Accepting request 247224 from Base:System

- iconv-ibm-sentinel-check.patch: Fix crashes on invalid input in IBM
  gconv modules (CVE-2014-6040, bnc#894553, BZ #17325) (forwarded request 247223 from Andreas_Schwab)

OBS-URL: https://build.opensuse.org/request/show/247224
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/glibc?expand=0&rev=183

glibc-testsuite.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Sep  2 07:52:36 UTC 2014 - schwab@suse.de
+
+- iconv-ibm-sentinel-check.patch: Fix crashes on invalid input in IBM
+  gconv modules (CVE-2014-6040, bnc#894553, BZ #17325)
+
 -------------------------------------------------------------------
 Tue Aug 26 10:47:31 UTC 2014 - schwab@suse.de
 

glibc-testsuite.spec

@@ -270,6 +270,8 @@ Patch1016:      dt-ppc64-num.patch
 Patch1017:      ppc64le-profiling.patch
 # PATCH-FIX-UPSTREAM S/390 Reverting the jmp_buf/ucontext_t ABI change (bnc#887228)
 Patch1018:      s390-revert-abi-change.patch
+# PATCH-FIX-UPSTREAM Disable gconv transliteration module loading (BZ #17187)
+Patch1019:      disable-gconv-translit-modules.patch
 
 ### 
 # Patches awaiting upstream approval
@@ -290,8 +292,8 @@ Patch2005:      glibc-memset-nontemporal.diff
 Patch2006:      ibm93x-redundant-shift-si.patch
 # PATCH-FIX-UPSTREAM Filter out PTHREAD_MUTEX_NO_ELISION_NP bit in pthread_mutexattr_gettype (BZ #15790)
 Patch2007:      pthread-mutexattr-gettype-kind.patch
-# PATCH-FIX-UPSTREAM Disable gconv transliteration module loading (BZ #17187)
-Patch2008:      disable-gconv-translit-modules.patch
+# PATCH-FIX-UPSTREAM Fix crashes on invalid input in IBM gconv modules (BZ #17325)
+Patch2008:      iconv-ibm-sentinel-check.patch
 
 # Non-glibc patches
 # PATCH-FIX-OPENSUSE Remove debianisms from manpages
@@ -511,6 +513,7 @@ rm nscd/s-stamp
 %patch1016 -p1
 %patch1017 -p1
 %patch1018 -p1
+%patch1019 -p1
 
 %patch2000 -p1
 %patch2001 -p1

glibc-utils.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Sep  2 07:52:36 UTC 2014 - schwab@suse.de
+
+- iconv-ibm-sentinel-check.patch: Fix crashes on invalid input in IBM
+  gconv modules (CVE-2014-6040, bnc#894553, BZ #17325)
+
 -------------------------------------------------------------------
 Tue Aug 26 10:47:31 UTC 2014 - schwab@suse.de
 

glibc-utils.spec

@@ -269,6 +269,8 @@ Patch1016:      dt-ppc64-num.patch
 Patch1017:      ppc64le-profiling.patch
 # PATCH-FIX-UPSTREAM S/390 Reverting the jmp_buf/ucontext_t ABI change (bnc#887228)
 Patch1018:      s390-revert-abi-change.patch
+# PATCH-FIX-UPSTREAM Disable gconv transliteration module loading (BZ #17187)
+Patch1019:      disable-gconv-translit-modules.patch
 
 ### 
 # Patches awaiting upstream approval
@@ -289,8 +291,8 @@ Patch2005:      glibc-memset-nontemporal.diff
 Patch2006:      ibm93x-redundant-shift-si.patch
 # PATCH-FIX-UPSTREAM Filter out PTHREAD_MUTEX_NO_ELISION_NP bit in pthread_mutexattr_gettype (BZ #15790)
 Patch2007:      pthread-mutexattr-gettype-kind.patch
-# PATCH-FIX-UPSTREAM Disable gconv transliteration module loading (BZ #17187)
-Patch2008:      disable-gconv-translit-modules.patch
+# PATCH-FIX-UPSTREAM Fix crashes on invalid input in IBM gconv modules (BZ #17325)
+Patch2008:      iconv-ibm-sentinel-check.patch
 
 # Non-glibc patches
 # PATCH-FIX-OPENSUSE Remove debianisms from manpages
@@ -511,6 +513,7 @@ rm nscd/s-stamp
 %patch1016 -p1
 %patch1017 -p1
 %patch1018 -p1
+%patch1019 -p1
 
 %patch2000 -p1
 %patch2001 -p1

glibc.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Sep  2 07:52:36 UTC 2014 - schwab@suse.de
+
+- iconv-ibm-sentinel-check.patch: Fix crashes on invalid input in IBM
+  gconv modules (CVE-2014-6040, bnc#894553, BZ #17325)
+
 -------------------------------------------------------------------
 Tue Aug 26 10:47:31 UTC 2014 - schwab@suse.de
 

glibc.spec

@@ -270,6 +270,8 @@ Patch1016:      dt-ppc64-num.patch
 Patch1017:      ppc64le-profiling.patch
 # PATCH-FIX-UPSTREAM S/390 Reverting the jmp_buf/ucontext_t ABI change (bnc#887228)
 Patch1018:      s390-revert-abi-change.patch
+# PATCH-FIX-UPSTREAM Disable gconv transliteration module loading (BZ #17187)
+Patch1019:      disable-gconv-translit-modules.patch
 
 ### 
 # Patches awaiting upstream approval
@@ -290,8 +292,8 @@ Patch2005:      glibc-memset-nontemporal.diff
 Patch2006:      ibm93x-redundant-shift-si.patch
 # PATCH-FIX-UPSTREAM Filter out PTHREAD_MUTEX_NO_ELISION_NP bit in pthread_mutexattr_gettype (BZ #15790)
 Patch2007:      pthread-mutexattr-gettype-kind.patch
-# PATCH-FIX-UPSTREAM Disable gconv transliteration module loading (BZ #17187)
-Patch2008:      disable-gconv-translit-modules.patch
+# PATCH-FIX-UPSTREAM Fix crashes on invalid input in IBM gconv modules (BZ #17325)
+Patch2008:      iconv-ibm-sentinel-check.patch
 
 # Non-glibc patches
 # PATCH-FIX-OPENSUSE Remove debianisms from manpages
@@ -511,6 +513,7 @@ rm nscd/s-stamp
 %patch1016 -p1
 %patch1017 -p1
 %patch1018 -p1
+%patch1019 -p1
 
 %patch2000 -p1
 %patch2001 -p1

iconv-ibm-sentinel-check.patch

@@ -0,0 +1,162 @@
+2014-08-29  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #17325]
+	* iconvdata/ibm1364.c (BODY): Fix check for sentinel.
+	* iconvdata/ibm932.c (BODY): Replace invalid sentinel check with
+	assert.
+	* iconvdata/ibm933.c (BODY): Fix check for sentinel.
+	* iconvdata/ibm935.c (BODY): Likewise.
+	* iconvdata/ibm937.c (BODY): Likewise.
+	* iconvdata/ibm939.c (BODY): Likewise.
+	* iconvdata/ibm943.c (BODY): Replace invalid sentinel check with
+	assert.
+	* iconvdata/Makefile (iconv-test.out): Pass module list to test
+	script.
+	* iconvdata/run-iconv-test.sh: New test loop for checking for
+	decoder crashers.
+
+Index: glibc-2.19/iconvdata/Makefile
+===================================================================
+--- glibc-2.19.orig/iconvdata/Makefile
++++ glibc-2.19/iconvdata/Makefile
+@@ -302,6 +302,7 @@ $(objpfx)bug-iconv10.out: $(objpfx)gconv
+ $(objpfx)iconv-test.out: run-iconv-test.sh $(objpfx)gconv-modules \
+ 			 $(addprefix $(objpfx),$(modules.so)) \
+ 			 $(common-objdir)/iconv/iconv_prog TESTS
++	iconv_modules="$(modules)" \
+ 	$(SHELL) $< $(common-objdir) '$(test-wrapper)' > $@
+ 
+ $(objpfx)tst-tables.out: tst-tables.sh $(objpfx)gconv-modules \
+Index: glibc-2.19/iconvdata/ibm1364.c
+===================================================================
+--- glibc-2.19.orig/iconvdata/ibm1364.c
++++ glibc-2.19/iconvdata/ibm1364.c
+@@ -220,7 +220,8 @@ enum
+ 	  ++rp2;							      \
+ 									      \
+ 	uint32_t res;							      \
+-	if (__builtin_expect (ch < rp2->start, 0)			      \
++	if (__builtin_expect (rp2->start == 0xffff, 0)			      \
++	    || __builtin_expect (ch < rp2->start, 0)			      \
+ 	    || (res = DB_TO_UCS4[ch + rp2->idx],			      \
+ 		__builtin_expect (res, L'\1') == L'\0' && ch != '\0'))	      \
+ 	  {								      \
+Index: glibc-2.19/iconvdata/ibm932.c
+===================================================================
+--- glibc-2.19.orig/iconvdata/ibm932.c
++++ glibc-2.19/iconvdata/ibm932.c
+@@ -73,11 +73,12 @@
+ 	  }								      \
+ 									      \
+ 	ch = (ch * 0x100) + inptr[1];					      \
++	/* ch was less than 0xfd.  */					      \
++	assert (ch < 0xfd00);						      \
+ 	while (ch > rp2->end)						      \
+ 	  ++rp2;							      \
+ 									      \
+-	if (__builtin_expect (rp2 == NULL, 0)				      \
+-	    || __builtin_expect (ch < rp2->start, 0)			      \
++	if (__builtin_expect (ch < rp2->start, 0)			      \
+ 	    || (res = __ibm932db_to_ucs4[ch + rp2->idx],		      \
+ 	    __builtin_expect (res, '\1') == 0 && ch !=0))		      \
+ 	  {								      \
+Index: glibc-2.19/iconvdata/ibm933.c
+===================================================================
+--- glibc-2.19.orig/iconvdata/ibm933.c
++++ glibc-2.19/iconvdata/ibm933.c
+@@ -161,7 +161,7 @@ enum
+ 	while (ch > rp2->end)						      \
+ 	  ++rp2;							      \
+ 									      \
+-	if (__builtin_expect (rp2 == NULL, 0)				      \
++	if (__builtin_expect (rp2->start == 0xffff, 0)			      \
+ 	    || __builtin_expect (ch < rp2->start, 0)			      \
+ 	    || (res = __ibm933db_to_ucs4[ch + rp2->idx],		      \
+ 		__builtin_expect (res, L'\1') == L'\0' && ch != '\0'))	      \
+Index: glibc-2.19/iconvdata/ibm935.c
+===================================================================
+--- glibc-2.19.orig/iconvdata/ibm935.c
++++ glibc-2.19/iconvdata/ibm935.c
+@@ -161,7 +161,7 @@ enum
+ 	while (ch > rp2->end)						      \
+ 	  ++rp2;							      \
+ 									      \
+-	if (__builtin_expect (rp2 == NULL, 0)				      \
++	if (__builtin_expect (rp2->start == 0xffff, 0)			      \
+ 	    || __builtin_expect (ch < rp2->start, 0)			      \
+ 	    || (res = __ibm935db_to_ucs4[ch + rp2->idx],		      \
+ 		__builtin_expect (res, L'\1') == L'\0' && ch != '\0'))	      \
+Index: glibc-2.19/iconvdata/ibm937.c
+===================================================================
+--- glibc-2.19.orig/iconvdata/ibm937.c
++++ glibc-2.19/iconvdata/ibm937.c
+@@ -161,7 +161,7 @@ enum
+ 	while (ch > rp2->end)						      \
+ 	  ++rp2;							      \
+ 									      \
+-	if (__builtin_expect (rp2 == NULL, 0)				      \
++	if (__builtin_expect (rp2->start == 0xffff, 0)			      \
+ 	    || __builtin_expect (ch < rp2->start, 0)			      \
+ 	    || (res = __ibm937db_to_ucs4[ch + rp2->idx],		      \
+ 		__builtin_expect (res, L'\1') == L'\0' && ch != '\0'))	      \
+Index: glibc-2.19/iconvdata/ibm939.c
+===================================================================
+--- glibc-2.19.orig/iconvdata/ibm939.c
++++ glibc-2.19/iconvdata/ibm939.c
+@@ -161,7 +161,7 @@ enum
+ 	while (ch > rp2->end)						      \
+ 	  ++rp2;							      \
+ 									      \
+-	if (__builtin_expect (rp2 == NULL, 0)				      \
++	if (__builtin_expect (rp2->start == 0xffff, 0)			      \
+ 	    || __builtin_expect (ch < rp2->start, 0)			      \
+ 	    || (res = __ibm939db_to_ucs4[ch + rp2->idx],		      \
+ 		__builtin_expect (res, L'\1') == L'\0' && ch != '\0'))	      \
+Index: glibc-2.19/iconvdata/ibm943.c
+===================================================================
+--- glibc-2.19.orig/iconvdata/ibm943.c
++++ glibc-2.19/iconvdata/ibm943.c
+@@ -74,11 +74,12 @@
+ 	  }								      \
+ 									      \
+ 	ch = (ch * 0x100) + inptr[1];					      \
++	/* ch was less than 0xfd.  */					      \
++	assert (ch < 0xfd00);						      \
+ 	while (ch > rp2->end)						      \
+ 	  ++rp2;							      \
+ 									      \
+-	if (__builtin_expect (rp2 == NULL, 0)				      \
+-	    || __builtin_expect (ch < rp2->start, 0)			      \
++	if (__builtin_expect (ch < rp2->start, 0)			      \
+ 	    || (res = __ibm943db_to_ucs4[ch + rp2->idx],		      \
+ 	    __builtin_expect (res, '\1') == 0 && ch !=0))		      \
+ 	  {								      \
+Index: glibc-2.19/iconvdata/run-iconv-test.sh
+===================================================================
+--- glibc-2.19.orig/iconvdata/run-iconv-test.sh
++++ glibc-2.19/iconvdata/run-iconv-test.sh
+@@ -188,6 +188,24 @@ while read utf8 from filename; do
+ 
+ done < TESTS2
+ 
++# Check for crashes in decoders.
++printf '\016\377\377\377\377\377\377\377' > $temp1
++for from in $iconv_modules ; do
++    echo $ac_n "test decoder $from $ac_c"
++    PROG=`eval echo $ICONV`
++    if $PROG < $temp1 >/dev/null 2>&1 ; then
++	: # fall through
++    else
++	status=$?
++	if test $status -gt 1 ; then
++	    echo "/FAILED"
++	    failed=1
++	    continue
++	fi
++    fi
++    echo "OK"
++done
++
+ exit $failed
+ # Local Variables:
+ #  mode:shell-script