forked from pool/glibc
Accepting request 568213 from home:Andreas_Schwab:Factory
- getcwd-absolute.patch: make getcwd(3) fail if it cannot obtain an absolute path (CVE-2018-1000001, bsc#1074293, BZ #22679) - dl-init-paths-overflow.patch: Count components of the expanded path in _dl_init_path (CVE-2017-1000408, CVE-2017-1000409, bsc#1071319, BZ #22607, BZ #22627) - fillin-rpath-empty-tokens.patch: Check for empty tokens before dynamic string token expansion (CVE-2017-16997, bsc#1073231, BZ #22625) OBS-URL: https://build.opensuse.org/request/show/568213 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=488
parent
3d1d35fa2b
commit
dc304305df
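--- a/dl-init-paths-overflow.patch
+++ b/dl-init-paths-overflow.patch
@@ -0,0 +1,90 @@
+2017-12-18 Dmitry V. Levin <ldv@altlinux.org>
+
+[BZ #22627]
+* elf/dl-load.c (_dl_init_paths): Remove _dl_dst_substitute preparatory
+code and invocation.
+
+2017-12-14 Florian Weimer <fweimer@redhat.com>
+
+[BZ #22607]
+CVE-2017-1000409
+* elf/dl-load.c (_dl_init_paths): Compute number of components in
+the expanded path string.
+
+2017-12-14 Florian Weimer <fweimer@redhat.com>
+
+[BZ #22606]
+CVE-2017-1000408
+* elf/dl-load.c (system_dirs): Update comment.
+(_dl_init_paths): Use nsystem_dirs_len to compute the array size.
+
+Index: glibc-2.26/elf/dl-load.c
+===================================================================
+--- glibc-2.26.orig/elf/dl-load.c
++++ glibc-2.26/elf/dl-load.c
+@@ -103,7 +103,9 @@ static size_t ncapstr attribute_relro;
+static size_t max_capstrlen attribute_relro;
+
+
+-/* Get the generated information about the trusted directories. */
++/* Get the generated information about the trusted directories. Use
++ an array of concatenated strings to avoid relocations. See
++ gen-trusted-dirs.awk. */
+#include "trusted-dirs.h"
+
+static const char system_dirs[] = SYSTEM_DIRS;
+@@ -688,9 +690,8 @@ _dl_init_paths (const char *llp)
++ ncapstr * sizeof (enum r_dir_status))
+/ sizeof (struct r_search_path_elem));
+
+- rtld_search_dirs.dirs[0] = (struct r_search_path_elem *)
+- malloc ((sizeof (system_dirs) / sizeof (system_dirs[0]))
+- * round_size * sizeof (struct r_search_path_elem));
++ rtld_search_dirs.dirs[0] = malloc (nsystem_dirs_len * round_size
++ * sizeof (*rtld_search_dirs.dirs[0]));
+if (rtld_search_dirs.dirs[0] == NULL)
+{
+errstring = N_("cannot create cache for search path");
+@@ -776,37 +777,14 @@ _dl_init_paths (const char *llp)
+
+if (llp != NULL && *llp != '\0')
+{
+- size_t nllp;
+- const char *cp = llp;
+- char *llp_tmp;
+-
+-#ifdef SHARED
+- /* Expand DSTs. */
+- size_t cnt = DL_DST_COUNT (llp, 1);
+- if (__glibc_likely (cnt == 0))
+- llp_tmp = strdupa (llp);
+- else
+- {
+- /* Determine the length of the substituted string. */
+- size_t total = DL_DST_REQUIRED (l, llp, strlen (llp), cnt);
+-
+- /* Allocate the necessary memory. */
+- llp_tmp = (char *) alloca (total + 1);
+- llp_tmp = _dl_dst_substitute (l, llp, llp_tmp, 1);
+- }
+-#else
+- llp_tmp = strdupa (llp);
+-#endif
++ char *llp_tmp = strdupa (llp);
+
+/* Decompose the LD_LIBRARY_PATH contents. First determine how many
+elements it has. */
+- nllp = 1;
+- while (*cp)
+- {
+- if (*cp == ':' || *cp == ';')
+- ++nllp;
+- ++cp;
+- }
++ size_t nllp = 1;
++ for (const char *cp = llp_tmp; *cp != '\0'; ++cp)
++ if (*cp == ':' || *cp == ';')
++ ++nllp;
+
+env_path_list.dirs = (struct r_search_path_elem **)
+malloc ((nllp + 1) * sizeof (struct r_search_path_elem *));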
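Review bot: The new `char *llp_tmp = strdupa (llp);` in the third hunk still makes a stack copy whose size is set by the LD_LIBRARY_PATH string, and nothing in the visible lines bounds that length. Dropping the `_dl_dst_substitute` branch removes the second `alloca`, but the remaining copy deserves either a length check before it or a comment stating where the bound is enforced, for example `/* llp is length-limited by the caller; see <caller>.  */` with the real location filled in. It would also help to say next to the count loop why DSTs are no longer expanded here, e.g. `/* Count separators in the unexpanded string; DSTs are expanded per component later.  */`, assuming that is what the later per-component code does. `_dl_init_paths` starts and ends outside these hunks, so whether the caller already filters `llp` for privileged processes cannot be confirmed from this patch.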
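--- a/fillin-rpath-empty-tokens.patch
+++ b/fillin-rpath-empty-tokens.patch
@@ -0,0 +1,88 @@
+2017-12-30 Aurelien Jarno <aurelien@aurel32.net>
+Dmitry V. Levin <ldv@altlinux.org>
+
+[BZ #22625]
+* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
+string token expansion. Check for NULL pointer or empty string possibly
+returned by expand_dynamic_string_token.
+(decompose_rpath): Check for empty path after dynamic string
+token expansion.
+
+Index: glibc-2.26/elf/dl-load.c
+===================================================================
+--- glibc-2.26.orig/elf/dl-load.c
++++ glibc-2.26/elf/dl-load.c
+@@ -435,32 +435,41 @@ fillin_rpath (char *rpath, struct r_sear
+{
+char *cp;
+size_t nelems = 0;
+- char *to_free;
+
+while ((cp = __strsep (&rpath, sep)) != NULL)
+{
+struct r_search_path_elem *dirp;
++ char *to_free = NULL;
++ size_t len = 0;
+
+- to_free = cp = expand_dynamic_string_token (l, cp, 1);
++ /* `strsep' can pass an empty string. */
++ if (*cp != '\0')
++ {
++ to_free = cp = expand_dynamic_string_token (l, cp, 1);
+
+- size_t len = strlen (cp);
++ /* expand_dynamic_string_token can return NULL in case of empty
++ path or memory allocation failure. */
++ if (cp == NULL)
++ continue;
++
++ /* Compute the length after dynamic string token expansion and
++ ignore empty paths. */
++ len = strlen (cp);
++ if (len == 0)
++ {
++ free (to_free);
++ continue;
++ }
+
+- /* `strsep' can pass an empty string. This has to be
+- interpreted as `use the current directory'. */
+- if (len == 0)
+- {
+- static const char curwd[] = "./";
+- cp = (char *) curwd;
++ /* Remove trailing slashes (except for "/"). */
++ while (len > 1 && cp[len - 1] == '/')
++ --len;
++
++ /* Now add one if there is none so far. */
++ if (len > 0 && cp[len - 1] != '/')
++ cp[len++] = '/';
+}
+
+- /* Remove trailing slashes (except for "/"). */
+- while (len > 1 && cp[len - 1] == '/')
+- --len;
+-
+- /* Now add one if there is none so far. */
+- if (len > 0 && cp[len - 1] != '/')
+- cp[len++] = '/';
+-
+/* Make sure we don't use untrusted directories if we run SUID. */
+if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))
+{
+@@ -623,6 +632,14 @@ decompose_rpath (struct r_search_path_st
+necessary. */
+free (copy);
+
++ /* There is no path after expansion. */
++ if (result[0] == NULL)
++ {
++ free (result);
++ sps->dirs = (struct r_search_path_elem **) -1;
++ return false;
++ }
++
+sps->dirs = result;
+/* The caller will change this value if we haven't used a real malloc. */
+sps->malloced = 1;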
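Review bot: The comment kept above `if (*cp != '\0')` in `fillin_rpath` no longer says what an empty token means, although an empty token still bypasses the new block and reaches `is_trusted_path (cp, len)` with `len == 0`. The removed text tied the empty string to the current directory, so the new code should state which of the two cases keeps that meaning, for example `/* An empty token from strsep is passed on with len == 0; a token that expands to nothing is skipped.  */`, adjusted if the code after the hunk treats `len == 0` differently. In `decompose_rpath`, `(struct r_search_path_elem **) -1` is an unexplained sentinel and deserves a short comment naming how callers interpret it. Both functions begin and end outside the hunks shown.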
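--- a/getcwd-absolute.patch
+++ b/getcwd-absolute.patch
@@ -0,0 +1,34 @@
+2018-01-12 Dmitry V. Levin <ldv@altlinux.org>
+
+[BZ #22679]
+CVE-2018-1000001
+* sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to
+generic_getcwd if the path returned by getcwd syscall is not absolute.
+
+Index: glibc-2.26/sysdeps/unix/sysv/linux/getcwd.c
+===================================================================
+--- glibc-2.26.orig/sysdeps/unix/sysv/linux/getcwd.c
++++ glibc-2.26/sysdeps/unix/sysv/linux/getcwd.c
+@@ -76,7 +76,7 @@ __getcwd (char *buf, size_t size)
+int retval;
+
+retval = INLINE_SYSCALL (getcwd, 2, path, alloc_size);
+- if (retval >= 0)
++ if (retval > 0 && path[0] == '/')
+{
+#ifndef NO_ALLOCATION
+if (buf == NULL && size == 0)
+@@ -92,10 +92,10 @@ __getcwd (char *buf, size_t size)
+return buf;
+}
+
+- /* The system call cannot handle paths longer than a page.
+- Neither can the magic symlink in /proc/self. Just use the
++ /* The system call either cannot handle paths longer than a page
++ or can succeed without returning an absolute path. Just use the
+generic implementation right away. */
+- if (errno == ENAMETOOLONG)
++ if (retval >= 0 || errno == ENAMETOOLONG)
+{
+#ifndef NO_ALLOCATION
+if (buf == NULL && size == 0)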
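Review bot: The second condition, `if (retval >= 0 || errno == ENAMETOOLONG)`, is only correct because the first branch returns early, and that dependency is not stated anywhere in the hunk. When the syscall succeeds with a path that does not start with '/', `errno` is stale and only the `retval >= 0` arm sends control to the generic implementation; a comment such as `/* retval >= 0 here means the kernel returned a non-absolute path; errno is not meaningful in that case.  */` would make that explicit. The package changelog says getcwd(3) should fail in this case, while the visible code only falls back to the generic implementation, so the final result depends on code outside these hunks and is worth covering with a regression test. `__getcwd` begins and ends outside the hunks shown.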
@ -1,3 +1,18 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Jan 22 10:32:36 UTC 2018 - schwab@suse.de
|
||||||
|
|
||||||
|
- getcwd-absolute.patch: make getcwd(3) fail if it cannot obtain an
|
||||||
|
absolute path (CVE-2018-1000001, bsc#1074293, BZ #22679)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Jan 2 10:43:09 UTC 2018 - schwab@suse.de
|
||||||
|
|
||||||
|
- dl-init-paths-overflow.patch: Count components of the expanded path in
|
||||||
|
_dl_init_path (CVE-2017-1000408, CVE-2017-1000409, bsc#1071319, BZ
|
||||||
|
#22607, BZ #22627)
|
||||||
|
- fillin-rpath-empty-tokens.patch: Check for empty tokens before dynamic
|
||||||
|
string token expansion (CVE-2017-16997, bsc#1073231, BZ #22625)
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Dec 13 15:04:54 UTC 2017 - schwab@suse.de
|
Wed Dec 13 15:04:54 UTC 2017 - schwab@suse.de
|
||||||
|
|
||||||
|
11
glibc.spec
11
glibc.spec
@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package glibc
|
# spec file for package glibc
|
||||||
#
|
#
|
||||||
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
|
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@ -326,6 +326,12 @@ Patch1024: tst-tlsopt-powerpc.patch
|
|||||||
Patch1025: powerpc-hwcap-bits.patch
|
Patch1025: powerpc-hwcap-bits.patch
|
||||||
# PATCH-FIX-UPSTREAM Fix integer overflow in malloc when tcache is enabled (CVE-2017-17426, BZ #22375)
|
# PATCH-FIX-UPSTREAM Fix integer overflow in malloc when tcache is enabled (CVE-2017-17426, BZ #22375)
|
||||||
Patch1026: malloc-tcache-check-overflow.patch
|
Patch1026: malloc-tcache-check-overflow.patch
|
||||||
|
# PATCH-FIX-UPSTREAM Count components of the expanded path in _dl_init_path (CVE-2017-1000408, CVE-2017-1000409, bsc#1071319, BZ #22607, BZ #22627)
|
||||||
|
Patch1027: dl-init-paths-overflow.patch
|
||||||
|
# PATCH-FIX-UPSTREAM Check for empty tokens before dynamic string token expansion (CVE-2017-16997, bsc#1073231, BZ #22625)
|
||||||
|
Patch1028: fillin-rpath-empty-tokens.patch
|
||||||
|
# PATCH-FIX-UPSTREAM make getcwd(3) fail if it cannot obtain an absolute path (CVE-2018-1000001, BZ #22679)
|
||||||
|
Patch1029: getcwd-absolute.patch
|
||||||
|
|
||||||
###
|
###
|
||||||
# Patches awaiting upstream approval
|
# Patches awaiting upstream approval
|
||||||
@ -574,6 +580,9 @@ rm nscd/s-stamp
|
|||||||
%patch1024 -p1
|
%patch1024 -p1
|
||||||
%patch1025 -p1
|
%patch1025 -p1
|
||||||
%patch1026 -p1
|
%patch1026 -p1
|
||||||
|
%patch1027 -p1
|
||||||
|
%patch1028 -p1
|
||||||
|
%patch1029 -p1
|
||||||
|
|
||||||
%patch2000 -p1
|
%patch2000 -p1
|
||||||
%patch2001 -p1
|
%patch2001 -p1
|
||||||
|
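Review bot: The `PATCH-FIX-UPSTREAM` comment for `Patch1029` omits the `bsc#1074293` reference that the changelog entry for the same patch carries, while the comments for `Patch1027` and `Patch1028` include their bsc numbers. Adding it keeps the security fix traceable from the spec file to the distribution bug: `# PATCH-FIX-UPSTREAM make getcwd(3) fail if it cannot obtain an absolute path (CVE-2018-1000001, bsc#1074293, BZ #22679)`.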