Accepting request 681703 from Base:System

- regex-read-overrun.patch: fix read overrun (CVE-2019-9169, bsc#1127308,
  BZ #24114)
- ldconfig-concurrency.patch: Avoid concurrency problem in ldconfig
  (bsc#1117993, BZ #23973) (forwarded request 681702 from Andreas_Schwab)

OBS-URL: https://build.opensuse.org/request/show/681703
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/glibc?expand=0&rev=227

glibc.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue Mar  5 10:38:30 UTC 2019 - Andreas Schwab <schwab@suse.de>
+
+- regex-read-overrun.patch: fix read overrun (CVE-2019-9169, bsc#1127308,
+  BZ #24114)
+- ldconfig-concurrency.patch: Avoid concurrency problem in ldconfig
+  (bsc#1117993, BZ #23973)
+
 -------------------------------------------------------------------
 Thu Feb 21 08:37:00 UTC 2019 - Martin Liška <mliska@suse.cz>
 
@@ -57,6 +65,7 @@ Fri Feb  1 10:34:39 UTC 2019 - schwab@suse.de
   gethostid-gethostbyname-failure.patch, strstr-huge-needle.patch,
   pthread-mutex-lock-elision-race.patch, x86-haswell-string-flags.patch,
   if-nametoindex-descr-leak.patch, riscv-flush-icache.patch: Removed
+- CVE-2016-10739
 
 -------------------------------------------------------------------
 Wed Jan  9 14:21:04 UTC 2019 - schwab@suse.de
@@ -170,6 +179,7 @@ Thu Aug  2 07:48:07 UTC 2018 - schwab@suse.de
   riscv-kernel-sigaction.patch, riscv-readelflib.patch,
   riscv-tls-init.patch: Removed
 - glibc_post_upgrade.c: Don't reload init (bsc#1103124)
+- CVE-2009-5155, CVE-2015-8985
 
 -------------------------------------------------------------------
 Tue Jun 19 08:37:43 UTC 2018 - schwab@suse.de

glibc.spec

@@ -71,8 +71,7 @@ BuildRequires:  xz
 BuildRequires:  gcc-c++
 BuildRequires:  gdb
 BuildRequires:  glibc-devel-static
-# BZ #24113
-#BuildRequires:  libidn2-0
+BuildRequires:  libidn2-0
 BuildRequires:  libstdc++-devel
 BuildRequires:  python3-pexpect
 %endif
@@ -284,6 +283,8 @@ Patch1004:      pthread-join-probe.patch
 Patch1005:      riscv-clone-unwind.patch
 # PATCH-FIX-UPSTREAM Add new Fortran vector math header file.
 Patch1006:      add-new-Fortran-vector-math-header-file.patch
+# PATCH-FIX-UPSTREAM regex: fix read overrun (CVE-2019-9169, BZ #24114)
+Patch1007:      regex-read-overrun.patch
 
 ### 
 # Patches awaiting upstream approval
@@ -296,6 +297,8 @@ Patch2004:      fnmatch-collating-elements.patch
 Patch2005:      nss-files-long-lines-2.patch
 # PATCH-FIX-UPSTREAM Fix iconv buffer handling with IGNORE error handler (BZ #18830)
 Patch2006:      iconv-reset-input-buffer.patch
+# PATCH-FIX-UPSTREAM Avoid concurrency problem in ldconfig (BZ #23973)
+Patch2007:      ldconfig-concurrency.patch
 
 # Non-glibc patches
 # PATCH-FIX-OPENSUSE Remove debianisms from manpages
@@ -500,11 +503,13 @@ makedb: A program to create a database for nss
 %patch1004 -p1
 %patch1005 -p1
 %patch1006 -p1
+%patch1007 -p1
 
 %patch2000 -p1
 %patch2004 -p1
 %patch2005 -p1
 %patch2006 -p1
+%patch2007 -p1
 
 %patch3000
 

ldconfig-concurrency.patch

@@ -0,0 +1,61 @@
+	* elf/cache.c (save_cache): Use unique temporary name.
+	(save_aux_cache): Likewise.
+
+Index: glibc-2.29/elf/cache.c
+===================================================================
+--- glibc-2.29.orig/elf/cache.c
++++ glibc-2.29/elf/cache.c
+@@ -427,12 +427,12 @@ save_cache (const char *cache_name)
+   /* Write out the cache.  */
+ 
+   /* Write cache first to a temporary file and rename it later.  */
+-  char *temp_name = xmalloc (strlen (cache_name) + 2);
+-  sprintf (temp_name, "%s~", cache_name);
++  char *temp_name;
++  if (asprintf (&temp_name, "%s.XXXXXX", cache_name) < 0)
++    error (EXIT_FAILURE, errno, _("Can't allocate temporary name for cache file"));
+ 
+   /* Create file.  */
+-  int fd = open (temp_name, O_CREAT|O_WRONLY|O_TRUNC|O_NOFOLLOW,
+-		 S_IRUSR|S_IWUSR);
++  int fd = mkostemp (temp_name, 0);
+   if (fd < 0)
+     error (EXIT_FAILURE, errno, _("Can't create temporary cache file %s"),
+ 	   temp_name);
+@@ -481,6 +481,7 @@ save_cache (const char *cache_name)
+   free (file_entries_new);
+   free (file_entries);
+   free (strings);
++  free (temp_name);
+ 
+   while (entries)
+     {
+@@ -804,8 +805,9 @@ save_aux_cache (const char *aux_cache_na
+   /* Write out auxiliary cache file.  */
+   /* Write auxiliary cache first to a temporary file and rename it later.  */
+ 
+-  char *temp_name = xmalloc (strlen (aux_cache_name) + 2);
+-  sprintf (temp_name, "%s~", aux_cache_name);
++  char *temp_name;
++  if (asprintf (&temp_name, "%s.XXXXXX", aux_cache_name) < 0)
++    goto out_fail2;
+ 
+   /* Check that directory exists and create if needed.  */
+   char *dir = strdupa (aux_cache_name);
+@@ -819,8 +821,7 @@ save_aux_cache (const char *aux_cache_na
+     }
+ 
+   /* Create file.  */
+-  int fd = open (temp_name, O_CREAT|O_WRONLY|O_TRUNC|O_NOFOLLOW,
+-		 S_IRUSR|S_IWUSR);
++  int fd = mkostemp (temp_name, 0);
+   if (fd < 0)
+     goto out_fail;
+ 
+@@ -840,5 +841,6 @@ save_aux_cache (const char *aux_cache_na
+ out_fail:
+   /* Free allocated memory.  */
+   free (temp_name);
++out_fail2:
+   free (file_entries);
+ }

regex-read-overrun.patch

@@ -0,0 +1,25 @@
+2019-01-31  Paul Eggert  <eggert@cs.ucla.edu>
+
+	regex: fix read overrun [BZ #24114]
+	Problem found by AddressSanitizer, reported by Hongxu Chen in:
+	https://debbugs.gnu.org/34140
+	* posix/regexec.c (proceed_next_node):
+	Do not read past end of input buffer.
+
+Index: glibc-2.29/posix/regexec.c
+===================================================================
+--- glibc-2.29.orig/posix/regexec.c
++++ glibc-2.29/posix/regexec.c
+@@ -1293,8 +1293,10 @@ proceed_next_node (const re_match_contex
+ 	      else if (naccepted)
+ 		{
+ 		  char *buf = (char *) re_string_get_buffer (&mctx->input);
+-		  if (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx,
+-			      naccepted) != 0)
++		  if (mctx->input.valid_len - *pidx < naccepted
++		      || (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx,
++				  naccepted)
++			  != 0))
+ 		    return -1;
+ 		}
+ 	    }