An invalid multibyte sequence was encountered. */
+ mbf->bufcount = new_bufcount;
+ /* Return a single byte. */
+ bytes = 1;
+ mbc->wc_valid = false;
+ /* Allow the next invocation to continue from a sane state. */
+ mbszero (&mbf->state);
+ break;
+ }
+ else if (bytes == (size_t) -2)
+ {
+ /* An incomplete multibyte character. */
+ mbf->state = backup_state;
+ mbf->bufcount = new_bufcount;
+ if (mbf->bufcount == MBCHAR_BUF_SIZE)
+ {
+ /* An overlong incomplete multibyte sequence was encountered. */
@ -282,29 +300,43 @@ index 0000000..11f1b12
+ }
+ else
+ {
+ /* Read one more byte and retry mbrtowc. */
+ /* Read one more byte and retry mbrtoc32. */
+ int c = getc (mbf->fp);
+ if (c == EOF)
+ {
+ /* An incomplete multibyte character at the end. */
+ mbf->eof_seen = true;
+ bytes = mbf->bufcount;
+ bytes = new_bufcount;
+ mbc->wc_valid = false;
+ break;
+ }
+ mbf->buf[mbf->bufcount] = (unsigned char) c;
+ mbf->bufcount++;
+ mbf->buf[new_bufcount] = (unsigned char) c;
+ new_bufcount++;
+ }
+ }
+ else
+ {
+ #if !GNULIB_MBRTOC32_REGULAR
+ if (bytes == (size_t) -3)
+ {
+ /* The previous multibyte sequence produced an additional 32-bit
+ wide character. */
+ mbf->bufcount = new_bufcount;
+ bytes = 0;
+ }
+ else
+ #endif
+ {
+ bytes = mbf->bufcount + bytes;
+ mbf->bufcount = new_bufcount;
+ if (bytes == 0)
+ {
+ /* A null wide character was encountered. */
+ /* A null 32-bit wide character was encountered. */
+ bytes = 1;
+ assert (mbf->buf[0] == '\0');
+ assert (mbc->wc == 0);
+ }
+ }
+ mbc->wc_valid = true;
+ break;
+ }
@ -354,7 +386,7 @@ index 0000000..11f1b12
+ ((mbf).fp = (stream), \
+ (mbf).eof_seen = false, \
+ (mbf).have_pushback = false, \
+ memset (&(mbf).state, '\0', sizeof (mbstate_t)), \
+ mbszero (&(mbf).state), \
+ (mbf).bufcount = 0)
+
+#define mbf_getc(mbc, mbf) mbfile_multi_getc (&(mbc), &(mbf))
@ -363,20 +395,17 @@ index 0000000..11f1b12
+
+#define mb_iseof(mbc) ((mbc).bytes == 0)
+
+#ifndef _GL_INLINE_HEADER_BEGIN
+ #error "Please include config.h first."
+#endif
+_GL_INLINE_HEADER_BEGIN
+_GL_INLINE_HEADER_END
+
+#endif /* _MBFILE_H */
diff --git a/m4/mbfile.m4 b/m4/mbfile.m4
new file mode 100644
index 0000000..8589902
index 0000000..83068a9
--- /dev/null
+++ b/m4/mbfile.m4
@@ -0,0 +1,14 @@
+# mbfile.m4 serial 7
+dnl Copyright (C) 2005, 2008-2015 Free Software Foundation, Inc.
+dnl Copyright (C) 2005, 2008-2023 Free Software Foundation, Inc.
+dnl This file is free software; the Free Software Foundation
+dnl gives unlimited permission to copy and/or distribute it,
+dnl with or without modifications, as long as this notice is preserved.
@ -5527,5 +5556,5 @@ index a6354dc..e43cd6e 100755
@Tests = triple_test \@Tests;
--
2.41.0
2.43.0
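Review bot: The rewritten loop in `mbfile_multi_getc` no longer says which `mbrtoc32` behaviour it depends on: it passes only the new bytes (`&mbf->buf[mbf->bufcount]`, `new_bufcount - mbf->bufcount`) and drops the `backup_state` copy, so it is correct only if the partial sequence is kept in `mbf->state` when `(size_t) -2` is returned. The old comment explained that some implementations did not do this, while the new one only says "Feed the bytes one by one into mbrtoc32."; I would extend it to something like `/* Relies on mbrtoc32 updating mbf->state on (size_t) -2; only the bytes not yet consumed are passed. */`. Separately, the `assert` calls on `mbsinit (&mbf->state)`, `mbf->buf[0]` and `mbc->wc` test conditions that depend on the bytes read from the file and vanish under `NDEBUG`, so they should not be read as input validation. The function is shown across several partial hunks, so parts of its body are outside this view.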


@ -1,3 +1,10 @@
-------------------------------------------------------------------
Sun Jan 21 09:50:55 UTC 2024 - Bernhard Voelker <mail@bernhard-voelker.de>
- coreutils-9.4.split-CVE-2024-0684.patch: Add upstream patch:
split: do not shrink hold buffer. (CVE-2024-0684)
- coreutils-i18n.patch: Update from Fedora to fix build on i686 on GCC14.
-------------------------------------------------------------------
Sun Sep 17 16:15:24 UTC 2023 - Bernhard Voelker <mail@bernhard-voelker.de>


@ -1,7 +1,7 @@
#
# spec file
#
# Copyright (c) 2023 SUSE LLC
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -70,6 +70,7 @@ Patch501: coreutils-test_without_valgrind.patch
# tests: skip tests/rm/ext3-perf.sh temporarily as it hangs on OBS.
Patch810: coreutils-skip-tests-rm-ext3-perf.patch
Patch900: coreutils-tests-workaround-make-fdleak.patch
Patch920: coreutils-9.4.split-CVE-2024-0684.patch
BuildRequires: automake
BuildRequires: gmp-devel
BuildRequires: hostname
@ -173,6 +174,7 @@ This package contains the documentation for the GNU Core Utilities.
%patch810
%patch900
%patch920 -p1
# ================================================
%build
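Review bot: `Patch920` is added without a comment line, unlike the `Patch810` entry just above it, which explains why that patch exists. For a security fix a one-line marker makes later audits and patch removal easier, for example `# Upstream fix for CVE-2024-0684 (split: do not shrink hold buffer).` directly above `Patch920:`. The `-p1` on `%patch920` differs from the bare `%patch810` and `%patch900` lines; that looks intentional given the `a/src/split.c` paths in the patch, and a brief remark next to it would make that clear.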