diff --git a/cve-2008-4865.diff b/cve-2008-4865.diff
new file mode 100644
index 0000000..3aba4c2
--- /dev/null
+++ b/cve-2008-4865.diff
@@ -0,0 +1,46 @@
+--- docs/xml/manual-core.xml
++++ docs/xml/manual-core.xml
+@@ -1255,7 +1255,9 @@ processed earlier; for example, options
+ precedence over those in
+ ~/.valgrindrc. The first two
+ are particularly useful for setting the default tool to
+-use.
++use. Please note that the .valgrindrc file is ignored if
++it is world writeable or not owned by the current user.
++
+
+ Any tool-specific options put in
+ $VALGRIND_OPTS or the
+--- coregrind/m_commandline.c
++++ coregrind/m_commandline.c
+@@ -57,21 +57,24 @@ static HChar* read_dot_valgrindrc ( HCha
+ {
+ Int n;
+ SysRes fd;
+- Int size;
++ struct vki_stat stat_buf;
+ HChar* f_clo = NULL;
+ HChar filename[VKI_PATH_MAX];
+
+ VG_(snprintf)(filename, VKI_PATH_MAX, "%s/.valgrindrc",
+ ( NULL == dir ? "" : dir ) );
+ fd = VG_(open)(filename, 0, VKI_S_IRUSR);
++
+ if ( !fd.isError ) {
+- size = VG_(fsize)(fd.res);
+- if (size > 0) {
+- f_clo = VG_(malloc)(size+1);
++ Int res = VG_(fstat)( fd.res, &stat_buf );
++ // Ignore if not owned by current user or world writeable (CVE-2008-4865)
++ if (!res && stat_buf.st_size > 0 && stat_buf.st_uid == VG_(geteuid)()
++ && (!stat_buf.st_mode & (VKI_S_IWOTH))) {
++ f_clo = VG_(malloc)(stat_buf.st_size+1);
+ vg_assert(f_clo);
+- n = VG_(read)(fd.res, f_clo, size);
++ n = VG_(read)(fd.res, f_clo, stat_buf.st_size);
+ if (n == -1) n = 0;
+- vg_assert(n >= 0 && n <= size+1);
++ vg_assert(n >= 0 && n <= stat_buf.st_size+1);
+ f_clo[n] = '\0';
+ }
+ VG_(close)(fd.res);
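Review bot: The world-writable test on the new condition line, `(!stat_buf.st_mode & (VKI_S_IWOTH))`, applies `!` to `st_mode` before the `&`, so the sub-expression is either `0 & VKI_S_IWOTH` or `1 & VKI_S_IWOTH` and is always 0; the whole `if` can never be true and ~/.valgrindrc is silently ignored for every file, writable or not, so the fix fails closed but breaks the feature it is guarding. The intended test is `&& !(stat_buf.st_mode & VKI_S_IWOTH)) {`. Taking the owner and mode from `VG_(fstat)` on the already-opened descriptor rather than from the path is the right order, since the checked attributes belong to the same file that is subsequently read. The manual text in the same hunk documents only the world-writable and ownership conditions, so if a group-writable file is also meant to be rejected (a defensible choice on shared-group systems) both the test and the documentation would need to say so. The body of read_dot_valgrindrc continues past the end of the hunk.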
diff --git a/glibc-2.9-support.diff b/glibc-2.9-support.diff
new file mode 100644
index 0000000..570afb8
--- /dev/null
+++ b/glibc-2.9-support.diff
@@ -0,0 +1,139 @@
+--- configure.in
++++ configure.in
+@@ -479,6 +479,16 @@ AC_EGREP_CPP([GLIBC_28], [
+ ],
+ libc="2.8")
+
++AC_EGREP_CPP([GLIBC_29], [
++#include
++#ifdef __GNU_LIBRARY__
++ #if (__GLIBC__ == 2 && __GLIBC_MINOR__ == 9)
++ GLIBC_29
++ #endif
++#endif
++],
++libc="2.9")
++
+ AC_EGREP_CPP([AIX5_LIBC], [
+ #include
+ #if defined(_AIXVERSION_510) || defined(_AIXVERSION_520) || defined(_AIXVERSION_530)
+@@ -535,6 +545,12 @@ case "${libc}" in
+ DEFAULT_SUPP="glibc-2.8.supp ${DEFAULT_SUPP}"
+ DEFAULT_SUPP="glibc-2.34567-NPTL-helgrind.supp ${DEFAULT_SUPP}"
+ ;;
++ 2.9)
++ AC_MSG_RESULT(2.9 family)
++ AC_DEFINE([GLIBC_2_9], 1, [Define to 1 if you're using glibc 2.9.x])
++ DEFAULT_SUPP="glibc-2.9.supp ${DEFAULT_SUPP}"
++ DEFAULT_SUPP="glibc-2.34567-NPTL-helgrind.supp ${DEFAULT_SUPP}"
++ ;;
+ aix5)
+ AC_MSG_RESULT(AIX 5.1 or 5.2 or 5.3)
+ AC_DEFINE([AIX5_LIBC], 1, [Define to 1 if you're using AIX 5.1 or 5.2 or 5.3])
+@@ -543,7 +559,7 @@ case "${libc}" in
+
+ *)
+ AC_MSG_RESULT(unsupported version)
+- AC_MSG_ERROR([Valgrind requires glibc version 2.2 - 2.7])
++ AC_MSG_ERROR([Valgrind requires glibc version 2.2 - 2.9])
+ AC_MSG_ERROR([or AIX 5.1 or 5.2 or 5.3 libc])
+ ;;
+ esac
+--- glibc-2.9.supp
++++ glibc-2.9.supp
+@@ -0,0 +1,95 @@
++
++# Errors to suppress by default with glibc 2.8.x
++
++# Format of this file is:
++# {
++# name_of_suppression
++# tool_name:supp_kind
++# (optional extra info for some suppression types)
++# caller0 name, or /name/of/so/file.so
++# caller1 name, or ditto
++# (optionally: caller2 name)
++# (optionally: caller3 name)
++# }
++#
++# For Memcheck, the supp_kinds are:
++#
++# Param Value1 Value2 Value4 Value8 Value16 Jump
++# Free Addr1 Addr2 Addr4 Addr8 Addr16
++# Cond (previously known as Value0)
++#
++# and the optional extra info is:
++# if Param: name of system call param
++
++{
++ dl-hack3-cond-1
++ Memcheck:Cond
++ obj:/lib*/ld-2.8*.so*
++ obj:/lib*/ld-2.8*.so*
++ obj:/lib*/ld-2.8*.so*
++}
++{
++ dl-hack3-cond-2
++ Memcheck:Cond
++ obj:/lib*/ld-2.8*.so*
++ obj:/lib*/ld-2.8*.so*
++ obj:/lib*/libc-2.8*.so*
++}
++{
++ dl-hack3-cond-3
++ Memcheck:Cond
++ obj:/lib*/ld-2.8*.so*
++ obj:/lib*/libc-2.8*.so*
++ obj:/lib*/libc-2.8*.so*
++}
++{
++ dl-hack3-cond-4
++ Memcheck:Cond
++ obj:/lib*/ld-2.8*.so*
++ obj:/lib*/ld-2.8*.so*
++ obj:/lib*/libdl-2.8*.so*
++}
++
++{
++ dl-hack4-64bit-addr-1
++ Memcheck:Addr8
++ obj:/lib*/ld-2.8*.so*
++ obj:/lib*/ld-2.8*.so*
++ obj:/lib*/ld-2.8*.so*
++}
++{
++ dl-hack4-64bit-addr-2
++ Memcheck:Addr8
++ obj:/lib*/ld-2.8*.so*
++ obj:/lib*/ld-2.8*.so*
++ obj:/lib*/libc-2.8*.so*
++}
++{
++ dl-hack4-64bit-addr-3
++ Memcheck:Addr8
++ obj:/lib*/ld-2.8*.so*
++ obj:/lib*/ld-2.8*.so*
++ obj:/lib*/libdl-2.8*.so*
++}
++
++{
++ dl-hack5-32bit-addr-1
++ Memcheck:Addr4
++ obj:/lib/ld-2.8*.so
++ obj:/lib/ld-2.8*.so
++ obj:/lib/ld-2.8*.so
++}
++{
++ dl-hack5-32bit-addr-3
++ Memcheck:Addr4
++ obj:/lib/ld-2.8*.so
++ obj:/lib/ld-2.8*.so
++ obj:/lib/libdl-2.8*.so*
++}
++{
++ dl-hack5-32bit-addr-4
++ Memcheck:Addr4
++ obj:/lib/ld-2.8*.so
++ obj:/lib/libdl-2.8*.so*
++ obj:/lib/ld-2.8*.so
++}
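Review bot: The new glibc-2.9.supp file does not match glibc 2.9 at all: every `obj:` pattern reads `ld-2.8*.so*`, `libc-2.8*.so*` or `libdl-2.8*.so*`, and the header comment says `# Errors to suppress by default with glibc 2.8.x`, so the file selected by the new `2.9)` case in configure.in will never suppress anything on a 2.9 system. The patterns should target the 2.9 libraries, e.g. `obj:/lib*/ld-2.9*.so*`, and the comment should read `# Errors to suppress by default with glibc 2.9.x`. Both `#include` lines in the configure.in hunk appear with no header name, including the pre-existing one in the AIX block, which looks like a rendering artifact of this page rather than the patch contents, but the applied file should be checked before the patch is trusted.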
diff --git a/valgrind.changes b/valgrind.changes
index 9f92bcf..36adb43 100644
--- a/valgrind.changes
+++ b/valgrind.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Nov 20 00:32:49 CET 2008 - dmueller@suse.de
+
+- fix .valgrindrc reading vulnerability (CVE-2008-4865, bnc#445013)
+- add support for glibc 2.9
+
-------------------------------------------------------------------
Wed Nov 5 13:58:49 CET 2008 - dmueller@suse.de
diff --git a/valgrind.spec b/valgrind.spec
index faedadb..2d71fba 100644
--- a/valgrind.spec
+++ b/valgrind.spec
@@ -28,7 +28,7 @@ Group: Development/Tools/Debuggers
Summary: Valgrind Suite of Tools for Debugging and Profiling
BuildRoot: %{_tmppath}/%{name}-%{version}-build
Version: 3.3.1
-Release: 31
+Release: 32
Source0: %{name}-%{version}.tar.bz2
# svn di svn://svn.valgrind.org/valgrind/tags/VALGRIND_3_2_1 svn://svn.valgrind.org/valgrind/branches/VALGRIND_3_2_BRANCH > 3_2_BRANCH.diff
# svn di svn://svn.valgrind.org/vex/tags/VEX_3_2_1 svn://svn.valgrind.org/vex/branches/VEX_3_2_BRANCH > VEX_3_2_BRANCH.diff
@@ -38,6 +38,8 @@ Patch10: update-suppressions.diff
Patch12: xcb-update.diff
Patch13: fadvice64.diff
Patch14: r8730.diff
+Patch15: cve-2008-4865.diff
+Patch16: glibc-2.9-support.diff
Provides: callgrind = %version
Obsoletes: callgrind < %version
ExclusiveArch: %ix86 x86_64 ppc ppc64
@@ -126,6 +128,8 @@ cd ..
%patch12
%patch13
%patch14
+%patch15
+%patch16
%build
export CFLAGS="$RPM_OPT_FLAGS"
@@ -155,6 +159,9 @@ mv $RPM_BUILD_ROOT/usr/share/doc/valgrind $RPM_BUILD_ROOT/usr/share/doc/packages
%_libdir/valgrind/*/*.a
%changelog
+* Thu Nov 20 2008 dmueller@suse.de
+- fix .valgrindrc reading vulnerability (CVE-2008-4865, bnc#445013)
+- add support for glibc 2.9
* Wed Nov 05 2008 dmueller@suse.de
- add syscall wrappers for pipe2
* Tue Jun 24 2008 schwab@suse.de