Accepting request 492649 from Base:System

1 OBS-URL: https://build.opensuse.org/request/show/492649 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/coreutils?expand=0&rev=123
2017-05-17 08:45:29 +00:00 · 2017-05-17 08:45:29 +00:00 · d8863ca283
commit d8863ca283
parent 7f261a9923
5 changed files with 246 additions and 0 deletions
--- a/coreutils-cve-2017-7476-out-of-bounds-with-large-tz.patch
+++ b/coreutils-cve-2017-7476-out-of-bounds-with-large-tz.patch
@ -0,0 +1,216 @@
 # Upstream fix on top of coreutils-v8.27:
 # Add upstream patch to fix an heap overflow security issue
 # in date(1) and touch(1) with a large TZ variable
 # (CVE-2017-7476, rh#1444774, boo#1037124).
 This issue is already fixed upstream, so here in openSUSE
 we're just picking up the patches:
 * [PATCH 1/2] Upstream gnulib fix:
  http://git.sv.gnu.org/cgit/gnulib.git/commit/?id=94e015715078
  FWIW, this patch has been picked up by upstream coreutils by
  the following update to latest gnulib:
  http://git.sv.gnu.org/cgit/coreutils.git/commit/?id=5d4be52a982e
 * [PATCH 2/2] Upstream coreutils test:
  http://git.sv.gnu.org/cgit/coreutils.git/commit/?id=9287ef2b1707
 This downstream patch squashes both commits into one.
 Here are the original commit messages.
 ================================================================================
 From 94e01571507835ff59dd8ce2a0b56a4b566965a4 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?P=C3=A1draig=20Brady?= <P@draigBrady.com>
 Date: Mon, 24 Apr 2017 01:43:36 -0700
 Subject: [PATCH 1/2] time_rz: fix heap buffer overflow vulnerability
 This issue has been assigned CVE-2017-7476 and was
 detected with American Fuzzy Lop 2.41b run on the
 coreutils date(1) program with ASAN enabled.
  ERROR: AddressSanitizer: heap-buffer-overflow on address 0x...
  WRITE of size 8 at 0x60d00000cff8 thread T0
  #1 0x443020 in extend_abbrs lib/time_rz.c:88
  #2 0x443356 in save_abbr lib/time_rz.c:155
  #3 0x44393f in localtime_rz lib/time_rz.c:290
  #4 0x41e4fe in parse_datetime2 lib/parse-datetime.y:1798
 A minimized reproducer is the following 120 byte TZ value,
 which goes beyond the value of ABBR_SIZE_MIN (119) on x86_64.
 Extend the aa...b portion to overwrite more of the heap.
  date -d $(printf 'TZ="aaa%020daaaaaab%089d"')
 localtime_rz and mktime_z were affected since commit 4bc76593.
 parse_datetime was affected since commit 4e6e16b3f.
 * lib/time_rz.c (save_abbr): Rearrange the calculation determining
 whether there is enough buffer space available.  The rearrangement
 ensures we're only dealing with positive numbers, thus avoiding
 the problematic promotion of signed to unsigned causing an invalid
 comparison when zone_copy is more than ABBR_SIZE_MIN bytes beyond
 the start of the buffer.
 * tests/test-parse-datetime.c (main): Add a test case written by
 Paul Eggert, which overwrites enough of the heap so that
 standard glibc will fail with "free(): invalid pointer"
 without the patch applied.
 Reported and analyzed at https://bugzilla.redhat.com/1444774
 ================================================================================
 From 9287ef2b1707e2a222f8ae776ce3785abcb16fba Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?P=C3=A1draig=20Brady?= <P@draigBrady.com>
 Date: Wed, 26 Apr 2017 20:51:39 -0700
 Subject: [PATCH 2/2] date,touch: test and document large TZ security issue
 Add a test for CVE-2017-7476 which was fixed in gnulib at:
 http://git.sv.gnu.org/gitweb/?p=gnulib.git;a=commitdiff;h=94e01571
 * tests/misc/date-tz.sh: Add a new test which overwrites enough
 of the heap to trigger a segfault, even without ASAN enabled.
 * tests/local.mk: Reference the new test.
 * NEWS: Mention the bug fix.
 ---
 NEWS                               |    9 +++++++++
 gnulib-tests/test-parse-datetime.c |   16 ++++++++++++++++
 lib/time_rz.c                      |   15 +++++++++++++--
 tests/local.mk                     |    1 +
 tests/misc/date-tz.sh              |   26 ++++++++++++++++++++++++++
 5 files changed, 65 insertions(+), 2 deletions(-)
 Index: NEWS
 ===================================================================
 --- NEWS.orig
 +++ NEWS
@@ -1,5 +1,14 @@
 GNU coreutils NEWS                                    -*- outline -*-
 +* Noteworthy openSUSE changes after release 8.27 [downstream]
 +
 +** Bug fixes
 +
 +  date and touch no longer overwrite the heap with large
 +  user specified TZ values (CVE-2017-7476).
 +  [bug introduced in coreutils-8.27]
 +
 +
 * Noteworthy changes in release 8.27 (2017-03-08) [stable]
 ** Bug fixes
 Index: gnulib-tests/test-parse-datetime.c
 ===================================================================
 --- gnulib-tests/test-parse-datetime.c.orig
 +++ gnulib-tests/test-parse-datetime.c
@@ -432,5 +432,21 @@ main (int argc _GL_UNUSED, char **argv)
   ASSERT (   parse_datetime (&result, "TZ=\"\\\\\"", &now));
   ASSERT (   parse_datetime (&result, "TZ=\"\\\"\"", &now));
 +  /* Outlandishly-long time zone abbreviations should not cause problems.  */
 +  {
 +    static char const bufprefix[] = "TZ=\"";
 +    enum { tzname_len = 2000 };
 +    static char const bufsuffix[] = "0\" 1970-01-01 01:02:03.123456789";
 +    enum { bufsize = sizeof bufprefix - 1 + tzname_len + sizeof bufsuffix };
 +    char buf[bufsize];
 +    memcpy (buf, bufprefix, sizeof bufprefix - 1);
 +    memset (buf + sizeof bufprefix - 1, 'X', tzname_len);
 +    strcpy (buf + bufsize - sizeof bufsuffix, bufsuffix);
 +    ASSERT (parse_datetime (&result, buf, &now));
 +    LOG (buf, now, result);
 +    ASSERT (result.tv_sec == 1 * 60 * 60 + 2 * 60 + 3
 +            && result.tv_nsec == 123456789);
 +  }
 +
   return 0;
 }
 Index: lib/time_rz.c
 ===================================================================
 --- lib/time_rz.c.orig
 +++ lib/time_rz.c
@@ -27,6 +27,7 @@
 #include <time.h>
 #include <errno.h>
 +#include <limits.h>
 #include <stdbool.h>
 #include <stddef.h>
 #include <stdlib.h>
@@ -35,6 +36,10 @@
 #include "flexmember.h"
 #include "time-internal.h"
 +#ifndef SIZE_MAX
 +# define SIZE_MAX ((size_t) -1)
 +#endif
 +
 #if !HAVE_TZSET
 static void tzset (void) { }
 #endif
@@ -43,7 +48,7 @@ static void tzset (void) { }
    the largest "small" request for the GNU C library malloc.  */
 enum { DEFAULT_MXFAST = 64 * sizeof (size_t) / 4 };
 -/* Minimum size of the ABBRS member of struct abbr.  ABBRS is larger
 +/* Minimum size of the ABBRS member of struct tm_zone.  ABBRS is larger
    only in the unlikely case where an abbreviation longer than this is
    used.  */
 enum { ABBR_SIZE_MIN = DEFAULT_MXFAST - offsetof (struct tm_zone, abbrs) };
@@ -150,7 +155,13 @@ save_abbr (timezone_t tz, struct tm *tm)
           if (! (*zone_copy || (zone_copy == tz->abbrs && tz->tz_is_set)))
             {
               size_t zone_size = strlen (zone) + 1;
 -              if (zone_size < tz->abbrs + ABBR_SIZE_MIN - zone_copy)
 +              size_t zone_used = zone_copy - tz->abbrs;
 +              if (SIZE_MAX - zone_used < zone_size)
 +                {
 +                  errno = ENOMEM;
 +                  return false;
 +                }
 +              if (zone_used + zone_size < ABBR_SIZE_MIN)
                 extend_abbrs (zone_copy, zone, zone_size);
               else
                 {
 Index: tests/local.mk
 ===================================================================
 --- tests/local.mk.orig
 +++ tests/local.mk
@@ -282,6 +282,7 @@ all_tests =					\
   tests/misc/csplit-suppress-matched.pl		\
   tests/misc/date-debug.sh			\
   tests/misc/date-sec.sh			\
 +  tests/misc/date-tz.sh				\
   tests/misc/dircolors.pl			\
   tests/misc/dirname.pl				\
   tests/misc/env-null.sh			\
 Index: tests/misc/date-tz.sh
 ===================================================================
 --- /dev/null
 +++ tests/misc/date-tz.sh
@@ -0,0 +1,26 @@
 +#!/bin/sh
 +# Verify TZ processing.
 +
 +# Copyright (C) 2017 Free Software Foundation, Inc.
 +
 +# This program is free software: you can redistribute it and/or modify
 +# it under the terms of the GNU General Public License as published by
 +# the Free Software Foundation, either version 3 of the License, or
 +# (at your option) any later version.
 +
 +# This program is distributed in the hope that it will be useful,
 +# but WITHOUT ANY WARRANTY; without even the implied warranty of
 +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 +# GNU General Public License for more details.
 +
 +# You should have received a copy of the GNU General Public License
 +# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 +
 +. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
 +print_ver_ date
 +
 +# coreutils-8.27 would overwrite the heap with large TZ values
 +tz_long=$(printf '%2000s' | tr ' ' a)
 +date -d "TZ=\"${tz_long}0\" 2017" || fail=1
 +
 +Exit $fail
--- a/coreutils-testsuite.changes
+++ b/coreutils-testsuite.changes
@ -1,3 +1,11 @@
 -------------------------------------------------------------------
 Tue May  2 21:29:32 UTC 2017 - mail@bernhard-voelker.de
 - coreutils-cve-2017-7476-out-of-bounds-with-large-tz.patch:
  Add upstream patch to fix an heap overflow security issue
  in date(1) and touch(1) with a large TZ variable
  (CVE-2017-7476, rh#1444774, boo#1037124).
 -------------------------------------------------------------------
 Fri Mar 10 09:42:51 UTC 2017 - mail@bernhard-voelker.de
--- a/coreutils-testsuite.spec
+++ b/coreutils-testsuite.spec
@ -133,6 +133,12 @@ Patch501:       coreutils-test_without_valgrind.patch
 # Avoid a FP of tests/misc/date-debug.sh with newer timezone-2017a.
 Patch700:       coreutils-tests-port-to-timezone-2017a.patch
 # Upstream fix on top of coreutils-v8.27:
 # Add upstream patch to fix an heap overflow security issue
 # in date(1) and touch(1) with a large TZ variable
 # (CVE-2017-7476, rh#1444774, boo#1037124).
 Patch710:       coreutils-cve-2017-7476-out-of-bounds-with-large-tz.patch
 # ================================================
 %description
 These are the GNU core utilities.  This package is the union of
@ -176,6 +182,7 @@ the GNU fileutils, sh-utils, and textutils packages.
 %patch501
 %patch700
 %patch710
 #???## We need to statically link to gmp, otherwise we have a build loop
 #???#sed -i s,'$(LIB_GMP)',%%{_libdir}/libgmp.a,g Makefile.in
--- a/coreutils.changes
+++ b/coreutils.changes
@ -1,3 +1,11 @@
 -------------------------------------------------------------------
 Tue May  2 21:29:32 UTC 2017 - mail@bernhard-voelker.de
 - coreutils-cve-2017-7476-out-of-bounds-with-large-tz.patch:
  Add upstream patch to fix an heap overflow security issue
  in date(1) and touch(1) with a large TZ variable
  (CVE-2017-7476, rh#1444774, boo#1037124).
 -------------------------------------------------------------------
 Fri Mar 10 09:42:51 UTC 2017 - mail@bernhard-voelker.de
--- a/coreutils.spec
+++ b/coreutils.spec
@ -133,6 +133,12 @@ Patch501:       coreutils-test_without_valgrind.patch
 # Avoid a FP of tests/misc/date-debug.sh with newer timezone-2017a.
 Patch700:       coreutils-tests-port-to-timezone-2017a.patch
 # Upstream fix on top of coreutils-v8.27:
 # Add upstream patch to fix an heap overflow security issue
 # in date(1) and touch(1) with a large TZ variable
 # (CVE-2017-7476, rh#1444774, boo#1037124).
 Patch710:       coreutils-cve-2017-7476-out-of-bounds-with-large-tz.patch
 # ================================================
 %description
 These are the GNU core utilities.  This package is the union of
@ -176,6 +182,7 @@ the GNU fileutils, sh-utils, and textutils packages.
 %patch501
 %patch700
 %patch710
 #???## We need to statically link to gmp, otherwise we have a build loop
 #???#sed -i s,'$(LIB_GMP)',%%{_libdir}/libgmp.a,g Makefile.in