Accepting request 755339 from Base:System

- prefer-map-32bit-exec.patch: rtld: Check __libc_enable_secure before
  honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126, bsc#1157292, BZ
  #25204) (forwarded request 755338 from Andreas_Schwab)

OBS-URL: https://build.opensuse.org/request/show/755339
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/glibc?expand=0&rev=233

euc-kr-overrun.patch

@@ -0,0 +1,133 @@
+Fix buffer overrun in EUC-KR conversion module (bug 24973)
+
+The byte 0xfe as input to the EUC-KR conversion denotes a user-defined
+area and is not allowed.  The from_euc_kr function used to skip two bytes
+when told to skip over the unknown designation, potentially running over
+the buffer end.
+
+	[BZ #24973]
+	* iconvdata/ksc5601.h (ksc5601_to_ucs4): Check for available bytes
+	first.
+	* iconvdata/euc-kr.c (BODY for FROM_LOOP): Don't check for unknown
+	two-byte codes here.
+	* iconvdata/Makefile (tests): Add bug-iconv13.
+	* iconvdata/bug-iconv13.c: New file.
+---
+ iconvdata/Makefile      |  2 +-
+ iconvdata/bug-iconv13.c | 53 +++++++++++++++++++++++++++++++++++++++++
+ iconvdata/euc-kr.c      |  6 +----
+ iconvdata/ksc5601.h     |  6 ++---
+ 4 files changed, 58 insertions(+), 9 deletions(-)
+ create mode 100644 iconvdata/bug-iconv13.c
+
+Index: glibc-2.30/iconvdata/Makefile
+===================================================================
+--- glibc-2.30.orig/iconvdata/Makefile
++++ glibc-2.30/iconvdata/Makefile
+@@ -73,7 +73,7 @@ modules.so := $(addsuffix .so, $(modules
+ ifeq (yes,$(build-shared))
+ tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \
+ 	tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \
+-	bug-iconv10 bug-iconv11 bug-iconv12
++	bug-iconv10 bug-iconv11 bug-iconv12 bug-iconv13
+ ifeq ($(have-thread-library),yes)
+ tests += bug-iconv3
+ endif
+Index: glibc-2.30/iconvdata/bug-iconv13.c
+===================================================================
+--- /dev/null
++++ glibc-2.30/iconvdata/bug-iconv13.c
+@@ -0,0 +1,53 @@
++/* bug 24973: Test EUC-KR module
++   Copyright (C) 2019 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#include <errno.h>
++#include <iconv.h>
++#include <stdio.h>
++#include <support/check.h>
++
++static int
++do_test (void)
++{
++  iconv_t cd = iconv_open ("UTF-8//IGNORE", "EUC-KR");
++  TEST_VERIFY_EXIT (cd != (iconv_t) -1);
++
++  /* 0xfe (->0x7e : row 94) and 0xc9 (->0x49 : row 41) are user-defined
++     areas, which are not allowed and should be skipped over due to
++     //IGNORE.  The trailing 0xfe also is an incomplete sequence, which
++     should be checked first.  */
++  char input[4] = { '\xc9', '\xa1', '\0', '\xfe' };
++  char *inptr = input;
++  size_t insize = sizeof (input);
++  char output[4];
++  char *outptr = output;
++  size_t outsize = sizeof (output);
++
++  /* This used to crash due to buffer overrun.  */
++  TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == (size_t) -1);
++  TEST_VERIFY (errno == EINVAL);
++  /* The conversion should produce one character, the converted null
++     character.  */
++  TEST_VERIFY (sizeof (output) - outsize == 1);
++
++  TEST_VERIFY_EXIT (iconv_close (cd) != -1);
++
++  return 0;
++}
++
++#include <support/test-driver.c>
+Index: glibc-2.30/iconvdata/euc-kr.c
+===================================================================
+--- glibc-2.30.orig/iconvdata/euc-kr.c
++++ glibc-2.30/iconvdata/euc-kr.c
+@@ -80,11 +80,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned c
+ 									      \
+     if (ch <= 0x9f)							      \
+       ++inptr;								      \
+-    /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are		      \
+-       user-defined areas.  */						      \
+-    else if (__builtin_expect (ch == 0xa0, 0)				      \
+-	     || __builtin_expect (ch > 0xfe, 0)				      \
+-	     || __builtin_expect (ch == 0xc9, 0))			      \
++    else if (__glibc_unlikely (ch == 0xa0))				      \
+       {									      \
+ 	/* This is illegal.  */						      \
+ 	STANDARD_FROM_LOOP_ERR_HANDLER (1);				      \
+Index: glibc-2.30/iconvdata/ksc5601.h
+===================================================================
+--- glibc-2.30.orig/iconvdata/ksc5601.h
++++ glibc-2.30/iconvdata/ksc5601.h
+@@ -50,15 +50,15 @@ ksc5601_to_ucs4 (const unsigned char **s
+   unsigned char ch2;
+   int idx;
+ 
++  if (avail < 2)
++    return 0;
++
+   /* row 94(0x7e) and row 41(0x49) are user-defined area in KS C 5601 */
+ 
+   if (ch < offset || (ch - offset) <= 0x20 || (ch - offset) >= 0x7e
+       || (ch - offset) == 0x49)
+     return __UNKNOWN_10646_CHAR;
+ 
+-  if (avail < 2)
+-    return 0;
+-
+   ch2 = (*s)[1];
+   if (ch2 < offset || (ch2 - offset) <= 0x20 || (ch2 - offset) >= 0x7f)
+     return __UNKNOWN_10646_CHAR;

glibc.changes

@@ -1,3 +1,28 @@
+-------------------------------------------------------------------
+Mon Dec  9 13:21:34 UTC 2019 - Andreas Schwab <schwab@suse.de>
+
+- prefer-map-32bit-exec.patch: rtld: Check __libc_enable_secure before
+  honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126, bsc#1157292, BZ
+  #25204)
+
+-------------------------------------------------------------------
+Tue Nov 26 11:34:45 CET 2019 - kukuk@suse.de
+
+- nsswitch.conf: add usrfiles for services, protocols, rpc, ethers
+  and aliases for /usr/etc move
+
+-------------------------------------------------------------------
+Mon Oct 14 13:36:30 UTC 2019 - Andreas Schwab <schwab@suse.de>
+
+- euc-kr-overrun.patch: Fix buffer overrun in EUC-KR conversion module
+  (BZ #24973)
+
+-------------------------------------------------------------------
+Thu Oct 10 14:39:24 UTC 2019 - Andreas Schwab <schwab@suse.de>
+
+- ldconfig-dynstr.patch: ldconfig: handle .dynstr located in separate
+  segment (bsc#1153149, BZ #25087)
+
 -------------------------------------------------------------------
 Mon Sep 23 14:00:09 UTC 2019 - Andreas Schwab <schwab@suse.de>
 

glibc.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package glibc
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -157,7 +157,7 @@ Release:        0
 %define git_id %(echo %version | sed 's/.*\.g//')
 %define libversion %(echo %version | sed 's/\.[^.]*\.g.*//')
 %endif
-Url:            http://www.gnu.org/software/libc/libc.html
+URL:            http://www.gnu.org/software/libc/libc.html
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %if !%{build_snapshot}
 Source:         http://ftp.gnu.org/pub/gnu/glibc/glibc-%{version}.tar.xz
@@ -248,8 +248,6 @@ Patch104:       glibc-c-utf8-locale.patch
 # PATCH-FIX-OPENSUSE -- Disable gettext for C.UTF-8 locale
 Patch105:       glibc-disable-gettext-for-c-utf8.patch
 
-### Broken patches in glibc that we revert for now:
-
 ### Network related patches
 # PATCH-FIX-OPENSUSE Warn about usage of mdns in resolv.conv
 Patch304:       glibc-resolv-mdnshint.diff
@@ -263,6 +261,8 @@ Patch306:       glibc-fix-double-loopback.diff
 Patch1000:      malloc-info-whitespace.patch
 # PATCH-FIX-UPSTREAM Fix RISC-V vfork build with Linux 5.3 kernel headers
 Patch1001:      riscv-vfork.patch
+# PATCH-FIX-UPSTREAM rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126, BZ #25204)
+Patch1002:      prefer-map-32bit-exec.patch
 
 ### 
 # Patches awaiting upstream approval
@@ -271,6 +271,10 @@ Patch1001:      riscv-vfork.patch
 Patch2000:      fix-locking-in-_IO_cleanup.patch
 # PATCH-FIX-UPSTREAM Avoid concurrency problem in ldconfig (BZ #23973)
 Patch2001:      ldconfig-concurrency.patch
+# PATCH-FIX-UPSTREAM ldconfig: handle .dynstr located in separate segment (BZ #25087)
+Patch2002:      ldconfig-dynstr.patch
+# PATCH-FIX-UPSTREAM Fix buffer overrun in EUC-KR conversion module (BZ #24973)
+Patch2003:      euc-kr-overrun.patch
 
 # Non-glibc patches
 # PATCH-FIX-OPENSUSE Remove debianisms from manpages
@@ -470,9 +474,12 @@ makedb: A program to create a database for nss
 
 %patch1000 -p1
 %patch1001 -p1
+%patch1002 -p1
 
 %patch2000 -p1
 %patch2001 -p1
+%patch2002 -p1
+%patch2003 -p1
 
 %patch3000
 

ldconfig-dynstr.patch

@@ -0,0 +1,86 @@
+ldconfig: handle .dynstr located in separate segment (bug 25087)
+
+To determine the load offset of the DT_STRTAB section search for the
+segment containing it, instead of using the load offset of the first
+segment.
+
+	[BZ #25087]
+	* elf/readelflib.c (process_elf_file): Use containing segment for
+	DT_STRTAB load offset.
+---
+ elf/readelflib.c | 34 +++++++++++++++++++++-------------
+ 1 file changed, 21 insertions(+), 13 deletions(-)
+
+Index: glibc-2.30/elf/readelflib.c
+===================================================================
+--- glibc-2.30.orig/elf/readelflib.c
++++ glibc-2.30/elf/readelflib.c
+@@ -45,7 +45,6 @@ process_elf_file (const char *file_name,
+ {
+   int i;
+   unsigned int j;
+-  ElfW(Addr) loadaddr;
+   unsigned int dynamic_addr;
+   size_t dynamic_size;
+   char *program_interpreter;
+@@ -87,7 +86,6 @@ process_elf_file (const char *file_name,
+      libc5/libc6.  */
+   *flag = FLAG_ELF;
+ 
+-  loadaddr = -1;
+   dynamic_addr = 0;
+   dynamic_size = 0;
+   program_interpreter = NULL;
+@@ -98,11 +96,6 @@ process_elf_file (const char *file_name,
+ 
+       switch (segment->p_type)
+ 	{
+-	case PT_LOAD:
+-	  if (loadaddr == (ElfW(Addr)) -1)
+-	    loadaddr = segment->p_vaddr - segment->p_offset;
+-	  break;
+-
+ 	case PT_DYNAMIC:
+ 	  if (dynamic_addr)
+ 	    error (0, 0, _("more than one dynamic segment\n"));
+@@ -176,11 +169,6 @@ process_elf_file (const char *file_name,
+ 	}
+ 
+     }
+-  if (loadaddr == (ElfW(Addr)) -1)
+-    {
+-      /* Very strange. */
+-      loadaddr = 0;
+-    }
+ 
+   /* Now we can read the dynamic sections.  */
+   if (dynamic_size == 0)
+@@ -197,7 +185,27 @@ process_elf_file (const char *file_name,
+       check_ptr (dyn_entry);
+       if (dyn_entry->d_tag == DT_STRTAB)
+ 	{
+-	  dynamic_strings = (char *) (file_contents + dyn_entry->d_un.d_val - loadaddr);
++	  /* Find the file offset of the segment containing the dynamic
++	     string table.  */
++	  ElfW(Off) loadoff = -1;
++	  for (i = 0, segment = elf_pheader;
++	       i < elf_header->e_phnum; i++, segment++)
++	    {
++	      if (segment->p_type == PT_LOAD
++		  && dyn_entry->d_un.d_val >= segment->p_vaddr
++		  && dyn_entry->d_un.d_val < segment->p_vaddr + segment->p_filesz)
++		{
++		  loadoff = segment->p_vaddr - segment->p_offset;
++		  break;
++		}
++	    }
++	  if (loadoff == (ElfW(Off)) -1)
++	    {
++	      /* Very strange. */
++	      loadoff = 0;
++	    }
++
++	  dynamic_strings = (char *) (file_contents + dyn_entry->d_un.d_val - loadoff);
+ 	  check_ptr (dynamic_strings);
+ 	  break;
+ 	}

nsswitch.conf

@@ -29,14 +29,14 @@ shadow: compat
 hosts:  	files dns
 networks:	files dns
 
-services:	files
-protocols:	files
-rpc:		files
-ethers:		files
+services:	files usrfiles
+protocols:	files usrfiles
+rpc:		files usrfiles
+ethers:		files usrfiles
 netmasks:	files
 netgroup:	files nis
 publickey:	files
 
 bootparams:	files
 automount:	files nis
-aliases:	files
+aliases:	files usrfiles

prefer-map-32bit-exec.patch

@@ -0,0 +1,28 @@
+From d5dfad4326fc683c813df1e37bbf5cf920591c8e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marcin=20Ko=C5=9Bcielnicki?= <mwk@0x04.net>
+Date: Thu, 21 Nov 2019 00:20:15 +0100
+Subject: [PATCH] rtld: Check __libc_enable_secure before honoring
+ LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]
+
+The problem was introduced in glibc 2.23, in commit
+b9eb92ab05204df772eb4929eccd018637c9f3e9
+("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT").
+---
+ NEWS                                            | 6 +++++-
+ sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h | 3 ++-
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+Index: glibc-2.30/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
+===================================================================
+--- glibc-2.30.orig/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
++++ glibc-2.30/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
+@@ -31,7 +31,8 @@
+    environment variable, LD_PREFER_MAP_32BIT_EXEC.  */
+ #define EXTRA_LD_ENVVARS \
+   case 21:								  \
+-    if (memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0)		  \
++    if (!__libc_enable_secure						  \
++	&& memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0)		  \
+       GLRO(dl_x86_cpu_features).feature[index_arch_Prefer_MAP_32BIT_EXEC] \
+ 	|= bit_arch_Prefer_MAP_32BIT_EXEC;				  \
+     break;