diff --git a/glibc.changes b/glibc.changes index 7f3e64c..5000319 100644 --- a/glibc.changes +++ b/glibc.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Tue Mar 5 10:38:30 UTC 2019 - Andreas Schwab + +- regex-read-overrun.patch: fix read overrun (CVE-2019-9169, bsc#1127308, + BZ #24114) +- ldconfig-concurrency.patch: Avoid concurrency problem in ldconfig + (bsc#1117993, BZ #23973) + ------------------------------------------------------------------- Thu Feb 21 08:37:00 UTC 2019 - Martin Liška @@ -57,6 +65,7 @@ Fri Feb 1 10:34:39 UTC 2019 - schwab@suse.de gethostid-gethostbyname-failure.patch, strstr-huge-needle.patch, pthread-mutex-lock-elision-race.patch, x86-haswell-string-flags.patch, if-nametoindex-descr-leak.patch, riscv-flush-icache.patch: Removed +- CVE-2016-10739 ------------------------------------------------------------------- Wed Jan 9 14:21:04 UTC 2019 - schwab@suse.de @@ -170,6 +179,7 @@ Thu Aug 2 07:48:07 UTC 2018 - schwab@suse.de riscv-kernel-sigaction.patch, riscv-readelflib.patch, riscv-tls-init.patch: Removed - glibc_post_upgrade.c: Don't reload init (bsc#1103124) +- CVE-2009-5155, CVE-2015-8985 ------------------------------------------------------------------- Tue Jun 19 08:37:43 UTC 2018 - schwab@suse.de diff --git a/glibc.spec b/glibc.spec index 207660e..0d58770 100644 --- a/glibc.spec +++ b/glibc.spec @@ -71,8 +71,7 @@ BuildRequires: xz BuildRequires: gcc-c++ BuildRequires: gdb BuildRequires: glibc-devel-static -# BZ #24113 -#BuildRequires: libidn2-0 +BuildRequires: libidn2-0 BuildRequires: libstdc++-devel BuildRequires: python3-pexpect %endif 
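Review bot: The glibc.spec hunk at `-71,8 +71,7` re-enables `BuildRequires: libidn2-0` and drops its `# BZ #24113` marker, but the new glibc.changes entry lists only the two patches, so the build-dependency change is not recorded anywhere. Add a changelog bullet for it, for example `- Re-enable libidn2-0 build requirement (BZ #24113)`, so it is clear that what was presumably a workaround has been lifted on purpose. The conditional block closed by `%endif` starts outside the hunk, so which build flavour is affected cannot be confirmed from here.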
@@ -284,6 +283,8 @@ Patch1004: pthread-join-probe.patch
 Patch1005: riscv-clone-unwind.patch
 # PATCH-FIX-UPSTREAM Add new Fortran vector math header file.
 Patch1006: add-new-Fortran-vector-math-header-file.patch
+# PATCH-FIX-UPSTREAM regex: fix read overrun (CVE-2019-9169, BZ #24114)
+Patch1007: regex-read-overrun.patch
 ###
 # Patches awaiting upstream approval
@@ -296,6 +297,8 @@ Patch2004: fnmatch-collating-elements.patch
 Patch2005: nss-files-long-lines-2.patch
 # PATCH-FIX-UPSTREAM Fix iconv buffer handling with IGNORE error handler (BZ #18830)
 Patch2006: iconv-reset-input-buffer.patch
+# PATCH-FIX-UPSTREAM Avoid concurrency problem in ldconfig (BZ #23973)
+Patch2007: ldconfig-concurrency.patch
 # Non-glibc patches
 # PATCH-FIX-OPENSUSE Remove debianisms from manpages
@@ -500,11 +503,13 @@ makedb: A program to create a database for nss
 %patch1004 -p1
 %patch1005 -p1
 %patch1006 -p1
+%patch1007 -p1
 %patch2000 -p1
 %patch2004 -p1
 %patch2005 -p1
 %patch2006 -p1
+%patch2007 -p1
 %patch3000
diff --git a/ldconfig-concurrency.patch b/ldconfig-concurrency.patch
new file mode 100644
index 0000000..70bae44
--- /dev/null
+++ b/ldconfig-concurrency.patch
@@ -0,0 +1,61 @@
+ * elf/cache.c (save_cache): Use unique temporary name.
+ (save_aux_cache): Likewise.
+
+Index: glibc-2.29/elf/cache.c
+===================================================================
+--- glibc-2.29.orig/elf/cache.c
++++ glibc-2.29/elf/cache.c
+@@ -427,12 +427,12 @@ save_cache (const char *cache_name)
+ /* Write out the cache. */
+
+ /* Write cache first to a temporary file and rename it later. */
+- char *temp_name = xmalloc (strlen (cache_name) + 2);
+- sprintf (temp_name, "%s~", cache_name);
++ char *temp_name;
++ if (asprintf (&temp_name, "%s.XXXXXX", cache_name) < 0)
++ error (EXIT_FAILURE, errno, _("Can't allocate temporary name for cache file"));
+
+ /* Create file. */
+- int fd = open (temp_name, O_CREAT|O_WRONLY|O_TRUNC|O_NOFOLLOW,
+- S_IRUSR|S_IWUSR);
++ int fd = mkostemp (temp_name, 0);
+ if (fd < 0)
+ error (EXIT_FAILURE, errno, _("Can't create temporary cache file %s"),
+ temp_name);
+@@ -481,6 +481,7 @@ save_cache (const char *cache_name)
+ free (file_entries_new);
+ free (file_entries);
+ free (strings);
++ free (temp_name);
+
+ while (entries)
+ {
+@@ -804,8 +805,9 @@ save_aux_cache (const char *aux_cache_na
+ /* Write out auxiliary cache file. */
+ /* Write auxiliary cache first to a temporary file and rename it later. */
+
+- char *temp_name = xmalloc (strlen (aux_cache_name) + 2);
+- sprintf (temp_name, "%s~", aux_cache_name);
++ char *temp_name;
++ if (asprintf (&temp_name, "%s.XXXXXX", aux_cache_name) < 0)
++ goto out_fail2;
+
+ /* Check that directory exists and create if needed. */
+ char *dir = strdupa (aux_cache_name);
+@@ -819,8 +821,7 @@ save_aux_cache (const char *aux_cache_na
+ }
+
+ /* Create file. */
+- int fd = open (temp_name, O_CREAT|O_WRONLY|O_TRUNC|O_NOFOLLOW,
+- S_IRUSR|S_IWUSR);
++ int fd = mkostemp (temp_name, 0);
+ if (fd < 0)
+ goto out_fail;
+
+@@ -840,5 +841,6 @@ save_aux_cache (const char *aux_cache_na
+ out_fail:
+ /* Free allocated memory. */
+ free (temp_name);
++out_fail2:
+ free (file_entries);
+ }
diff --git a/regex-read-overrun.patch b/regex-read-overrun.patch
new file mode 100644
index 0000000..15409ca
--- /dev/null
+++ b/regex-read-overrun.patch
@@ -0,0 +1,25 @@
+2019-01-31 Paul Eggert
+
+ regex: fix read overrun [BZ #24114]
+ Problem found by AddressSanitizer, reported by Hongxu Chen in:
+ https://debbugs.gnu.org/34140
+ * posix/regexec.c (proceed_next_node):
+ Do not read past end of input buffer.
+
+Index: glibc-2.29/posix/regexec.c
+===================================================================
+--- glibc-2.29.orig/posix/regexec.c
++++ glibc-2.29/posix/regexec.c
+@@ -1293,8 +1293,10 @@ proceed_next_node (const re_match_contex
+ else if (naccepted)
+ {
+ char *buf = (char *) re_string_get_buffer (&mctx->input);
+- if (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx,
+- naccepted) != 0)
++ if (mctx->input.valid_len - *pidx < naccepted
++ || (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx,
++ naccepted)
++ != 0))
+ return -1;
+ }
+ }
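Review bot: A run that fails after `mkostemp` succeeds can now leave a uniquely named temporary file behind, in both `save_cache` and `save_aux_cache` of ldconfig-concurrency.patch; with the old fixed `%s~` name the next run simply overwrote the leftover. The write, sync and rename paths are outside these hunks, so this needs checking there: wherever they bail out through `error (EXIT_FAILURE, ...)` or `goto out_fail` after the file exists, call `unlink (temp_name);` first, saving `errno` if the message reports it. The existing comment could also say why the name is unique, e.g. `/* Use a unique temporary name so concurrent ldconfig runs never write to the same file. */`. The `goto out_fail2` path rightly skips `free (temp_name)`, since `temp_name` is indeterminate when `asprintf` fails.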
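Review bot: The new guard in `proceed_next_node` (regex-read-overrun.patch) carries no comment saying what it protects, and it is only correct if `mctx->input.valid_len - *pidx` is a signed subtraction. I would add above the `if`: `/* Fail when fewer than NACCEPTED bytes remain at *PIDX, so memcmp stays within the valid input. */`. The types of `valid_len`, `*pidx` and `naccepted` are declared outside the hunk; if any of them is unsigned, a `*pidx` beyond `valid_len` would wrap to a large value and pass the check, so that is worth confirming against the declarations. The function body starts and ends outside the hunk.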