Accepting request 79220 from home:a_jaeger:branches:openSUSE:Factory

Fix crash (access-after-free) in dl_lookup_x. [bnc#703140] OBS-URL: https://build.opensuse.org/request/show/79220 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=89
2011-08-18 11:43:18 +00:00 · 2011-08-18 11:43:18 +00:00 · 257877d3c3
commit 257877d3c3
parent f9d5ef4791
3 changed files with 28 additions and 0 deletions
--- a/glibc-fix-lookup-crash.patch
+++ b/glibc-fix-lookup-crash.patch
@ -0,0 +1,19 @@
+Index: glibc-2.11.3/elf/dl-close.c
+===================================================================
+--- glibc-2.11.3.orig/elf/dl-close.c	2011-05-27 15:08:23.000000000 +0200
+++ glibc-2.11.3/elf/dl-close.c	2011-07-13 19:28:52.000000000 +0200
+@@ -127,7 +127,13 @@ _dl_close_worker (struct link_map *map)
+ 	    {
+ 	      struct link_map **oldp = map->l_initfini;
+ 	      map->l_initfini = map->l_orig_initfini;
+-	      _dl_scope_free (oldp);
+	      /* We can't remove the l_initfini memory because
+	         it's shared with l_searchlist.r_list.  We don't clear
+		 the latter so when we dlopen this object again that
+		 entry would point to stale memory.  And we don't want
+		 to recompute it as it would involve a new call to
+		 map_object_deps.
+	      _dl_scope_free (oldp); */
+ 	    }
+ 	}
+ 
--- a/glibc.changes
+++ b/glibc.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Aug 17 18:57:00 UTC 2011 - matz@suse.de
+
+- Fix crash (access-after-free) in dl_lookup_x.  [bnc#703140]
+
 -------------------------------------------------------------------
 Wed Aug 17 18:56:03 UTC 2011 - aj@suse.de

@ -29,6 +34,7 @@ Thu Jul 21 12:37:09 UTC 2011 - rhafer@suse.de

 - Disable rewriting ::1 to 127.0.0.1 for /etc/hosts entries.
  (bnc#684534, bnc#706719)
+  (patch glibc-fix-double-loopback.diff)

 -------------------------------------------------------------------
 Wed Jul 20 15:04:33 UTC 2011 - lnussel@suse.de
--- a/glibc.spec
+++ b/glibc.spec
@ -194,6 +194,8 @@ Patch65:        glibc-fix-double-loopback.diff
 Patch66:        glibc2.14-revert-sunrpc-removal.patch
 # PATCH-FIX-OPENSUSE revert seeking on fclose for now bnc#711829 matz@suse.de 
 Patch67:        glibc-revert-fseek-on-fclose.diff
+# PATCH-FIX-OPENSUSE Fix crash (access-after-free) in dl_lookup_x bnc#703140 matz@suse.de
+Patch68:        glibc-fix-lookup-crash.patch
 # PATCH-FEATURE-OPENSUSE -- add sha support to crypt_blowfish lnussel@suse.de
 Patch80:        crypt_blowfish-1.1-sha.diff

@ -420,6 +422,7 @@ rm nscd/s-stamp
 %patch65 -p1
 %patch66 -p1
 %patch67 -p1
+%patch68 -p1

 #
 # Inconsistency detected by ld.so: dl-close.c: 719: _dl_close: Assertion `map->l_init_called' failed!