From a7948e64eaecb6867d687b4da1f4f840750d8193c4dd0d8a3ca6a6205b294641 Mon Sep 17 00:00:00 2001 From: OBS User buildservice-autocommit Date: Tue, 6 Dec 2011 17:13:10 +0000 Subject: [PATCH 1/2] Updating link to change in openSUSE:Factory/glibc revision 97.0 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=212851e0fb57cc834b6efeb640db160a --- glibc.spec | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/glibc.spec b/glibc.spec index d3b0b14..dc045e3 100644 --- a/glibc.spec +++ b/glibc.spec @@ -19,7 +19,7 @@ %define crypt_bf_version 1.2 Name: glibc -License: GPLv2+ +License: GPL-2.0+ Summary: Standard Shared Libraries (from the GNU C Library) Group: System/Libraries BuildRequires: gcc-c++ @@ -233,7 +233,7 @@ library, and the POSIX thread library. A system is not functional without these libraries. %package info -License: GPLv2+ +License: GPL-2.0+ Summary: Info Files for the GNU C Library Group: Documentation/Other Requires(post): %{install_info_prereq} @@ -246,7 +246,7 @@ info files. Due to a lack of resources, this documentation is not complete and is partially out of date. %package html -License: GPLv2+ ; LGPLv2.1+ +License: GPL-2.0+ ; LGPL-2.1+ Summary: HTML Documentation for the GNU C Library Group: Documentation/HTML BuildArch: noarch @@ -257,7 +257,7 @@ to a lack of resources, this documentation is not complete and is partially out of date. %package i18ndata -License: LGPLv2.1+ +License: LGPL-2.1+ Summary: Database Sources for 'locale' Group: System/Libraries BuildArch: noarch @@ -269,7 +269,7 @@ not necessary to install this packages, the data files are already created. %package locale -License: GPLv2+ ; LGPLv2.1+ +License: GPL-2.0+ ; LGPL-2.1+ Summary: Locale Data for Localized Programs Group: System/Libraries Requires(post): /bin/cat 
@@ -286,7 +286,7 @@ Obsoletes: glibc-locale-32bit Locale data for the internationalisation features of the GNU C library. %package -n nscd -License: LGPLv2.1+ +License: LGPL-2.1+ Summary: Name Service Caching Daemon Group: System/Daemons Provides: aaa_base:/etc/init.d/nscd @@ -300,7 +300,7 @@ Nscd caches name service lookups and can dramatically improve performance with NIS, NIS+, and LDAP. %package profile -License: LGPLv2.1+ +License: LGPL-2.1+ Summary: Libc Profiling and Debugging Versions Group: Development/Libraries/C and C++ Requires: glibc = %{version} @@ -317,7 +317,7 @@ This package contains special versions of the GNU C library which are necessary for profiling and debugging. %package devel -License: BSD3c(or similar) ; GPLv2+ ; LGPLv2.1+ +License: BSD-3-Clause ; GPL-2.0+ ; LGPL-2.1+ Summary: Include Files and Libraries Mandatory for Development Group: Development/Libraries/C and C++ Obsoletes: epoll = 1.0 @@ -349,7 +349,7 @@ for -static linking. You don't need these, unless you link statically, which is highly discouraged. %package utils -License: BSD3c(or similar) ; GPLv2+ ; LGPLv2.1+ +License: BSD-3-Clause ; GPL-2.0+ ; LGPL-2.1+ Summary: Development utilities from GNU C library Group: Development/Languages/C and C++ Requires: glibc = %{version} @@ -364,7 +364,7 @@ If you are unsure if you need this, don't install this package. %ifarch %ix86 %package obsolete -License: BSD3c(or similar) ; GPLv2+ ; LGPLv2.1+ +License: BSD-3-Clause ; GPL-2.0+ ; LGPL-2.1+ Summary: Obsolete Shared Libraries from the GNU C Library Group: System/Libraries Requires: glibc = %{version} From 44bb89d0dfe9b9b33cb40992d194ab643c19ad8619ceb220c2dd330689860c25 Mon Sep 17 00:00:00 2001 
From: Andreas Jaeger Date: Mon, 19 Dec 2011 10:33:39 +0000 Subject: [PATCH 2/2] Accepting request 97011 from home:a_jaeger:my-factory-packages Fix timezone loader overflow. OBS-URL: https://build.opensuse.org/request/show/97011 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=141 --- glibc.changes | 6 +++ glibc.spec | 3 ++ tzfile-corruption-fix.patch | 100 ++++++++++++++++++++++++++++++++++++ 3 files changed, 109 insertions(+) create mode 100644 tzfile-corruption-fix.patch diff --git a/glibc.changes b/glibc.changes index a7c8878..8382aa1 100644 --- a/glibc.changes +++ b/glibc.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Dec 19 10:01:56 UTC 2011 - aj@suse.de + +- Fix timezone loader overflow (bnc#735850,CVE-2009-5029) (patch + tzfile-corruption-fix.patch) + ------------------------------------------------------------------- Tue Nov 29 03:09:56 UTC 2011 - rcoe@wi.rr.com diff --git a/glibc.spec b/glibc.spec index dc045e3..5e1db75 100644 --- a/glibc.spec +++ b/glibc.spec @@ -225,6 +225,8 @@ Patch83: glibc-arm-clone-unwind-fix.diff Patch84: nscd-avoid-gcc-warning.diff # PATCH-FIX-OPENSUSE fix printf with > 32 args and printf specifiers bnc#733140, bso#13446 Patch85: glibc-2.14-32args-printf.patch +# PATCH-FIX-UPSTREAM fix tzfile heap overrun bnc#735850 - aj@suse.de +Patch86: tzfile-corruption-fix.patch %description The GNU C Library provides the most important standard libraries used @@ -466,6 +468,7 @@ rm nscd/s-stamp %patch75 -p1 %patch84 %patch85 +%patch86 -p1 # # Inconsistency detected by ld.so: dl-close.c: 719: _dl_close: Assertion `map->l_init_called' failed! diff --git a/tzfile-corruption-fix.patch b/tzfile-corruption-fix.patch new file mode 100644 index 0000000..b50b726 --- /dev/null +++ b/tzfile-corruption-fix.patch 
@@ -0,0 +1,100 @@ +2011-12-17 Ulrich Drepper + + [BZ #13506] + * time/tzfile.c (__tzfile_read): Check values from file header. + +diff --git a/time/tzfile.c b/time/tzfile.c +index 144e20b..402389c 100644 +--- a/time/tzfile.c ++++ b/time/tzfile.c +@@ -234,23 +234,58 @@ __tzfile_read (const char *file, size_t extra, char **extrap) + goto read_again; + } + ++ if (__builtin_expect (num_transitions ++ > ((SIZE_MAX - (__alignof__ (struct ttinfo) - 1)) ++ / (sizeof (time_t) + 1)), 0)) ++ goto lose; + total_size = num_transitions * (sizeof (time_t) + 1); + total_size = ((total_size + __alignof__ (struct ttinfo) - 1) + & ~(__alignof__ (struct ttinfo) - 1)); + types_idx = total_size; +- total_size += num_types * sizeof (struct ttinfo) + chars; ++ if (__builtin_expect (num_types ++ > (SIZE_MAX - total_size) / sizeof (struct ttinfo), 0)) ++ goto lose; ++ total_size += num_types * sizeof (struct ttinfo); ++ if (__builtin_expect (chars > SIZE_MAX - total_size, 0)) ++ goto lose; ++ total_size += chars; ++ if (__builtin_expect (__alignof__ (struct leap) - 1 ++ > SIZE_MAX - total_size, 0)) ++ goto lose; + total_size = ((total_size + __alignof__ (struct leap) - 1) + & ~(__alignof__ (struct leap) - 1)); + leaps_idx = total_size; ++ if (__builtin_expect (num_leaps ++ > (SIZE_MAX - total_size) / sizeof (struct leap), 0)) ++ goto lose; + total_size += num_leaps * sizeof (struct leap); +- tzspec_len = (sizeof (time_t) == 8 && trans_width == 8 +- ? 
st.st_size - (ftello (f) +- + num_transitions * (8 + 1) +- + num_types * 6 +- + chars +- + num_leaps * 12 +- + num_isstd +- + num_isgmt) - 1 : 0); ++ tzspec_len = 0; ++ if (sizeof (time_t) == 8 && trans_width == 8) ++ { ++ off_t rem = st.st_size - ftello (f); ++ if (__builtin_expect (rem < 0 ++ || (size_t) rem < (num_transitions * (8 + 1) ++ + num_types * 6 ++ + chars), 0)) ++ goto lose; ++ tzspec_len = (size_t) rem - (num_transitions * (8 + 1) ++ + num_types * 6 ++ + chars); ++ if (__builtin_expect (num_leaps > SIZE_MAX / 12 ++ || tzspec_len < num_leaps * 12, 0)) ++ goto lose; ++ tzspec_len -= num_leaps * 12; ++ if (__builtin_expect (tzspec_len < num_isstd, 0)) ++ goto lose; ++ tzspec_len -= num_isstd; ++ if (__builtin_expect (tzspec == 0 || tzspec_len - 1 < num_isgmt, 0)) ++ goto lose; ++ tzspec_len -= num_isgmt + 1; ++ if (__builtin_expect (SIZE_MAX - total_size < tzspec_len, 0)) ++ goto lose; ++ } ++ if (__builtin_expect (SIZE_MAX - total_size - tzspec_len < extra, 0)) ++ goto lose; + + /* Allocate enough memory including the extra block requested by the + caller. */ + + +And fix the previous patch ... + +--- a/time/tzfile.c.orig 2011-12-19 10:58:26.000000000 +0100 ++++ b/time/tzfile.c 2011-12-19 10:59:35.000000000 +0100 +@@ -19,6 +19,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -278,7 +279,7 @@ + if (__builtin_expect (tzspec_len < num_isstd, 0)) + goto lose; + tzspec_len -= num_isstd; +- if (__builtin_expect (tzspec == 0 || tzspec_len - 1 < num_isgmt, 0)) ++ if (__builtin_expect (tzspec_len == 0 || tzspec_len - 1 < num_isgmt, 0)) + goto lose; + tzspec_len -= num_isgmt + 1; + if (__builtin_expect (SIZE_MAX - total_size < tzspec_len, 0))
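Review bot: The added `off_t rem = st.st_size - ftello (f);` in the `sizeof (time_t) == 8 && trans_width == 8` branch uses ftello's result unchecked, so a failed call (which returns -1) gives `rem = st.st_size + 1` and passes the `rem < 0` test instead of reaching `lose`. Reading the offset first, `off_t pos = ftello (f);` then `if (__builtin_expect (pos < 0, 0)) goto lose;`, and computing `rem = st.st_size - pos` would tie the header-derived length arithmetic to a valid file position. The sum `num_transitions * (8 + 1) + num_types * 6 + chars` in the same branch is not overflow-checked itself and appears to rely on the earlier total_size checks bounding it, which holds only if `sizeof (struct ttinfo)` is at least 6 (not visible here); a one-line comment such as `/* Cannot overflow: bounded by total_size, checked above. */` would help the next auditor. The patch file also ships the first diff with `tzspec == 0` followed by a second diff correcting it to `tzspec_len == 0`; folding the correction into the first diff would make the shipped patch easier to compare against the upstream change. __tzfile_read begins and ends outside the hunk, so what the `lose` path releases is not visible from here.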