commit 82ff7b38d97f65850e247f0239f4732f01edb7b6 Author: Fredrik Rinnestam <fredrik@crux.nu> Date: Sat Feb 21 17:11:07 2015 +0100 [notify] glibc: added patches for CVE-2012-3406, CVE-2014-7817, CVE-2014-9402 and CVE-2015-1472 diff --git a/glibc/.md5sum b/glibc/.md5sum index fedcfaa..471c4d1 100644 --- a/glibc/.md5sum +++ b/glibc/.md5sum @@ -1,4 +1,8 @@ +c241d3240d0d98af4f1b948cd940dbd8 CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch 1d06c7a6084db7710bec7215143c5799 CVE-2014-0475.patch +59f56ab2c3b3334074c07dec6c217301 CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch +27ae57547600f9c6a9a897aa6f4e5555 CVE-2014-9402-Avoid-infinite-loop-in-nss_dns-getnetbyname.patch +b2a77e95e8694f37415f86e8bc0a1fe5 CVE-2015-1472-wscanf-allocates-too-little-memory.patch a568134a222776d8fc23059dfb25d835 glibc-2.19-multilib-dirs.patch e26b8cc666b162f999404b03970f14e4 glibc-2.19.tar.xz 96156bec8e05de67384dc93e72bdc313 host.conf diff --git a/glibc/CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch b/glibc/CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch new file mode 100644 index 0000000..6b40c96 --- /dev/null +++ b/glibc/CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch @@ -0,0 +1,274 @@ +From 6143805bb45e716829d86851e9372f55a136064b Mon Sep 17 00:00:00 2001 +From: Jeff Law <law@redhat.com> +Date: Mon, 15 Dec 2014 10:09:32 +0100 +Subject: [PATCH 35/37] CVE-2012-3406: Stack overflow in vfprintf [BZ #16617] + +A larger number of format specifiers coudld cause a stack overflow, +potentially allowing to bypass _FORTIFY_SOURCE format string +protection. + +Conflicts: + ChangeLog + NEWS +--- + ChangeLog | 13 +++++++++ + NEWS | 57 ++++++++++++++++++++++++++++++++++++++++ + stdio-common/Makefile | 2 +- + stdio-common/bug23-2.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++ + stdio-common/bug23-3.c | 50 +++++++++++++++++++++++++++++++++++ + stdio-common/bug23-4.c | 31 ++++++++++++++++++++++ + stdio-common/vfprintf.c | 40 ++++++++++++++++++++++++++-- + 7 files changed, 260 insertions(+), 3 deletions(-) + create mode 100644 stdio-common/bug23-2.c + create mode 100644 stdio-common/bug23-3.c + create mode 100644 stdio-common/bug23-4.c + +diff --git a/stdio-common/bug23-2.c b/stdio-common/bug23-2.c +new file mode 100644 +index 0000000..9e0cfe6 +--- /dev/null ++++ b/stdio-common/bug23-2.c +@@ -0,0 +1,70 @@ ++#include <stdio.h> ++#include <string.h> ++#include <stdlib.h> ++ ++static const char expected[] = "\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55\ ++\n\ ++a\n\ ++abbcd55%%%%%%%%%%%%%%%%%%%%%%%%%%\n"; ++ ++static int ++do_test (void) ++{ ++ char *buf = malloc (strlen (expected) + 1); ++ snprintf (buf, strlen (expected) + 1, ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n", ++ "a", "b", "c", "d", 5); ++ return strcmp (buf, expected) != 0; ++} ++ ++#define TEST_FUNCTION do_test () ++#include "../test-skeleton.c" +diff --git a/stdio-common/bug23-3.c b/stdio-common/bug23-3.c +new file mode 100644 +index 0000000..57c8cef +--- /dev/null ++++ b/stdio-common/bug23-3.c +@@ -0,0 +1,50 @@ ++#include <stdio.h> ++#include <string.h> ++#include <stdlib.h> ++ ++int ++do_test (void) ++{ ++ size_t instances = 16384; ++#define X0 "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" ++ const char *item = "\na\nabbcd55"; ++#define X3 X0 X0 X0 X0 X0 X0 X0 X0 ++#define X6 X3 X3 X3 X3 X3 X3 X3 X3 ++#define X9 X6 X6 X6 X6 X6 X6 X6 X6 ++#define X12 X9 X9 X9 X9 X9 X9 X9 X9 ++#define X14 X12 X12 X12 X12 ++#define TRAILER "%%%%%%%%%%%%%%%%%%%%%%%%%%" ++#define TRAILER2 TRAILER TRAILER ++ size_t length = instances * strlen (item) + strlen (TRAILER) + 1; ++ ++ char *buf = malloc (length + 1); ++ snprintf (buf, length + 1, ++ X14 TRAILER2 "\n", ++ "a", "b", "c", "d", 5); ++ ++ const char *p = buf; ++ size_t i; ++ for (i = 0; i < instances; ++i) ++ { ++ const char *expected; ++ for (expected = item; *expected; ++expected) ++ { ++ if (*p != *expected) ++ { ++ printf ("mismatch at offset %zu (%zu): expected %d, got %d\n", ++ (size_t) (p - buf), i, *expected & 0xFF, *p & 0xFF); ++ return 1; ++ } ++ ++p; ++ } ++ } ++ if (strcmp (p, TRAILER "\n") != 0) ++ { ++ printf ("mismatch at trailer: [%s]\n", p); ++ return 1; ++ } ++ free (buf); ++ return 0; ++} ++#define TEST_FUNCTION do_test () ++#include "../test-skeleton.c" +diff --git a/stdio-common/bug23-4.c b/stdio-common/bug23-4.c +new file mode 100644 +index 0000000..a478564 +--- /dev/null ++++ b/stdio-common/bug23-4.c +@@ -0,0 +1,31 @@ ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++#include <sys/resource.h> ++ ++#define LIMIT 1000000 ++ ++int ++main (void) ++{ ++ struct rlimit lim; ++ getrlimit (RLIMIT_STACK, &lim); ++ lim.rlim_cur = 1048576; ++ setrlimit (RLIMIT_STACK, &lim); ++ char *fmtstr = malloc (4 * LIMIT + 1); ++ if (fmtstr == NULL) ++ abort (); ++ char *output = malloc (LIMIT + 1); ++ if (output == NULL) ++ abort (); ++ for (size_t i = 0; i < LIMIT; i++) ++ memcpy (fmtstr + 4 * i, "%1$d", 4); ++ fmtstr[4 * LIMIT] = '\0'; ++ int ret = snprintf (output, LIMIT + 1, fmtstr, 0); ++ if (ret != LIMIT) ++ abort (); ++ for (size_t i = 0; i < LIMIT; i++) ++ if (output[i] != '0') ++ abort (); ++ return 0; ++} +diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c +index f7e5f61..f423be6 100644 +--- a/stdio-common/vfprintf.c ++++ b/stdio-common/vfprintf.c +@@ -263,6 +263,12 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap) + /* For the argument descriptions, which may be allocated on the heap. */ + void *args_malloced = NULL; + ++ /* For positional argument handling. */ ++ struct printf_spec *specs; ++ ++ /* Track if we malloced the SPECS array and thus must free it. */ ++ bool specs_malloced = false; ++ + /* This table maps a character into a number representing a + class. In each step there is a destination label for each + class. */ +@@ -1678,8 +1684,8 @@ do_positional: + size_t nspecs = 0; + /* A more or less arbitrary start value. */ + size_t nspecs_size = 32 * sizeof (struct printf_spec); +- struct printf_spec *specs = alloca (nspecs_size); + ++ specs = alloca (nspecs_size); + /* The number of arguments the format string requests. This will + determine the size of the array needed to store the argument + attributes. */ +@@ -1720,11 +1726,39 @@ do_positional: + if (nspecs * sizeof (*specs) >= nspecs_size) + { + /* Extend the array of format specifiers. */ ++ if (nspecs_size * 2 < nspecs_size) ++ { ++ __set_errno (ENOMEM); ++ done = -1; ++ goto all_done; ++ } + struct printf_spec *old = specs; +- specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size); ++ if (__libc_use_alloca (2 * nspecs_size)) ++ specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size); ++ else ++ { ++ nspecs_size *= 2; ++ specs = malloc (nspecs_size); ++ if (specs == NULL) ++ { ++ __set_errno (ENOMEM); ++ specs = old; ++ done = -1; ++ goto all_done; ++ } ++ } + + /* Copy the old array's elements to the new space. */ + memmove (specs, old, nspecs * sizeof (*specs)); ++ ++ /* If we had previously malloc'd space for SPECS, then ++ release it after the copy is complete. */ ++ if (specs_malloced) ++ free (old); ++ ++ /* Now set SPECS_MALLOCED if needed. */ ++ if (!__libc_use_alloca (nspecs_size)) ++ specs_malloced = true; + } + + /* Parse the format specifier. */ +@@ -2045,6 +2079,8 @@ do_positional: + } + + all_done: ++ if (specs_malloced) ++ free (specs); + if (__glibc_unlikely (args_malloced != NULL)) + free (args_malloced); + if (__glibc_unlikely (workstart != NULL)) +-- +2.2.1 + diff --git a/glibc/CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch b/glibc/CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch new file mode 100644 index 0000000..8e4a32f --- /dev/null +++ b/glibc/CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch @@ -0,0 +1,174 @@ +From b9b6e3f01655942891bf4c66a2c5e8246cdad7e1 Mon Sep 17 00:00:00 2001 +From: Carlos O'Donell <carlos@redhat.com> +Date: Wed, 19 Nov 2014 11:44:12 -0500 +Subject: [PATCH 1/2] CVE-2014-7817: wordexp fails to honour WRDE_NOCMD. + +The function wordexp() fails to properly handle the WRDE_NOCMD +flag when processing arithmetic inputs in the form of "$((... ``))" +where "..." can be anything valid. The backticks in the arithmetic +epxression are evaluated by in a shell even if WRDE_NOCMD forbade +command substitution. This allows an attacker to attempt to pass +dangerous commands via constructs of the above form, and bypass +the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD +in exec_comm(), the only place that can execute a shell. All other +checks for WRDE_NOCMD are superfluous and removed. + +We expand the testsuite and add 3 new regression tests of roughly +the same form but with a couple of nested levels. + +On top of the 3 new tests we add fork validation to the WRDE_NOCMD +testing. If any forks are detected during the execution of a wordexp() +call with WRDE_NOCMD, the test is marked as failed. This is slightly +heuristic since vfork might be used in the future, but it provides a +higher level of assurance that no shells were executed as part of +command substitution with WRDE_NOCMD in effect. In addition it doesn't +require libpthread or libdl, instead we use the public implementation +namespace function __register_atfork (already part of the public ABI +for libpthread). + +Tested on x86_64 with no regressions. + +Conflicts: + ChangeLog + NEWS +--- + ChangeLog | 266 +++++++++++++++++++++++++++++++++++++++++++++++++++ + NEWS | 10 ++ + posix/wordexp-test.c | 44 +++++++++ + posix/wordexp.c | 16 +--- + 4 files changed, 324 insertions(+), 12 deletions(-) + +diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c +index 4957006..bdd65e4 100644 +--- a/posix/wordexp-test.c ++++ b/posix/wordexp-test.c +@@ -27,6 +27,25 @@ + + #define IFS " \n\t" + ++extern void *__dso_handle __attribute__ ((__weak__, __visibility__ ("hidden"))); ++extern int __register_atfork (void (*) (void), void (*) (void), void (*) (void), void *); ++ ++static int __app_register_atfork (void (*prepare) (void), void (*parent) (void), void (*child) (void)) ++{ ++ return __register_atfork (prepare, parent, child, ++ &__dso_handle == NULL ? NULL : __dso_handle); ++} ++ ++/* Number of forks seen. */ ++static int registered_forks; ++ ++/* For each fork increment the fork count. */ ++static void ++register_fork (void) ++{ ++ registered_forks++; ++} ++ + struct test_case_struct + { + int retval; +@@ -206,6 +225,12 @@ struct test_case_struct + { WRDE_SYNTAX, NULL, "$((2+))", 0, 0, { NULL, }, IFS }, + { WRDE_SYNTAX, NULL, "`", 0, 0, { NULL, }, IFS }, + { WRDE_SYNTAX, NULL, "$((010+4+))", 0, 0, { NULL }, IFS }, ++ /* Test for CVE-2014-7817. We test 3 combinations of command ++ substitution inside an arithmetic expression to make sure that ++ no commands are executed and error is returned. */ ++ { WRDE_CMDSUB, NULL, "$((`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS }, ++ { WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS }, ++ { WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS }, + + { -1, NULL, NULL, 0, 0, { NULL, }, IFS }, + }; +@@ -258,6 +283,15 @@ main (int argc, char *argv[]) + return -1; + } + ++ /* If we are not allowed to do command substitution, we install ++ fork handlers to verify that no forks happened. No forks should ++ happen at all if command substitution is disabled. */ ++ if (__app_register_atfork (register_fork, NULL, NULL) != 0) ++ { ++ printf ("Failed to register fork handler.\n"); ++ return -1; ++ } ++ + for (test = 0; test_case[test].retval != -1; test++) + if (testit (&test_case[test])) + ++fail; +@@ -367,6 +401,9 @@ testit (struct test_case_struct *tc) + + printf ("Test %d (%s): ", ++tests, tc->words); + ++ if (tc->flags & WRDE_NOCMD) ++ registered_forks = 0; ++ + if (tc->flags & WRDE_APPEND) + { + /* initial wordexp() call, to be appended to */ +@@ -378,6 +415,13 @@ testit (struct test_case_struct *tc) + } + retval = wordexp (tc->words, &we, tc->flags); + ++ if ((tc->flags & WRDE_NOCMD) ++ && (registered_forks > 0)) ++ { ++ printf ("FAILED fork called for WRDE_NOCMD\n"); ++ return 1; ++ } ++ + if (tc->flags & WRDE_DOOFFS) + start_offs = sav_we.we_offs; + +diff --git a/posix/wordexp.c b/posix/wordexp.c +index 366ec18..36a1367 100644 +--- a/posix/wordexp.c ++++ b/posix/wordexp.c +@@ -893,6 +893,10 @@ exec_comm (char *comm, char **word, size_t *word_length, size_t *max_length, + pid_t pid; + int noexec = 0; + ++ /* Do nothing if command substitution should not succeed. */ ++ if (flags & WRDE_NOCMD) ++ return WRDE_CMDSUB; ++ + /* Don't fork() unless necessary */ + if (!comm || !*comm) + return 0; +@@ -2082,9 +2086,6 @@ parse_dollars (char **word, size_t *word_length, size_t *max_length, + } + } + +- if (flags & WRDE_NOCMD) +- return WRDE_CMDSUB; +- + (*offset) += 2; + return parse_comm (word, word_length, max_length, words, offset, flags, + quoted? NULL : pwordexp, ifs, ifs_white); +@@ -2196,9 +2197,6 @@ parse_dquote (char **word, size_t *word_length, size_t *max_length, + break; + + case '`': +- if (flags & WRDE_NOCMD) +- return WRDE_CMDSUB; +- + ++(*offset); + error = parse_backtick (word, word_length, max_length, words, + offset, flags, NULL, NULL, NULL); +@@ -2357,12 +2355,6 @@ wordexp (const char *words, wordexp_t *pwordexp, int flags) + break; + + case '`': +- if (flags & WRDE_NOCMD) +- { +- error = WRDE_CMDSUB; +- goto do_error; +- } +- + ++words_offset; + error = parse_backtick (&word, &word_length, &max_length, words, + &words_offset, flags, pwordexp, ifs, +-- +2.2.1 + diff --git a/glibc/CVE-2014-9402-Avoid-infinite-loop-in-nss_dns-getnetbyname.patch b/glibc/CVE-2014-9402-Avoid-infinite-loop-in-nss_dns-getnetbyname.patch new file mode 100644 index 0000000..d9c01fa --- /dev/null +++ b/glibc/CVE-2014-9402-Avoid-infinite-loop-in-nss_dns-getnetbyname.patch @@ -0,0 +1,32 @@ +From c9e9c2e4b1bdd880e11ad1d0756da87634456b95 Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Mon, 15 Dec 2014 17:41:13 +0100 +Subject: [PATCH] Avoid infinite loop in nss_dns getnetbyname [BZ #17630] + +Conflicts: + ChangeLog + NEWS +--- + ChangeLog | 14 ++++++++++++++ + NEWS | 8 ++++++++ + resolv/nss_dns/dns-network.c | 4 ++-- + 3 files changed, 24 insertions(+), 2 deletions(-) + +diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c +index 13ad38c..1993ec1 100644 +--- a/resolv/nss_dns/dns-network.c ++++ b/resolv/nss_dns/dns-network.c +@@ -398,8 +398,8 @@ getanswer_r (const querybuf *answer, int anslen, struct netent *result, + + case BYNAME: + { +- char **ap = result->n_aliases++; +- while (*ap != NULL) ++ char **ap; ++ for (ap = result->n_aliases; *ap != NULL; ++ap) + { + /* Check each alias name for being of the forms: + 4.3.2.1.in-addr.arpa = net 1.2.3.4 +-- +2.2.1 + diff --git a/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch b/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch new file mode 100644 index 0000000..e472684 --- /dev/null +++ b/glibc/CVE-2015-1472-wscanf-allocates-too-little-memory.patch @@ -0,0 +1,105 @@ +From 18d9cd1d9d95503074db705686d0236c99db5d00 Mon Sep 17 00:00:00 2001 +From: Paul Pluzhnikov <ppluzhnikov@google.com> +Date: Fri, 6 Feb 2015 00:30:42 -0500 +Subject: [PATCH 2/2] CVE-2015-1472: wscanf allocates too little memory + +BZ #16618 + +Under certain conditions wscanf can allocate too little memory for the +to-be-scanned arguments and overflow the allocated buffer. The +implementation now correctly computes the required buffer size when +using malloc. + +A regression test was added to tst-sscanf. + +Conflicts: + ChangeLog + NEWS +--- + ChangeLog | 133 ++++++++++++++++++++++++++++++++++++++++++++++ + NEWS | 44 +++++++++++++++ + stdio-common/tst-sscanf.c | 33 ++++++++++++ + stdio-common/vfscanf.c | 12 ++--- + 4 files changed, 216 insertions(+), 6 deletions(-) + +diff --git a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c +index 1214c7d..c62bee6 100644 +--- a/stdio-common/tst-sscanf.c ++++ b/stdio-common/tst-sscanf.c +@@ -232,5 +232,38 @@ main (void) + } + } + ++ /* BZ #16618 ++ The test will segfault during SSCANF if the buffer overflow ++ is not fixed. The size of `s` is such that it forces the use ++ of malloc internally and this triggers the incorrect computation. ++ Thus the value for SIZE is arbitrariy high enough that malloc ++ is used. */ ++ { ++#define SIZE 131072 ++ CHAR *s = malloc ((SIZE + 1) * sizeof (*s)); ++ if (s == NULL) ++ abort (); ++ for (size_t i = 0; i < SIZE; i++) ++ s[i] = L('0'); ++ s[SIZE] = L('\0'); ++ int i = 42; ++ /* Scan multi-digit zero into `i`. */ ++ if (SSCANF (s, L("%d"), &i) != 1) ++ { ++ printf ("FAIL: bug16618: SSCANF did not read one input item.\n"); ++ result = 1; ++ } ++ if (i != 0) ++ { ++ printf ("FAIL: bug16618: Value of `i` was not zero as expected.\n"); ++ result = 1; ++ } ++ free (s); ++ if (result != 1) ++ printf ("PASS: bug16618: Did not crash.\n"); ++#undef SIZE ++ } ++ ++ + return result; + } +diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c +index 2e1e91a..d7a18e3 100644 +--- a/stdio-common/vfscanf.c ++++ b/stdio-common/vfscanf.c +@@ -272,9 +272,10 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr, + if (__builtin_expect (wpsize == wpmax, 0)) \ + { \ + CHAR_T *old = wp; \ +- size_t newsize = (UCHAR_MAX + 1 > 2 * wpmax \ +- ? UCHAR_MAX + 1 : 2 * wpmax); \ +- if (use_malloc || !__libc_use_alloca (newsize)) \ ++ bool fits = __glibc_likely (wpmax <= SIZE_MAX / sizeof (CHAR_T) / 2); \ ++ size_t wpneed = MAX (UCHAR_MAX + 1, 2 * wpmax); \ ++ size_t newsize = fits ? wpneed * sizeof (CHAR_T) : SIZE_MAX; \ ++ if (!__libc_use_alloca (newsize)) \ + { \ + wp = realloc (use_malloc ? wp : NULL, newsize); \ + if (wp == NULL) \ +@@ -286,14 +287,13 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr, + } \ + if (! use_malloc) \ + MEMCPY (wp, old, wpsize); \ +- wpmax = newsize; \ ++ wpmax = wpneed; \ + use_malloc = true; \ + } \ + else \ + { \ + size_t s = wpmax * sizeof (CHAR_T); \ +- wp = (CHAR_T *) extend_alloca (wp, s, \ +- newsize * sizeof (CHAR_T)); \ ++ wp = (CHAR_T *) extend_alloca (wp, s, newsize); \ + wpmax = s / sizeof (CHAR_T); \ + if (old != NULL) \ + MEMCPY (wp, old, wpsize); \ +-- +2.2.1 + diff --git a/glibc/Pkgfile b/glibc/Pkgfile index e4910ed..5bd7570 100644 --- a/glibc/Pkgfile +++ b/glibc/Pkgfile @@ -4,11 +4,15 @@ name=glibc version=2.19 -release=4 +release=5 source=(http://ftp.gnu.org/gnu/glibc/glibc-$version.tar.xz \ http://crux.nu/files/distfiles/kernel-headers-3.12.tar.bz2 \ $name-$version-multilib-dirs.patch \ CVE-2014-0475.patch iconv-gconv_trans.c.patch \ + CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \ + CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch \ + CVE-2014-9402-Avoid-infinite-loop-in-nss_dns-getnetbyname.patch \ + CVE-2015-1472-wscanf-allocates-too-little-memory.patch \ hosts resolv.conf nsswitch.conf host.conf ld.so.conf) build() { @@ -20,6 +24,10 @@ build() { patch -p1 -d $SRC/$name-$version -i $SRC/$name-$version-multilib-dirs.patch patch -p1 -d $SRC/$name-$version -i $SRC/CVE-2014-0475.patch patch -p1 -d $SRC/$name-$version -i $SRC/iconv-gconv_trans.c.patch + patch -p1 -d $SRC/$name-$version -i $SRC/CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch + patch -p1 -d $SRC/$name-$version -i $SRC/CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch + patch -p1 -d $SRC/$name-$version -i $SRC/CVE-2014-9402-Avoid-infinite-loop-in-nss_dns-getnetbyname.patch + patch -p1 -d $SRC/$name-$version -i $SRC/CVE-2015-1472-wscanf-allocates-too-little-memory.patch mkdir $SRC/build cd $SRC/build