Accepting request 568213 from home:Andreas_Schwab:Factory

- getcwd-absolute.patch: make getcwd(3) fail if it cannot obtain an
  absolute path (CVE-2018-1000001, bsc#1074293, BZ #22679)

- dl-init-paths-overflow.patch: Count components of the expanded path in
  _dl_init_path (CVE-2017-1000408, CVE-2017-1000409, bsc#1071319, BZ
  #22607, BZ #22627)
- fillin-rpath-empty-tokens.patch: Check for empty tokens before dynamic
  string token expansion (CVE-2017-16997, bsc#1073231, BZ #22625)

OBS-URL: https://build.opensuse.org/request/show/568213
OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=488

dl-init-paths-overflow.patch

@@ -0,0 +1,90 @@
+2017-12-18  Dmitry V. Levin  <ldv@altlinux.org>
+
+	[BZ #22627]
+	* elf/dl-load.c (_dl_init_paths): Remove _dl_dst_substitute preparatory
+	code and invocation.
+
+2017-12-14  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #22607]
+	CVE-2017-1000409
+	* elf/dl-load.c (_dl_init_paths): Compute number of components in
+	the expanded path string.
+
+2017-12-14  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #22606]
+	CVE-2017-1000408
+	* elf/dl-load.c (system_dirs): Update comment.
+	(_dl_init_paths): Use nsystem_dirs_len to compute the array size.
+
+Index: glibc-2.26/elf/dl-load.c
+===================================================================
+--- glibc-2.26.orig/elf/dl-load.c
++++ glibc-2.26/elf/dl-load.c
+@@ -103,7 +103,9 @@ static size_t ncapstr attribute_relro;
+ static size_t max_capstrlen attribute_relro;
+ 
+ 
+-/* Get the generated information about the trusted directories.  */
++/* Get the generated information about the trusted directories.  Use
++   an array of concatenated strings to avoid relocations.  See
++   gen-trusted-dirs.awk.  */
+ #include "trusted-dirs.h"
+ 
+ static const char system_dirs[] = SYSTEM_DIRS;
+@@ -688,9 +690,8 @@ _dl_init_paths (const char *llp)
+ 		 + ncapstr * sizeof (enum r_dir_status))
+ 		/ sizeof (struct r_search_path_elem));
+ 
+-  rtld_search_dirs.dirs[0] = (struct r_search_path_elem *)
+-    malloc ((sizeof (system_dirs) / sizeof (system_dirs[0]))
+-	    * round_size * sizeof (struct r_search_path_elem));
++  rtld_search_dirs.dirs[0] = malloc (nsystem_dirs_len * round_size
++				     * sizeof (*rtld_search_dirs.dirs[0]));
+   if (rtld_search_dirs.dirs[0] == NULL)
+     {
+       errstring = N_("cannot create cache for search path");
+@@ -776,37 +777,14 @@ _dl_init_paths (const char *llp)
+ 
+   if (llp != NULL && *llp != '\0')
+     {
+-      size_t nllp;
+-      const char *cp = llp;
+-      char *llp_tmp;
+-
+-#ifdef SHARED
+-      /* Expand DSTs.  */
+-      size_t cnt = DL_DST_COUNT (llp, 1);
+-      if (__glibc_likely (cnt == 0))
+-	llp_tmp = strdupa (llp);
+-      else
+-	{
+-	  /* Determine the length of the substituted string.  */
+-	  size_t total = DL_DST_REQUIRED (l, llp, strlen (llp), cnt);
+-
+-	  /* Allocate the necessary memory.  */
+-	  llp_tmp = (char *) alloca (total + 1);
+-	  llp_tmp = _dl_dst_substitute (l, llp, llp_tmp, 1);
+-	}
+-#else
+-      llp_tmp = strdupa (llp);
+-#endif
++      char *llp_tmp = strdupa (llp);
+ 
+       /* Decompose the LD_LIBRARY_PATH contents.  First determine how many
+ 	 elements it has.  */
+-      nllp = 1;
+-      while (*cp)
+-	{
+-	  if (*cp == ':' || *cp == ';')
+-	    ++nllp;
+-	  ++cp;
+-	}
++      size_t nllp = 1;
++      for (const char *cp = llp_tmp; *cp != '\0'; ++cp)
++	if (*cp == ':' || *cp == ';')
++	  ++nllp;
+ 
+       env_path_list.dirs = (struct r_search_path_elem **)
+ 	malloc ((nllp + 1) * sizeof (struct r_search_path_elem *));

fillin-rpath-empty-tokens.patch

@@ -0,0 +1,88 @@
+2017-12-30  Aurelien Jarno  <aurelien@aurel32.net>
+	    Dmitry V. Levin  <ldv@altlinux.org>
+
+	[BZ #22625]
+	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
+	string token expansion. Check for NULL pointer or empty string possibly
+	returned by expand_dynamic_string_token.
+	(decompose_rpath): Check for empty path after dynamic string
+	token expansion.
+
+Index: glibc-2.26/elf/dl-load.c
+===================================================================
+--- glibc-2.26.orig/elf/dl-load.c
++++ glibc-2.26/elf/dl-load.c
+@@ -435,32 +435,41 @@ fillin_rpath (char *rpath, struct r_sear
+ {
+   char *cp;
+   size_t nelems = 0;
+-  char *to_free;
+ 
+   while ((cp = __strsep (&rpath, sep)) != NULL)
+     {
+       struct r_search_path_elem *dirp;
++      char *to_free = NULL;
++      size_t len = 0;
+ 
+-      to_free = cp = expand_dynamic_string_token (l, cp, 1);
++      /* `strsep' can pass an empty string.  */
++      if (*cp != '\0')
++	{
++	  to_free = cp = expand_dynamic_string_token (l, cp, 1);
+ 
+-      size_t len = strlen (cp);
++	  /* expand_dynamic_string_token can return NULL in case of empty
++	     path or memory allocation failure.  */
++	  if (cp == NULL)
++	    continue;
++
++	  /* Compute the length after dynamic string token expansion and
++	     ignore empty paths.  */
++	  len = strlen (cp);
++	  if (len == 0)
++	    {
++	      free (to_free);
++	      continue;
++	    }
+ 
+-      /* `strsep' can pass an empty string.  This has to be
+-	 interpreted as `use the current directory'. */
+-      if (len == 0)
+-	{
+-	  static const char curwd[] = "./";
+-	  cp = (char *) curwd;
++	  /* Remove trailing slashes (except for "/").  */
++	  while (len > 1 && cp[len - 1] == '/')
++	    --len;
++
++	  /* Now add one if there is none so far.  */
++	  if (len > 0 && cp[len - 1] != '/')
++	    cp[len++] = '/';
+ 	}
+ 
+-      /* Remove trailing slashes (except for "/").  */
+-      while (len > 1 && cp[len - 1] == '/')
+-	--len;
+-
+-      /* Now add one if there is none so far.  */
+-      if (len > 0 && cp[len - 1] != '/')
+-	cp[len++] = '/';
+-
+       /* Make sure we don't use untrusted directories if we run SUID.  */
+       if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))
+ 	{
+@@ -623,6 +632,14 @@ decompose_rpath (struct r_search_path_st
+      necessary.  */
+   free (copy);
+ 
++  /* There is no path after expansion.  */
++  if (result[0] == NULL)
++    {
++      free (result);
++      sps->dirs = (struct r_search_path_elem **) -1;
++      return false;
++    }
++
+   sps->dirs = result;
+   /* The caller will change this value if we haven't used a real malloc.  */
+   sps->malloced = 1;

getcwd-absolute.patch

@@ -0,0 +1,34 @@
+2018-01-12  Dmitry V. Levin  <ldv@altlinux.org>
+
+	[BZ #22679]
+	CVE-2018-1000001
+	* sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to
+	generic_getcwd if the path returned by getcwd syscall is not absolute.
+
+Index: glibc-2.26/sysdeps/unix/sysv/linux/getcwd.c
+===================================================================
+--- glibc-2.26.orig/sysdeps/unix/sysv/linux/getcwd.c
++++ glibc-2.26/sysdeps/unix/sysv/linux/getcwd.c
+@@ -76,7 +76,7 @@ __getcwd (char *buf, size_t size)
+   int retval;
+ 
+   retval = INLINE_SYSCALL (getcwd, 2, path, alloc_size);
+-  if (retval >= 0)
++  if (retval > 0 && path[0] == '/')
+     {
+ #ifndef NO_ALLOCATION
+       if (buf == NULL && size == 0)
+@@ -92,10 +92,10 @@ __getcwd (char *buf, size_t size)
+       return buf;
+     }
+ 
+-  /* The system call cannot handle paths longer than a page.
+-     Neither can the magic symlink in /proc/self.  Just use the
++  /* The system call either cannot handle paths longer than a page
++     or can succeed without returning an absolute path.  Just use the
+      generic implementation right away.  */
+-  if (errno == ENAMETOOLONG)
++  if (retval >= 0 || errno == ENAMETOOLONG)
+     {
+ #ifndef NO_ALLOCATION
+       if (buf == NULL && size == 0)

glibc.changes

@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Mon Jan 22 10:32:36 UTC 2018 - schwab@suse.de
+
+- getcwd-absolute.patch: make getcwd(3) fail if it cannot obtain an
+  absolute path (CVE-2018-1000001, bsc#1074293, BZ #22679)
+
+-------------------------------------------------------------------
+Tue Jan  2 10:43:09 UTC 2018 - schwab@suse.de
+
+- dl-init-paths-overflow.patch: Count components of the expanded path in
+  _dl_init_path (CVE-2017-1000408, CVE-2017-1000409, bsc#1071319, BZ
+  #22607, BZ #22627)
+- fillin-rpath-empty-tokens.patch: Check for empty tokens before dynamic
+  string token expansion (CVE-2017-16997, bsc#1073231, BZ #22625)
+
 -------------------------------------------------------------------
 Wed Dec 13 15:04:54 UTC 2017 - schwab@suse.de
 

glibc.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package glibc
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -326,6 +326,12 @@ Patch1024:      tst-tlsopt-powerpc.patch
 Patch1025:      powerpc-hwcap-bits.patch
 # PATCH-FIX-UPSTREAM Fix integer overflow in malloc when tcache is enabled (CVE-2017-17426, BZ #22375)
 Patch1026:      malloc-tcache-check-overflow.patch
+# PATCH-FIX-UPSTREAM Count components of the expanded path in _dl_init_path (CVE-2017-1000408, CVE-2017-1000409, bsc#1071319, BZ #22607, BZ #22627)
+Patch1027:      dl-init-paths-overflow.patch
+# PATCH-FIX-UPSTREAM Check for empty tokens before dynamic string token expansion (CVE-2017-16997, bsc#1073231, BZ #22625)
+Patch1028:      fillin-rpath-empty-tokens.patch
+# PATCH-FIX-UPSTREAM make getcwd(3) fail if it cannot obtain an absolute path (CVE-2018-1000001, BZ #22679)
+Patch1029:      getcwd-absolute.patch
 
 ### 
 # Patches awaiting upstream approval
@@ -574,6 +580,9 @@ rm nscd/s-stamp
 %patch1024 -p1
 %patch1025 -p1
 %patch1026 -p1
+%patch1027 -p1
+%patch1028 -p1
+%patch1029 -p1
 
 %patch2000 -p1
 %patch2001 -p1