ports/core (3.0): [notify] glibc-32: fix CVE-2015-0235 ghost vulnerability in 3.0, too
commit 49eb9abe3d36661758aab4d077ae927cdf428a3b Author: Thomas Penteker <tek@serverop.de> Date: Wed Feb 4 20:32:09 2015 +0100 [notify] glibc-32: fix CVE-2015-0235 ghost vulnerability in 3.0, too diff --git a/glibc-32/.md5sum b/glibc-32/.md5sum index a0c2384..63270c0 100644 --- a/glibc-32/.md5sum +++ b/glibc-32/.md5sum @@ -1,6 +1,7 @@ 80b181b02ab249524ec92822c0174cf7 glibc-2.16.0.tar.xz c3f3499e0a6272cba7b6e46bfe6bbcea glibc-32-2.16.0-multilib-dirs.patch 3a51662cd99783b3d01ceac2dca19597 glibc-CVE-2013-4332.patch +1168de0dd6aeca3e85a992e4ffaf53d5 glibc-ghost-CVE-2015-0235.patch d4a2a19efe1e9b59b86fd15a968f7e10 glibc-regexp_buffer_overrun.patch 7e6a5a13c37f93213db9803d9790b7de glibc-resolv_assert.patch 99ed7b88221475d51a073f00d7ee9c42 glibc-segfault_in_strncasecmp.patch diff --git a/glibc-32/Pkgfile b/glibc-32/Pkgfile index f0f78f9..955bf23 100644 --- a/glibc-32/Pkgfile +++ b/glibc-32/Pkgfile @@ -4,7 +4,7 @@ name=glibc-32 version=2.16.0 -release=6 +release=7 source=(http://ftp.gnu.org/gnu/glibc/glibc-$version.tar.xz \ http://crux.nu/files/distfiles/kernel-headers-3.4.11.tar.xz \ $name-$version-multilib-dirs.patch \ @@ -14,6 +14,7 @@ source=(http://ftp.gnu.org/gnu/glibc/glibc-$version.tar.xz \ glibc-segfault_in_strncasecmp.patch \ glibc-strtod_integer_overflow.patch \ glibc-regexp_buffer_overrun.patch + glibc-ghost-CVE-2015-0235.patch \ glibc-CVE-2013-4332.patch) build() { @@ -28,6 +29,7 @@ build() { patch -p1 -d glibc-$version -i $SRC/glibc-regexp_buffer_overrun.patch patch -p1 -d glibc-$version -i $SRC/$name-$version-multilib-dirs.patch patch -p1 -d glibc-$version -i $SRC/glibc-CVE-2013-4332.patch + patch -p1 -d glibc-$version -i $SRC/glibc-ghost-CVE-2015-0235.patch mkdir build cd build diff --git a/glibc-32/glibc-ghost-CVE-2015-0235.patch b/glibc-32/glibc-ghost-CVE-2015-0235.patch new file mode 100644 index 0000000..b1b49d0 --- /dev/null +++ b/glibc-32/glibc-ghost-CVE-2015-0235.patch 
@@ -0,0 +1,212 @@ +diff -Naur glibc-2.16.0/nss/digits_dots.c glibc-2.16.0.new/nss/digits_dots.c +--- glibc-2.16.0/nss/digits_dots.c 2012-06-30 21:12:34.000000000 +0200 ++++ glibc-2.16.0.new/nss/digits_dots.c 2015-01-28 13:45:05.481023654 +0100 +@@ -46,7 +46,10 @@ + { + if (h_errnop) + *h_errnop = NETDB_INTERNAL; +- *result = NULL; ++ if (buffer_size == NULL) ++ *status = NSS_STATUS_TRYAGAIN; ++ else ++ *result = NULL; + return -1; + } + +@@ -83,14 +86,16 @@ + } + + size_needed = (sizeof (*host_addr) +- + sizeof (*h_addr_ptrs) + strlen (name) + 1); ++ + sizeof (*h_addr_ptrs) ++ + sizeof (*h_alias_ptr) + strlen (name) + 1); + + if (buffer_size == NULL) + { + if (buflen < size_needed) + { ++ *status = NSS_STATUS_TRYAGAIN; + if (h_errnop != NULL) +- *h_errnop = TRY_AGAIN; ++ *h_errnop = NETDB_INTERNAL; + __set_errno (ERANGE); + goto done; + } +@@ -109,7 +114,7 @@ + *buffer_size = 0; + __set_errno (save); + if (h_errnop != NULL) +- *h_errnop = TRY_AGAIN; ++ *h_errnop = NETDB_INTERNAL; + *result = NULL; + goto done; + } +@@ -149,7 +154,9 @@ + if (! ok) + { + *h_errnop = HOST_NOT_FOUND; +- if (buffer_size) ++ if (buffer_size == NULL) ++ *status = NSS_STATUS_NOTFOUND; ++ else + *result = NULL; + goto done; + } +@@ -190,7 +197,7 @@ + if (buffer_size == NULL) + *status = NSS_STATUS_SUCCESS; + else +- *result = resbuf; ++ *result = resbuf; + goto done; + } + +@@ -201,15 +208,6 @@ + + if ((isxdigit (name[0]) && strchr (name, ':') != NULL) || name[0] == ':') + { +- const char *cp; +- char *hostname; +- typedef unsigned char host_addr_t[16]; +- host_addr_t *host_addr; +- typedef char *host_addr_list_t[2]; +- host_addr_list_t *h_addr_ptrs; +- size_t size_needed; +- int addr_size; +- + switch (af) + { + default: +@@ -225,7 +223,10 @@ + /* This is not possible. We cannot represent an IPv6 address + in an `struct in_addr' variable. 
*/ + *h_errnop = HOST_NOT_FOUND; +- *result = NULL; ++ if (buffer_size == NULL) ++ *status = NSS_STATUS_NOTFOUND; ++ else ++ *result = NULL; + goto done; + + case AF_INET6: +@@ -233,42 +234,6 @@ + break; + } + +- size_needed = (sizeof (*host_addr) +- + sizeof (*h_addr_ptrs) + strlen (name) + 1); +- +- if (buffer_size == NULL && buflen < size_needed) +- { +- if (h_errnop != NULL) +- *h_errnop = TRY_AGAIN; +- __set_errno (ERANGE); +- goto done; +- } +- else if (buffer_size != NULL && *buffer_size < size_needed) +- { +- char *new_buf; +- *buffer_size = size_needed; +- new_buf = realloc (*buffer, *buffer_size); +- +- if (new_buf == NULL) +- { +- save = errno; +- free (*buffer); +- __set_errno (save); +- *buffer = NULL; +- *buffer_size = 0; +- *result = NULL; +- goto done; +- } +- *buffer = new_buf; +- } +- +- memset (*buffer, '\0', size_needed); +- +- host_addr = (host_addr_t *) *buffer; +- h_addr_ptrs = (host_addr_list_t *) +- ((char *) host_addr + sizeof (*host_addr)); +- hostname = (char *) h_addr_ptrs + sizeof (*h_addr_ptrs); +- + for (cp = name;; ++cp) + { + if (!*cp) +@@ -281,7 +246,9 @@ + if (inet_pton (AF_INET6, name, host_addr) <= 0) + { + *h_errnop = HOST_NOT_FOUND; +- if (buffer_size) ++ if (buffer_size == NULL) ++ *status = NSS_STATUS_NOTFOUND; ++ else + *result = NULL; + goto done; + } +diff -Naur glibc-2.16.0/nss/getXXbyYY_r.c glibc-2.16.0.new/nss/getXXbyYY_r.c +--- glibc-2.16.0/nss/getXXbyYY_r.c 2012-06-30 21:12:34.000000000 +0200 ++++ glibc-2.16.0.new/nss/getXXbyYY_r.c 2015-01-28 13:45:05.482023654 +0100 +@@ -179,6 +179,9 @@ + case -1: + return errno; + case 1: ++#ifdef NEED_H_ERRNO ++ any_service = true; ++#endif + goto done; + } + #endif +diff -Naur glibc-2.16.0/nss/Makefile glibc-2.16.0.new/nss/Makefile +--- glibc-2.16.0/nss/Makefile 2012-06-30 21:12:34.000000000 +0200 ++++ glibc-2.16.0.new/nss/Makefile 2015-01-28 13:52:01.367041544 +0100 +@@ -38,7 +38,7 @@ + makedb-modules = xmalloc hash-string + extra-objs += $(makedb-modules:=.o) + +-tests = 
test-netdb tst-nss-test1 ++tests = test-netdb tst-nss-test1 test-digits-dots + xtests = bug-erange + + include ../Makeconfig +diff -Naur glibc-2.16.0/nss/test-digits-dots.c glibc-2.16.0.new/nss/test-digits-dots.c +--- glibc-2.16.0/nss/test-digits-dots.c 1970-01-01 01:00:00.000000000 +0100 ++++ glibc-2.16.0.new/nss/test-digits-dots.c 2015-01-28 13:45:05.483023654 +0100 +@@ -0,0 +1,38 @@ ++/* Copyright (C) 2013 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++/* Testcase for BZ #15014 */ ++ ++#include <stdlib.h> ++#include <netdb.h> ++#include <errno.h> ++ ++static int ++do_test (void) ++{ ++ char buf[32]; ++ struct hostent *result = NULL; ++ struct hostent ret; ++ int h_err = 0; ++ int err; ++ ++ err = gethostbyname_r ("1.2.3.4", &ret, buf, sizeof (buf), &result, &h_err); ++ return err == ERANGE && h_err == NETDB_INTERNAL ? EXIT_SUCCESS : EXIT_FAILURE; ++} ++ ++#define TEST_FUNCTION do_test () ++#include "../test-skeleton.c" diff --git a/glibc/glibc-ghost-CVE-2015-0235.patch b/glibc/glibc-ghost-CVE-2015-0235.patch new file mode 100644 index 0000000..b1b49d0 --- /dev/null +++ b/glibc/glibc-ghost-CVE-2015-0235.patch 
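Review bot: The new glibc-ghost-CVE-2015-0235.patch starts directly at `diff -Naur glibc-2.16.0/nss/digits_dots.c ...` and has no header saying where the backport came from; the only traceable reference in it is `/* Testcase for BZ #15014 */` in the added test. For a security fix shipped as a local file and checked only against its .md5sum entry, I would add a short leading comment naming the upstream origin, for example `Backport of upstream glibc commit <UPSTREAM_COMMIT_ID> (BZ #15014), fixes CVE-2015-0235`; patch skips text before the first file header. That header should also say that the `size_needed` change adding `sizeof (*h_alias_ptr)` is the buffer-size correction, so a later reviewer can compare that hunk against upstream first. The .md5sum entry has to be regenerated after editing the file.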
@@ -0,0 +1,212 @@ +diff -Naur glibc-2.16.0/nss/digits_dots.c glibc-2.16.0.new/nss/digits_dots.c +--- glibc-2.16.0/nss/digits_dots.c 2012-06-30 21:12:34.000000000 +0200 ++++ glibc-2.16.0.new/nss/digits_dots.c 2015-01-28 13:45:05.481023654 +0100 +@@ -46,7 +46,10 @@ + { + if (h_errnop) + *h_errnop = NETDB_INTERNAL; +- *result = NULL; ++ if (buffer_size == NULL) ++ *status = NSS_STATUS_TRYAGAIN; ++ else ++ *result = NULL; + return -1; + } + +@@ -83,14 +86,16 @@ + } + + size_needed = (sizeof (*host_addr) +- + sizeof (*h_addr_ptrs) + strlen (name) + 1); ++ + sizeof (*h_addr_ptrs) ++ + sizeof (*h_alias_ptr) + strlen (name) + 1); + + if (buffer_size == NULL) + { + if (buflen < size_needed) + { ++ *status = NSS_STATUS_TRYAGAIN; + if (h_errnop != NULL) +- *h_errnop = TRY_AGAIN; ++ *h_errnop = NETDB_INTERNAL; + __set_errno (ERANGE); + goto done; + } +@@ -109,7 +114,7 @@ + *buffer_size = 0; + __set_errno (save); + if (h_errnop != NULL) +- *h_errnop = TRY_AGAIN; ++ *h_errnop = NETDB_INTERNAL; + *result = NULL; + goto done; + } +@@ -149,7 +154,9 @@ + if (! ok) + { + *h_errnop = HOST_NOT_FOUND; +- if (buffer_size) ++ if (buffer_size == NULL) ++ *status = NSS_STATUS_NOTFOUND; ++ else + *result = NULL; + goto done; + } +@@ -190,7 +197,7 @@ + if (buffer_size == NULL) + *status = NSS_STATUS_SUCCESS; + else +- *result = resbuf; ++ *result = resbuf; + goto done; + } + +@@ -201,15 +208,6 @@ + + if ((isxdigit (name[0]) && strchr (name, ':') != NULL) || name[0] == ':') + { +- const char *cp; +- char *hostname; +- typedef unsigned char host_addr_t[16]; +- host_addr_t *host_addr; +- typedef char *host_addr_list_t[2]; +- host_addr_list_t *h_addr_ptrs; +- size_t size_needed; +- int addr_size; +- + switch (af) + { + default: +@@ -225,7 +223,10 @@ + /* This is not possible. We cannot represent an IPv6 address + in an `struct in_addr' variable. 
*/ + *h_errnop = HOST_NOT_FOUND; +- *result = NULL; ++ if (buffer_size == NULL) ++ *status = NSS_STATUS_NOTFOUND; ++ else ++ *result = NULL; + goto done; + + case AF_INET6: +@@ -233,42 +234,6 @@ + break; + } + +- size_needed = (sizeof (*host_addr) +- + sizeof (*h_addr_ptrs) + strlen (name) + 1); +- +- if (buffer_size == NULL && buflen < size_needed) +- { +- if (h_errnop != NULL) +- *h_errnop = TRY_AGAIN; +- __set_errno (ERANGE); +- goto done; +- } +- else if (buffer_size != NULL && *buffer_size < size_needed) +- { +- char *new_buf; +- *buffer_size = size_needed; +- new_buf = realloc (*buffer, *buffer_size); +- +- if (new_buf == NULL) +- { +- save = errno; +- free (*buffer); +- __set_errno (save); +- *buffer = NULL; +- *buffer_size = 0; +- *result = NULL; +- goto done; +- } +- *buffer = new_buf; +- } +- +- memset (*buffer, '\0', size_needed); +- +- host_addr = (host_addr_t *) *buffer; +- h_addr_ptrs = (host_addr_list_t *) +- ((char *) host_addr + sizeof (*host_addr)); +- hostname = (char *) h_addr_ptrs + sizeof (*h_addr_ptrs); +- + for (cp = name;; ++cp) + { + if (!*cp) +@@ -281,7 +246,9 @@ + if (inet_pton (AF_INET6, name, host_addr) <= 0) + { + *h_errnop = HOST_NOT_FOUND; +- if (buffer_size) ++ if (buffer_size == NULL) ++ *status = NSS_STATUS_NOTFOUND; ++ else + *result = NULL; + goto done; + } +diff -Naur glibc-2.16.0/nss/getXXbyYY_r.c glibc-2.16.0.new/nss/getXXbyYY_r.c +--- glibc-2.16.0/nss/getXXbyYY_r.c 2012-06-30 21:12:34.000000000 +0200 ++++ glibc-2.16.0.new/nss/getXXbyYY_r.c 2015-01-28 13:45:05.482023654 +0100 +@@ -179,6 +179,9 @@ + case -1: + return errno; + case 1: ++#ifdef NEED_H_ERRNO ++ any_service = true; ++#endif + goto done; + } + #endif +diff -Naur glibc-2.16.0/nss/Makefile glibc-2.16.0.new/nss/Makefile +--- glibc-2.16.0/nss/Makefile 2012-06-30 21:12:34.000000000 +0200 ++++ glibc-2.16.0.new/nss/Makefile 2015-01-28 13:52:01.367041544 +0100 +@@ -38,7 +38,7 @@ + makedb-modules = xmalloc hash-string + extra-objs += $(makedb-modules:=.o) + +-tests = 
test-netdb tst-nss-test1 ++tests = test-netdb tst-nss-test1 test-digits-dots + xtests = bug-erange + + include ../Makeconfig +diff -Naur glibc-2.16.0/nss/test-digits-dots.c glibc-2.16.0.new/nss/test-digits-dots.c +--- glibc-2.16.0/nss/test-digits-dots.c 1970-01-01 01:00:00.000000000 +0100 ++++ glibc-2.16.0.new/nss/test-digits-dots.c 2015-01-28 13:45:05.483023654 +0100 +@@ -0,0 +1,38 @@ ++/* Copyright (C) 2013 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++/* Testcase for BZ #15014 */ ++ ++#include <stdlib.h> ++#include <netdb.h> ++#include <errno.h> ++ ++static int ++do_test (void) ++{ ++ char buf[32]; ++ struct hostent *result = NULL; ++ struct hostent ret; ++ int h_err = 0; ++ int err; ++ ++ err = gethostbyname_r ("1.2.3.4", &ret, buf, sizeof (buf), &result, &h_err); ++ return err == ERANGE && h_err == NETDB_INTERNAL ? EXIT_SUCCESS : EXIT_FAILURE; ++} ++ ++#define TEST_FUNCTION do_test () ++#include "../test-skeleton.c"
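Review bot: This second copy of the patch lands in glibc/ (same blob `b1b49d0` as the glibc-32 one), but the commit changes neither glibc/Pkgfile nor glibc/.md5sum, and the subject line names only glibc-32. If the glibc port does not already list `glibc-ghost-CVE-2015-0235.patch` in `source=(...)`, apply it with `patch -p1` in `build()` and carry the checksum `1168de0dd6aeca3e85a992e4ffaf53d5`, the file is never used and the main glibc port in 3.0 stays unpatched. That state is not visible from this diff and should be confirmed against the tree. Either way the subject should mention the glibc/ addition, e.g. `glibc, glibc-32: fix CVE-2015-0235 ...`.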