From 0d4730959a4b6607fdbd91d6817b5dd2727280cd Mon Sep 17 00:00:00 2001 From: Victor Martinez Date: Wed, 10 Feb 2016 12:14:17 +0100 Subject: [PATCH] glibc: added patches for CVE-2015-8776, CVE-2015-8777, CVE-2015-8778, CVE-2015-8779 --- glibc/.md5sum | 4 + glibc/CVE-2015-8776.patch | 121 +++++++++++++++++++ glibc/CVE-2015-8777.patch | 59 ++++++++++ glibc/CVE-2015-8778.patch | 29 +++++ glibc/CVE-2015-8779.patch | 239 ++++++++++++++++++++++++++++++++++++++ glibc/Pkgfile | 8 +- 6 files changed, 459 insertions(+), 1 deletion(-) create mode 100644 glibc/CVE-2015-8776.patch create mode 100644 glibc/CVE-2015-8777.patch create mode 100644 glibc/CVE-2015-8778.patch create mode 100644 glibc/CVE-2015-8779.patch diff --git a/glibc/.md5sum b/glibc/.md5sum index 74086ff..16239a5 100644 --- a/glibc/.md5sum +++ b/glibc/.md5sum @@ -1,3 +1,7 @@ +3972ff7405c89be7f5694bdc28fbd798 CVE-2015-8776.patch +c0e4a708857a0a50b9a3d1a5cc315763 CVE-2015-8777.patch +5cd75bfc0789559553b9c708c6b986ac CVE-2015-8778.patch +9623a770f7a9781272b8f30761cbe256 CVE-2015-8779.patch e51e02bf552a0a1fbbdc948fb2f5e83c glibc-2.22.tar.xz 96156bec8e05de67384dc93e72bdc313 host.conf fbbc215a9b15ba4846f326cc88108057 hosts diff --git a/glibc/CVE-2015-8776.patch b/glibc/CVE-2015-8776.patch new file mode 100644 index 0000000..ac202e6 --- /dev/null +++ b/glibc/CVE-2015-8776.patch @@ -0,0 +1,121 @@ +diff --git a/time/strftime_l.c b/time/strftime_l.c +index b48ef34..4eb647c 100644 +--- a/time/strftime_l.c ++++ b/time/strftime_l.c +@@ -510,13 +510,17 @@ __strftime_internal (s, maxsize, format, tp, tzset_called ut_argument + only a few elements. Dereference the pointers only if the format + requires this. Then it is ok to fail if the pointers are invalid. */ + # define a_wkday \ +- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday)) ++ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \ ++ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday))) + # define f_wkday \ +- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday)) ++ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \ ++ ? "?" : _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday))) + # define a_month \ +- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon)) ++ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \ ++ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon))) + # define f_month \ +- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon)) ++ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \ ++ ? "?" : _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon))) + # define ampm \ + ((const CHAR_T *) _NL_CURRENT (LC_TIME, tp->tm_hour > 11 \ + ? NLW(PM_STR) : NLW(AM_STR))) +@@ -526,8 +530,10 @@ __strftime_internal (s, maxsize, format, tp, tzset_called ut_argument + # define ap_len STRLEN (ampm) + #else + # if !HAVE_STRFTIME +-# define f_wkday (weekday_name[tp->tm_wday]) +-# define f_month (month_name[tp->tm_mon]) ++# define f_wkday (tp->tm_wday < 0 || tp->tm_wday > 6 \ ++ ? "?" : weekday_name[tp->tm_wday]) ++# define f_month (tp->tm_mon < 0 || tp->tm_mon > 11 \ ++ ? "?" : month_name[tp->tm_mon]) + # define a_wkday f_wkday + # define a_month f_month + # define ampm (L_("AMPM") + 2 * (tp->tm_hour > 11)) +@@ -1321,7 +1327,7 @@ __strftime_internal (s, maxsize, format, tp, tzset_called ut_argument + *tzset_called = true; + } + # endif +- zone = tzname[tp->tm_isdst]; ++ zone = tp->tm_isdst <= 1 ? tzname[tp->tm_isdst] : "?"; + } + #endif + if (! zone) +diff --git a/time/tst-strftime.c b/time/tst-strftime.c +index 374fba4..af3ff72 100644 +--- a/time/tst-strftime.c ++++ b/time/tst-strftime.c +@@ -4,6 +4,56 @@ + #include + + ++static int ++do_bz18985 (void) ++{ ++ char buf[1000]; ++ struct tm ttm; ++ int rc, ret = 0; ++ ++ memset (&ttm, 1, sizeof (ttm)); ++ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */ ++ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm); ++ ++ if (rc == 66) ++ { ++ const char expected[] ++ = "? ? ? ? ? ? 16843009 16843009:16843009:16843009 16844909 +467836 ?"; ++ if (0 != strcmp (buf, expected)) ++ { ++ printf ("expected:\n %s\ngot:\n %s\n", expected, buf); ++ ret += 1; ++ } ++ } ++ else ++ { ++ printf ("expected 66, got %d\n", rc); ++ ret += 1; ++ } ++ ++ /* Check negative values as well. */ ++ memset (&ttm, 0xFF, sizeof (ttm)); ++ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */ ++ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm); ++ ++ if (rc == 30) ++ { ++ const char expected[] = "? ? ? ? ? ? -1 -1:-1:-1 1899 "; ++ if (0 != strcmp (buf, expected)) ++ { ++ printf ("expected:\n %s\ngot:\n %s\n", expected, buf); ++ ret += 1; ++ } ++ } ++ else ++ { ++ printf ("expected 30, got %d\n", rc); ++ ret += 1; ++ } ++ ++ return ret; ++} ++ + static struct + { + const char *fmt; +@@ -104,7 +154,7 @@ do_test (void) + } + } + +- return result; ++ return result + do_bz18985 (); + } + + #define TEST_FUNCTION do_test () +-- +1.9.4 + diff --git a/glibc/CVE-2015-8777.patch b/glibc/CVE-2015-8777.patch new file mode 100644 index 0000000..0c01c25 --- /dev/null +++ b/glibc/CVE-2015-8777.patch @@ -0,0 +1,59 @@ +diff --git a/elf/rtld.c b/elf/rtld.c +index 69873c2..07e741c 100644 +--- a/elf/rtld.c ++++ b/elf/rtld.c +@@ -162,7 +162,6 @@ struct rtld_global_ro _rtld_global_ro attribute_relro = + ._dl_hwcap_mask = HWCAP_IMPORTANT, + ._dl_lazy = 1, + ._dl_fpu_control = _FPU_DEFAULT, +- ._dl_pointer_guard = 1, + ._dl_pagesize = EXEC_PAGESIZE, + ._dl_inhibit_cache = 0, + +@@ -709,15 +708,12 @@ security_init (void) + #endif + + /* Set up the pointer guard as well, if necessary. */ +- if (GLRO(dl_pointer_guard)) +- { +- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random, +- stack_chk_guard); ++ uintptr_t pointer_chk_guard ++ = _dl_setup_pointer_guard (_dl_random, stack_chk_guard); + #ifdef THREAD_SET_POINTER_GUARD +- THREAD_SET_POINTER_GUARD (pointer_chk_guard); ++ THREAD_SET_POINTER_GUARD (pointer_chk_guard); + #endif +- __pointer_chk_guard_local = pointer_chk_guard; +- } ++ __pointer_chk_guard_local = pointer_chk_guard; + + /* We do not need the _dl_random value anymore. The less + information we leave behind, the better, so clear the +@@ -2471,9 +2467,6 @@ process_envvars (enum mode *modep) + GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0; + break; + } +- +- if (memcmp (envline, "POINTER_GUARD", 13) == 0) +- GLRO(dl_pointer_guard) = envline[14] != '0'; + break; + + case 14: +diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h +index 7a0fe8d..78e3a97 100644 +--- a/sysdeps/generic/ldsodefs.h ++++ b/sysdeps/generic/ldsodefs.h +@@ -592,9 +592,6 @@ struct rtld_global_ro + /* List of auditing interfaces. */ + struct audit_ifaces *_dl_audit; + unsigned int _dl_naudit; +- +- /* 0 if internal pointer values should not be guarded, 1 if they should. */ +- EXTERN int _dl_pointer_guard; + }; + # define __rtld_global_attribute__ + # if IS_IN (rtld) +-- +1.9.4 + diff --git a/glibc/CVE-2015-8778.patch b/glibc/CVE-2015-8778.patch new file mode 100644 index 0000000..fd7f3ff --- /dev/null +++ b/glibc/CVE-2015-8778.patch @@ -0,0 +1,29 @@ +diff --git a/misc/hsearch_r.c b/misc/hsearch_r.c +index 9f55e84..559df29 100644 +--- a/misc/hsearch_r.c ++++ b/misc/hsearch_r.c +@@ -19,7 +19,7 @@ + #include + #include + #include +- ++#include + #include + + /* [Aho,Sethi,Ullman] Compilers: Principles, Techniques and Tools, 1986 +@@ -73,6 +73,13 @@ __hcreate_r (nel, htab) + return 0; + } + ++ if (nel >= SIZE_MAX / sizeof (_ENTRY)) ++ { ++ __set_errno (ENOMEM); ++ return 0; ++ } ++ ++ + /* There is still another table active. Return with error. */ + if (htab->table != NULL) + return 0; +-- +1.9.4 diff --git a/glibc/CVE-2015-8779.patch b/glibc/CVE-2015-8779.patch new file mode 100644 index 0000000..7f0f49b --- /dev/null +++ b/glibc/CVE-2015-8779.patch @@ -0,0 +1,239 @@ +diff --git a/catgets/Makefile b/catgets/Makefile +index 4624a88..56de38b 100644 +--- a/catgets/Makefile ++++ b/catgets/Makefile +@@ -34,6 +34,7 @@ test-srcs = test-gencat + ifeq ($(run-built-tests),yes) + tests-special += $(objpfx)de/libc.cat $(objpfx)test1.cat $(objpfx)test2.cat \ + $(objpfx)sample.SJIS.cat $(objpfx)test-gencat.out ++tests-special += $(objpfx)tst-catgets-mem.out + endif + + gencat-modules = xmalloc +@@ -50,9 +51,11 @@ catgets-CPPFLAGS := -DNLSPATH='"$(msgcatdir)/%L/%N:$(msgcatdir)/%L/LC_MESSAGES/% + + generated += de.msg test1.cat test1.h test2.cat test2.h sample.SJIS.cat \ + test-gencat.h ++generated += tst-catgets.mtrace tst-catgets-mem.out ++ + generated-dirs += de + +-tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de ++tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de MALLOC_TRACE=$(objpfx)tst-catgets.mtrace + + ifeq ($(run-built-tests),yes) + # This test just checks whether the program produces any error or not. +@@ -86,4 +89,8 @@ $(objpfx)test-gencat.out: test-gencat.sh $(objpfx)test-gencat \ + $(objpfx)sample.SJIS.cat: sample.SJIS $(objpfx)gencat + $(built-program-cmd) -H $(objpfx)test-gencat.h < $(word 1,$^) > $@; \ + $(evaluate-test) ++ ++$(objpfx)tst-catgets-mem.out: $(objpfx)tst-catgets.out ++ $(common-objpfx)malloc/mtrace $(objpfx)tst-catgets.mtrace > $@; \ ++ $(evaluate-test) + endif +diff --git a/catgets/catgets.c b/catgets/catgets.c +index cf93d56..4be452d 100644 +--- a/catgets/catgets.c ++++ b/catgets/catgets.c +@@ -16,7 +16,6 @@ + License along with the GNU C Library; if not, see + . */ + +-#include + #include + #include + #include +@@ -35,6 +34,7 @@ catopen (const char *cat_name, int flag) + __nl_catd result; + const char *env_var = NULL; + const char *nlspath = NULL; ++ char *tmp = NULL; + + if (strchr (cat_name, '/') == NULL) + { +@@ -54,7 +54,10 @@ catopen (const char *cat_name, int flag) + { + /* Append the system dependent directory. */ + size_t len = strlen (nlspath) + 1 + sizeof NLSPATH; +- char *tmp = alloca (len); ++ tmp = malloc (len); ++ ++ if (__glibc_unlikely (tmp == NULL)) ++ return (nl_catd) -1; + + __stpcpy (__stpcpy (__stpcpy (tmp, nlspath), ":"), NLSPATH); + nlspath = tmp; +@@ -65,16 +68,18 @@ catopen (const char *cat_name, int flag) + + result = (__nl_catd) malloc (sizeof (*result)); + if (result == NULL) +- /* We cannot get enough memory. */ +- return (nl_catd) -1; +- +- if (__open_catalog (cat_name, nlspath, env_var, result) != 0) ++ { ++ /* We cannot get enough memory. */ ++ result = (nl_catd) -1; ++ } ++ else if (__open_catalog (cat_name, nlspath, env_var, result) != 0) + { + /* Couldn't open the file. */ + free ((void *) result); +- return (nl_catd) -1; ++ result = (nl_catd) -1; + } + ++ free (tmp); + return (nl_catd) result; + } + +diff --git a/catgets/open_catalog.c b/catgets/open_catalog.c +index e069416..9f4d776 100644 +--- a/catgets/open_catalog.c ++++ b/catgets/open_catalog.c +@@ -47,6 +47,7 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var, + size_t tab_size; + const char *lastp; + int result = -1; ++ char *buf = NULL; + + if (strchr (cat_name, '/') != NULL || nlspath == NULL) + fd = open_not_cancel_2 (cat_name, O_RDONLY); +@@ -57,23 +58,23 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var, + if (__glibc_unlikely (bufact + (n) >= bufmax)) \ + { \ + char *old_buf = buf; \ +- bufmax += 256 + (n); \ +- buf = (char *) alloca (bufmax); \ +- memcpy (buf, old_buf, bufact); \ ++ bufmax += (bufmax < 256 + (n)) ? 256 + (n) : bufmax; \ ++ buf = realloc (buf, bufmax); \ ++ if (__glibc_unlikely (buf == NULL)) \ ++ { \ ++ free (old_buf); \ ++ return -1; \ ++ } \ + } + + /* The RUN_NLSPATH variable contains a colon separated list of + descriptions where we expect to find catalogs. We have to + recognize certain % substitutions and stop when we found the + first existing file. */ +- char *buf; + size_t bufact; +- size_t bufmax; ++ size_t bufmax = 0; + size_t len; + +- buf = NULL; +- bufmax = 0; +- + fd = -1; + while (*run_nlspath != '\0') + { +@@ -188,7 +189,10 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var, + + /* Avoid dealing with directories and block devices */ + if (__builtin_expect (fd, 0) < 0) +- return -1; ++ { ++ free (buf); ++ return -1; ++ } + + if (__builtin_expect (__fxstat64 (_STAT_VER, fd, &st), 0) < 0) + goto close_unlock_return; +@@ -325,6 +329,7 @@ __open_catalog (const char *cat_name, const char *nlspath, const char *env_var, + /* Release the lock again. */ + close_unlock_return: + close_not_cancel_no_status (fd); ++ free (buf); + + return result; + } +diff --git a/catgets/tst-catgets.c b/catgets/tst-catgets.c +index a0a4089..140de72 100644 +--- a/catgets/tst-catgets.c ++++ b/catgets/tst-catgets.c +@@ -1,7 +1,10 @@ ++#include + #include + #include + #include ++#include + #include ++#include + + + static const char *msgs[] = +@@ -12,6 +15,33 @@ static const char *msgs[] = + }; + #define nmsgs (sizeof (msgs) / sizeof (msgs[0])) + ++ ++/* Test for unbounded alloca. */ ++static int ++do_bz17905 (void) ++{ ++ char *buf; ++ struct rlimit rl; ++ nl_catd result; ++ ++ const int sz = 1024 * 1024; ++ ++ getrlimit (RLIMIT_STACK, &rl); ++ rl.rlim_cur = sz; ++ setrlimit (RLIMIT_STACK, &rl); ++ ++ buf = malloc (sz + 1); ++ memset (buf, 'A', sz); ++ buf[sz] = '\0'; ++ setenv ("NLSPATH", buf, 1); ++ ++ result = catopen (buf, NL_CAT_LOCALE); ++ assert (result == (nl_catd) -1); ++ ++ free (buf); ++ return 0; ++} ++ + #define ROUNDS 5 + + static int +@@ -62,6 +92,7 @@ do_test (void) + } + } + ++ result += do_bz17905 (); + return result; + } + +-- +1.9.4 + +From 7565d2a862683a3c26ffb1f32351b8c5ab9f7b31 Mon Sep 17 00:00:00 2001 +From: Paul Pluzhnikov +Date: Sat, 8 Aug 2015 15:54:40 -0700 +Subject: [PATCH] Fix trailing space. + +--- + catgets/tst-catgets.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/catgets/tst-catgets.c b/catgets/tst-catgets.c +index 140de72..0886938 100644 +--- a/catgets/tst-catgets.c ++++ b/catgets/tst-catgets.c +@@ -30,7 +30,7 @@ do_bz17905 (void) + rl.rlim_cur = sz; + setrlimit (RLIMIT_STACK, &rl); + +- buf = malloc (sz + 1); ++ buf = malloc (sz + 1); + memset (buf, 'A', sz); + buf[sz] = '\0'; + setenv ("NLSPATH", buf, 1); +-- +1.9.4 + diff --git a/glibc/Pkgfile b/glibc/Pkgfile index e37fb7c..0a0ef97 100644 --- a/glibc/Pkgfile +++ b/glibc/Pkgfile @@ -6,9 +6,10 @@ name=glibc version=2.22 -release=1 +release=2 source=(http://ftp.gnu.org/gnu/glibc/glibc-$version.tar.xz \ http://ftp.kernel.org/pub/linux/kernel/v4.x/linux-4.1.13.tar.xz \ + CVE-2015-8779.patch CVE-2015-8778.patch CVE-2015-8777.patch CVE-2015-8776.patch \ hosts resolv.conf nsswitch.conf host.conf ld.so.conf) build() { @@ -18,6 +19,11 @@ build() { make ARCH=arm headers_check make ARCH=arm INSTALL_HDR_PATH=$PKG/usr headers_install + patch -p1 -d $SRC/$name-$version -i $SRC/CVE-2015-8779.patch + patch -p1 -d $SRC/$name-$version -i $SRC/CVE-2015-8778.patch + patch -p1 -d $SRC/$name-$version -i $SRC/CVE-2015-8777.patch + patch -p1 -d $SRC/$name-$version -i $SRC/CVE-2015-8776.patch + mkdir $SRC/build cd $SRC/build ../$name-$version/configure --prefix=/usr \ -- 2.26.2