Accepting request 186872 from home:Andreas_Schwab:Factory

- Update to glibc 2.18 release
  * No source change
- strcoll-overflow.patch: fix buffer overflow in strcoll (CVE-2012-4412,
  bnc#779320)
- readdir_r-overflow.patch: fix readdir_r with long file names
  (CVE-2013-4237, bnc#834594)

OBS-URL: https://build.opensuse.org/request/show/186872
OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=305

glibc-2.17.90-85891acadf1b.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5a58b32a88c982b0eebdaca9a0b8c14441ebbb15174b10f69a98f82eb849ce73
-size 11780928

glibc-2.18.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2cb4e1e381928f1e5e55e71ab1ba8e0ea7ede75ff9709770435bfd018ea257a3
+size 11150148

glibc-testsuite.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Tue Aug 13 07:24:59 UTC 2013 - schwab@suse.de
+
+- Update to glibc 2.18 release
+  * No source change
+- strcoll-overflow.patch: fix buffer overflow in strcoll (CVE-2012-4412,
+  bnc#779320)
+- readdir_r-overflow.patch: fix readdir_r with long file names
+  (CVE-2013-4237, bnc#834594)
+
 -------------------------------------------------------------------
 Tue Aug  6 09:20:04 UTC 2013 - schwab@suse.de
 

glibc-testsuite.spec

@@ -106,13 +106,14 @@ BuildRequires:  gd-devel
 # 2.6.16 is the SLES 10 kernel, use this as oldest supported kernel
 %define enablekernel 2.6.16
 %endif
-Version:        2.17.90
+Version:        2.18
 Release:        0
-%define glibc_major_version 2.17.90
-%define git_id 85891acadf1b
+%define glibc_major_version 2.18
+%define git_id %{nil}
 Url:            http://www.gnu.org/software/libc/libc.html
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-Source:         glibc-%{version}-%{git_id}.tar.xz
+#Source:         glibc-%{version}-%{git_id}.tar.xz
+Source:         http://ftp.gnu.org/pub/gnu/glibc/glibc-%{version}.tar.xz
 Source3:        noversion.tar.bz2
 Source4:        manpages.tar.bz2
 Source5:        nsswitch.conf
@@ -257,6 +258,10 @@ Patch2018:      i686-strcasecmp-fallback.patch
 Patch2019:      pldd-wait-ptrace-stop.patch
 # PATCH-FIX-UPSTREAM Fix cbrtl for ldbl-96
 Patch2020:      cbrtl-ldbl-96.patch
+# PATCH-FIX-UPSTREAM Fix buffer overflow in strcoll (CVE-2012-4412)
+Patch2021:      strcoll-overflow.patch
+# PATCH-FIX-UPSTREAM Fix readdir_r with long file names (CVE-2013-4237)
+Patch2022:      readdir_r-overflow.patch
 
 # Non-glibc patches
 # PATCH-FIX-OPENSUSE Remove debianisms from manpages
@@ -465,6 +470,8 @@ rm nscd/s-stamp
 %patch2018 -p1
 %patch2019 -p1
 %patch2020 -p1
+%patch2021 -p1
+%patch2022 -p1
 
 %patch3000
 

glibc-utils.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Tue Aug 13 07:24:59 UTC 2013 - schwab@suse.de
+
+- Update to glibc 2.18 release
+  * No source change
+- strcoll-overflow.patch: fix buffer overflow in strcoll (CVE-2012-4412,
+  bnc#779320)
+- readdir_r-overflow.patch: fix readdir_r with long file names
+  (CVE-2013-4237, bnc#834594)
+
 -------------------------------------------------------------------
 Tue Aug  6 09:20:04 UTC 2013 - schwab@suse.de
 

glibc-utils.spec

@@ -105,13 +105,14 @@ BuildRequires:  gd-devel
 # 2.6.16 is the SLES 10 kernel, use this as oldest supported kernel
 %define enablekernel 2.6.16
 %endif
-Version:        2.17.90
+Version:        2.18
 Release:        0
-%define glibc_major_version 2.17.90
-%define git_id 85891acadf1b
+%define glibc_major_version 2.18
+%define git_id %{nil}
 Url:            http://www.gnu.org/software/libc/libc.html
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-Source:         glibc-%{version}-%{git_id}.tar.xz
+#Source:         glibc-%{version}-%{git_id}.tar.xz
+Source:         http://ftp.gnu.org/pub/gnu/glibc/glibc-%{version}.tar.xz
 Source3:        noversion.tar.bz2
 Source4:        manpages.tar.bz2
 Source5:        nsswitch.conf
@@ -256,6 +257,10 @@ Patch2018:      i686-strcasecmp-fallback.patch
 Patch2019:      pldd-wait-ptrace-stop.patch
 # PATCH-FIX-UPSTREAM Fix cbrtl for ldbl-96
 Patch2020:      cbrtl-ldbl-96.patch
+# PATCH-FIX-UPSTREAM Fix buffer overflow in strcoll (CVE-2012-4412)
+Patch2021:      strcoll-overflow.patch
+# PATCH-FIX-UPSTREAM Fix readdir_r with long file names (CVE-2013-4237)
+Patch2022:      readdir_r-overflow.patch
 
 # Non-glibc patches
 # PATCH-FIX-OPENSUSE Remove debianisms from manpages
@@ -465,6 +470,8 @@ rm nscd/s-stamp
 %patch2018 -p1
 %patch2019 -p1
 %patch2020 -p1
+%patch2021 -p1
+%patch2022 -p1
 
 %patch3000
 

glibc.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Tue Aug 13 07:24:59 UTC 2013 - schwab@suse.de
+
+- Update to glibc 2.18 release
+  * No source change
+- strcoll-overflow.patch: fix buffer overflow in strcoll (CVE-2012-4412,
+  bnc#779320)
+- readdir_r-overflow.patch: fix readdir_r with long file names
+  (CVE-2013-4237, bnc#834594)
+
 -------------------------------------------------------------------
 Tue Aug  6 09:20:04 UTC 2013 - schwab@suse.de
 

glibc.spec

@@ -106,13 +106,14 @@ BuildRequires:  gd-devel
 # 2.6.16 is the SLES 10 kernel, use this as oldest supported kernel
 %define enablekernel 2.6.16
 %endif
-Version:        2.17.90
+Version:        2.18
 Release:        0
-%define glibc_major_version 2.17.90
-%define git_id 85891acadf1b
+%define glibc_major_version 2.18
+%define git_id %{nil}
 Url:            http://www.gnu.org/software/libc/libc.html
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-Source:         glibc-%{version}-%{git_id}.tar.xz
+#Source:         glibc-%{version}-%{git_id}.tar.xz
+Source:         http://ftp.gnu.org/pub/gnu/glibc/glibc-%{version}.tar.xz
 Source3:        noversion.tar.bz2
 Source4:        manpages.tar.bz2
 Source5:        nsswitch.conf
@@ -257,6 +258,10 @@ Patch2018:      i686-strcasecmp-fallback.patch
 Patch2019:      pldd-wait-ptrace-stop.patch
 # PATCH-FIX-UPSTREAM Fix cbrtl for ldbl-96
 Patch2020:      cbrtl-ldbl-96.patch
+# PATCH-FIX-UPSTREAM Fix buffer overflow in strcoll (CVE-2012-4412)
+Patch2021:      strcoll-overflow.patch
+# PATCH-FIX-UPSTREAM Fix readdir_r with long file names (CVE-2013-4237)
+Patch2022:      readdir_r-overflow.patch
 
 # Non-glibc patches
 # PATCH-FIX-OPENSUSE Remove debianisms from manpages
@@ -465,6 +470,8 @@ rm nscd/s-stamp
 %patch2018 -p1
 %patch2019 -p1
 %patch2020 -p1
+%patch2021 -p1
+%patch2022 -p1
 
 %patch3000
 

readdir_r-overflow.patch

@@ -0,0 +1,297 @@
+2013-06-12  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #14699]
+	* sysdeps/posix/dirstream.h (struct __dirstream): Add errcode
+	member.
+	* sysdeps/posix/opendir.c (__alloc_dir): Initialize errcode
+	member.
+	* sysdeps/posix/rewinddir.c (rewinddir): Reset errcode member.
+	* sysdeps/posix/readdir_r.c (__READDIR_R): Enforce NAME_MAX limit.
+	Return delayed error code.  Remove GETDENTS_64BIT_ALIGNED
+	conditional.
+	* sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c: Do not define
+	GETDENTS_64BIT_ALIGNED.
+	* sysdeps/unix/sysv/linux/i386/readdir64_r.c: Likewise.
+	* manual/filesys.texi (Reading/Closing Directory): Document
+	ENAMETOOLONG return value of readdir_r.  Recommend readdir more
+	strongly.
+	* manual/conf.texi (Limits for Files): Add portability note to
+	NAME_MAX, PATH_MAX.
+	(Pathconf): Add portability note for _PC_NAME_MAX, _PC_PATH_MAX.
+
+Index: glibc-2.18/manual/conf.texi
+===================================================================
+--- glibc-2.18.orig/manual/conf.texi
++++ glibc-2.18/manual/conf.texi
+@@ -1149,6 +1149,9 @@ typed ahead as input.  @xref{I/O Queues}
+ @deftypevr Macro int NAME_MAX
+ The uniform system limit (if any) for the length of a file name component, not
+ including the terminating null character.
++
++@strong{Portability Note:} On some systems, @theglibc{} defines
++@code{NAME_MAX}, but does not actually enforce this limit.
+ @end deftypevr
+ 
+ @comment limits.h
+@@ -1157,6 +1160,9 @@ including the terminating null character
+ The uniform system limit (if any) for the length of an entire file name (that
+ is, the argument given to system calls such as @code{open}), including the
+ terminating null character.
++
++@strong{Portability Note:} @Theglibc{} does not enforce this limit
++even if @code{PATH_MAX} is defined.
+ @end deftypevr
+ 
+ @cindex limits, pipe buffer size
+@@ -1476,6 +1482,9 @@ Inquire about the value of @code{POSIX_R
+ Inquire about the value of @code{POSIX_REC_XFER_ALIGN}.
+ @end table
+ 
++@strong{Portability Note:} On some systems, @theglibc{} does not
++enforce @code{_PC_NAME_MAX} or @code{_PC_PATH_MAX} limits.
++
+ @node Utility Limits
+ @section Utility Program Capacity Limits
+ 
+Index: glibc-2.18/manual/filesys.texi
+===================================================================
+--- glibc-2.18.orig/manual/filesys.texi
++++ glibc-2.18/manual/filesys.texi
+@@ -444,9 +444,9 @@ symbols are declared in the header file
+ @comment POSIX.1
+ @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
+ This function reads the next entry from the directory.  It normally
+-returns a pointer to a structure containing information about the file.
+-This structure is statically allocated and can be rewritten by a
+-subsequent call.
++returns a pointer to a structure containing information about the
++file.  This structure is associated with the @var{dirstream} handle
++and can be rewritten by a subsequent call.
+ 
+ @strong{Portability Note:} On some systems @code{readdir} may not
+ return entries for @file{.} and @file{..}, even though these are always
+@@ -461,19 +461,59 @@ conditions are defined for this function
+ The @var{dirstream} argument is not valid.
+ @end table
+ 
+-@code{readdir} is not thread safe.  Multiple threads using
+-@code{readdir} on the same @var{dirstream} may overwrite the return
+-value.  Use @code{readdir_r} when this is critical.
++To distinguish between an end-of-directory condition or an error, you
++must set @code{errno} to zero before calling @code{readdir}.  To avoid
++entering an infinite loop, you should stop reading from the directory
++after the first error.
++
++In POSIX.1-2008, @code{readdir} is not thread-safe.  In @theglibc{}
++implementation, it is safe to call @code{readdir} concurrently on
++different @var{dirstream}s (but multiple threads accessing the same
++@var{dirstream} result in undefined behavior).  @code{readdir_r} is a
++fully thread-safe alternative, but suffers from poor portability (see
++below).  It is recommended that you use @code{readdir}, with external
++locking if multiple threads access the same @var{dirstream}.
+ @end deftypefun
+ 
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
+-This function is the reentrant version of @code{readdir}.  Like
+-@code{readdir} it returns the next entry from the directory.  But to
+-prevent conflicts between simultaneously running threads the result is
+-not stored in statically allocated memory.  Instead the argument
+-@var{entry} points to a place to store the result.
++This function is a version of @code{readdir} which performs internal
++locking.  Like @code{readdir} it returns the next entry from the
++directory.  To prevent conflicts between simultaneously running
++threads the result is stored inside the @var{entry} object.
++
++@strong{Portability Note:} It is recommended to use @code{readdir}
++instead of @code{readdir_r} for the following reasons:
++
++@itemize @bullet
++@item
++On systems which do not define @code{NAME_MAX}, it may not be possible
++to use @code{readdir_r} safely because the caller does not specify the
++length of the buffer for the directory entry.
++
++@item
++On some systems, @code{readdir_r} cannot read directory entries with
++very long names.  If such a name is encountered, @theglibc{}
++implementation of @code{readdir_r} returns with an error code of
++@code{ENAMETOOLONG} after the final directory entry has been read.  On
++other systems, @code{readdir_r} may return successfully, but the
++@code{d_name} member may not be NUL-terminated or may be truncated.
++
++@item
++POSIX-1.2008 does not guarantee that @code{readdir} is thread-safe,
++even when access to the same @var{dirstream} is serialized.  But in
++current implementations (including @theglibc{}), it is safe to call
++@code{readdir} concurrently on different @var{dirstream}s, so there is
++no requirement to use @code{readdir_r} even in multi-threaded
++programs.
++
++@item
++It is expected that future versions of POSIX will obsolete
++@code{readdir_r} and mandate the level of thread safety for
++@code{readdir} which is provided by @theglibc{} and other
++implementations today.
++@end itemize
+ 
+ Normally @code{readdir_r} returns zero and sets @code{*@var{result}}
+ to @var{entry}.  If there are no more entries in the directory or an
+@@ -481,15 +521,6 @@ error is detected, @code{readdir_r} sets
+ null pointer and returns a nonzero error code, also stored in
+ @code{errno}, as described for @code{readdir}.
+ 
+-@strong{Portability Note:} On some systems @code{readdir_r} may not
+-return a NUL terminated string for the file name, even when there is no
+-@code{d_reclen} field in @code{struct dirent} and the file
+-name is the maximum allowed size.  Modern systems all have the
+-@code{d_reclen} field, and on old systems multi-threading is not
+-critical.  In any case there is no such problem with the @code{readdir}
+-function, so that even on systems without the @code{d_reclen} member one
+-could use multiple threads by using external locking.
+-
+ It is also important to look at the definition of the @code{struct
+ dirent} type.  Simply passing a pointer to an object of this type for
+ the second parameter of @code{readdir_r} might not be enough.  Some
+Index: glibc-2.18/sysdeps/posix/dirstream.h
+===================================================================
+--- glibc-2.18.orig/sysdeps/posix/dirstream.h
++++ glibc-2.18/sysdeps/posix/dirstream.h
+@@ -39,6 +39,8 @@ struct __dirstream
+ 
+     off_t filepos;		/* Position of next entry to read.  */
+ 
++    int errcode;		/* Delayed error code.  */
++
+     /* Directory block.  */
+     char data[0] __attribute__ ((aligned (__alignof__ (void*))));
+   };
+Index: glibc-2.18/sysdeps/posix/opendir.c
+===================================================================
+--- glibc-2.18.orig/sysdeps/posix/opendir.c
++++ glibc-2.18/sysdeps/posix/opendir.c
+@@ -231,6 +231,7 @@ __alloc_dir (int fd, bool close_fd, int
+   dirp->size = 0;
+   dirp->offset = 0;
+   dirp->filepos = 0;
++  dirp->errcode = 0;
+ 
+   return dirp;
+ }
+Index: glibc-2.18/sysdeps/posix/readdir_r.c
+===================================================================
+--- glibc-2.18.orig/sysdeps/posix/readdir_r.c
++++ glibc-2.18/sysdeps/posix/readdir_r.c
+@@ -40,6 +40,7 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *ent
+   DIRENT_TYPE *dp;
+   size_t reclen;
+   const int saved_errno = errno;
++  int ret;
+ 
+   __libc_lock_lock (dirp->lock);
+ 
+@@ -70,10 +71,10 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *ent
+ 		  bytes = 0;
+ 		  __set_errno (saved_errno);
+ 		}
++	      if (bytes < 0)
++		dirp->errcode = errno;
+ 
+ 	      dp = NULL;
+-	      /* Reclen != 0 signals that an error occurred.  */
+-	      reclen = bytes != 0;
+ 	      break;
+ 	    }
+ 	  dirp->size = (size_t) bytes;
+@@ -106,29 +107,46 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *ent
+       dirp->filepos += reclen;
+ #endif
+ 
+-      /* Skip deleted files.  */
++#ifdef NAME_MAX
++      if (reclen > offsetof (DIRENT_TYPE, d_name) + NAME_MAX + 1)
++	{
++	  /* The record is very long.  It could still fit into the
++	     caller-supplied buffer if we can skip padding at the
++	     end.  */
++	  size_t namelen = _D_EXACT_NAMLEN (dp);
++	  if (namelen <= NAME_MAX)
++	    reclen = offsetof (DIRENT_TYPE, d_name) + namelen + 1;
++	  else
++	    {
++	      /* The name is too long.  Ignore this file.  */
++	      dirp->errcode = ENAMETOOLONG;
++	      dp->d_ino = 0;
++	      continue;
++	    }
++	}
++#endif
++
++      /* Skip deleted and ignored files.  */
+     }
+   while (dp->d_ino == 0);
+ 
+   if (dp != NULL)
+     {
+-#ifdef GETDENTS_64BIT_ALIGNED
+-      /* The d_reclen value might include padding which is not part of
+-	 the DIRENT_TYPE data structure.  */
+-      reclen = MIN (reclen,
+-		    offsetof (DIRENT_TYPE, d_name) + sizeof (dp->d_name));
+-#endif
+       *result = memcpy (entry, dp, reclen);
+-#ifdef GETDENTS_64BIT_ALIGNED
++#ifdef _DIRENT_HAVE_D_RECLEN
+       entry->d_reclen = reclen;
+ #endif
++      ret = 0;
+     }
+   else
+-    *result = NULL;
++    {
++      *result = NULL;
++      ret = dirp->errcode;
++    }
+ 
+   __libc_lock_unlock (dirp->lock);
+ 
+-  return dp != NULL ? 0 : reclen ? errno : 0;
++  return ret;
+ }
+ 
+ #ifdef __READDIR_R_ALIAS
+Index: glibc-2.18/sysdeps/posix/rewinddir.c
+===================================================================
+--- glibc-2.18.orig/sysdeps/posix/rewinddir.c
++++ glibc-2.18/sysdeps/posix/rewinddir.c
+@@ -33,6 +33,7 @@ rewinddir (dirp)
+   dirp->filepos = 0;
+   dirp->offset = 0;
+   dirp->size = 0;
++  dirp->errcode = 0;
+ #ifndef NOT_IN_libc
+   __libc_lock_unlock (dirp->lock);
+ #endif
+Index: glibc-2.18/sysdeps/unix/sysv/linux/i386/readdir64_r.c
+===================================================================
+--- glibc-2.18.orig/sysdeps/unix/sysv/linux/i386/readdir64_r.c
++++ glibc-2.18/sysdeps/unix/sysv/linux/i386/readdir64_r.c
+@@ -18,7 +18,6 @@
+ #define __READDIR_R __readdir64_r
+ #define __GETDENTS __getdents64
+ #define DIRENT_TYPE struct dirent64
+-#define GETDENTS_64BIT_ALIGNED 1
+ 
+ #include <sysdeps/posix/readdir_r.c>
+ 
+Index: glibc-2.18/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c
+===================================================================
+--- glibc-2.18.orig/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c
++++ glibc-2.18/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c
+@@ -1,5 +1,4 @@
+ #define readdir64_r __no_readdir64_r_decl
+-#define GETDENTS_64BIT_ALIGNED 1
+ #include <sysdeps/posix/readdir_r.c>
+ #undef readdir64_r
+ weak_alias (__readdir_r, readdir64_r)