Diffstat (limited to 'meta/recipes-core/glibc/glibc')
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2017-15671.patch | 66 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2017-16997.patch | 150 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2017-17426.patch | 80 |
3 files changed, 0 insertions, 296 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch b/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch
deleted file mode 100644
index 35692820d4..0000000000
--- a/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch
+++ /dev/null
@@ -1,66 +0,0 @@ -From f1cf98b583787cfb6278baea46e286a0ee7567fd Mon Sep 17 00:00:00 2001 -From: Paul Eggert <eggert@cs.ucla.edu> -Date: Sun, 22 Oct 2017 10:00:57 +0200 -Subject: [PATCH] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ - #22332] - -(cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8) - -Upstream-Status: Backport -CVE: CVE-2017-15671 -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - ChangeLog | 6 ++++++ - NEWS | 4 ++++ - posix/glob.c | 4 ++-- - 3 files changed, 12 insertions(+), 2 deletions(-) - -Index: git/NEWS -=================================================================== ---- git.orig/NEWS -+++ git/NEWS -@@ -211,6 +211,10 @@ Security related changes: - on the stack or the heap, depending on the length of the user name). - Reported by Tim Rühsen. - -+ The glob function, when invoked with GLOB_TILDE and without -+ GLOB_NOESCAPE, could write past the end of a buffer while -+ unescaping user names. Reported by Tim Rühsen. -+ - The following bugs are resolved with this release: - - [984] network: Respond to changed resolv.conf in gethostbyname -Index: git/posix/glob.c -=================================================================== ---- git.orig/posix/glob.c -+++ git/posix/glob.c -@@ -823,11 +823,11 @@ glob (const char *pattern, int flags, in - char *p = mempcpy (newp, dirname + 1, - unescape - dirname - 1); - char *q = unescape; -- while (*q != '\0') -+ while (q != end_name) - { - if (*q == '\\') - { -- if (q[1] == '\0') -+ if (q + 1 == end_name) - { - /* "~fo\\o\\" unescape to user_name "foo\\", - but "~fo\\o\\/" unescape to user_name -Index: git/ChangeLog -=================================================================== ---- git.orig/ChangeLog -+++ git/ChangeLog -@@ -1,5 +1,10 @@ -+ - 2017-10-20 Paul Eggert <eggert@cs.ucla.edu> - -+ [BZ #22332] -+ * posix/glob.c (__glob): Fix buffer overflow during GLOB_TILDE -+ unescaping. 
-+
- [BZ #22320]
- CVE-2017-15670
- * posix/glob.c (__glob): Fix one-byte overflow.
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch b/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch
deleted file mode 100644
index 38731e4124..0000000000
--- a/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch
+++ /dev/null
@@ -1,150 +0,0 @@ -From 4ebd0c4191c6073cc8a7c5fdcf1d182c4719bcbb Mon Sep 17 00:00:00 2001 -From: Aurelien Jarno <aurelien@aurel32.net> -Date: Sat, 30 Dec 2017 10:54:23 +0100 -Subject: [PATCH] elf: Check for empty tokens before dynamic string token - expansion [BZ #22625] - -The fillin_rpath function in elf/dl-load.c loops over each RPATH or -RUNPATH tokens and interprets empty tokens as the current directory -("./"). In practice the check for empty token is done *after* the -dynamic string token expansion. The expansion process can return an -empty string for the $ORIGIN token if __libc_enable_secure is set -or if the path of the binary can not be determined (/proc not mounted). - -Fix that by moving the check for empty tokens before the dynamic string -token expansion. In addition, check for NULL pointer or empty strings -return by expand_dynamic_string_token. - -The above changes highlighted a bug in decompose_rpath, an empty array -is represented by the first element being NULL at the fillin_rpath -level, but by using a -1 pointer in decompose_rpath and other functions. - -Changelog: - [BZ #22625] - * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic - string token expansion. Check for NULL pointer or empty string possibly - returned by expand_dynamic_string_token. - (decompose_rpath): Check for empty path after dynamic string - token expansion. -(cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef) - -Upstream-Status: Backport -CVE: CVE-2017-16997 -Signed-off-by: Armin Kuster <akuster@mvista.com> - ---- - ChangeLog | 10 ++++++++++ - NEWS | 4 ++++ - elf/dl-load.c | 49 +++++++++++++++++++++++++++++++++---------------- - 3 files changed, 47 insertions(+), 16 deletions(-) - -Index: git/NEWS -=================================================================== ---- git.orig/NEWS -+++ git/NEWS -@@ -215,6 +215,10 @@ Security related changes: - GLOB_NOESCAPE, could write past the end of a buffer while - unescaping user names. 
Reported by Tim Rühsen. - -+ CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN -+ for AT_SECURE or SUID binaries could be used to load libraries from the -+ current directory. -+ - The following bugs are resolved with this release: - - [984] network: Respond to changed resolv.conf in gethostbyname -Index: git/elf/dl-load.c -=================================================================== ---- git.orig/elf/dl-load.c -+++ git/elf/dl-load.c -@@ -433,32 +433,41 @@ fillin_rpath (char *rpath, struct r_sear - { - char *cp; - size_t nelems = 0; -- char *to_free; - - while ((cp = __strsep (&rpath, sep)) != NULL) - { - struct r_search_path_elem *dirp; -+ char *to_free = NULL; -+ size_t len = 0; - -- to_free = cp = expand_dynamic_string_token (l, cp, 1); -+ /* `strsep' can pass an empty string. */ -+ if (*cp != '\0') -+ { -+ to_free = cp = expand_dynamic_string_token (l, cp, 1); - -- size_t len = strlen (cp); -+ /* expand_dynamic_string_token can return NULL in case of empty -+ path or memory allocation failure. */ -+ if (cp == NULL) -+ continue; -+ -+ /* Compute the length after dynamic string token expansion and -+ ignore empty paths. */ -+ len = strlen (cp); -+ if (len == 0) -+ { -+ free (to_free); -+ continue; -+ } - -- /* `strsep' can pass an empty string. This has to be -- interpreted as `use the current directory'. */ -- if (len == 0) -- { -- static const char curwd[] = "./"; -- cp = (char *) curwd; -+ /* Remove trailing slashes (except for "/"). */ -+ while (len > 1 && cp[len - 1] == '/') -+ --len; -+ -+ /* Now add one if there is none so far. */ -+ if (len > 0 && cp[len - 1] != '/') -+ cp[len++] = '/'; - } - -- /* Remove trailing slashes (except for "/"). */ -- while (len > 1 && cp[len - 1] == '/') -- --len; -- -- /* Now add one if there is none so far. */ -- if (len > 0 && cp[len - 1] != '/') -- cp[len++] = '/'; -- - /* Make sure we don't use untrusted directories if we run SUID. 
*/ - if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len)) - { -@@ -621,6 +630,14 @@ decompose_rpath (struct r_search_path_st - necessary. */ - free (copy); - -+ /* There is no path after expansion. */ -+ if (result[0] == NULL) -+ { -+ free (result); -+ sps->dirs = (struct r_search_path_elem **) -1; -+ return false; -+ } -+ - sps->dirs = result; - /* The caller will change this value if we haven't used a real malloc. */ - sps->malloced = 1; -Index: git/ChangeLog -=================================================================== ---- git.orig/ChangeLog -+++ git/ChangeLog -@@ -1,3 +1,12 @@ -+2017-12-30 Aurelien Jarno <aurelien@aurel32.net> -+ Dmitry V. Levin <ldv@altlinux.org> -+ -+ [BZ #22625] -+ * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic -+ string token expansion. Check for NULL pointer or empty string possibly -+ returned by expand_dynamic_string_token. -+ (decompose_rpath): Check for empty path after dynamic string -+ token expansion. - - 2017-10-20 Paul Eggert <eggert@cs.ucla.edu> - diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch b/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch deleted file mode 100644 index c7d1cb86df..0000000000 --- a/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch +++ /dev/null 
@@ -1,80 +0,0 @@
-From df8c219cb987cfe85c550efa693a1383a11e38aa Mon Sep 17 00:00:00 2001
-From: Arjun Shankar <arjun@redhat.com>
-Date: Thu, 30 Nov 2017 13:31:45 +0100
-Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ
- #22375]
-
-When the per-thread cache is enabled, __libc_malloc uses request2size (which
-does not perform an overflow check) to calculate the chunk size from the
-requested allocation size. This leads to an integer overflow causing malloc
-to incorrectly return the last successfully allocated block when called with
-a very large size argument (close to SIZE_MAX).
-
-This commit uses checked_request2size instead, removing the overflow.
-
-(cherry picked from commit 34697694e8a93b325b18f25f7dcded55d6baeaf6)
-
-Upstream-Status: Backport
-CVE: CVE-2017-17426
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- ChangeLog | 7 +++++++
- NEWS | 6 ++++++
- malloc/malloc.c | 3 ++-
- 3 files changed, 15 insertions(+), 1 deletion(-)
-
-Index: git/NEWS
-===================================================================
---- git.orig/NEWS
-+++ git/NEWS
-@@ -4,6 +4,8 @@ See the end for copying conditions.
-
- Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
- using `glibc' in the "product" field.
-+
-+[22375] malloc returns pointer from tcache instead of NULL (CVE-2017-17426)
-
- Version 2.26
-
-@@ -215,6 +217,11 @@ Security related changes:
- for AT_SECURE or SUID binaries could be used to load libraries from the
- current directory.
-
-+ CVE-2017-17426: The malloc function, when called with an object size near
-+ the value SIZE_MAX, would return a pointer to a buffer which is too small,
-+ instead of NULL. This was a regression introduced with the new malloc
-+ thread cache in glibc 2.26. Reported by Iain Buclaw.
-+
- The following bugs are resolved with this release:
-
- [984] network: Respond to changed resolv.conf in gethostbyname
-Index: git/malloc/malloc.c
-===================================================================
---- git.orig/malloc/malloc.c
-+++ git/malloc/malloc.c
-@@ -3050,7 +3050,8 @@ __libc_malloc (size_t bytes)
- return (*hook)(bytes, RETURN_ADDRESS (0));
- #if USE_TCACHE
- /* int_free also calls request2size, be careful to not pad twice. */
-- size_t tbytes = request2size (bytes);
-+ size_t tbytes;
-+ checked_request2size (bytes, tbytes);
- size_t tc_idx = csize2tidx (tbytes);
-
- MAYBE_INIT_TCACHE ();
-Index: git/ChangeLog
-===================================================================
---- git.orig/ChangeLog
-+++ git/ChangeLog
-@@ -1,3 +1,10 @@
-+2017-11-30 Arjun Shankar <arjun@redhat.com>
-+
-+ [BZ #22375]
-+ CVE-2017-17426
-+ * malloc/malloc.c (__libc_malloc): Use checked_request2size
-+ instead of request2size.
-+
- 2017-12-30 Aurelien Jarno <aurelien@aurel32.net>
- Dmitry V. Levin <ldv@altlinux.org>
- |