Accepting request 681703 from Base:System

- regex-read-overrun.patch: fix read overrun (CVE-2019-9169, bsc#1127308,
  BZ #24114)
- ldconfig-concurrency.patch: Avoid concurrency problem in ldconfig
  (bsc#1117993, BZ #23973) (forwarded request 681702 from Andreas_Schwab)

OBS-URL: https://build.opensuse.org/request/show/681703
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/glibc?expand=0&rev=227
Dominique Leuenberger 2019-03-06 18:01:26 +00:00 committed by Git OBS Bridge
commit c5de37b765
4 changed files with 103 additions and 2 deletions


@ -1,3 +1,11 @@
-------------------------------------------------------------------
Tue Mar 5 10:38:30 UTC 2019 - Andreas Schwab <schwab@suse.de>
- regex-read-overrun.patch: fix read overrun (CVE-2019-9169, bsc#1127308,
BZ #24114)
- ldconfig-concurrency.patch: Avoid concurrency problem in ldconfig
(bsc#1117993, BZ #23973)
-------------------------------------------------------------------
Thu Feb 21 08:37:00 UTC 2019 - Martin Liška <mliska@suse.cz>
@ -57,6 +65,7 @@ Fri Feb 1 10:34:39 UTC 2019 - schwab@suse.de
gethostid-gethostbyname-failure.patch, strstr-huge-needle.patch,
pthread-mutex-lock-elision-race.patch, x86-haswell-string-flags.patch,
if-nametoindex-descr-leak.patch, riscv-flush-icache.patch: Removed
- CVE-2016-10739
-------------------------------------------------------------------
Wed Jan 9 14:21:04 UTC 2019 - schwab@suse.de
@ -170,6 +179,7 @@ Thu Aug 2 07:48:07 UTC 2018 - schwab@suse.de
riscv-kernel-sigaction.patch, riscv-readelflib.patch,
riscv-tls-init.patch: Removed
- glibc_post_upgrade.c: Don't reload init (bsc#1103124)
- CVE-2009-5155, CVE-2015-8985
-------------------------------------------------------------------
Tue Jun 19 08:37:43 UTC 2018 - schwab@suse.de


@ -71,8 +71,7 @@ BuildRequires: xz
BuildRequires: gcc-c++
BuildRequires: gdb
BuildRequires: glibc-devel-static
# BZ #24113
#BuildRequires: libidn2-0
BuildRequires: libidn2-0
BuildRequires: libstdc++-devel
BuildRequires: python3-pexpect
%endif
@ -284,6 +283,8 @@ Patch1004: pthread-join-probe.patch
Patch1005: riscv-clone-unwind.patch
# PATCH-FIX-UPSTREAM Add new Fortran vector math header file.
Patch1006: add-new-Fortran-vector-math-header-file.patch
# PATCH-FIX-UPSTREAM regex: fix read overrun (CVE-2019-9169, BZ #24114)
Patch1007: regex-read-overrun.patch
###
# Patches awaiting upstream approval
@ -296,6 +297,8 @@ Patch2004: fnmatch-collating-elements.patch
Patch2005: nss-files-long-lines-2.patch
# PATCH-FIX-UPSTREAM Fix iconv buffer handling with IGNORE error handler (BZ #18830)
Patch2006: iconv-reset-input-buffer.patch
# PATCH-FIX-UPSTREAM Avoid concurrency problem in ldconfig (BZ #23973)
Patch2007: ldconfig-concurrency.patch
# Non-glibc patches
# PATCH-FIX-OPENSUSE Remove debianisms from manpages
@ -500,11 +503,13 @@ makedb: A program to create a database for nss
%patch1004 -p1
%patch1005 -p1
%patch1006 -p1
%patch1007 -p1
%patch2000 -p1
%patch2004 -p1
%patch2005 -p1
%patch2006 -p1
%patch2007 -p1
%patch3000


@ -0,0 +1,61 @@
* elf/cache.c (save_cache): Use unique temporary name.
(save_aux_cache): Likewise.
Index: glibc-2.29/elf/cache.c
===================================================================
--- glibc-2.29.orig/elf/cache.c
+++ glibc-2.29/elf/cache.c
@@ -427,12 +427,12 @@ save_cache (const char *cache_name)
/* Write out the cache. */
/* Write cache first to a temporary file and rename it later. */
- char *temp_name = xmalloc (strlen (cache_name) + 2);
- sprintf (temp_name, "%s~", cache_name);
+ char *temp_name;
+ if (asprintf (&temp_name, "%s.XXXXXX", cache_name) < 0)
+ error (EXIT_FAILURE, errno, _("Can't allocate temporary name for cache file"));
/* Create file. */
- int fd = open (temp_name, O_CREAT|O_WRONLY|O_TRUNC|O_NOFOLLOW,
- S_IRUSR|S_IWUSR);
+ int fd = mkostemp (temp_name, 0);
if (fd < 0)
error (EXIT_FAILURE, errno, _("Can't create temporary cache file %s"),
temp_name);
@@ -481,6 +481,7 @@ save_cache (const char *cache_name)
free (file_entries_new);
free (file_entries);
free (strings);
+ free (temp_name);
while (entries)
{
@@ -804,8 +805,9 @@ save_aux_cache (const char *aux_cache_na
/* Write out auxiliary cache file. */
/* Write auxiliary cache first to a temporary file and rename it later. */
- char *temp_name = xmalloc (strlen (aux_cache_name) + 2);
- sprintf (temp_name, "%s~", aux_cache_name);
+ char *temp_name;
+ if (asprintf (&temp_name, "%s.XXXXXX", aux_cache_name) < 0)
+ goto out_fail2;
/* Check that directory exists and create if needed. */
char *dir = strdupa (aux_cache_name);
@@ -819,8 +821,7 @@ save_aux_cache (const char *aux_cache_na
}
/* Create file. */
- int fd = open (temp_name, O_CREAT|O_WRONLY|O_TRUNC|O_NOFOLLOW,
- S_IRUSR|S_IWUSR);
+ int fd = mkostemp (temp_name, 0);
if (fd < 0)
goto out_fail;
@@ -840,5 +841,6 @@ save_aux_cache (const char *aux_cache_na
out_fail:
/* Free allocated memory. */
free (temp_name);
+out_fail2:
free (file_entries);
}
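Review bot: Switching to a unique `mkostemp` name means a temporary file left behind by a failed run is no longer overwritten by the next one, and none of the visible hunks adds an `unlink (temp_name);` on a failure path. In `save_cache` the visible error handling is `error (EXIT_FAILURE, ...)`, so if the later write or rename failures (outside these hunks) exit the same way, each failed run would leave another `cache_name.XXXXXX` file next to the cache; adding `unlink (temp_name);` before those exits would prevent that. In `save_aux_cache` the `asprintf` failure at `goto out_fail2` returns without any diagnostic, which appears to match the function's other silent `goto out_fail` paths but deserves a short comment at the label such as `/* temp_name is undefined after a failed asprintf; skip its free.  */`. Both functions start and end outside the hunks.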

25
regex-read-overrun.patch Normal file

@ -0,0 +1,25 @@
2019-01-31 Paul Eggert <eggert@cs.ucla.edu>
regex: fix read overrun [BZ #24114]
Problem found by AddressSanitizer, reported by Hongxu Chen in:
https://debbugs.gnu.org/34140
* posix/regexec.c (proceed_next_node):
Do not read past end of input buffer.
Index: glibc-2.29/posix/regexec.c
===================================================================
--- glibc-2.29.orig/posix/regexec.c
+++ glibc-2.29/posix/regexec.c
@@ -1293,8 +1293,10 @@ proceed_next_node (const re_match_contex
else if (naccepted)
{
char *buf = (char *) re_string_get_buffer (&mctx->input);
- if (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx,
- naccepted) != 0)
+ if (mctx->input.valid_len - *pidx < naccepted
+ || (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx,
+ naccepted)
+ != 0))
return -1;
}
}
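Review bot: The new bound `mctx->input.valid_len - *pidx < naccepted` guards only the `buf + *pidx` operand of the `memcmp` and carries no comment saying why it is there. A one-line comment above the `if`, such as `/* Not enough valid input left to hold the back-reference text.  */`, would keep the check from being dropped in a later cleanup. The comparison also relies on the operands being signed, so that a `*pidx` beyond `valid_len` gives a negative difference and still fails the match; the types are declared outside this hunk, so that is worth confirming. `proceed_next_node` starts and ends outside the hunk.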