summary refs log tree commit diff
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2014-08-26 14:44:14 -0400
committerMark H Weaver <mhw@netris.org>2014-08-26 16:04:16 -0400
commitf5beb0caf31f227dbe3dd909ec318e84247a504a (patch)
treee835daf3c9b7b171a30dd15d3aa4ad51354f7aa6
parent48abd130217bd1645fefc4ca1817862672c6d782 (diff)
downloadguix-f5beb0caf31f227dbe3dd909ec318e84247a504a.tar.gz
gnu: glibc: Fix CVE-2014-5119.
* gnu/packages/patches/glibc-CVE-2014-5119.patch: New file.
* gnu-system.am (dist_patch_DATA): Add it.
* gnu/packages/base.scm (glibc): Add the patch.
-rw-r--r--gnu-system.am1
-rw-r--r--gnu/packages/base.scm3
-rw-r--r--gnu/packages/patches/glibc-CVE-2014-5119.patch212
3 files changed, 215 insertions, 1 deletions
diff --git a/gnu-system.am b/gnu-system.am
index f24da850c2..006fcab801 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -311,6 +311,7 @@ dist_patch_DATA =						\
   gnu/packages/patches/glib-tests-prlimit.patch			\
   gnu/packages/patches/glib-tests-timer.patch			\
   gnu/packages/patches/glibc-bootstrap-system.patch		\
+  gnu/packages/patches/glibc-CVE-2014-5119.patch		\
   gnu/packages/patches/glibc-ldd-x86_64.patch			\
   gnu/packages/patches/gnunet-fix-scheduler.patch		\
   gnu/packages/patches/gnunet-fix-tests.patch    		\
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 30176cfddb..6f340172e0 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -384,7 +384,8 @@ library for working with executable and object formats is also included.")
                 (("use_ldconfig=yes")
                  "use_ldconfig=no")))
             (modules '((guix build utils)))
-            (patches (list (search-patch "glibc-ldd-x86_64.patch")))))
+            (patches (list (search-patch "glibc-CVE-2014-5119.patch")
+                           (search-patch "glibc-ldd-x86_64.patch")))))
    (build-system gnu-build-system)
 
    ;; Glibc's <limits.h> refers to <linux/limit.h>, for instance, so glibc
diff --git a/gnu/packages/patches/glibc-CVE-2014-5119.patch b/gnu/packages/patches/glibc-CVE-2014-5119.patch
new file mode 100644
index 0000000000..de063a2da5
--- /dev/null
+++ b/gnu/packages/patches/glibc-CVE-2014-5119.patch
@@ -0,0 +1,212 @@
+Remove support for loadable gconv transliteration modules.
+The support for transliteration modules has been non-functional for
+over a decade, and the removal is prompted by security defects.  The
+normal gconv conversion modules are still supported.  Transliteration
+with //TRANSLIT is still possible, and the //IGNORE specifier
+continues to be  supported. (CVE-2014-5119)
+
+Based on upstream commits a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8
+and f9df71e895d3552d557e783fdb9d133328195645
+by Florian Weimer <fweimer@redhat.com>.
+
+--- glibc-2.19/ChangeLog.orig	2014-02-07 04:04:38.000000000 -0500
++++ glibc-2.19/ChangeLog	2014-08-26 14:35:12.368861387 -0400
+@@ -1,3 +1,10 @@
++2014-08-26  Florian Weimer  <fweimer@redhat.com>
++
++	[BZ #17187]
++	* iconv/gconv_trans.c (struct known_trans, search_tree, lock,
++	trans_compare, open_translit, __gconv_translit_find):
++	Remove module loading code.
++
+ 2014-02-06  Carlos O'Donell  <carlos@redhat.com>
+ 
+ 	[BZ #16529]
+--- glibc-2.19/iconv/gconv_trans.c.orig	2014-02-07 04:04:38.000000000 -0500
++++ glibc-2.19/iconv/gconv_trans.c	2014-08-26 14:37:26.269525364 -0400
+@@ -238,181 +238,12 @@
+   return __GCONV_ILLEGAL_INPUT;
+ }
+ 
+-
+-/* Structure to represent results of found (or not) transliteration
+-   modules.  */
+-struct known_trans
+-{
+-  /* This structure must remain the first member.  */
+-  struct trans_struct info;
+-
+-  char *fname;
+-  void *handle;
+-  int open_count;
+-};
+-
+-
+-/* Tree with results of previous calls to __gconv_translit_find.  */
+-static void *search_tree;
+-
+-/* We modify global data.   */
+-__libc_lock_define_initialized (static, lock);
+-
+-
+-/* Compare two transliteration entries.  */
+-static int
+-trans_compare (const void *p1, const void *p2)
+-{
+-  const struct known_trans *s1 = (const struct known_trans *) p1;
+-  const struct known_trans *s2 = (const struct known_trans *) p2;
+-
+-  return strcmp (s1->info.name, s2->info.name);
+-}
+-
+-
+-/* Open (maybe reopen) the module named in the struct.  Get the function
+-   and data structure pointers we need.  */
+-static int
+-open_translit (struct known_trans *trans)
+-{
+-  __gconv_trans_query_fct queryfct;
+-
+-  trans->handle = __libc_dlopen (trans->fname);
+-  if (trans->handle == NULL)
+-    /* Not available.  */
+-    return 1;
+-
+-  /* Find the required symbol.  */
+-  queryfct = __libc_dlsym (trans->handle, "gconv_trans_context");
+-  if (queryfct == NULL)
+-    {
+-      /* We cannot live with that.  */
+-    close_and_out:
+-      __libc_dlclose (trans->handle);
+-      trans->handle = NULL;
+-      return 1;
+-    }
+-
+-  /* Get the context.  */
+-  if (queryfct (trans->info.name, &trans->info.csnames, &trans->info.ncsnames)
+-      != 0)
+-    goto close_and_out;
+-
+-  /* Of course we also have to have the actual function.  */
+-  trans->info.trans_fct = __libc_dlsym (trans->handle, "gconv_trans");
+-  if (trans->info.trans_fct == NULL)
+-    goto close_and_out;
+-
+-  /* Now the optional functions.  */
+-  trans->info.trans_init_fct =
+-    __libc_dlsym (trans->handle, "gconv_trans_init");
+-  trans->info.trans_context_fct =
+-    __libc_dlsym (trans->handle, "gconv_trans_context");
+-  trans->info.trans_end_fct =
+-    __libc_dlsym (trans->handle, "gconv_trans_end");
+-
+-  trans->open_count = 1;
+-
+-  return 0;
+-}
+-
+-
+ int
+ internal_function
+ __gconv_translit_find (struct trans_struct *trans)
+ {
+-  struct known_trans **found;
+-  const struct path_elem *runp;
+-  int res = 1;
+-
+-  /* We have to have a name.  */
+-  assert (trans->name != NULL);
+-
+-  /* Acquire the lock.  */
+-  __libc_lock_lock (lock);
+-
+-  /* See whether we know this module already.  */
+-  found = __tfind (trans, &search_tree, trans_compare);
+-  if (found != NULL)
+-    {
+-      /* Is this module available?  */
+-      if ((*found)->handle != NULL)
+-	{
+-	  /* Maybe we have to reopen the file.  */
+-	  if ((*found)->handle != (void *) -1)
+-	    /* The object is not unloaded.  */
+-	    res = 0;
+-	  else if (open_translit (*found) == 0)
+-	    {
+-	      /* Copy the data.  */
+-	      *trans = (*found)->info;
+-	      (*found)->open_count++;
+-	      res = 0;
+-	    }
+-	}
+-    }
+-  else
+-    {
+-      size_t name_len = strlen (trans->name) + 1;
+-      int need_so = 0;
+-      struct known_trans *newp;
+-
+-      /* We have to continue looking for the module.  */
+-      if (__gconv_path_elem == NULL)
+-	__gconv_get_path ();
+-
+-      /* See whether we have to append .so.  */
+-      if (name_len <= 4 || memcmp (&trans->name[name_len - 4], ".so", 3) != 0)
+-	need_so = 1;
+-
+-      /* Create a new entry.  */
+-      newp = (struct known_trans *) malloc (sizeof (struct known_trans)
+-					    + (__gconv_max_path_elem_len
+-					       + name_len + 3)
+-					    + name_len);
+-      if (newp != NULL)
+-	{
+-	  char *cp;
+-
+-	  /* Clear the struct.  */
+-	  memset (newp, '\0', sizeof (struct known_trans));
+-
+-	  /* Store a copy of the module name.  */
+-	  newp->info.name = cp = (char *) (newp + 1);
+-	  cp = __mempcpy (cp, trans->name, name_len);
+-
+-	  newp->fname = cp;
+-
+-	  /* Search in all the directories.  */
+-	  for (runp = __gconv_path_elem; runp->name != NULL; ++runp)
+-	    {
+-	      cp = __mempcpy (__stpcpy ((char *) newp->fname, runp->name),
+-			      trans->name, name_len);
+-	      if (need_so)
+-		memcpy (cp, ".so", sizeof (".so"));
+-
+-	      if (open_translit (newp) == 0)
+-		{
+-		  /* We found a module.  */
+-		  res = 0;
+-		  break;
+-		}
+-	    }
+-
+-	  if (res)
+-	    newp->fname = NULL;
+-
+-	  /* In any case we'll add the entry to our search tree.  */
+-	  if (__tsearch (newp, &search_tree, trans_compare) == NULL)
+-	    {
+-	      /* Yickes, this should not happen.  Unload the object.  */
+-	      res = 1;
+-	      /* XXX unload here.  */
+-	    }
+-	}
+-    }
+-
+-  __libc_lock_unlock (lock);
+-
+-  return res;
++  /* Transliteration module loading has been removed because it never
++     worked as intended and suffered from a security vulnerability.
++     Consequently, this function always fails.  */
++  return 1;
+ }