summary refs log tree commit diff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
authorLudovic Courtès <ludo@gnu.org>2015-02-11 14:11:14 +0100
committerLudovic Courtès <ludo@gnu.org>2015-02-11 14:11:14 +0100
commitfdaae613712077f9325141024da395ef315db130 (patch)
tree8fd6bd552a948274004298252fe479abd7e7a34e /gnu/packages/patches
parentf6408bc584bd3c01713e7703b052e966ee616209 (diff)
downloadguix-fdaae613712077f9325141024da395ef315db130.tar.gz
gnu: glibc: Update to 2.21.
* gnu/packages/base.scm (glibc): Update to 2.21.  Remove 3 patches no
  longer needed.
* gnu/packages/patches/glibc-CVE-2012-3406.patch,
  gnu/packages/patches/glibc-CVE-2014-7817.patch,
  gnu/packages/patches/glibc-mips-dangling-vfork-ref.patch: Remove.
* gnu-system.am (dist_patch_DATA): Adjust accordingly.
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/glibc-CVE-2012-3406.patch282
-rw-r--r--gnu/packages/patches/glibc-CVE-2014-7817.patch171
-rw-r--r--gnu/packages/patches/glibc-mips-dangling-vfork-ref.patch45
3 files changed, 0 insertions, 498 deletions
diff --git a/gnu/packages/patches/glibc-CVE-2012-3406.patch b/gnu/packages/patches/glibc-CVE-2012-3406.patch
deleted file mode 100644
index 9147a2aeee..0000000000
--- a/gnu/packages/patches/glibc-CVE-2012-3406.patch
+++ /dev/null
@@ -1,282 +0,0 @@
-Fix CVE-2012-3406: Stack overflow in vfprintf [BZ #16617]
-
-Note: Here the ChangeLog and NEWS updates are removed from Jeff's
-      patch, since they depend on other earlier commits.
-
-From: Jeff Law <law@redhat.com>
-Date: Mon, 15 Dec 2014 09:09:32 +0000 (+0100)
-Subject: CVE-2012-3406: Stack overflow in vfprintf [BZ #16617]
-X-Git-Url: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff_plain;h=a3a1f4163c4d0f9a36056c8640661a88674ae8a2
-
-CVE-2012-3406: Stack overflow in vfprintf [BZ #16617]
-
-A larger number of format specifiers coudld cause a stack overflow,
-potentially allowing to bypass _FORTIFY_SOURCE format string
-protection.
-
-(cherry picked from commit a5357b7ce2a2982c5778435704bcdb55ce3667a0)
-(cherry picked from commit ae61fc7b33d9d99d2763c16de8275227dc9748ba)
-
-Conflicts:
-	NEWS
----
-
-diff --git a/stdio-common/Makefile b/stdio-common/Makefile
-index 5f8e534..e5e45b6 100644
---- a/stdio-common/Makefile
-+++ b/stdio-common/Makefile
-@@ -57,7 +57,7 @@ tests := tstscanf test_rdwr test-popen tstgetln test-fseek \
- 	 bug19 bug19a tst-popen2 scanf13 scanf14 scanf15 bug20 bug21 bug22 \
- 	 scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24 \
- 	 bug-vfprintf-nargs tst-long-dbl-fphex tst-fphex-wide tst-sprintf3 \
--	 bug25 tst-printf-round bug26
-+	 bug25 tst-printf-round bug23-2 bug23-3 bug23-4 bug26
- 
- test-srcs = tst-unbputc tst-printf
- 
-diff --git a/stdio-common/bug23-2.c b/stdio-common/bug23-2.c
-new file mode 100644
-index 0000000..9e0cfe6
---- /dev/null
-+++ b/stdio-common/bug23-2.c
-@@ -0,0 +1,70 @@
-+#include <stdio.h>
-+#include <string.h>
-+#include <stdlib.h>
-+
-+static const char expected[] = "\
-+\n\
-+a\n\
-+abbcd55\
-+\n\
-+a\n\
-+abbcd55\
-+\n\
-+a\n\
-+abbcd55\
-+\n\
-+a\n\
-+abbcd55\
-+\n\
-+a\n\
-+abbcd55\
-+\n\
-+a\n\
-+abbcd55\
-+\n\
-+a\n\
-+abbcd55\
-+\n\
-+a\n\
-+abbcd55\
-+\n\
-+a\n\
-+abbcd55\
-+\n\
-+a\n\
-+abbcd55\
-+\n\
-+a\n\
-+abbcd55\
-+\n\
-+a\n\
-+abbcd55\
-+\n\
-+a\n\
-+abbcd55%%%%%%%%%%%%%%%%%%%%%%%%%%\n";
-+
-+static int
-+do_test (void)
-+{
-+  char *buf = malloc (strlen (expected) + 1);
-+  snprintf (buf, strlen (expected) + 1,
-+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
-+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
-+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
-+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
-+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
-+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
-+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
-+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
-+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
-+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
-+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
-+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
-+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
-+	    "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n",
-+	    "a", "b", "c", "d", 5);
-+  return strcmp (buf, expected) != 0;
-+}
-+
-+#define TEST_FUNCTION do_test ()
-+#include "../test-skeleton.c"
-diff --git a/stdio-common/bug23-3.c b/stdio-common/bug23-3.c
-new file mode 100644
-index 0000000..57c8cef
---- /dev/null
-+++ b/stdio-common/bug23-3.c
-@@ -0,0 +1,50 @@
-+#include <stdio.h>
-+#include <string.h>
-+#include <stdlib.h>
-+
-+int
-+do_test (void)
-+{
-+  size_t instances = 16384;
-+#define X0 "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
-+  const char *item = "\na\nabbcd55";
-+#define X3 X0 X0 X0 X0 X0 X0 X0 X0
-+#define X6 X3 X3 X3 X3 X3 X3 X3 X3
-+#define X9 X6 X6 X6 X6 X6 X6 X6 X6
-+#define X12 X9 X9 X9 X9 X9 X9 X9 X9
-+#define X14 X12 X12 X12 X12
-+#define TRAILER "%%%%%%%%%%%%%%%%%%%%%%%%%%"
-+#define TRAILER2 TRAILER TRAILER
-+  size_t length = instances * strlen (item) + strlen (TRAILER) + 1;
-+
-+  char *buf = malloc (length + 1);
-+  snprintf (buf, length + 1,
-+	    X14 TRAILER2 "\n",
-+	    "a", "b", "c", "d", 5);
-+
-+  const char *p = buf;
-+  size_t i;
-+  for (i = 0; i < instances; ++i)
-+    {
-+      const char *expected;
-+      for (expected = item; *expected; ++expected)
-+	{
-+	  if (*p != *expected)
-+	    {
-+	      printf ("mismatch at offset %zu (%zu): expected %d, got %d\n",
-+		      (size_t) (p - buf), i, *expected & 0xFF, *p & 0xFF);
-+	      return 1;
-+	    }
-+	  ++p;
-+	}
-+    }
-+  if (strcmp (p, TRAILER "\n") != 0)
-+    {
-+      printf ("mismatch at trailer: [%s]\n", p);
-+      return 1;
-+    }
-+  free (buf);
-+  return 0;
-+}
-+#define TEST_FUNCTION do_test ()
-+#include "../test-skeleton.c"
-diff --git a/stdio-common/bug23-4.c b/stdio-common/bug23-4.c
-new file mode 100644
-index 0000000..a478564
---- /dev/null
-+++ b/stdio-common/bug23-4.c
-@@ -0,0 +1,31 @@
-+#include <stdio.h>
-+#include <stdlib.h>
-+#include <string.h>
-+#include <sys/resource.h>
-+
-+#define LIMIT 1000000
-+
-+int
-+main (void)
-+{
-+  struct rlimit lim;
-+  getrlimit (RLIMIT_STACK, &lim);
-+  lim.rlim_cur = 1048576;
-+  setrlimit (RLIMIT_STACK, &lim);
-+  char *fmtstr = malloc (4 * LIMIT + 1);
-+  if (fmtstr == NULL)
-+    abort ();
-+  char *output = malloc (LIMIT + 1);
-+  if (output == NULL)
-+    abort ();
-+  for (size_t i = 0; i < LIMIT; i++)
-+    memcpy (fmtstr + 4 * i, "%1$d", 4);
-+  fmtstr[4 * LIMIT] = '\0';
-+  int ret = snprintf (output, LIMIT + 1, fmtstr, 0);
-+  if (ret != LIMIT)
-+    abort ();
-+  for (size_t i = 0; i < LIMIT; i++)
-+    if (output[i] != '0')
-+      abort ();
-+  return 0;
-+}
-diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
-index c4ff833..429a3d1 100644
---- a/stdio-common/vfprintf.c
-+++ b/stdio-common/vfprintf.c
-@@ -263,6 +263,12 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
-   /* For the argument descriptions, which may be allocated on the heap.  */
-   void *args_malloced = NULL;
- 
-+  /* For positional argument handling.  */
-+  struct printf_spec *specs;
-+
-+  /* Track if we malloced the SPECS array and thus must free it.  */
-+  bool specs_malloced = false;
-+
-   /* This table maps a character into a number representing a
-      class.  In each step there is a destination label for each
-      class.  */
-@@ -1679,8 +1685,8 @@ do_positional:
-     size_t nspecs = 0;
-     /* A more or less arbitrary start value.  */
-     size_t nspecs_size = 32 * sizeof (struct printf_spec);
--    struct printf_spec *specs = alloca (nspecs_size);
- 
-+    specs = alloca (nspecs_size);
-     /* The number of arguments the format string requests.  This will
-        determine the size of the array needed to store the argument
-        attributes.  */
-@@ -1721,11 +1727,39 @@ do_positional:
- 	if (nspecs * sizeof (*specs) >= nspecs_size)
- 	  {
- 	    /* Extend the array of format specifiers.  */
-+	    if (nspecs_size * 2 < nspecs_size)
-+	      {
-+		__set_errno (ENOMEM);
-+		done = -1;
-+		goto all_done;
-+	      }
- 	    struct printf_spec *old = specs;
--	    specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size);
-+	    if (__libc_use_alloca (2 * nspecs_size))
-+	      specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size);
-+	    else
-+	      {
-+		nspecs_size *= 2;
-+		specs = malloc (nspecs_size);
-+		if (specs == NULL)
-+		  {
-+		    __set_errno (ENOMEM);
-+		    specs = old;
-+		    done = -1;
-+		    goto all_done;
-+		  }
-+	      }
- 
- 	    /* Copy the old array's elements to the new space.  */
- 	    memmove (specs, old, nspecs * sizeof (*specs));
-+
-+	    /* If we had previously malloc'd space for SPECS, then
-+	       release it after the copy is complete.  */
-+	    if (specs_malloced)
-+	      free (old);
-+
-+	    /* Now set SPECS_MALLOCED if needed.  */
-+	    if (!__libc_use_alloca (nspecs_size))
-+	      specs_malloced = true;
- 	  }
- 
- 	/* Parse the format specifier.  */
-@@ -2046,6 +2080,8 @@ do_positional:
-   }
- 
- all_done:
-+  if (specs_malloced)
-+    free (specs);
-   if (__glibc_unlikely (args_malloced != NULL))
-     free (args_malloced);
-   if (__glibc_unlikely (workstart != NULL))
diff --git a/gnu/packages/patches/glibc-CVE-2014-7817.patch b/gnu/packages/patches/glibc-CVE-2014-7817.patch
deleted file mode 100644
index 14c885523c..0000000000
--- a/gnu/packages/patches/glibc-CVE-2014-7817.patch
+++ /dev/null
@@ -1,171 +0,0 @@
-Fix CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
-
-Note: Here the ChangeLog and NEWS updates are removed from Carlos's
-      patch, since they depend on other earlier commits.
-
-From: Carlos O'Donell <carlos@redhat.com>
-Date: Wed, 19 Nov 2014 16:44:12 +0000 (-0500)
-Subject: CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
-X-Git-Url: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff_plain;h=33ceaf6187b31ea15284ac65131749e1cb68d2ae
-
-CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
-
-The function wordexp() fails to properly handle the WRDE_NOCMD
-flag when processing arithmetic inputs in the form of "$((... ``))"
-where "..." can be anything valid. The backticks in the arithmetic
-epxression are evaluated by in a shell even if WRDE_NOCMD forbade
-command substitution. This allows an attacker to attempt to pass
-dangerous commands via constructs of the above form, and bypass
-the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
-in exec_comm(), the only place that can execute a shell. All other
-checks for WRDE_NOCMD are superfluous and removed.
-
-We expand the testsuite and add 3 new regression tests of roughly
-the same form but with a couple of nested levels.
-
-On top of the 3 new tests we add fork validation to the WRDE_NOCMD
-testing. If any forks are detected during the execution of a wordexp()
-call with WRDE_NOCMD, the test is marked as failed. This is slightly
-heuristic since vfork might be used in the future, but it provides a
-higher level of assurance that no shells were executed as part of
-command substitution with WRDE_NOCMD in effect. In addition it doesn't
-require libpthread or libdl, instead we use the public implementation
-namespace function __register_atfork (already part of the public ABI
-for libpthread).
-
-Tested on x86_64 with no regressions.
-
-(cherry picked from commit a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c)
----
-
-diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
-index 4957006..bdd65e4 100644
---- a/posix/wordexp-test.c
-+++ b/posix/wordexp-test.c
-@@ -27,6 +27,25 @@
- 
- #define IFS " \n\t"
- 
-+extern void *__dso_handle __attribute__ ((__weak__, __visibility__ ("hidden")));
-+extern int __register_atfork (void (*) (void), void (*) (void), void (*) (void), void *);
-+
-+static int __app_register_atfork (void (*prepare) (void), void (*parent) (void), void (*child) (void))
-+{
-+  return __register_atfork (prepare, parent, child,
-+			    &__dso_handle == NULL ? NULL : __dso_handle);
-+}
-+
-+/* Number of forks seen.  */
-+static int registered_forks;
-+
-+/* For each fork increment the fork count.  */
-+static void
-+register_fork (void)
-+{
-+  registered_forks++;
-+}
-+
- struct test_case_struct
- {
-   int retval;
-@@ -206,6 +225,12 @@ struct test_case_struct
-     { WRDE_SYNTAX, NULL, "$((2+))", 0, 0, { NULL, }, IFS },
-     { WRDE_SYNTAX, NULL, "`", 0, 0, { NULL, }, IFS },
-     { WRDE_SYNTAX, NULL, "$((010+4+))", 0, 0, { NULL }, IFS },
-+    /* Test for CVE-2014-7817. We test 3 combinations of command
-+       substitution inside an arithmetic expression to make sure that
-+       no commands are executed and error is returned.  */
-+    { WRDE_CMDSUB, NULL, "$((`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
-+    { WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
-+    { WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS },
- 
-     { -1, NULL, NULL, 0, 0, { NULL, }, IFS },
-   };
-@@ -258,6 +283,15 @@ main (int argc, char *argv[])
- 	  return -1;
-     }
- 
-+  /* If we are not allowed to do command substitution, we install
-+     fork handlers to verify that no forks happened.  No forks should
-+     happen at all if command substitution is disabled.  */
-+  if (__app_register_atfork (register_fork, NULL, NULL) != 0)
-+    {
-+      printf ("Failed to register fork handler.\n");
-+      return -1;
-+    }
-+
-   for (test = 0; test_case[test].retval != -1; test++)
-     if (testit (&test_case[test]))
-       ++fail;
-@@ -367,6 +401,9 @@ testit (struct test_case_struct *tc)
- 
-   printf ("Test %d (%s): ", ++tests, tc->words);
- 
-+  if (tc->flags & WRDE_NOCMD)
-+    registered_forks = 0;
-+
-   if (tc->flags & WRDE_APPEND)
-     {
-       /* initial wordexp() call, to be appended to */
-@@ -378,6 +415,13 @@ testit (struct test_case_struct *tc)
-     }
-   retval = wordexp (tc->words, &we, tc->flags);
- 
-+  if ((tc->flags & WRDE_NOCMD)
-+      && (registered_forks > 0))
-+    {
-+	  printf ("FAILED fork called for WRDE_NOCMD\n");
-+	  return 1;
-+    }
-+
-   if (tc->flags & WRDE_DOOFFS)
-       start_offs = sav_we.we_offs;
- 
-diff --git a/posix/wordexp.c b/posix/wordexp.c
-index b6b65dd..26f3a26 100644
---- a/posix/wordexp.c
-+++ b/posix/wordexp.c
-@@ -893,6 +893,10 @@ exec_comm (char *comm, char **word, size_t *word_length, size_t *max_length,
-   pid_t pid;
-   int noexec = 0;
- 
-+  /* Do nothing if command substitution should not succeed.  */
-+  if (flags & WRDE_NOCMD)
-+    return WRDE_CMDSUB;
-+
-   /* Don't fork() unless necessary */
-   if (!comm || !*comm)
-     return 0;
-@@ -2082,9 +2086,6 @@ parse_dollars (char **word, size_t *word_length, size_t *max_length,
- 	    }
- 	}
- 
--      if (flags & WRDE_NOCMD)
--	return WRDE_CMDSUB;
--
-       (*offset) += 2;
-       return parse_comm (word, word_length, max_length, words, offset, flags,
- 			 quoted? NULL : pwordexp, ifs, ifs_white);
-@@ -2196,9 +2197,6 @@ parse_dquote (char **word, size_t *word_length, size_t *max_length,
- 	  break;
- 
- 	case '`':
--	  if (flags & WRDE_NOCMD)
--	    return WRDE_CMDSUB;
--
- 	  ++(*offset);
- 	  error = parse_backtick (word, word_length, max_length, words,
- 				  offset, flags, NULL, NULL, NULL);
-@@ -2357,12 +2355,6 @@ wordexp (const char *words, wordexp_t *pwordexp, int flags)
- 	break;
- 
-       case '`':
--	if (flags & WRDE_NOCMD)
--	  {
--	    error = WRDE_CMDSUB;
--	    goto do_error;
--	  }
--
- 	++words_offset;
- 	error = parse_backtick (&word, &word_length, &max_length, words,
- 				&words_offset, flags, pwordexp, ifs,
diff --git a/gnu/packages/patches/glibc-mips-dangling-vfork-ref.patch b/gnu/packages/patches/glibc-mips-dangling-vfork-ref.patch
deleted file mode 100644
index 852b6de669..0000000000
--- a/gnu/packages/patches/glibc-mips-dangling-vfork-ref.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-Avoid a dangling `vfork@GLIBC_2.0' reference on MIPS.
-
-Note: Here the ChangeLog and NEWS updates are removed from Maciej's
-      patch, since they depend on other earlier commits.
-
-From: Maciej W. Rozycki <macro@codesourcery.com>
-Date: Wed, 22 Oct 2014 14:20:37 +0000 (+0100)
-Subject: MIPS: Avoid a dangling `vfork@GLIBC_2.0' reference
-X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=c14e752fc73d34c75d4f84f37fea8e0b1734cf98
-
-MIPS: Avoid a dangling `vfork@GLIBC_2.0' reference
-
-This satisfies a symbol reference created with:
-
-	.symver	__libc_vfork, vfork@GLIBC_2.0
-
-where `__libc_vfork' has not been defined or referenced.  In this case
-the `vfork@GLIBC_2.0' reference is supposed to be discarded, however a
-bug present in GAS since forever causes an undefined symbol table entry
-to be created.  This in turn triggers a problem in the linker that can
-manifest itself by link errors such as:
-
-ld: libpthread.so: invalid string offset 2765592330 >= 5154 for section `.dynstr'
-
-The GAS and linker bugs need to be resolved, but we can avoid them too
-by providing a `__libc_vfork' definition just like our other platforms.
-
-	[BZ #17485]
-	* sysdeps/unix/sysv/linux/mips/vfork.S (__libc_vfork): Define.
-
-(cherry picked from commit b5af9297d51a43f96c5be1bafab032184690dd6f)
-
-Conflicts:
-	NEWS
----
-
-diff --git a/sysdeps/unix/sysv/linux/mips/vfork.S b/sysdeps/unix/sysv/linux/mips/vfork.S
-index 80c362d..2c1a747 100644
---- a/sysdeps/unix/sysv/linux/mips/vfork.S
-+++ b/sysdeps/unix/sysv/linux/mips/vfork.S
-@@ -108,3 +108,4 @@ L(error):
- 
- libc_hidden_def(__vfork)
- weak_alias (__vfork, vfork)
-+strong_alias (__vfork, __libc_vfork)