forked from pool/glibc
Accepting request 568214 from Base:System
- getcwd-absolute.patch: make getcwd(3) fail if it cannot obtain an absolute path (CVE-2018-1000001, bsc#1074293, BZ #22679) - dl-init-paths-overflow.patch: Count components of the expanded path in _dl_init_path (CVE-2017-1000408, CVE-2017-1000409, bsc#1071319, BZ #22607, BZ #22627) - fillin-rpath-empty-tokens.patch: Check for empty tokens before dynamic string token expansion (CVE-2017-16997, bsc#1073231, BZ #22625) (forwarded request 568213 from Andreas_Schwab) OBS-URL: https://build.opensuse.org/request/show/568214 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/glibc?expand=0&rev=218
This commit is contained in:
commit
166761407a
90
dl-init-paths-overflow.patch
Normal file
90
dl-init-paths-overflow.patch
Normal file
@ -0,0 +1,90 @@
|
||||
2017-12-18 Dmitry V. Levin <ldv@altlinux.org>
|
||||
|
||||
[BZ #22627]
|
||||
* elf/dl-load.c (_dl_init_paths): Remove _dl_dst_substitute preparatory
|
||||
code and invocation.
|
||||
|
||||
2017-12-14 Florian Weimer <fweimer@redhat.com>
|
||||
|
||||
[BZ #22607]
|
||||
CVE-2017-1000409
|
||||
* elf/dl-load.c (_dl_init_paths): Compute number of components in
|
||||
the expanded path string.
|
||||
|
||||
2017-12-14 Florian Weimer <fweimer@redhat.com>
|
||||
|
||||
[BZ #22606]
|
||||
CVE-2017-1000408
|
||||
* elf/dl-load.c (system_dirs): Update comment.
|
||||
(_dl_init_paths): Use nsystem_dirs_len to compute the array size.
|
||||
|
||||
Index: glibc-2.26/elf/dl-load.c
|
||||
===================================================================
|
||||
--- glibc-2.26.orig/elf/dl-load.c
|
||||
+++ glibc-2.26/elf/dl-load.c
|
||||
@@ -103,7 +103,9 @@ static size_t ncapstr attribute_relro;
|
||||
static size_t max_capstrlen attribute_relro;
|
||||
|
||||
|
||||
-/* Get the generated information about the trusted directories. */
|
||||
+/* Get the generated information about the trusted directories. Use
|
||||
+ an array of concatenated strings to avoid relocations. See
|
||||
+ gen-trusted-dirs.awk. */
|
||||
#include "trusted-dirs.h"
|
||||
|
||||
static const char system_dirs[] = SYSTEM_DIRS;
|
||||
@@ -688,9 +690,8 @@ _dl_init_paths (const char *llp)
|
||||
+ ncapstr * sizeof (enum r_dir_status))
|
||||
/ sizeof (struct r_search_path_elem));
|
||||
|
||||
- rtld_search_dirs.dirs[0] = (struct r_search_path_elem *)
|
||||
- malloc ((sizeof (system_dirs) / sizeof (system_dirs[0]))
|
||||
- * round_size * sizeof (struct r_search_path_elem));
|
||||
+ rtld_search_dirs.dirs[0] = malloc (nsystem_dirs_len * round_size
|
||||
+ * sizeof (*rtld_search_dirs.dirs[0]));
|
||||
if (rtld_search_dirs.dirs[0] == NULL)
|
||||
{
|
||||
errstring = N_("cannot create cache for search path");
|
||||
@@ -776,37 +777,14 @@ _dl_init_paths (const char *llp)
|
||||
|
||||
if (llp != NULL && *llp != '\0')
|
||||
{
|
||||
- size_t nllp;
|
||||
- const char *cp = llp;
|
||||
- char *llp_tmp;
|
||||
-
|
||||
-#ifdef SHARED
|
||||
- /* Expand DSTs. */
|
||||
- size_t cnt = DL_DST_COUNT (llp, 1);
|
||||
- if (__glibc_likely (cnt == 0))
|
||||
- llp_tmp = strdupa (llp);
|
||||
- else
|
||||
- {
|
||||
- /* Determine the length of the substituted string. */
|
||||
- size_t total = DL_DST_REQUIRED (l, llp, strlen (llp), cnt);
|
||||
-
|
||||
- /* Allocate the necessary memory. */
|
||||
- llp_tmp = (char *) alloca (total + 1);
|
||||
- llp_tmp = _dl_dst_substitute (l, llp, llp_tmp, 1);
|
||||
- }
|
||||
-#else
|
||||
- llp_tmp = strdupa (llp);
|
||||
-#endif
|
||||
+ char *llp_tmp = strdupa (llp);
|
||||
|
||||
/* Decompose the LD_LIBRARY_PATH contents. First determine how many
|
||||
elements it has. */
|
||||
- nllp = 1;
|
||||
- while (*cp)
|
||||
- {
|
||||
- if (*cp == ':' || *cp == ';')
|
||||
- ++nllp;
|
||||
- ++cp;
|
||||
- }
|
||||
+ size_t nllp = 1;
|
||||
+ for (const char *cp = llp_tmp; *cp != '\0'; ++cp)
|
||||
+ if (*cp == ':' || *cp == ';')
|
||||
+ ++nllp;
|
||||
|
||||
env_path_list.dirs = (struct r_search_path_elem **)
|
||||
malloc ((nllp + 1) * sizeof (struct r_search_path_elem *));
|
88
fillin-rpath-empty-tokens.patch
Normal file
88
fillin-rpath-empty-tokens.patch
Normal file
@ -0,0 +1,88 @@
|
||||
2017-12-30 Aurelien Jarno <aurelien@aurel32.net>
|
||||
Dmitry V. Levin <ldv@altlinux.org>
|
||||
|
||||
[BZ #22625]
|
||||
* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
|
||||
string token expansion. Check for NULL pointer or empty string possibly
|
||||
returned by expand_dynamic_string_token.
|
||||
(decompose_rpath): Check for empty path after dynamic string
|
||||
token expansion.
|
||||
|
||||
Index: glibc-2.26/elf/dl-load.c
|
||||
===================================================================
|
||||
--- glibc-2.26.orig/elf/dl-load.c
|
||||
+++ glibc-2.26/elf/dl-load.c
|
||||
@@ -435,32 +435,41 @@ fillin_rpath (char *rpath, struct r_sear
|
||||
{
|
||||
char *cp;
|
||||
size_t nelems = 0;
|
||||
- char *to_free;
|
||||
|
||||
while ((cp = __strsep (&rpath, sep)) != NULL)
|
||||
{
|
||||
struct r_search_path_elem *dirp;
|
||||
+ char *to_free = NULL;
|
||||
+ size_t len = 0;
|
||||
|
||||
- to_free = cp = expand_dynamic_string_token (l, cp, 1);
|
||||
+ /* `strsep' can pass an empty string. */
|
||||
+ if (*cp != '\0')
|
||||
+ {
|
||||
+ to_free = cp = expand_dynamic_string_token (l, cp, 1);
|
||||
|
||||
- size_t len = strlen (cp);
|
||||
+ /* expand_dynamic_string_token can return NULL in case of empty
|
||||
+ path or memory allocation failure. */
|
||||
+ if (cp == NULL)
|
||||
+ continue;
|
||||
+
|
||||
+ /* Compute the length after dynamic string token expansion and
|
||||
+ ignore empty paths. */
|
||||
+ len = strlen (cp);
|
||||
+ if (len == 0)
|
||||
+ {
|
||||
+ free (to_free);
|
||||
+ continue;
|
||||
+ }
|
||||
|
||||
- /* `strsep' can pass an empty string. This has to be
|
||||
- interpreted as `use the current directory'. */
|
||||
- if (len == 0)
|
||||
- {
|
||||
- static const char curwd[] = "./";
|
||||
- cp = (char *) curwd;
|
||||
+ /* Remove trailing slashes (except for "/"). */
|
||||
+ while (len > 1 && cp[len - 1] == '/')
|
||||
+ --len;
|
||||
+
|
||||
+ /* Now add one if there is none so far. */
|
||||
+ if (len > 0 && cp[len - 1] != '/')
|
||||
+ cp[len++] = '/';
|
||||
}
|
||||
|
||||
- /* Remove trailing slashes (except for "/"). */
|
||||
- while (len > 1 && cp[len - 1] == '/')
|
||||
- --len;
|
||||
-
|
||||
- /* Now add one if there is none so far. */
|
||||
- if (len > 0 && cp[len - 1] != '/')
|
||||
- cp[len++] = '/';
|
||||
-
|
||||
/* Make sure we don't use untrusted directories if we run SUID. */
|
||||
if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))
|
||||
{
|
||||
@@ -623,6 +632,14 @@ decompose_rpath (struct r_search_path_st
|
||||
necessary. */
|
||||
free (copy);
|
||||
|
||||
+ /* There is no path after expansion. */
|
||||
+ if (result[0] == NULL)
|
||||
+ {
|
||||
+ free (result);
|
||||
+ sps->dirs = (struct r_search_path_elem **) -1;
|
||||
+ return false;
|
||||
+ }
|
||||
+
|
||||
sps->dirs = result;
|
||||
/* The caller will change this value if we haven't used a real malloc. */
|
||||
sps->malloced = 1;
|
34
getcwd-absolute.patch
Normal file
34
getcwd-absolute.patch
Normal file
@ -0,0 +1,34 @@
|
||||
2018-01-12 Dmitry V. Levin <ldv@altlinux.org>
|
||||
|
||||
[BZ #22679]
|
||||
CVE-2018-1000001
|
||||
* sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to
|
||||
generic_getcwd if the path returned by getcwd syscall is not absolute.
|
||||
|
||||
Index: glibc-2.26/sysdeps/unix/sysv/linux/getcwd.c
|
||||
===================================================================
|
||||
--- glibc-2.26.orig/sysdeps/unix/sysv/linux/getcwd.c
|
||||
+++ glibc-2.26/sysdeps/unix/sysv/linux/getcwd.c
|
||||
@@ -76,7 +76,7 @@ __getcwd (char *buf, size_t size)
|
||||
int retval;
|
||||
|
||||
retval = INLINE_SYSCALL (getcwd, 2, path, alloc_size);
|
||||
- if (retval >= 0)
|
||||
+ if (retval > 0 && path[0] == '/')
|
||||
{
|
||||
#ifndef NO_ALLOCATION
|
||||
if (buf == NULL && size == 0)
|
||||
@@ -92,10 +92,10 @@ __getcwd (char *buf, size_t size)
|
||||
return buf;
|
||||
}
|
||||
|
||||
- /* The system call cannot handle paths longer than a page.
|
||||
- Neither can the magic symlink in /proc/self. Just use the
|
||||
+ /* The system call either cannot handle paths longer than a page
|
||||
+ or can succeed without returning an absolute path. Just use the
|
||||
generic implementation right away. */
|
||||
- if (errno == ENAMETOOLONG)
|
||||
+ if (retval >= 0 || errno == ENAMETOOLONG)
|
||||
{
|
||||
#ifndef NO_ALLOCATION
|
||||
if (buf == NULL && size == 0)
|
@ -1,3 +1,18 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Jan 22 10:32:36 UTC 2018 - schwab@suse.de
|
||||
|
||||
- getcwd-absolute.patch: make getcwd(3) fail if it cannot obtain an
|
||||
absolute path (CVE-2018-1000001, bsc#1074293, BZ #22679)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Jan 2 10:43:09 UTC 2018 - schwab@suse.de
|
||||
|
||||
- dl-init-paths-overflow.patch: Count components of the expanded path in
|
||||
_dl_init_path (CVE-2017-1000408, CVE-2017-1000409, bsc#1071319, BZ
|
||||
#22607, BZ #22627)
|
||||
- fillin-rpath-empty-tokens.patch: Check for empty tokens before dynamic
|
||||
string token expansion (CVE-2017-16997, bsc#1073231, BZ #22625)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Dec 13 15:04:54 UTC 2017 - schwab@suse.de
|
||||
|
||||
|
11
glibc.spec
11
glibc.spec
@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package glibc
|
||||
#
|
||||
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@ -326,6 +326,12 @@ Patch1024: tst-tlsopt-powerpc.patch
|
||||
Patch1025: powerpc-hwcap-bits.patch
|
||||
# PATCH-FIX-UPSTREAM Fix integer overflow in malloc when tcache is enabled (CVE-2017-17426, BZ #22375)
|
||||
Patch1026: malloc-tcache-check-overflow.patch
|
||||
# PATCH-FIX-UPSTREAM Count components of the expanded path in _dl_init_path (CVE-2017-1000408, CVE-2017-1000409, bsc#1071319, BZ #22607, BZ #22627)
|
||||
Patch1027: dl-init-paths-overflow.patch
|
||||
# PATCH-FIX-UPSTREAM Check for empty tokens before dynamic string token expansion (CVE-2017-16997, bsc#1073231, BZ #22625)
|
||||
Patch1028: fillin-rpath-empty-tokens.patch
|
||||
# PATCH-FIX-UPSTREAM make getcwd(3) fail if it cannot obtain an absolute path (CVE-2018-1000001, BZ #22679)
|
||||
Patch1029: getcwd-absolute.patch
|
||||
|
||||
###
|
||||
# Patches awaiting upstream approval
|
||||
@ -574,6 +580,9 @@ rm nscd/s-stamp
|
||||
%patch1024 -p1
|
||||
%patch1025 -p1
|
||||
%patch1026 -p1
|
||||
%patch1027 -p1
|
||||
%patch1028 -p1
|
||||
%patch1029 -p1
|
||||
|
||||
%patch2000 -p1
|
||||
%patch2001 -p1
|
||||
|
Loading…
Reference in New Issue
Block a user