From: Victor Martinez Date: Sun, 29 Sep 2013 18:42:45 +0000 (+0200) Subject: glibc: updated to 2.16.0-5 and aligned with upstream X-Git-Url: http://gitweb/?a=commitdiff_plain;h=65a1c84a9490a7444e133aa03e63d7c87b0a9c25;p=ports%2Fcore-arm.git glibc: updated to 2.16.0-5 and aligned with upstream --- diff --git a/glibc/.md5sum b/glibc/.md5sum index 2d1e95f..741bc03 100644 --- a/glibc/.md5sum +++ b/glibc/.md5sum @@ -1,5 +1,7 @@ 80b181b02ab249524ec92822c0174cf7 glibc-2.16.0.tar.xz +3a51662cd99783b3d01ceac2dca19597 glibc-CVE-2013-4332.patch 668bcd584718ff0c6aa2f14b668595b6 glibc-ports-2.16.0.tar.bz2 +d4a2a19efe1e9b59b86fd15a968f7e10 glibc-regexp_buffer_overrun.patch 7e6a5a13c37f93213db9803d9790b7de glibc-resolv_assert.patch 8be5a4516a896a4cd589134ccf113575 glibc-strtod_integer_overflow.patch 96156bec8e05de67384dc93e72bdc313 host.conf diff --git a/glibc/Pkgfile b/glibc/Pkgfile index f698f15..2fc8ddc 100644 --- a/glibc/Pkgfile +++ b/glibc/Pkgfile @@ -6,13 +6,15 @@ name=glibc version=2.16.0 -release=2 +release=5 source=(http://ftp.gnu.org/gnu/glibc/glibc-$version.tar.xz \ ftp://ftp.kernel.org/pub/linux/kernel/v3.x/linux-3.4.11.tar.bz2 \ http://ftp.gnu.org/gnu/$name/$name-ports-$version.tar.bz2 \ hosts resolv.conf nsswitch.conf host.conf ld.so.conf \ $name-resolv_assert.patch \ - $name-strtod_integer_overflow.patch) + $name-strtod_integer_overflow.patch \ + $name-regexp_buffer_overrun.patch \ + $name-CVE-2013-4332.patch) build() { # install kernel headers @@ -24,10 +26,10 @@ build() { cd $SRC mv $name-ports-$version $name-$version/ports - pushd $name-$version - patch -p1 -i $SRC/$name-resolv_assert.patch - patch -p1 -i $SRC/$name-strtod_integer_overflow.patch - popd + patch -p1 -d $name-$version -i $SRC/$name-resolv_assert.patch + patch -p1 -d $name-$version -i $SRC/$name-strtod_integer_overflow.patch + patch -p1 -d $name-$version -i $SRC/$name-regexp_buffer_overrun.patch + patch -p1 -d $name-$version -i $SRC/$name-CVE-2013-4332.patch mkdir $SRC/build cd $SRC/build diff --git a/glibc/glibc-CVE-2013-4332.patch b/glibc/glibc-CVE-2013-4332.patch new file mode 100644 index 0000000..9f7f588 --- /dev/null +++ b/glibc/glibc-CVE-2013-4332.patch @@ -0,0 +1,64 @@ +From 0d6085cb1b4330b835ad08a3ec8f80b30f0cadb4 Mon Sep 17 00:00:00 2001 +From: mancha +Date: Wed, 11 Sep 2013 +Subject: CVE-2013-4332 + +malloc: Check for integer overflow in pvalloc, valloc, and memalign. + +A large bytes parameter to pvalloc, valloc, or memalign could cause +an integer overflow and corrupt allocator internals. Check the +overflow does not occur before continuing with the allocation. + +Note: This is a backport to glibc 2.17 of the following three commits: + * https://sourceware.org/git/?p=glibc.git;a=commit;h=1159a193696a + * https://sourceware.org/git/?p=glibc.git;a=commit;h=55e17aadc1ef + * https://sourceware.org/git/?p=glibc.git;a=commit;h=b73ed247781d +--- + +malloc.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +--- a/malloc/malloc.c ++++ b/malloc/malloc.c +@@ -3020,6 +3020,13 @@ __libc_memalign(size_t alignment, size_t + /* Otherwise, ensure that it is at least a minimum chunk size */ + if (alignment < MINSIZE) alignment = MINSIZE; + ++ /* Check for overflow. */ ++ if (bytes > SIZE_MAX - alignment - MINSIZE) ++ { ++ __set_errno (ENOMEM); ++ return 0; ++ } ++ + arena_get(ar_ptr, bytes + alignment + MINSIZE); + if(!ar_ptr) + return 0; +@@ -3051,6 +3058,13 @@ __libc_valloc(size_t bytes) + + size_t pagesz = GLRO(dl_pagesize); + ++ /* Check for overflow. */ ++ if (bytes > SIZE_MAX - pagesz - MINSIZE) ++ { ++ __set_errno (ENOMEM); ++ return 0; ++ } ++ + __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t, + const __malloc_ptr_t)) = + force_reg (__memalign_hook); +@@ -3088,6 +3102,13 @@ __libc_pvalloc(size_t bytes) + size_t page_mask = GLRO(dl_pagesize) - 1; + size_t rounded_bytes = (bytes + page_mask) & ~(page_mask); + ++ /* Check for overflow. */ ++ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE) ++ { ++ __set_errno (ENOMEM); ++ return 0; ++ } ++ + __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t, + const __malloc_ptr_t)) = + force_reg (__memalign_hook); diff --git a/glibc/glibc-regexp_buffer_overrun.patch b/glibc/glibc-regexp_buffer_overrun.patch new file mode 100644 index 0000000..a786961 --- /dev/null +++ b/glibc/glibc-regexp_buffer_overrun.patch @@ -0,0 +1,72 @@ +# http://sourceware.org/bugzilla/show_bug.cgi?id=15078 +# CVE-2013-0242 +# ChangeLog, NEWS and new test removed to apply clean + +commit a445af0bc722d620afed7683cd320c0e4c7c6059 +Author: Andreas Schwab +Date: Tue Jan 29 14:45:15 2013 +0100 + + Fix buffer overrun in regexp matcher + +diff --git a/posix/regexec.c b/posix/regexec.c +index 7f2de85..5ca2bf6 100644 +--- a/posix/regexec.c ++++ b/posix/regexec.c +@@ -197,7 +197,7 @@ static int group_nodes_into_DFAstates (const re_dfa_t *dfa, + static int check_node_accept (const re_match_context_t *mctx, + const re_token_t *node, int idx) + internal_function; +-static reg_errcode_t extend_buffers (re_match_context_t *mctx) ++static reg_errcode_t extend_buffers (re_match_context_t *mctx, int min_len) + internal_function; + + /* Entry point for POSIX code. */ +@@ -1160,7 +1160,7 @@ check_matching (re_match_context_t *mctx, int fl_longest_match, + || (BE (next_char_idx >= mctx->input.valid_len, 0) + && mctx->input.valid_len < mctx->input.len)) + { +- err = extend_buffers (mctx); ++ err = extend_buffers (mctx, next_char_idx + 1); + if (BE (err != REG_NOERROR, 0)) + { + assert (err == REG_ESPACE); +@@ -1738,7 +1738,7 @@ clean_state_log_if_needed (re_match_context_t *mctx, int next_state_log_idx) + && mctx->input.valid_len < mctx->input.len)) + { + reg_errcode_t err; +- err = extend_buffers (mctx); ++ err = extend_buffers (mctx, next_state_log_idx + 1); + if (BE (err != REG_NOERROR, 0)) + return err; + } +@@ -2792,7 +2792,7 @@ get_subexp (re_match_context_t *mctx, int bkref_node, int bkref_str_idx) + if (bkref_str_off >= mctx->input.len) + break; + +- err = extend_buffers (mctx); ++ err = extend_buffers (mctx, bkref_str_off + 1); + if (BE (err != REG_NOERROR, 0)) + return err; + +@@ -4102,7 +4102,7 @@ check_node_accept (const re_match_context_t *mctx, const re_token_t *node, + + static reg_errcode_t + internal_function __attribute_warn_unused_result__ +-extend_buffers (re_match_context_t *mctx) ++extend_buffers (re_match_context_t *mctx, int min_len) + { + reg_errcode_t ret; + re_string_t *pstr = &mctx->input; +@@ -4111,8 +4111,10 @@ extend_buffers (re_match_context_t *mctx) + if (BE (INT_MAX / 2 / sizeof (re_dfastate_t *) <= pstr->bufs_len, 0)) + return REG_ESPACE; + +- /* Double the lengthes of the buffers. */ +- ret = re_string_realloc_buffers (pstr, MIN (pstr->len, pstr->bufs_len * 2)); ++ /* Double the lengthes of the buffers, but allocate at least MIN_LEN. */ ++ ret = re_string_realloc_buffers (pstr, ++ MAX (min_len, ++ MIN (pstr->len, pstr->bufs_len * 2))); + if (BE (ret != REG_NOERROR, 0)) + return ret; +