pool/glibc
SHA256
2
0
Fork 2
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 97013 from Base:System

Browse Source 
Fix timezone loader overflow. (forwarded request 97011 from a_jaeger)

OBS-URL: https://build.opensuse.org/request/show/97013
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/glibc?expand=0&rev=98
This commit is contained in:
Stephan Kulow 2011-12-21 13:56:41 +00:00 committed by Git OBS Bridge
commit bb70e13116
3 changed files with 109 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
glibc.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Mon Dec 19 10:01:56 UTC 2011 - aj@suse.de
- Fix timezone loader overflow (bnc#735850,CVE-2009-5029) (patch
tzfile-corruption-fix.patch)
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Nov 29 03:09:56 UTC 2011 - rcoe@wi.rr.com Tue Nov 29 03:09:56 UTC 2011 - rcoe@wi.rr.com

3
glibc.spec
View File

@ -225,6 +225,8 @@ Patch83: glibc-arm-clone-unwind-fix.diff
Patch84: nscd-avoid-gcc-warning.diff Patch84: nscd-avoid-gcc-warning.diff
# PATCH-FIX-OPENSUSE fix printf with > 32 args and printf specifiers bnc#733140, bso#13446 # PATCH-FIX-OPENSUSE fix printf with > 32 args and printf specifiers bnc#733140, bso#13446
Patch85: glibc-2.14-32args-printf.patch Patch85: glibc-2.14-32args-printf.patch
# PATCH-FIX-UPSTREAM fix tzfile heap overrun bnc#735850 - aj@suse.de
Patch86: tzfile-corruption-fix.patch
%description %description
The GNU C Library provides the most important standard libraries used The GNU C Library provides the most important standard libraries used
@ -466,6 +468,7 @@ rm nscd/s-stamp
%patch75 -p1 %patch75 -p1
%patch84 %patch84
%patch85 %patch85
%patch86 -p1
# #
# Inconsistency detected by ld.so: dl-close.c: 719: _dl_close: Assertion `map->l_init_called' failed! # Inconsistency detected by ld.so: dl-close.c: 719: _dl_close: Assertion `map->l_init_called' failed!

100
tzfile-corruption-fix.patch Normal file
View File

@ -0,0 +1,100 @@
2011-12-17 Ulrich Drepper <drepper@gmail.com>
[BZ #13506]
* time/tzfile.c (__tzfile_read): Check values from file header.
diff --git a/time/tzfile.c b/time/tzfile.c
index 144e20b..402389c 100644
--- a/time/tzfile.c
+++ b/time/tzfile.c
@@ -234,23 +234,58 @@ __tzfile_read (const char *file, size_t extra, char **extrap)
goto read_again;
}
+ if (__builtin_expect (num_transitions
+ > ((SIZE_MAX - (__alignof__ (struct ttinfo) - 1))
+ / (sizeof (time_t) + 1)), 0))
+ goto lose;
total_size = num_transitions * (sizeof (time_t) + 1);
total_size = ((total_size + __alignof__ (struct ttinfo) - 1)
& ~(__alignof__ (struct ttinfo) - 1));
types_idx = total_size;
- total_size += num_types * sizeof (struct ttinfo) + chars;
+ if (__builtin_expect (num_types
+ > (SIZE_MAX - total_size) / sizeof (struct ttinfo), 0))
+ goto lose;
+ total_size += num_types * sizeof (struct ttinfo);
+ if (__builtin_expect (chars > SIZE_MAX - total_size, 0))
+ goto lose;
+ total_size += chars;
+ if (__builtin_expect (__alignof__ (struct leap) - 1
+ > SIZE_MAX - total_size, 0))
+ goto lose;
total_size = ((total_size + __alignof__ (struct leap) - 1)
& ~(__alignof__ (struct leap) - 1));
leaps_idx = total_size;
+ if (__builtin_expect (num_leaps
+ > (SIZE_MAX - total_size) / sizeof (struct leap), 0))
+ goto lose;
total_size += num_leaps * sizeof (struct leap);
- tzspec_len = (sizeof (time_t) == 8 && trans_width == 8
- ? st.st_size - (ftello (f)
- + num_transitions * (8 + 1)
- + num_types * 6
- + chars
- + num_leaps * 12
- + num_isstd
- + num_isgmt) - 1 : 0);
+ tzspec_len = 0;
+ if (sizeof (time_t) == 8 && trans_width == 8)
+ {
+ off_t rem = st.st_size - ftello (f);
+ if (__builtin_expect (rem < 0
+ || (size_t) rem < (num_transitions * (8 + 1)
+ + num_types * 6
+ + chars), 0))
+ goto lose;
+ tzspec_len = (size_t) rem - (num_transitions * (8 + 1)
+ + num_types * 6
+ + chars);
+ if (__builtin_expect (num_leaps > SIZE_MAX / 12
+ || tzspec_len < num_leaps * 12, 0))
+ goto lose;
+ tzspec_len -= num_leaps * 12;
+ if (__builtin_expect (tzspec_len < num_isstd, 0))
+ goto lose;
+ tzspec_len -= num_isstd;
+ if (__builtin_expect (tzspec == 0 || tzspec_len - 1 < num_isgmt, 0))
+ goto lose;
+ tzspec_len -= num_isgmt + 1;
+ if (__builtin_expect (SIZE_MAX - total_size < tzspec_len, 0))
+ goto lose;
+ }
+ if (__builtin_expect (SIZE_MAX - total_size - tzspec_len < extra, 0))
+ goto lose;
/* Allocate enough memory including the extra block requested by the
caller. */
And fix the previous patch ...
--- a/time/tzfile.c.orig 2011-12-19 10:58:26.000000000 +0100
+++ b/time/tzfile.c 2011-12-19 10:59:35.000000000 +0100
@@ -19,6 +19,7 @@
#include <assert.h>
#include <limits.h>
+#include <stdint.h>
#include <stdio.h>
#include <stdio_ext.h>
#include <stdlib.h>
@@ -278,7 +279,7 @@
if (__builtin_expect (tzspec_len < num_isstd, 0))
goto lose;
tzspec_len -= num_isstd;
- if (__builtin_expect (tzspec == 0 || tzspec_len - 1 < num_isgmt, 0))
+ if (__builtin_expect (tzspec_len == 0 || tzspec_len - 1 < num_isgmt, 0))
goto lose;
tzspec_len -= num_isgmt + 1;
if (__builtin_expect (SIZE_MAX - total_size < tzspec_len, 0))