* [Bug libc/14699] readdir_r: does not enforce NAME_MAX limit
2012-10-11 9:49 [Bug libc/14699] New: readdir_r: does not enforce NAME_MAX limit fweimer at redhat dot com
@ 2012-10-11 14:42 ` fweimer at redhat dot com
2012-10-12 11:48 ` fweimer at redhat dot com
` (16 subsequent siblings)
17 siblings, 0 replies; 19+ messages in thread
From: fweimer at redhat dot com @ 2012-10-11 14:42 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=14699
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
AssignedTo|unassigned at sourceware |fweimer at redhat dot com
|dot org |
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 19+ messages in thread* [Bug libc/14699] readdir_r: does not enforce NAME_MAX limit
2012-10-11 9:49 [Bug libc/14699] New: readdir_r: does not enforce NAME_MAX limit fweimer at redhat dot com
2012-10-11 14:42 ` [Bug libc/14699] " fweimer at redhat dot com
@ 2012-10-12 11:48 ` fweimer at redhat dot com
2012-11-29 15:06 ` fweimer at redhat dot com
` (15 subsequent siblings)
17 siblings, 0 replies; 19+ messages in thread
From: fweimer at redhat dot com @ 2012-10-12 11:48 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=14699
--- Comment #1 from Florian Weimer <fweimer at redhat dot com> 2012-10-12 11:48:29 UTC ---
This is somewhat related to bug 11333. For architectures where the fix is
active, the name is clipped and not properly NUL-terminated.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 19+ messages in thread* [Bug libc/14699] readdir_r: does not enforce NAME_MAX limit
2012-10-11 9:49 [Bug libc/14699] New: readdir_r: does not enforce NAME_MAX limit fweimer at redhat dot com
2012-10-11 14:42 ` [Bug libc/14699] " fweimer at redhat dot com
2012-10-12 11:48 ` fweimer at redhat dot com
@ 2012-11-29 15:06 ` fweimer at redhat dot com
2012-11-29 16:03 ` fweimer at redhat dot com
` (14 subsequent siblings)
17 siblings, 0 replies; 19+ messages in thread
From: fweimer at redhat dot com @ 2012-11-29 15:06 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=14699
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|--- |2.17
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 19+ messages in thread* [Bug libc/14699] readdir_r: does not enforce NAME_MAX limit
2012-10-11 9:49 [Bug libc/14699] New: readdir_r: does not enforce NAME_MAX limit fweimer at redhat dot com
` (2 preceding siblings ...)
2012-11-29 15:06 ` fweimer at redhat dot com
@ 2012-11-29 16:03 ` fweimer at redhat dot com
2013-05-09 14:58 ` aj at suse dot de
` (13 subsequent siblings)
17 siblings, 0 replies; 19+ messages in thread
From: fweimer at redhat dot com @ 2012-11-29 16:03 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=14699
--- Comment #2 from Florian Weimer <fweimer at redhat dot com> 2012-11-29 16:03:33 UTC ---
A patch is posted here:
http://sourceware.org/ml/libc-alpha/2012-10/msg00377.html
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 19+ messages in thread* [Bug libc/14699] readdir_r: does not enforce NAME_MAX limit
2012-10-11 9:49 [Bug libc/14699] New: readdir_r: does not enforce NAME_MAX limit fweimer at redhat dot com
` (3 preceding siblings ...)
2012-11-29 16:03 ` fweimer at redhat dot com
@ 2013-05-09 14:58 ` aj at suse dot de
2013-05-14 11:34 ` fweimer at redhat dot com
` (12 subsequent siblings)
17 siblings, 0 replies; 19+ messages in thread
From: aj at suse dot de @ 2013-05-09 14:58 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=14699
Andreas Jaeger <aj at suse dot de> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |aj at suse dot de
--- Comment #3 from Andreas Jaeger <aj at suse dot de> 2013-05-09 14:58:21 UTC ---
Florian, could you resend the patch and ask again for review, please? Sorry
that this one got lost.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 19+ messages in thread* [Bug libc/14699] readdir_r: does not enforce NAME_MAX limit
2012-10-11 9:49 [Bug libc/14699] New: readdir_r: does not enforce NAME_MAX limit fweimer at redhat dot com
` (4 preceding siblings ...)
2013-05-09 14:58 ` aj at suse dot de
@ 2013-05-14 11:34 ` fweimer at redhat dot com
2013-08-16 13:38 ` fweimer at redhat dot com
` (11 subsequent siblings)
17 siblings, 0 replies; 19+ messages in thread
From: fweimer at redhat dot com @ 2013-05-14 11:34 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=14699
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
--- Comment #4 from Florian Weimer <fweimer at redhat dot com> 2013-05-14 11:34:07 UTC ---
Patch with revised error handling posted:
http://sourceware.org/ml/libc-alpha/2013-05/msg00445.html
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 19+ messages in thread* [Bug libc/14699] readdir_r: does not enforce NAME_MAX limit
2012-10-11 9:49 [Bug libc/14699] New: readdir_r: does not enforce NAME_MAX limit fweimer at redhat dot com
` (5 preceding siblings ...)
2013-05-14 11:34 ` fweimer at redhat dot com
@ 2013-08-16 13:38 ` fweimer at redhat dot com
2013-10-25 14:00 ` cvs-commit at gcc dot gnu.org
` (10 subsequent siblings)
17 siblings, 0 replies; 19+ messages in thread
From: fweimer at redhat dot com @ 2013-08-16 13:38 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=14699
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
Target Milestone|2.17 |2.19
--- Comment #5 from Florian Weimer <fweimer at redhat dot com> ---
Fixed via:
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=91ce40854d0b7f865cf5024ef95a8026b76096f3
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 19+ messages in thread* [Bug libc/14699] readdir_r: does not enforce NAME_MAX limit
2012-10-11 9:49 [Bug libc/14699] New: readdir_r: does not enforce NAME_MAX limit fweimer at redhat dot com
` (6 preceding siblings ...)
2013-08-16 13:38 ` fweimer at redhat dot com
@ 2013-10-25 14:00 ` cvs-commit at gcc dot gnu.org
2013-11-01 19:01 ` cvs-commit at gcc dot gnu.org
` (9 subsequent siblings)
17 siblings, 0 replies; 19+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2013-10-25 14:00 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=14699
--- Comment #6 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
via 0b0e50ce9efe2fec10e147eddba4f0802235a042 (commit)
via 54377921e7092f709c6a5985688769404637055f (commit)
via 9a010a5f6328aa7ba353679e9a9e07465917d6a0 (commit)
via f03cfdf9bf62f776338171fe2ba6eebbf8948875 (commit)
via 6957bcb15456b5118c44bb49754b199462336639 (commit)
via 56532663f2881ce7b7996d75dbb6bbb438187457 (commit)
via 52b8d67f22068991f404c51b38b30e7e35c1bb99 (commit)
via dc7ba1835ba16cb49d6c38d50e153b70beb2a091 (commit)
via 8f29d3b5ae201ae4af368d2221381c5a856913d5 (commit)
via 63e9a36056fe53621fa3001fe22b4833a9ea9457 (commit)
via a3ed3a127ca30b3b25aab0b441f9f3f0ecc07f7e (commit)
from 642c8732a111450a97e4ae41c12a920bc7f02ee0 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0b0e50ce9efe2fec10e147eddba4f0802235a042
commit 0b0e50ce9efe2fec10e147eddba4f0802235a042
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Fri Oct 25 10:22:12 2013 +0530
Fix stack overflow due to large AF_INET6 requests
Resolves #16072 (CVE-2013-4458).
This patch fixes another stack overflow in getaddrinfo when it is
called with AF_INET6. The AF_UNSPEC case was fixed as CVE-2013-1914,
but the AF_INET6 case went undetected back then.
(cherry picked from commit 7cbcdb3699584db8913ca90f705d6337633ee10f)
Conflicts:
NEWS
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=54377921e7092f709c6a5985688769404637055f
commit 54377921e7092f709c6a5985688769404637055f
Author: Allan McRae <allan@archlinux.org>
Date: Fri Oct 25 14:25:38 2013 +1000
Fix incorrect getaddrinfo assertion trigger
[BZ #9954]
With the following /etc/hosts:
127.0.0.1 www.my-domain.es
127.0.1.1 www.my-domain.es
192.168.0.1 www.my-domain.es
Using getaddrinfo() on www.my-domain.es, trigger the following assertion:
../sysdeps/posix/getaddrinfo.c:1473: rfc3484_sort: Assertion
`src->results[i].native == -1 || src->results[i].native == a1_native'
failed.
This is due to two different bugs:
- In rfc3484_sort() rule 7, src->results[i].native is assigned even if
src->results[i].index is -1, meaning that no interface is associated.
- In getaddrinfo() the source IP address used with the lo interface needs a
special case, as it can be any IP within 127.X.Y.Z.
(cherry picked from commit 894f3f1049135dcbeaab8f18690973663ef3147c)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9a010a5f6328aa7ba353679e9a9e07465917d6a0
commit 9a010a5f6328aa7ba353679e9a9e07465917d6a0
Author: Carlos O'Donell <carlos@redhat.com>
Date: Mon Sep 23 01:44:38 2013 -0400
BZ #15754: Fix test case for ARM.
Statically built binaries use __pointer_chk_guard_local,
while dynamically built binaries use __pointer_chk_guard.
Provide the right definition depending on the test case
we are building.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f03cfdf9bf62f776338171fe2ba6eebbf8948875
commit f03cfdf9bf62f776338171fe2ba6eebbf8948875
Author: Carlos O'Donell <carlos@redhat.com>
Date: Mon Sep 23 00:52:09 2013 -0400
BZ #15754: CVE-2013-4788
The pointer guard used for pointer mangling was not initialized for
static applications resulting in the security feature being disabled.
The pointer guard is now correctly initialized to a random value for
static applications. Existing static applications need to be
recompiled to take advantage of the fix.
The test tst-ptrguard1-static and tst-ptrguard1 add regression
coverage to ensure the pointer guards are sufficiently random
and initialized to a default value.
Conflicts:
NEWS
ports/ChangeLog.ia64
ports/ChangeLog.tile
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6957bcb15456b5118c44bb49754b199462336639
commit 6957bcb15456b5118c44bb49754b199462336639
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Mon Sep 23 11:24:30 2013 +0530
Check for integer overflow in cache size computation in strcoll
strcoll is implemented using a cache for indices and weights of
collation sequences in the strings so that subsequent passes do not
have to search through collation data again. For very large string
inputs, the cache size computation could overflow. In such a case,
use the fallback function that does not cache indices and weights of
collation sequences.
Fixes CVE-2012-4412.
(cherry picked from commit 303e567a8062200dc06acde7c76fc34679f08d8f)
Conflicts:
NEWS
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=56532663f2881ce7b7996d75dbb6bbb438187457
commit 56532663f2881ce7b7996d75dbb6bbb438187457
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Mon Sep 23 11:20:02 2013 +0530
Fall back to non-cached sequence traversal and comparison on malloc fail
strcoll currently falls back to alloca if malloc fails, resulting in a
possible stack overflow. This patch implements sequence traversal and
comparison without caching indices and rules.
Fixes CVE-2012-4424.
(cherry picked from commit 141f3a77fe4f1b59b0afa9bf6909cd2000448883)
Conflicts:
NEWS
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=52b8d67f22068991f404c51b38b30e7e35c1bb99
commit 52b8d67f22068991f404c51b38b30e7e35c1bb99
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Tue Aug 20 08:40:05 2013 +0530
Simplify strcoll implementation
Break up strcoll into simpler functions so that the logic is easier to
follow and maintain.
(cherry picked from commit 1326ba1af22068db9488c2328bdaf852b8a93dcf)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=dc7ba1835ba16cb49d6c38d50e153b70beb2a091
commit dc7ba1835ba16cb49d6c38d50e153b70beb2a091
Author: Will Newton <will.newton@linaro.org>
Date: Fri Aug 16 12:54:29 2013 +0100
malloc: Check for integer overflow in memalign.
A large bytes parameter to memalign could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15857]
* malloc/malloc.c (__libc_memalign): Check the value of bytes
does not overflow.
(cherry picked from commit b73ed247781d533628b681f57257dc85882645d3)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8f29d3b5ae201ae4af368d2221381c5a856913d5
commit 8f29d3b5ae201ae4af368d2221381c5a856913d5
Author: Will Newton <will.newton@linaro.org>
Date: Fri Aug 16 11:59:37 2013 +0100
malloc: Check for integer overflow in valloc.
A large bytes parameter to valloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15856]
* malloc/malloc.c (__libc_valloc): Check the value of bytes
does not overflow.
(cherry picked from commit 55e17aadc1ef17a1df9626fb0e9fba290ece3331)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=63e9a36056fe53621fa3001fe22b4833a9ea9457
commit 63e9a36056fe53621fa3001fe22b4833a9ea9457
Author: Will Newton <will.newton@linaro.org>
Date: Mon Aug 12 15:08:02 2013 +0100
malloc: Check for integer overflow in pvalloc.
A large bytes parameter to pvalloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15855]
* malloc/malloc.c (__libc_pvalloc): Check the value of bytes
does not overflow.
(cherry picked from commit 1159a193696ad48ec86e5895f6dee3e539619c0e)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a3ed3a127ca30b3b25aab0b441f9f3f0ecc07f7e
commit a3ed3a127ca30b3b25aab0b441f9f3f0ecc07f7e
Author: Florian Weimer <fweimer@redhat.com>
Date: Fri Aug 16 09:38:52 2013 +0200
CVE-2013-4237, BZ #14699: Buffer overflow in readdir_r
* sysdeps/posix/dirstream.h (struct __dirstream): Add errcode
member.
* sysdeps/posix/opendir.c (__alloc_dir): Initialize errcode
member.
* sysdeps/posix/rewinddir.c (rewinddir): Reset errcode member.
* sysdeps/posix/readdir_r.c (__READDIR_R): Enforce NAME_MAX limit.
Return delayed error code. Remove GETDENTS_64BIT_ALIGNED
conditional.
* sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c: Do not define
GETDENTS_64BIT_ALIGNED.
* sysdeps/unix/sysv/linux/i386/readdir64_r.c: Likewise.
* manual/filesys.texi (Reading/Closing Directory): Document
ENAMETOOLONG return value of readdir_r. Recommend readdir more
strongly.
* manual/conf.texi (Limits for Files): Add portability note to
NAME_MAX, PATH_MAX.
(Pathconf): Add portability note for _PC_NAME_MAX, _PC_PATH_MAX.
(cherry picked from commit 91ce40854d0b7f865cf5024ef95a8026b76096f3)
Conflicts:
NEWS
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 118 +++
csu/libc-start.c | 16 +
elf/Makefile | 12 +-
elf/tst-ptrguard1-static.c | 1 +
elf/tst-ptrguard1.c | 202 +++++
malloc/malloc.c | 21 +
manual/conf.texi | 9 +
manual/filesys.texi | 73 ++-
ports/ChangeLog.ia64 | 5 +
ports/ChangeLog.tile | 5 +
ports/sysdeps/ia64/stackguard-macros.h | 3 +
ports/sysdeps/tile/stackguard-macros.h | 6 +
string/Makefile | 2 +
string/strcoll_l.c | 926 +++++++++++++----------
string/tst-strcoll-overflow.c | 61 ++
sysdeps/generic/stackguard-macros.h | 8 +
sysdeps/i386/stackguard-macros.h | 8 +
sysdeps/posix/dirstream.h | 2 +
sysdeps/posix/getaddrinfo.c | 33 +-
sysdeps/posix/opendir.c | 1 +
sysdeps/posix/readdir_r.c | 42 +-
sysdeps/posix/rewinddir.c | 1 +
sysdeps/powerpc/powerpc32/stackguard-macros.h | 10 +
sysdeps/powerpc/powerpc64/stackguard-macros.h | 10 +
sysdeps/s390/s390-32/stackguard-macros.h | 11 +
sysdeps/s390/s390-64/stackguard-macros.h | 14 +
sysdeps/sparc/sparc32/stackguard-macros.h | 3 +
sysdeps/sparc/sparc64/stackguard-macros.h | 3 +
sysdeps/unix/sysv/linux/i386/readdir64_r.c | 1 -
sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c | 1 -
sysdeps/x86_64/stackguard-macros.h | 5 +
31 files changed, 1159 insertions(+), 454 deletions(-)
create mode 100644 elf/tst-ptrguard1-static.c
create mode 100644 elf/tst-ptrguard1.c
create mode 100644 string/tst-strcoll-overflow.c
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 19+ messages in thread* [Bug libc/14699] readdir_r: does not enforce NAME_MAX limit
2012-10-11 9:49 [Bug libc/14699] New: readdir_r: does not enforce NAME_MAX limit fweimer at redhat dot com
` (7 preceding siblings ...)
2013-10-25 14:00 ` cvs-commit at gcc dot gnu.org
@ 2013-11-01 19:01 ` cvs-commit at gcc dot gnu.org
2013-11-21 17:16 ` cvs-commit at gcc dot gnu.org
` (8 subsequent siblings)
17 siblings, 0 replies; 19+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2013-11-01 19:01 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=14699
--- Comment #7 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
via dc3a1f98dc4c86cb454474f4912ae325573655cb (commit)
via e20644b3a6f96eb053ab4c2c900f7bef7f472916 (commit)
via c51d675c459aefef8d84d5a0b114010f916ea278 (commit)
via 6a6a386a3040726053a5fb8582ff26dc85d84741 (commit)
via 7e0e64ead52591b968df582b0ddc247ba5c4eab4 (commit)
via c779e9df75256f19c7be8d12b2d163e2016a63f4 (commit)
via c4733da3f8e4c54e30f048c9e8d2b2fe2f53fd24 (commit)
via b8053c6138c8835fb27d30c7e034e240e92bce0f (commit)
via 37d4728976aea69db23a061830828787a2fd05ed (commit)
via 1034d41c8fe7b31ba8ba304d1fff93cecb183520 (commit)
via 3874aa022b6f0f9aca9ad1ef703a77be1bc97b36 (commit)
via 6f95434fd488e9b72117f9b93ec2e2dbf397a4d3 (commit)
via 4a3abd22ecbda2d7b718b133fae2d2abfdfab614 (commit)
via d1aac9a6ff01c226c42bb934c170dd1c00ba8071 (commit)
via 860ec8e62a01a9c9e5087aa4cfd3b5e03fc7649b (commit)
via 3f71830d35d7bf4ac11664f0c48c3c68d250618b (commit)
via 8e395175c4786ad9679851e3ed3c0c54a6f4e1f0 (commit)
via b51679672648410c6627a4bd169e076c5b36f47b (commit)
via a4faadaff25e19abf295556a23b7b889b4bf6df4 (commit)
via b502a3756d6979439130f1e46c2c27b62f493acd (commit)
via b3c7503940022f70ec8272c2c0d0a0e4489ae992 (commit)
via e53103749c19199b0ec23e8a5b330dd2e288f5ac (commit)
via 85ce5db8d835281c8beff6e750c02c799dee3f6f (commit)
via c3a4bddd656561cfffba2605e148e65d4ff07e21 (commit)
via 1778fd0a17a74422a58d8eada3fa08b80f0a0c27 (commit)
via 8df86a8394d0ea121f2066efe618f2b1cc799be3 (commit)
via f8a004f1fa412e3aae77faa30b4dfb654d721510 (commit)
via f166b9c6e90d631115c59b4357357bc168d8e51a (commit)
from 760b348db29b446efc760b4bc3627379cc61b0d8 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=dc3a1f98dc4c86cb454474f4912ae325573655cb
commit dc3a1f98dc4c86cb454474f4912ae325573655cb
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Wed Sep 25 13:43:04 2013 -0500
PowerPC: Fix POINTER_CHK_GUARD thread register for PPC64
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e20644b3a6f96eb053ab4c2c900f7bef7f472916
commit e20644b3a6f96eb053ab4c2c900f7bef7f472916
Author: Will Newton <will.newton@linaro.org>
Date: Fri Sep 13 09:26:02 2013 +0100
Add CVE-2013-4332 to NEWS.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c51d675c459aefef8d84d5a0b114010f916ea278
commit c51d675c459aefef8d84d5a0b114010f916ea278
Author: Will Newton <will.newton@linaro.org>
Date: Fri Aug 16 12:54:29 2013 +0100
malloc: Check for integer overflow in memalign.
A large bytes parameter to memalign could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15857]
* malloc/malloc.c (__libc_memalign): Check the value of bytes
does not overflow.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6a6a386a3040726053a5fb8582ff26dc85d84741
commit 6a6a386a3040726053a5fb8582ff26dc85d84741
Author: Will Newton <will.newton@linaro.org>
Date: Fri Aug 16 11:59:37 2013 +0100
malloc: Check for integer overflow in valloc.
A large bytes parameter to valloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15856]
* malloc/malloc.c (__libc_valloc): Check the value of bytes
does not overflow.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7e0e64ead52591b968df582b0ddc247ba5c4eab4
commit 7e0e64ead52591b968df582b0ddc247ba5c4eab4
Author: Will Newton <will.newton@linaro.org>
Date: Mon Aug 12 15:08:02 2013 +0100
malloc: Check for integer overflow in pvalloc.
A large bytes parameter to pvalloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15855]
* malloc/malloc.c (__libc_pvalloc): Check the value of bytes
does not overflow.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c779e9df75256f19c7be8d12b2d163e2016a63f4
commit c779e9df75256f19c7be8d12b2d163e2016a63f4
Author: Carlos O'Donell <carlos@redhat.com>
Date: Mon Sep 23 00:52:09 2013 -0400
BZ #15754: CVE-2013-4788
The pointer guard used for pointer mangling was not initialized for
static applications resulting in the security feature being disabled.
The pointer guard is now correctly initialized to a random value for
static applications. Existing static applications need to be
recompiled to take advantage of the fix.
The test tst-ptrguard1-static and tst-ptrguard1 add regression
coverage to ensure the pointer guards are sufficiently random
and initialized to a default value.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c4733da3f8e4c54e30f048c9e8d2b2fe2f53fd24
commit c4733da3f8e4c54e30f048c9e8d2b2fe2f53fd24
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Mon Sep 23 11:24:30 2013 +0530
Check for integer overflow in cache size computation in strcoll
strcoll is implemented using a cache for indices and weights of
collation sequences in the strings so that subsequent passes do not
have to search through collation data again. For very large string
inputs, the cache size computation could overflow. In such a case,
use the fallback function that does not cache indices and weights of
collation sequences.
Fixes CVE-2012-4412.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b8053c6138c8835fb27d30c7e034e240e92bce0f
commit b8053c6138c8835fb27d30c7e034e240e92bce0f
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Mon Sep 23 11:20:02 2013 +0530
Fall back to non-cached sequence traversal and comparison on malloc fail
strcoll currently falls back to alloca if malloc fails, resulting in a
possible stack overflow. This patch implements sequence traversal and
comparison without caching indices and rules.
Fixes CVE-2012-4424.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=37d4728976aea69db23a061830828787a2fd05ed
commit 37d4728976aea69db23a061830828787a2fd05ed
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Tue Aug 20 08:40:05 2013 +0530
Simplify strcoll implementation
Break up strcoll into simpler functions so that the logic is easier to
follow and maintain.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1034d41c8fe7b31ba8ba304d1fff93cecb183520
commit 1034d41c8fe7b31ba8ba304d1fff93cecb183520
Author: Andreas Schwab <schwab@suse.de>
Date: Thu Oct 31 12:51:03 2013 +0100
Fix parsing of 0e+0 as float
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3874aa022b6f0f9aca9ad1ef703a77be1bc97b36
commit 3874aa022b6f0f9aca9ad1ef703a77be1bc97b36
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Thu Sep 26 09:29:19 2013 -0500
PowerPC: strcpy/stpcpy optimization for PPC64/POWER7
This patch intends to unify both strcpy and stpcpy implementationsi
for PPC64 and PPC64/POWER7. The idead default powerpc64 implementation
is to provide both doubleword and word aligned memory access.
For PPC64/POWER7 is also provide doubleword and word memory access,
remove the branch hints, use the cmpb instruction for compare
doubleword/words, and add an optimization for inputs of same alignment.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6f95434fd488e9b72117f9b93ec2e2dbf397a4d3
commit 6f95434fd488e9b72117f9b93ec2e2dbf397a4d3
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Fri Oct 25 10:22:12 2013 +0530
Fix stack overflow due to large AF_INET6 requests
Resolves #16072 (CVE-2013-4458).
This patch fixes another stack overflow in getaddrinfo when it is
called with AF_INET6. The AF_UNSPEC case was fixed as CVE-2013-1914,
but the AF_INET6 case went undetected back then.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4a3abd22ecbda2d7b718b133fae2d2abfdfab614
commit 4a3abd22ecbda2d7b718b133fae2d2abfdfab614
Author: Joseph Myers <joseph@codesourcery.com>
Date: Thu Oct 10 19:11:30 2013 +0000
Avoid ordered comparisons of NaNs in ldbl-128ibm acosl and asinl.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d1aac9a6ff01c226c42bb934c170dd1c00ba8071
commit d1aac9a6ff01c226c42bb934c170dd1c00ba8071
Author: Anton Blanchard <anton@au1.ibm.com>
Date: Sat Aug 17 18:34:40 2013 +0930
PowerPC LE setjmp/longjmp
http://sourceware.org/ml/libc-alpha/2013-08/msg00089.html
Little-endian fixes for setjmp/longjmp. When writing these I noticed
the setjmp code corrupts the non volatile VMX registers when using an
unaligned buffer. Anton fixed this, and also simplified it quite a
bit.
The current code uses boilerplate for the case where we want to store
16 bytes to an unaligned address. For that we have to do a
read/modify/write of two aligned 16 byte quantities. In our case we
are storing a bunch of back to back data (consective VMX registers),
and only the start and end of the region need the read/modify/write.
[BZ #15723]
* sysdeps/powerpc/jmpbuf-offsets.h: Comment fix.
* sysdeps/powerpc/powerpc32/fpu/__longjmp-common.S: Correct
_dl_hwcap access for little-endian.
* sysdeps/powerpc/powerpc32/fpu/setjmp-common.S: Likewise. Don't
destroy vmx regs when saving unaligned.
* sysdeps/powerpc/powerpc64/__longjmp-common.S: Correct CR load.
* sysdeps/powerpc/powerpc64/setjmp-common.S: Likewise CR save. Don't
destroy vmx regs when saving unaligned.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=860ec8e62a01a9c9e5087aa4cfd3b5e03fc7649b
commit 860ec8e62a01a9c9e5087aa4cfd3b5e03fc7649b
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Tue Oct 1 20:35:28 2013 +0530
Fix PI mutex check in pthread_cond_broadcast and pthread_cond_signal
Fixes BZ #15988.
The check had a typo - it checked for PTHREAD_MUTEX_ROBUST_NP instead
of PTHREAD_MUTEX_ROBUST_NORMAL_NP. It has now been replaced by the
already existing convenience macro USE_REQUEUE_PI.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3f71830d35d7bf4ac11664f0c48c3c68d250618b
commit 3f71830d35d7bf4ac11664f0c48c3c68d250618b
Author: Allan McRae <allan@archlinux.org>
Date: Mon Sep 9 22:52:58 2013 +1000
Fix memory leak in stdlib/isomac.c
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8e395175c4786ad9679851e3ed3c0c54a6f4e1f0
commit 8e395175c4786ad9679851e3ed3c0c54a6f4e1f0
Author: Allan McRae <allan@archlinux.org>
Date: Mon Sep 9 22:50:41 2013 +1000
Fix memory leaks in libio on allocation failure
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b51679672648410c6627a4bd169e076c5b36f47b
commit b51679672648410c6627a4bd169e076c5b36f47b
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Thu Sep 5 09:32:56 2013 -0500
PowerPC: fix POWER7 memrchr for some large inputs
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a4faadaff25e19abf295556a23b7b889b4bf6df4
commit a4faadaff25e19abf295556a23b7b889b4bf6df4
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Thu Aug 29 15:28:00 2013 -0300
Add memrchr testcase
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b502a3756d6979439130f1e46c2c27b62f493acd
commit b502a3756d6979439130f1e46c2c27b62f493acd
Author: Joseph Myers <joseph@codesourcery.com>
Date: Tue Sep 3 15:32:54 2013 +0000
Fix lgammaf spurious underflow (bug 15427).
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b3c7503940022f70ec8272c2c0d0a0e4489ae992
commit b3c7503940022f70ec8272c2c0d0a0e4489ae992
Author: Joseph Myers <joseph@codesourcery.com>
Date: Mon Sep 2 14:51:24 2013 +0000
Fix spurious jnf underflows (bug 14155).
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e53103749c19199b0ec23e8a5b330dd2e288f5ac
commit e53103749c19199b0ec23e8a5b330dd2e288f5ac
Author: Thomas Schwinge <thomas@codesourcery.com>
Date: Thu May 23 18:00:10 2013 +0200
[BZ #15522] strtod ("nan(N)") returning a sNaN in some cases
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=85ce5db8d835281c8beff6e750c02c799dee3f6f
commit 85ce5db8d835281c8beff6e750c02c799dee3f6f
Author: Joseph Myers <joseph@codesourcery.com>
Date: Fri Aug 23 19:45:38 2013 +0000
Fix cexp (NaN + i0) (bug 15532).
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c3a4bddd656561cfffba2605e148e65d4ff07e21
commit c3a4bddd656561cfffba2605e148e65d4ff07e21
Author: Joseph Myers <joseph@codesourcery.com>
Date: Wed Aug 21 19:56:48 2013 +0000
Fix fdim handling of infinities (bug 15797).
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1778fd0a17a74422a58d8eada3fa08b80f0a0c27
commit 1778fd0a17a74422a58d8eada3fa08b80f0a0c27
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Tue Aug 20 15:01:59 2013 -0500
PowerPC: fix backtrace to handle signal trampolines
This patch fixes backtrace for PPC32 and PPC64 to correctly handle
signal trampolines. The 'debug/tst-backtrace6.c' also check for
SA_SIGINFO handling, where is triggers another vDSO symbols for PPC32.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8df86a8394d0ea121f2066efe618f2b1cc799be3
commit 8df86a8394d0ea121f2066efe618f2b1cc799be3
Author: Joseph Myers <joseph@codesourcery.com>
Date: Tue Aug 20 19:41:15 2013 +0000
Fix cproj handling of (finite, NaN) arguments (bug 15531).
backport of c980f2f4fe0f5d301f706017a1f7e4e942193ec0
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f8a004f1fa412e3aae77faa30b4dfb654d721510
commit f8a004f1fa412e3aae77faa30b4dfb654d721510
Author: Andreas Arnez <arnez@linux.vnet.ibm.com>
Date: Thu Oct 31 09:57:33 2013 -0500
* elf/setup-vdso.h (setup_vdso): Fix missing string termination.
backport of f315524e034cfc644157cb4af5ecc99f645dd067
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f166b9c6e90d631115c59b4357357bc168d8e51a
commit f166b9c6e90d631115c59b4357357bc168d8e51a
Author: Florian Weimer <fweimer@redhat.com>
Date: Thu Oct 31 09:55:52 2013 -0500
CVE-2013-4237, BZ #14699: Buffer overflow in readdir_r
* sysdeps/posix/dirstream.h (struct __dirstream): Add errcode
member.
* sysdeps/posix/opendir.c (__alloc_dir): Initialize errcode
member.
* sysdeps/posix/rewinddir.c (rewinddir): Reset errcode member.
* sysdeps/posix/readdir_r.c (__READDIR_R): Enforce NAME_MAX limit.
Return delayed error code. Remove GETDENTS_64BIT_ALIGNED
conditional.
* sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c: Do not define
GETDENTS_64BIT_ALIGNED.
* sysdeps/unix/sysv/linux/i386/readdir64_r.c: Likewise.
* manual/filesys.texi (Reading/Closing Directory): Document
ENAMETOOLONG return value of readdir_r. Recommend readdir more
strongly.
* manual/conf.texi (Limits for Files): Add portability note to
NAME_MAX, PATH_MAX.
(Pathconf): Add portability note for _PC_NAME_MAX, _PC_PATH_MAX.
backport of 91ce40854d0b7f865cf5024ef95a8026b76096f3
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 204 +++++
NEWS | 57 ++-
csu/libc-start.c | 16 +
elf/Makefile | 9 +-
elf/setup-vdso.h | 2 +-
elf/tst-ptrguard1-static.c | 1 +
elf/tst-ptrguard1.c | 202 +++++
libio/memstream.c | 5 +-
libio/wmemstream.c | 6 +-
malloc/malloc.c | 21 +
manual/conf.texi | 9 +
manual/filesys.texi | 73 ++-
math/libm-test.inc | 175 ++++-
math/s_cexp.c | 14 +-
math/s_cexpf.c | 14 +-
math/s_cexpl.c | 14 +-
math/s_cproj.c | 4 +-
math/s_cprojf.c | 4 +-
math/s_cprojl.c | 4 +-
math/s_fdim.c | 8 +-
math/s_fdimf.c | 8 +-
math/s_fdiml.c | 8 +-
nptl/ChangeLog | 9 +
nptl/pthread_cond_broadcast.c | 5 +-
nptl/pthread_cond_signal.c | 7 +-
ports/ChangeLog.ia64 | 5 +
ports/ChangeLog.tile | 5 +
ports/sysdeps/ia64/stackguard-macros.h | 3 +
ports/sysdeps/tile/stackguard-macros.h | 6 +
stdio-common/tst-sscanf.c | 34 +
stdio-common/vfscanf.c | 2 +
stdlib/isomac.c | 1 +
stdlib/strtod_l.c | 9 +-
stdlib/strtof_l.c | 7 +-
stdlib/tst-strtod6.c | 24 +-
string/Makefile | 4 +-
string/strcoll_l.c | 926 +++++++++++++----------
string/test-memrchr-ifunc.c | 20 +
string/test-memrchr.c | 169 ++++
string/tst-strcoll-overflow.c | 61 ++
sysdeps/generic/stackguard-macros.h | 3 +
sysdeps/i386/fpu/libm-test-ulps | 72 ++-
sysdeps/i386/stackguard-macros.h | 8 +
sysdeps/ieee754/flt-32/e_jnf.c | 4 +-
sysdeps/ieee754/flt-32/e_lgammaf_r.c | 4 +-
sysdeps/ieee754/ldbl-128/strtold_l.c | 12 +-
sysdeps/ieee754/ldbl-128ibm/e_acosl.c | 8 +-
sysdeps/ieee754/ldbl-128ibm/e_asinl.c | 2 +
sysdeps/ieee754/ldbl-128ibm/ieee754.h | 19 +
sysdeps/ieee754/ldbl-128ibm/s_cprojl.c | 4 +-
sysdeps/ieee754/ldbl-128ibm/strtold_l.c | 9 +-
sysdeps/ieee754/ldbl-64-128/strtold_l.c | 12 +-
sysdeps/ieee754/ldbl-96/strtold_l.c | 9 +-
sysdeps/posix/dirstream.h | 2 +
sysdeps/posix/getaddrinfo.c | 20 +-
sysdeps/posix/opendir.c | 1 +
sysdeps/posix/readdir_r.c | 42 +-
sysdeps/posix/rewinddir.c | 1 +
sysdeps/powerpc/jmpbuf-offsets.h | 6 +-
sysdeps/powerpc/powerpc32/fpu/setjmp-common.S | 65 +-
sysdeps/powerpc/powerpc32/power7/memrchr.S | 4 +-
sysdeps/powerpc/powerpc32/stackguard-macros.h | 10 +
sysdeps/powerpc/powerpc64/__longjmp-common.S | 4 +-
sysdeps/powerpc/powerpc64/power7/memrchr.S | 4 +-
sysdeps/powerpc/powerpc64/power7/stpcpy.S | 24 +
sysdeps/powerpc/powerpc64/power7/strcpy.S | 274 +++++++
sysdeps/powerpc/powerpc64/setjmp-common.S | 72 +-
sysdeps/powerpc/powerpc64/stackguard-macros.h | 10 +
sysdeps/powerpc/powerpc64/stpcpy.S | 83 +--
sysdeps/powerpc/powerpc64/strcpy.S | 153 +++-
sysdeps/s390/s390-32/stackguard-macros.h | 11 +
sysdeps/s390/s390-64/stackguard-macros.h | 14 +
sysdeps/sparc/sparc32/stackguard-macros.h | 3 +
sysdeps/sparc/sparc64/stackguard-macros.h | 3 +
sysdeps/unix/sysv/linux/i386/readdir64_r.c | 1 -
sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c | 1 -
sysdeps/x86_64/fpu/libm-test-ulps | 75 ++-
sysdeps/x86_64/stackguard-macros.h | 5 +
78 files changed, 2432 insertions(+), 777 deletions(-)
create mode 100644 elf/tst-ptrguard1-static.c
create mode 100644 elf/tst-ptrguard1.c
create mode 100644 string/test-memrchr-ifunc.c
create mode 100644 string/test-memrchr.c
create mode 100644 string/tst-strcoll-overflow.c
create mode 100644 sysdeps/powerpc/powerpc64/power7/stpcpy.S
create mode 100644 sysdeps/powerpc/powerpc64/power7/strcpy.S
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 19+ messages in thread* [Bug libc/14699] readdir_r: does not enforce NAME_MAX limit
2012-10-11 9:49 [Bug libc/14699] New: readdir_r: does not enforce NAME_MAX limit fweimer at redhat dot com
` (8 preceding siblings ...)
2013-11-01 19:01 ` cvs-commit at gcc dot gnu.org
@ 2013-11-21 17:16 ` cvs-commit at gcc dot gnu.org
2014-01-06 16:55 ` cvs-commit at gcc dot gnu.org
` (7 subsequent siblings)
17 siblings, 0 replies; 19+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2013-11-21 17:16 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=14699
--- Comment #8 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, ibm/2.18/master has been updated
via 8209beac4644af4c2875f52f82c53c0d4be589ca (commit)
via 38bf8b39f1b9dc7acf3af57b9545ed425e9d5417 (commit)
via dc3a1f98dc4c86cb454474f4912ae325573655cb (commit)
via e20644b3a6f96eb053ab4c2c900f7bef7f472916 (commit)
via c51d675c459aefef8d84d5a0b114010f916ea278 (commit)
via 6a6a386a3040726053a5fb8582ff26dc85d84741 (commit)
via 7e0e64ead52591b968df582b0ddc247ba5c4eab4 (commit)
via c779e9df75256f19c7be8d12b2d163e2016a63f4 (commit)
via c4733da3f8e4c54e30f048c9e8d2b2fe2f53fd24 (commit)
via b8053c6138c8835fb27d30c7e034e240e92bce0f (commit)
via 37d4728976aea69db23a061830828787a2fd05ed (commit)
via 1034d41c8fe7b31ba8ba304d1fff93cecb183520 (commit)
via 3874aa022b6f0f9aca9ad1ef703a77be1bc97b36 (commit)
via 6f95434fd488e9b72117f9b93ec2e2dbf397a4d3 (commit)
via 4a3abd22ecbda2d7b718b133fae2d2abfdfab614 (commit)
via d1aac9a6ff01c226c42bb934c170dd1c00ba8071 (commit)
via 860ec8e62a01a9c9e5087aa4cfd3b5e03fc7649b (commit)
via 3f71830d35d7bf4ac11664f0c48c3c68d250618b (commit)
via 8e395175c4786ad9679851e3ed3c0c54a6f4e1f0 (commit)
via b51679672648410c6627a4bd169e076c5b36f47b (commit)
via a4faadaff25e19abf295556a23b7b889b4bf6df4 (commit)
via b502a3756d6979439130f1e46c2c27b62f493acd (commit)
via b3c7503940022f70ec8272c2c0d0a0e4489ae992 (commit)
via e53103749c19199b0ec23e8a5b330dd2e288f5ac (commit)
via 85ce5db8d835281c8beff6e750c02c799dee3f6f (commit)
via c3a4bddd656561cfffba2605e148e65d4ff07e21 (commit)
via 1778fd0a17a74422a58d8eada3fa08b80f0a0c27 (commit)
via 8df86a8394d0ea121f2066efe618f2b1cc799be3 (commit)
via f8a004f1fa412e3aae77faa30b4dfb654d721510 (commit)
via f166b9c6e90d631115c59b4357357bc168d8e51a (commit)
via 760b348db29b446efc760b4bc3627379cc61b0d8 (commit)
via 84dd3946e0e0aee66635ba4373943d113fd25ca1 (commit)
via 733a36d81544dad38726489b43523cc0ac95095d (commit)
via 2d16bebbeabd3ab312998c969e21d092ff348485 (commit)
via 975208ca8a02f332572edde22d3e4da6c100bdbc (commit)
from 40e9bbdd3d2ea22c2455949959ced90e054f6023 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8209beac4644af4c2875f52f82c53c0d4be589ca
commit 8209beac4644af4c2875f52f82c53c0d4be589ca
Merge: 40e9bbd 38bf8b3
Author: Tulio Magno Quites Machado Filho <tuliom@linux.vnet.ibm.com>
Date: Thu Nov 21 15:02:35 2013 -0200
Merge the changes to add little endian support on PowerPC
Discard all the previous changes from ibm/2.18/master in order to keep a
clean branch.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=38bf8b39f1b9dc7acf3af57b9545ed425e9d5417
commit 38bf8b39f1b9dc7acf3af57b9545ed425e9d5417
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Thu Nov 7 05:34:22 2013 -0600
PowerPC: Fix vDSO missing ODP entries
This patch fixes the vDSO symbol used directed in IFUNC resolver where
they do not have an associated ODP entry leading to undefined behavior
in some cases. It adds an artificial OPD static entry to such cases
and set its TOC to non 0 to avoid triggering lazy resolutions.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=dc3a1f98dc4c86cb454474f4912ae325573655cb
commit dc3a1f98dc4c86cb454474f4912ae325573655cb
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Wed Sep 25 13:43:04 2013 -0500
PowerPC: Fix POINTER_CHK_GUARD thread register for PPC64
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e20644b3a6f96eb053ab4c2c900f7bef7f472916
commit e20644b3a6f96eb053ab4c2c900f7bef7f472916
Author: Will Newton <will.newton@linaro.org>
Date: Fri Sep 13 09:26:02 2013 +0100
Add CVE-2013-4332 to NEWS.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c51d675c459aefef8d84d5a0b114010f916ea278
commit c51d675c459aefef8d84d5a0b114010f916ea278
Author: Will Newton <will.newton@linaro.org>
Date: Fri Aug 16 12:54:29 2013 +0100
malloc: Check for integer overflow in memalign.
A large bytes parameter to memalign could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15857]
* malloc/malloc.c (__libc_memalign): Check the value of bytes
does not overflow.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6a6a386a3040726053a5fb8582ff26dc85d84741
commit 6a6a386a3040726053a5fb8582ff26dc85d84741
Author: Will Newton <will.newton@linaro.org>
Date: Fri Aug 16 11:59:37 2013 +0100
malloc: Check for integer overflow in valloc.
A large bytes parameter to valloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15856]
* malloc/malloc.c (__libc_valloc): Check the value of bytes
does not overflow.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7e0e64ead52591b968df582b0ddc247ba5c4eab4
commit 7e0e64ead52591b968df582b0ddc247ba5c4eab4
Author: Will Newton <will.newton@linaro.org>
Date: Mon Aug 12 15:08:02 2013 +0100
malloc: Check for integer overflow in pvalloc.
A large bytes parameter to pvalloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15855]
* malloc/malloc.c (__libc_pvalloc): Check the value of bytes
does not overflow.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c779e9df75256f19c7be8d12b2d163e2016a63f4
commit c779e9df75256f19c7be8d12b2d163e2016a63f4
Author: Carlos O'Donell <carlos@redhat.com>
Date: Mon Sep 23 00:52:09 2013 -0400
BZ #15754: CVE-2013-4788
The pointer guard used for pointer mangling was not initialized for
static applications resulting in the security feature being disabled.
The pointer guard is now correctly initialized to a random value for
static applications. Existing static applications need to be
recompiled to take advantage of the fix.
The test tst-ptrguard1-static and tst-ptrguard1 add regression
coverage to ensure the pointer guards are sufficiently random
and initialized to a default value.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c4733da3f8e4c54e30f048c9e8d2b2fe2f53fd24
commit c4733da3f8e4c54e30f048c9e8d2b2fe2f53fd24
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Mon Sep 23 11:24:30 2013 +0530
Check for integer overflow in cache size computation in strcoll
strcoll is implemented using a cache for indices and weights of
collation sequences in the strings so that subsequent passes do not
have to search through collation data again. For very large string
inputs, the cache size computation could overflow. In such a case,
use the fallback function that does not cache indices and weights of
collation sequences.
Fixes CVE-2012-4412.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b8053c6138c8835fb27d30c7e034e240e92bce0f
commit b8053c6138c8835fb27d30c7e034e240e92bce0f
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Mon Sep 23 11:20:02 2013 +0530
Fall back to non-cached sequence traversal and comparison on malloc fail
strcoll currently falls back to alloca if malloc fails, resulting in a
possible stack overflow. This patch implements sequence traversal and
comparison without caching indices and rules.
Fixes CVE-2012-4424.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=37d4728976aea69db23a061830828787a2fd05ed
commit 37d4728976aea69db23a061830828787a2fd05ed
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Tue Aug 20 08:40:05 2013 +0530
Simplify strcoll implementation
Break up strcoll into simpler functions so that the logic is easier to
follow and maintain.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1034d41c8fe7b31ba8ba304d1fff93cecb183520
commit 1034d41c8fe7b31ba8ba304d1fff93cecb183520
Author: Andreas Schwab <schwab@suse.de>
Date: Thu Oct 31 12:51:03 2013 +0100
Fix parsing of 0e+0 as float
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3874aa022b6f0f9aca9ad1ef703a77be1bc97b36
commit 3874aa022b6f0f9aca9ad1ef703a77be1bc97b36
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Thu Sep 26 09:29:19 2013 -0500
PowerPC: strcpy/stpcpy optimization for PPC64/POWER7
This patch intends to unify both strcpy and stpcpy implementationsi
for PPC64 and PPC64/POWER7. The idead default powerpc64 implementation
is to provide both doubleword and word aligned memory access.
For PPC64/POWER7 is also provide doubleword and word memory access,
remove the branch hints, use the cmpb instruction for compare
doubleword/words, and add an optimization for inputs of same alignment.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6f95434fd488e9b72117f9b93ec2e2dbf397a4d3
commit 6f95434fd488e9b72117f9b93ec2e2dbf397a4d3
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Fri Oct 25 10:22:12 2013 +0530
Fix stack overflow due to large AF_INET6 requests
Resolves #16072 (CVE-2013-4458).
This patch fixes another stack overflow in getaddrinfo when it is
called with AF_INET6. The AF_UNSPEC case was fixed as CVE-2013-1914,
but the AF_INET6 case went undetected back then.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4a3abd22ecbda2d7b718b133fae2d2abfdfab614
commit 4a3abd22ecbda2d7b718b133fae2d2abfdfab614
Author: Joseph Myers <joseph@codesourcery.com>
Date: Thu Oct 10 19:11:30 2013 +0000
Avoid ordered comparisons of NaNs in ldbl-128ibm acosl and asinl.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d1aac9a6ff01c226c42bb934c170dd1c00ba8071
commit d1aac9a6ff01c226c42bb934c170dd1c00ba8071
Author: Anton Blanchard <anton@au1.ibm.com>
Date: Sat Aug 17 18:34:40 2013 +0930
PowerPC LE setjmp/longjmp
http://sourceware.org/ml/libc-alpha/2013-08/msg00089.html
Little-endian fixes for setjmp/longjmp. When writing these I noticed
the setjmp code corrupts the non volatile VMX registers when using an
unaligned buffer. Anton fixed this, and also simplified it quite a
bit.
The current code uses boilerplate for the case where we want to store
16 bytes to an unaligned address. For that we have to do a
read/modify/write of two aligned 16 byte quantities. In our case we
are storing a bunch of back to back data (consective VMX registers),
and only the start and end of the region need the read/modify/write.
[BZ #15723]
* sysdeps/powerpc/jmpbuf-offsets.h: Comment fix.
* sysdeps/powerpc/powerpc32/fpu/__longjmp-common.S: Correct
_dl_hwcap access for little-endian.
* sysdeps/powerpc/powerpc32/fpu/setjmp-common.S: Likewise. Don't
destroy vmx regs when saving unaligned.
* sysdeps/powerpc/powerpc64/__longjmp-common.S: Correct CR load.
* sysdeps/powerpc/powerpc64/setjmp-common.S: Likewise CR save. Don't
destroy vmx regs when saving unaligned.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=860ec8e62a01a9c9e5087aa4cfd3b5e03fc7649b
commit 860ec8e62a01a9c9e5087aa4cfd3b5e03fc7649b
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Tue Oct 1 20:35:28 2013 +0530
Fix PI mutex check in pthread_cond_broadcast and pthread_cond_signal
Fixes BZ #15988.
The check had a typo - it checked for PTHREAD_MUTEX_ROBUST_NP instead
of PTHREAD_MUTEX_ROBUST_NORMAL_NP. It has now been replaced by the
already existing convenience macro USE_REQUEUE_PI.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3f71830d35d7bf4ac11664f0c48c3c68d250618b
commit 3f71830d35d7bf4ac11664f0c48c3c68d250618b
Author: Allan McRae <allan@archlinux.org>
Date: Mon Sep 9 22:52:58 2013 +1000
Fix memory leak in stdlib/isomac.c
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8e395175c4786ad9679851e3ed3c0c54a6f4e1f0
commit 8e395175c4786ad9679851e3ed3c0c54a6f4e1f0
Author: Allan McRae <allan@archlinux.org>
Date: Mon Sep 9 22:50:41 2013 +1000
Fix memory leaks in libio on allocation failure
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b51679672648410c6627a4bd169e076c5b36f47b
commit b51679672648410c6627a4bd169e076c5b36f47b
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Thu Sep 5 09:32:56 2013 -0500
PowerPC: fix POWER7 memrchr for some large inputs
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a4faadaff25e19abf295556a23b7b889b4bf6df4
commit a4faadaff25e19abf295556a23b7b889b4bf6df4
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Thu Aug 29 15:28:00 2013 -0300
Add memrchr testcase
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b502a3756d6979439130f1e46c2c27b62f493acd
commit b502a3756d6979439130f1e46c2c27b62f493acd
Author: Joseph Myers <joseph@codesourcery.com>
Date: Tue Sep 3 15:32:54 2013 +0000
Fix lgammaf spurious underflow (bug 15427).
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b3c7503940022f70ec8272c2c0d0a0e4489ae992
commit b3c7503940022f70ec8272c2c0d0a0e4489ae992
Author: Joseph Myers <joseph@codesourcery.com>
Date: Mon Sep 2 14:51:24 2013 +0000
Fix spurious jnf underflows (bug 14155).
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e53103749c19199b0ec23e8a5b330dd2e288f5ac
commit e53103749c19199b0ec23e8a5b330dd2e288f5ac
Author: Thomas Schwinge <thomas@codesourcery.com>
Date: Thu May 23 18:00:10 2013 +0200
[BZ #15522] strtod ("nan(N)") returning a sNaN in some cases
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=85ce5db8d835281c8beff6e750c02c799dee3f6f
commit 85ce5db8d835281c8beff6e750c02c799dee3f6f
Author: Joseph Myers <joseph@codesourcery.com>
Date: Fri Aug 23 19:45:38 2013 +0000
Fix cexp (NaN + i0) (bug 15532).
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c3a4bddd656561cfffba2605e148e65d4ff07e21
commit c3a4bddd656561cfffba2605e148e65d4ff07e21
Author: Joseph Myers <joseph@codesourcery.com>
Date: Wed Aug 21 19:56:48 2013 +0000
Fix fdim handling of infinities (bug 15797).
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1778fd0a17a74422a58d8eada3fa08b80f0a0c27
commit 1778fd0a17a74422a58d8eada3fa08b80f0a0c27
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Tue Aug 20 15:01:59 2013 -0500
PowerPC: fix backtrace to handle signal trampolines
This patch fixes backtrace for PPC32 and PPC64 to correctly handle
signal trampolines. The 'debug/tst-backtrace6.c' also check for
SA_SIGINFO handling, where is triggers another vDSO symbols for PPC32.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8df86a8394d0ea121f2066efe618f2b1cc799be3
commit 8df86a8394d0ea121f2066efe618f2b1cc799be3
Author: Joseph Myers <joseph@codesourcery.com>
Date: Tue Aug 20 19:41:15 2013 +0000
Fix cproj handling of (finite, NaN) arguments (bug 15531).
backport of c980f2f4fe0f5d301f706017a1f7e4e942193ec0
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f8a004f1fa412e3aae77faa30b4dfb654d721510
commit f8a004f1fa412e3aae77faa30b4dfb654d721510
Author: Andreas Arnez <arnez@linux.vnet.ibm.com>
Date: Thu Oct 31 09:57:33 2013 -0500
* elf/setup-vdso.h (setup_vdso): Fix missing string termination.
backport of f315524e034cfc644157cb4af5ecc99f645dd067
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f166b9c6e90d631115c59b4357357bc168d8e51a
commit f166b9c6e90d631115c59b4357357bc168d8e51a
Author: Florian Weimer <fweimer@redhat.com>
Date: Thu Oct 31 09:55:52 2013 -0500
CVE-2013-4237, BZ #14699: Buffer overflow in readdir_r
* sysdeps/posix/dirstream.h (struct __dirstream): Add errcode
member.
* sysdeps/posix/opendir.c (__alloc_dir): Initialize errcode
member.
* sysdeps/posix/rewinddir.c (rewinddir): Reset errcode member.
* sysdeps/posix/readdir_r.c (__READDIR_R): Enforce NAME_MAX limit.
Return delayed error code. Remove GETDENTS_64BIT_ALIGNED
conditional.
* sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c: Do not define
GETDENTS_64BIT_ALIGNED.
* sysdeps/unix/sysv/linux/i386/readdir64_r.c: Likewise.
* manual/filesys.texi (Reading/Closing Directory): Document
ENAMETOOLONG return value of readdir_r. Recommend readdir more
strongly.
* manual/conf.texi (Limits for Files): Add portability note to
NAME_MAX, PATH_MAX.
(Pathconf): Add portability note for _PC_NAME_MAX, _PC_PATH_MAX.
backport of 91ce40854d0b7f865cf5024ef95a8026b76096f3
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=760b348db29b446efc760b4bc3627379cc61b0d8
commit 760b348db29b446efc760b4bc3627379cc61b0d8
Merge: 84dd394 eefa3be
Author: Tulio Magno Quites Machado Filho <tuliom@linux.vnet.ibm.com>
Date: Tue Aug 20 15:26:27 2013 -0300
Merge branch 'release/2.18/master' into ibm/2.18/master
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=84dd3946e0e0aee66635ba4373943d113fd25ca1
commit 84dd3946e0e0aee66635ba4373943d113fd25ca1
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Thu Jul 25 10:53:11 2013 -0300
PowerPC: use libgcc _Unwind functions to get backtrace
This patch changes the way backtraces are obtained on PowerPC by
relaying on libgcc _Unwind function instead of just backchain parse.
It fixes debug/tst-backtrace5 for PPC32 and PPC64.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=733a36d81544dad38726489b43523cc0ac95095d
commit 733a36d81544dad38726489b43523cc0ac95095d
Merge: 2d16beb 85891ac
Author: Tulio Magno Quites Machado Filho <tuliom@linux.vnet.ibm.com>
Date: Tue Aug 6 14:13:45 2013 -0300
Merge branch 'master' into ibm/2.18/master
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2d16bebbeabd3ab312998c969e21d092ff348485
commit 2d16bebbeabd3ab312998c969e21d092ff348485
Author: Ryan S. Arnold <rsa@linux.vnet.ibm.com>
Date: Thu Aug 1 13:11:18 2013 -0300
Remove assert() if DT_RUNPATH and DT_RPATH flags are found in ld.so.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=975208ca8a02f332572edde22d3e4da6c100bdbc
commit 975208ca8a02f332572edde22d3e4da6c100bdbc
Author: Tulio Magno Quites Machado Filho <tuliom@linux.vnet.ibm.com>
Date: Thu Aug 1 12:54:00 2013 -0300
Partially revert commit 2663b74f8103a2a8a46b4896439b7a452480fc7c
This change is necessary in order to avoid the issue documented at
http://sourceware.org/ml/libc-alpha/2013-05/msg00350.html.
-----------------------------------------------------------------------
Summary of changes:
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 19+ messages in thread* [Bug libc/14699] readdir_r: does not enforce NAME_MAX limit
2012-10-11 9:49 [Bug libc/14699] New: readdir_r: does not enforce NAME_MAX limit fweimer at redhat dot com
` (9 preceding siblings ...)
2013-11-21 17:16 ` cvs-commit at gcc dot gnu.org
@ 2014-01-06 16:55 ` cvs-commit at gcc dot gnu.org
2014-01-06 16:56 ` cvs-commit at gcc dot gnu.org
` (6 subsequent siblings)
17 siblings, 0 replies; 19+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2014-01-06 16:55 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=14699
--- Comment #9 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, remotes/origin/gentoo/2.18 has been created
at 3cd70f9e650bafef5c73c19229e6f0176604bb9e (commit)
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3cd70f9e650bafef5c73c19229e6f0176604bb9e
commit 3cd70f9e650bafef5c73c19229e6f0176604bb9e
Author: David S. Miller <davem@davemloft.net>
Date: Tue Nov 12 12:48:01 2013 -0800
Fix sparc 64-bit GMP ifunc resolution in static builds.
[BZ #16150]
* sysdeps/sparc/sparc64/multiarch/add_n.S: Resolve to the correct
generic
symbol in the non-vis3 case in static builds.
* sysdeps/sparc/sparc64/multiarch/addmul_1.S: Likewise.
* sysdeps/sparc/sparc64/multiarch/mul_1.S: Likewise.
* sysdeps/sparc/sparc64/multiarch/sub_n.S: Likewise.
* sysdeps/sparc/sparc64/multiarch/submul_1.S: Likewise.
(cherry picked from commit 2293d2b10a583486cd22ce578796848f4c3a8b6d)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e02bebc1e960eb20099738b3ecce1ac780925729
commit e02bebc1e960eb20099738b3ecce1ac780925729
Author: David S. Miller <davem@davemloft.net>
Date: Wed Nov 6 13:01:36 2013 -0800
Fix build on pre-v9 32-bit Sparc.
We cannot use fnegd in this code, as fnegd was added in v9.
Only fnegs exists in v8 and earlier.
[BZ #15985]
* sysdeps/sparc/sparc32/fpu/s_fdim.S (__fdim): Do not use fnegd
on pre-v9 cpus, use a fnegs+fmovs sequence instead.
(cherry picked from commit 2216e48645dbd297cdc0f4050fdfc0b52e2a4ab8)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9695c981b9033f4a7e23ff7c35a4e66f13d68eb4
commit 9695c981b9033f4a7e23ff7c35a4e66f13d68eb4
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Wed Sep 25 13:43:04 2013 -0500
PowerPC: Fix POINTER_CHK_GUARD thread register for PPC64
(cherry picked from commit dc3a1f98dc4c86cb454474f4912ae325573655cb)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4da92b3ac5974326963532aa16c4437d801a0efe
commit 4da92b3ac5974326963532aa16c4437d801a0efe
Author: Will Newton <will.newton@linaro.org>
Date: Fri Aug 16 12:54:29 2013 +0100
malloc: Check for integer overflow in memalign.
A large bytes parameter to memalign could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15857]
* malloc/malloc.c (__libc_memalign): Check the value of bytes
does not overflow.
(cherry picked from commit c51d675c459aefef8d84d5a0b114010f916ea278)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=42b872e43db7c71cd40357724f1542252eb0c708
commit 42b872e43db7c71cd40357724f1542252eb0c708
Author: Will Newton <will.newton@linaro.org>
Date: Fri Aug 16 11:59:37 2013 +0100
malloc: Check for integer overflow in valloc.
A large bytes parameter to valloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15856]
* malloc/malloc.c (__libc_valloc): Check the value of bytes
does not overflow.
(cherry picked from commit 6a6a386a3040726053a5fb8582ff26dc85d84741)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7e52cc7af467b6a8ba6367af4fecd4c3289db454
commit 7e52cc7af467b6a8ba6367af4fecd4c3289db454
Author: Will Newton <will.newton@linaro.org>
Date: Mon Aug 12 15:08:02 2013 +0100
malloc: Check for integer overflow in pvalloc.
A large bytes parameter to pvalloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15855]
* malloc/malloc.c (__libc_pvalloc): Check the value of bytes
does not overflow.
(cherry picked from commit 7e0e64ead52591b968df582b0ddc247ba5c4eab4)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4e3c791909a092489659d4359b73474febbd484a
commit 4e3c791909a092489659d4359b73474febbd484a
Author: Carlos O'Donell <carlos@redhat.com>
Date: Mon Sep 23 00:52:09 2013 -0400
BZ #15754: CVE-2013-4788
The pointer guard used for pointer mangling was not initialized for
static applications resulting in the security feature being disabled.
The pointer guard is now correctly initialized to a random value for
static applications. Existing static applications need to be
recompiled to take advantage of the fix.
The test tst-ptrguard1-static and tst-ptrguard1 add regression
coverage to ensure the pointer guards are sufficiently random
and initialized to a default value.
(cherry picked from commit c779e9df75256f19c7be8d12b2d163e2016a63f4)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=46ee9243f23f56ded21bf8507f86a55980b04ed1
commit 46ee9243f23f56ded21bf8507f86a55980b04ed1
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Fri Oct 25 10:22:12 2013 +0530
Fix stack overflow due to large AF_INET6 requests
Resolves #16072 (CVE-2013-4458).
This patch fixes another stack overflow in getaddrinfo when it is
called with AF_INET6. The AF_UNSPEC case was fixed as CVE-2013-1914,
but the AF_INET6 case went undetected back then.
(cherry picked from commit 6f95434fd488e9b72117f9b93ec2e2dbf397a4d3)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=cbee0562887196f6c87dc538aaeeb494c79daa15
commit cbee0562887196f6c87dc538aaeeb494c79daa15
Author: Allan McRae <allan@archlinux.org>
Date: Mon Sep 9 22:52:58 2013 +1000
Fix memory leak in stdlib/isomac.c
(cherry picked from commit 3f71830d35d7bf4ac11664f0c48c3c68d250618b)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=45560694ca0b6d80ccbba23b51d1c4aa8cd228ab
commit 45560694ca0b6d80ccbba23b51d1c4aa8cd228ab
Author: Allan McRae <allan@archlinux.org>
Date: Mon Sep 9 22:50:41 2013 +1000
Fix memory leaks in libio on allocation failure
(cherry picked from commit 8e395175c4786ad9679851e3ed3c0c54a6f4e1f0)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6c42eca168f60bc50ed5e57ce59d1bfdf19120e2
commit 6c42eca168f60bc50ed5e57ce59d1bfdf19120e2
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Thu Sep 5 09:32:56 2013 -0500
PowerPC: fix POWER7 memrchr for some large inputs
(cherry picked from commit b51679672648410c6627a4bd169e076c5b36f47b)
Conflicts:
ChangeLog
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c4efa458d767026ade69a4cb72362856a7495127
commit c4efa458d767026ade69a4cb72362856a7495127
Author: Andreas Arnez <arnez@linux.vnet.ibm.com>
Date: Thu Oct 31 09:57:33 2013 -0500
* elf/setup-vdso.h (setup_vdso): Fix missing string termination.
backport of f315524e034cfc644157cb4af5ecc99f645dd067
(cherry picked from commit f8a004f1fa412e3aae77faa30b4dfb654d721510)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f50548ac238605f133138f1c00be80b4e2ae3128
commit f50548ac238605f133138f1c00be80b4e2ae3128
Author: Florian Weimer <fweimer@redhat.com>
Date: Thu Oct 31 09:55:52 2013 -0500
CVE-2013-4237, BZ #14699: Buffer overflow in readdir_r
* sysdeps/posix/dirstream.h (struct __dirstream): Add errcode
member.
* sysdeps/posix/opendir.c (__alloc_dir): Initialize errcode
member.
* sysdeps/posix/rewinddir.c (rewinddir): Reset errcode member.
* sysdeps/posix/readdir_r.c (__READDIR_R): Enforce NAME_MAX limit.
Return delayed error code. Remove GETDENTS_64BIT_ALIGNED
conditional.
* sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c: Do not define
GETDENTS_64BIT_ALIGNED.
* sysdeps/unix/sysv/linux/i386/readdir64_r.c: Likewise.
* manual/filesys.texi (Reading/Closing Directory): Document
ENAMETOOLONG return value of readdir_r. Recommend readdir more
strongly.
* manual/conf.texi (Limits for Files): Add portability note to
NAME_MAX, PATH_MAX.
(Pathconf): Add portability note for _PC_NAME_MAX, _PC_PATH_MAX.
backport of 91ce40854d0b7f865cf5024ef95a8026b76096f3
(cherry picked from commit f166b9c6e90d631115c59b4357357bc168d8e51a)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=703be862e20ab99e0c241480658d372d3f71fd4e
commit 703be862e20ab99e0c241480658d372d3f71fd4e
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Thu Oct 3 08:26:21 2013 +0530
Fix PI mutex check in pthread_cond_broadcast and pthread_cond_signal
Fixes BZ #15996.
The check had a typo - it checked for PTHREAD_MUTEX_ROBUST_NP instead
of PTHREAD_MUTEX_ROBUST_NORMAL_NP. It has now been replaced by the
already existing convenience macro USE_REQUEUE_PI.
(cherry picked from commit 2770d15e7e880821fc586619c59eb45180628e16)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6987b2d519f836926540d6fee1ad8840b29865bf
commit 6987b2d519f836926540d6fee1ad8840b29865bf
Author: Will Newton <will.newton@linaro.org>
Date: Thu Aug 29 20:10:26 2013 +0100
ARM: Fix clone code when built for Thumb.
The mov lr, pc instruction will lose the Thumb bit from the return address
so use blx lr instead.
ports/ChangeLog.arm:
2013-08-30 Will Newton <will.newton@linaro.org>
[BZ #15909]
* sysdeps/unix/sysv/linux/arm/clone.S (__clone): Use blx
instead of mov lr, pc.
(cherry picked from commit 6b06ac56cdfc9293908724e51e827534e97819aa)
(cherry picked from commit 4f2bcda964d4fff56855e0c66198c9bcb682ea1e)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=50219dba1e5108fd32de15b0533a6a53db0085ed
commit 50219dba1e5108fd32de15b0533a6a53db0085ed
Author: Mike Frysinger <vapier@gentoo.org>
Date: Sun Jan 5 16:23:42 2014 -0500
ia64: add __ prefix to pt_all_user_regs/ia64_fpreg [BZ #762]
This addresses a long standing collision between userspace headers and
kernel headers only on ia64 systems. All other types have a __ prefix
in the ptrace headers except these two. Let's finally namespace these.
Verified that at least strace still builds after this change, as well
as after deleting all the struct hacks it has specifically for ia64.
URL: https://sourceware.org/bugzilla/show_bug.cgi?id=762
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=367416b057d5da2f719856c8ee9072b58600f48d
commit 367416b057d5da2f719856c8ee9072b58600f48d
Author: Mike Frysinger <vapier@gentoo.org>
Date: Sun Jan 5 16:07:13 2014 -0500
ptrace.h: add __ prefix to ptrace_peeksiginfo_args
All the other ptrace structures in this file have a __ prefix except this
new one. This in turn causes build problems for most packages that try to
use ptrace such as strace:
gcc -DHAVE_CONFIG_H -I. -I../.. -I../../linux/x86_64 -I../../linux \
-I./linux -Wall -Wwrite-strings -g -O2 -MT process.o -MD -MP \
-MF .deps/process.Tpo -c -o process.o ../../process.c
In file included from ../../process.c:63:0:
/usr/include/linux/ptrace.h:58:8: error: redefinition of 'struct
ptrace_peeksiginfo_args'
struct ptrace_peeksiginfo_args {
^
In file included from ../../defs.h:159:0,
from ../../process.c:37:
/usr/include/sys/ptrace.h:191:8: note: originally defined here
struct ptrace_peeksiginfo_args
^
Since this struct was introduced in glibc-2.18, there shouldn't be any
real regressions with adding the __ prefix.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
-----------------------------------------------------------------------
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 19+ messages in thread* [Bug libc/14699] readdir_r: does not enforce NAME_MAX limit
2012-10-11 9:49 [Bug libc/14699] New: readdir_r: does not enforce NAME_MAX limit fweimer at redhat dot com
` (10 preceding siblings ...)
2014-01-06 16:55 ` cvs-commit at gcc dot gnu.org
@ 2014-01-06 16:56 ` cvs-commit at gcc dot gnu.org
2014-06-12 18:53 ` [Bug libc/14699] readdir_r: does not enforce NAME_MAX limit (CVE-2013-4237) fweimer at redhat dot com
` (5 subsequent siblings)
17 siblings, 0 replies; 19+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2014-01-06 16:56 UTC (permalink / raw)
To: glibc-bugs
http://sourceware.org/bugzilla/show_bug.cgi?id=14699
--- Comment #10 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, gentoo/2.18 has been updated
via 3cd70f9e650bafef5c73c19229e6f0176604bb9e (commit)
via e02bebc1e960eb20099738b3ecce1ac780925729 (commit)
via 9695c981b9033f4a7e23ff7c35a4e66f13d68eb4 (commit)
via 4da92b3ac5974326963532aa16c4437d801a0efe (commit)
via 42b872e43db7c71cd40357724f1542252eb0c708 (commit)
via 7e52cc7af467b6a8ba6367af4fecd4c3289db454 (commit)
via 4e3c791909a092489659d4359b73474febbd484a (commit)
via 46ee9243f23f56ded21bf8507f86a55980b04ed1 (commit)
via cbee0562887196f6c87dc538aaeeb494c79daa15 (commit)
via 45560694ca0b6d80ccbba23b51d1c4aa8cd228ab (commit)
via 6c42eca168f60bc50ed5e57ce59d1bfdf19120e2 (commit)
via c4efa458d767026ade69a4cb72362856a7495127 (commit)
via f50548ac238605f133138f1c00be80b4e2ae3128 (commit)
via 703be862e20ab99e0c241480658d372d3f71fd4e (commit)
via 6987b2d519f836926540d6fee1ad8840b29865bf (commit)
via 50219dba1e5108fd32de15b0533a6a53db0085ed (commit)
via 367416b057d5da2f719856c8ee9072b58600f48d (commit)
from d1b29e58c17436b3e0cf92c12b1e99ec6b4cd9ba (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3cd70f9e650bafef5c73c19229e6f0176604bb9e
commit 3cd70f9e650bafef5c73c19229e6f0176604bb9e
Author: David S. Miller <davem@davemloft.net>
Date: Tue Nov 12 12:48:01 2013 -0800
Fix sparc 64-bit GMP ifunc resolution in static builds.
[BZ #16150]
* sysdeps/sparc/sparc64/multiarch/add_n.S: Resolve to the correct
generic
symbol in the non-vis3 case in static builds.
* sysdeps/sparc/sparc64/multiarch/addmul_1.S: Likewise.
* sysdeps/sparc/sparc64/multiarch/mul_1.S: Likewise.
* sysdeps/sparc/sparc64/multiarch/sub_n.S: Likewise.
* sysdeps/sparc/sparc64/multiarch/submul_1.S: Likewise.
(cherry picked from commit 2293d2b10a583486cd22ce578796848f4c3a8b6d)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e02bebc1e960eb20099738b3ecce1ac780925729
commit e02bebc1e960eb20099738b3ecce1ac780925729
Author: David S. Miller <davem@davemloft.net>
Date: Wed Nov 6 13:01:36 2013 -0800
Fix build on pre-v9 32-bit Sparc.
We cannot use fnegd in this code, as fnegd was added in v9.
Only fnegs exists in v8 and earlier.
[BZ #15985]
* sysdeps/sparc/sparc32/fpu/s_fdim.S (__fdim): Do not use fnegd
on pre-v9 cpus, use a fnegs+fmovs sequence instead.
(cherry picked from commit 2216e48645dbd297cdc0f4050fdfc0b52e2a4ab8)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9695c981b9033f4a7e23ff7c35a4e66f13d68eb4
commit 9695c981b9033f4a7e23ff7c35a4e66f13d68eb4
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Wed Sep 25 13:43:04 2013 -0500
PowerPC: Fix POINTER_CHK_GUARD thread register for PPC64
(cherry picked from commit dc3a1f98dc4c86cb454474f4912ae325573655cb)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4da92b3ac5974326963532aa16c4437d801a0efe
commit 4da92b3ac5974326963532aa16c4437d801a0efe
Author: Will Newton <will.newton@linaro.org>
Date: Fri Aug 16 12:54:29 2013 +0100
malloc: Check for integer overflow in memalign.
A large bytes parameter to memalign could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15857]
* malloc/malloc.c (__libc_memalign): Check the value of bytes
does not overflow.
(cherry picked from commit c51d675c459aefef8d84d5a0b114010f916ea278)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=42b872e43db7c71cd40357724f1542252eb0c708
commit 42b872e43db7c71cd40357724f1542252eb0c708
Author: Will Newton <will.newton@linaro.org>
Date: Fri Aug 16 11:59:37 2013 +0100
malloc: Check for integer overflow in valloc.
A large bytes parameter to valloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15856]
* malloc/malloc.c (__libc_valloc): Check the value of bytes
does not overflow.
(cherry picked from commit 6a6a386a3040726053a5fb8582ff26dc85d84741)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7e52cc7af467b6a8ba6367af4fecd4c3289db454
commit 7e52cc7af467b6a8ba6367af4fecd4c3289db454
Author: Will Newton <will.newton@linaro.org>
Date: Mon Aug 12 15:08:02 2013 +0100
malloc: Check for integer overflow in pvalloc.
A large bytes parameter to pvalloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15855]
* malloc/malloc.c (__libc_pvalloc): Check the value of bytes
does not overflow.
(cherry picked from commit 7e0e64ead52591b968df582b0ddc247ba5c4eab4)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4e3c791909a092489659d4359b73474febbd484a
commit 4e3c791909a092489659d4359b73474febbd484a
Author: Carlos O'Donell <carlos@redhat.com>
Date: Mon Sep 23 00:52:09 2013 -0400
BZ #15754: CVE-2013-4788
The pointer guard used for pointer mangling was not initialized for
static applications resulting in the security feature being disabled.
The pointer guard is now correctly initialized to a random value for
static applications. Existing static applications need to be
recompiled to take advantage of the fix.
The test tst-ptrguard1-static and tst-ptrguard1 add regression
coverage to ensure the pointer guards are sufficiently random
and initialized to a default value.
(cherry picked from commit c779e9df75256f19c7be8d12b2d163e2016a63f4)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=46ee9243f23f56ded21bf8507f86a55980b04ed1
commit 46ee9243f23f56ded21bf8507f86a55980b04ed1
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Fri Oct 25 10:22:12 2013 +0530
Fix stack overflow due to large AF_INET6 requests
Resolves #16072 (CVE-2013-4458).
This patch fixes another stack overflow in getaddrinfo when it is
called with AF_INET6. The AF_UNSPEC case was fixed as CVE-2013-1914,
but the AF_INET6 case went undetected back then.
(cherry picked from commit 6f95434fd488e9b72117f9b93ec2e2dbf397a4d3)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=cbee0562887196f6c87dc538aaeeb494c79daa15
commit cbee0562887196f6c87dc538aaeeb494c79daa15
Author: Allan McRae <allan@archlinux.org>
Date: Mon Sep 9 22:52:58 2013 +1000
Fix memory leak in stdlib/isomac.c
(cherry picked from commit 3f71830d35d7bf4ac11664f0c48c3c68d250618b)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=45560694ca0b6d80ccbba23b51d1c4aa8cd228ab
commit 45560694ca0b6d80ccbba23b51d1c4aa8cd228ab
Author: Allan McRae <allan@archlinux.org>
Date: Mon Sep 9 22:50:41 2013 +1000
Fix memory leaks in libio on allocation failure
(cherry picked from commit 8e395175c4786ad9679851e3ed3c0c54a6f4e1f0)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6c42eca168f60bc50ed5e57ce59d1bfdf19120e2
commit 6c42eca168f60bc50ed5e57ce59d1bfdf19120e2
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Thu Sep 5 09:32:56 2013 -0500
PowerPC: fix POWER7 memrchr for some large inputs
(cherry picked from commit b51679672648410c6627a4bd169e076c5b36f47b)
Conflicts:
ChangeLog
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c4efa458d767026ade69a4cb72362856a7495127
commit c4efa458d767026ade69a4cb72362856a7495127
Author: Andreas Arnez <arnez@linux.vnet.ibm.com>
Date: Thu Oct 31 09:57:33 2013 -0500
* elf/setup-vdso.h (setup_vdso): Fix missing string termination.
backport of f315524e034cfc644157cb4af5ecc99f645dd067
(cherry picked from commit f8a004f1fa412e3aae77faa30b4dfb654d721510)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f50548ac238605f133138f1c00be80b4e2ae3128
commit f50548ac238605f133138f1c00be80b4e2ae3128
Author: Florian Weimer <fweimer@redhat.com>
Date: Thu Oct 31 09:55:52 2013 -0500
CVE-2013-4237, BZ #14699: Buffer overflow in readdir_r
* sysdeps/posix/dirstream.h (struct __dirstream): Add errcode
member.
* sysdeps/posix/opendir.c (__alloc_dir): Initialize errcode
member.
* sysdeps/posix/rewinddir.c (rewinddir): Reset errcode member.
* sysdeps/posix/readdir_r.c (__READDIR_R): Enforce NAME_MAX limit.
Return delayed error code. Remove GETDENTS_64BIT_ALIGNED
conditional.
* sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c: Do not define
GETDENTS_64BIT_ALIGNED.
* sysdeps/unix/sysv/linux/i386/readdir64_r.c: Likewise.
* manual/filesys.texi (Reading/Closing Directory): Document
ENAMETOOLONG return value of readdir_r. Recommend readdir more
strongly.
* manual/conf.texi (Limits for Files): Add portability note to
NAME_MAX, PATH_MAX.
(Pathconf): Add portability note for _PC_NAME_MAX, _PC_PATH_MAX.
backport of 91ce40854d0b7f865cf5024ef95a8026b76096f3
(cherry picked from commit f166b9c6e90d631115c59b4357357bc168d8e51a)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=703be862e20ab99e0c241480658d372d3f71fd4e
commit 703be862e20ab99e0c241480658d372d3f71fd4e
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Thu Oct 3 08:26:21 2013 +0530
Fix PI mutex check in pthread_cond_broadcast and pthread_cond_signal
Fixes BZ #15996.
The check had a typo - it checked for PTHREAD_MUTEX_ROBUST_NP instead
of PTHREAD_MUTEX_ROBUST_NORMAL_NP. It has now been replaced by the
already existing convenience macro USE_REQUEUE_PI.
(cherry picked from commit 2770d15e7e880821fc586619c59eb45180628e16)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6987b2d519f836926540d6fee1ad8840b29865bf
commit 6987b2d519f836926540d6fee1ad8840b29865bf
Author: Will Newton <will.newton@linaro.org>
Date: Thu Aug 29 20:10:26 2013 +0100
ARM: Fix clone code when built for Thumb.
The mov lr, pc instruction will lose the Thumb bit from the return address
so use blx lr instead.
ports/ChangeLog.arm:
2013-08-30 Will Newton <will.newton@linaro.org>
[BZ #15909]
* sysdeps/unix/sysv/linux/arm/clone.S (__clone): Use blx
instead of mov lr, pc.
(cherry picked from commit 6b06ac56cdfc9293908724e51e827534e97819aa)
(cherry picked from commit 4f2bcda964d4fff56855e0c66198c9bcb682ea1e)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=50219dba1e5108fd32de15b0533a6a53db0085ed
commit 50219dba1e5108fd32de15b0533a6a53db0085ed
Author: Mike Frysinger <vapier@gentoo.org>
Date: Sun Jan 5 16:23:42 2014 -0500
ia64: add __ prefix to pt_all_user_regs/ia64_fpreg [BZ #762]
This addresses a long standing collision between userspace headers and
kernel headers only on ia64 systems. All other types have a __ prefix
in the ptrace headers except these two. Let's finally namespace these.
Verified that at least strace still builds after this change, as well
as after deleting all the struct hacks it has specifically for ia64.
URL: https://sourceware.org/bugzilla/show_bug.cgi?id=762
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=367416b057d5da2f719856c8ee9072b58600f48d
commit 367416b057d5da2f719856c8ee9072b58600f48d
Author: Mike Frysinger <vapier@gentoo.org>
Date: Sun Jan 5 16:07:13 2014 -0500
ptrace.h: add __ prefix to ptrace_peeksiginfo_args
All the other ptrace structures in this file have a __ prefix except this
new one. This in turn causes build problems for most packages that try to
use ptrace such as strace:
gcc -DHAVE_CONFIG_H -I. -I../.. -I../../linux/x86_64 -I../../linux \
-I./linux -Wall -Wwrite-strings -g -O2 -MT process.o -MD -MP \
-MF .deps/process.Tpo -c -o process.o ../../process.c
In file included from ../../process.c:63:0:
/usr/include/linux/ptrace.h:58:8: error: redefinition of 'struct
ptrace_peeksiginfo_args'
struct ptrace_peeksiginfo_args {
^
In file included from ../../defs.h:159:0,
from ../../process.c:37:
/usr/include/sys/ptrace.h:191:8: note: originally defined here
struct ptrace_peeksiginfo_args
^
Since this struct was introduced in glibc-2.18, there shouldn't be any
real regressions with adding the __ prefix.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
-----------------------------------------------------------------------
Summary of changes:
NEWS | 6 ++
csu/libc-start.c | 16 ++++
elf/Makefile | 9 ++-
elf/setup-vdso.h | 2 +-
elf/tst-ptrguard1-static.c | 1 +
elf/{tst-stackguard1.c => tst-ptrguard1.c} | 54 ++++++++-------
libio/memstream.c | 5 +-
libio/wmemstream.c | 6 +-
malloc/malloc.c | 21 ++++++
manual/conf.texi | 9 +++
manual/filesys.texi | 73 ++++++++++++++------
nptl/ChangeLog | 9 +++
nptl/pthread_cond_broadcast.c | 5 +-
nptl/pthread_cond_signal.c | 7 +--
ports/ChangeLog.arm | 6 ++
ports/sysdeps/ia64/stackguard-macros.h | 3 +
ports/sysdeps/tile/stackguard-macros.h | 6 ++
ports/sysdeps/unix/sysv/linux/aarch64/sys/ptrace.h | 2 +-
ports/sysdeps/unix/sysv/linux/arm/clone.S | 4 +-
.../sysdeps/unix/sysv/linux/ia64/bits/sigcontext.h | 4 +-
ports/sysdeps/unix/sysv/linux/ia64/sys/procfs.h | 2 +-
ports/sysdeps/unix/sysv/linux/ia64/sys/ptrace.h | 6 +-
ports/sysdeps/unix/sysv/linux/tile/sys/ptrace.h | 2 +-
stdlib/isomac.c | 1 +
sysdeps/generic/stackguard-macros.h | 3 +
sysdeps/i386/stackguard-macros.h | 8 ++
sysdeps/posix/dirstream.h | 2 +
sysdeps/posix/getaddrinfo.c | 20 +++++-
sysdeps/posix/opendir.c | 1 +
sysdeps/posix/readdir_r.c | 42 ++++++++---
sysdeps/posix/rewinddir.c | 1 +
sysdeps/powerpc/powerpc32/power7/memrchr.S | 4 +-
sysdeps/powerpc/powerpc32/stackguard-macros.h | 10 +++
sysdeps/powerpc/powerpc64/power7/memrchr.S | 4 +-
sysdeps/powerpc/powerpc64/stackguard-macros.h | 10 +++
sysdeps/s390/s390-32/stackguard-macros.h | 11 +++
sysdeps/s390/s390-64/stackguard-macros.h | 14 ++++
sysdeps/sparc/sparc32/fpu/s_fdim.S | 3 +-
sysdeps/sparc/sparc32/stackguard-macros.h | 3 +
sysdeps/sparc/sparc64/multiarch/add_n.S | 2 +-
sysdeps/sparc/sparc64/multiarch/addmul_1.S | 2 +-
sysdeps/sparc/sparc64/multiarch/mul_1.S | 2 +-
sysdeps/sparc/sparc64/multiarch/sub_n.S | 2 +-
sysdeps/sparc/sparc64/multiarch/submul_1.S | 2 +-
sysdeps/sparc/sparc64/stackguard-macros.h | 3 +
sysdeps/unix/sysv/linux/i386/readdir64_r.c | 1 -
sysdeps/unix/sysv/linux/powerpc/sys/ptrace.h | 2 +-
sysdeps/unix/sysv/linux/s390/sys/ptrace.h | 2 +-
sysdeps/unix/sysv/linux/sparc/sys/ptrace.h | 2 +-
sysdeps/unix/sysv/linux/sys/ptrace.h | 2 +-
sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c | 1 -
sysdeps/x86_64/stackguard-macros.h | 5 ++
52 files changed, 323 insertions(+), 100 deletions(-)
create mode 100644 elf/tst-ptrguard1-static.c
copy elf/{tst-stackguard1.c => tst-ptrguard1.c} (70%)
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 19+ messages in thread* [Bug libc/14699] readdir_r: does not enforce NAME_MAX limit (CVE-2013-4237)
2012-10-11 9:49 [Bug libc/14699] New: readdir_r: does not enforce NAME_MAX limit fweimer at redhat dot com
` (11 preceding siblings ...)
2014-01-06 16:56 ` cvs-commit at gcc dot gnu.org
@ 2014-06-12 18:53 ` fweimer at redhat dot com
2014-06-30 18:44 ` fweimer at redhat dot com
` (4 subsequent siblings)
17 siblings, 0 replies; 19+ messages in thread
From: fweimer at redhat dot com @ 2014-06-12 18:53 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=14699
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|readdir_r: does not enforce |readdir_r: does not enforce
|NAME_MAX limit |NAME_MAX limit
| |(CVE-2013-4237)
Flags| |security+
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 19+ messages in thread* [Bug libc/14699] readdir_r: does not enforce NAME_MAX limit (CVE-2013-4237)
2012-10-11 9:49 [Bug libc/14699] New: readdir_r: does not enforce NAME_MAX limit fweimer at redhat dot com
` (12 preceding siblings ...)
2014-06-12 18:53 ` [Bug libc/14699] readdir_r: does not enforce NAME_MAX limit (CVE-2013-4237) fweimer at redhat dot com
@ 2014-06-30 18:44 ` fweimer at redhat dot com
2015-01-16 16:59 ` cvs-commit at gcc dot gnu.org
` (3 subsequent siblings)
17 siblings, 0 replies; 19+ messages in thread
From: fweimer at redhat dot com @ 2014-06-30 18:44 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=14699
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://sourceware.org/bugz
| |illa/show_bug.cgi?id=11333
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 19+ messages in thread* [Bug libc/14699] readdir_r: does not enforce NAME_MAX limit (CVE-2013-4237)
2012-10-11 9:49 [Bug libc/14699] New: readdir_r: does not enforce NAME_MAX limit fweimer at redhat dot com
` (13 preceding siblings ...)
2014-06-30 18:44 ` fweimer at redhat dot com
@ 2015-01-16 16:59 ` cvs-commit at gcc dot gnu.org
2015-01-29 18:49 ` cvs-commit at gcc dot gnu.org
` (2 subsequent siblings)
17 siblings, 0 replies; 19+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2015-01-16 16:59 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=14699
--- Comment #12 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, ibm/2.16/master has been created
at dfc25d72984eb5a3354e104612d0ca0129af3f98 (commit)
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=dfc25d72984eb5a3354e104612d0ca0129af3f98
commit dfc25d72984eb5a3354e104612d0ca0129af3f98
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Wed Sep 25 13:43:04 2013 -0500
PowerPC: Fix POINTER_CHK_GUARD thread register for PPC64
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1442655ba419867ce1a045a97cdd7904ac1ad516
commit 1442655ba419867ce1a045a97cdd7904ac1ad516
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Mon Jan 20 12:29:51 2014 -0600
PowerPC: Fix gettimeofday ifunc selection
The IFUNC selector for gettimeofday runs before _libc_vdso_platform_setup
where
__vdso_gettimeofday is set. The selector then sets __gettimeofday (the
internal
version used within GLIBC) to use the system call version instead of the
vDSO one.
This patch changes the check if vDSO is available to get its value directly
instead of rely on __vdso_gettimeofday.
This patch changes it by getting the vDSO value directly.
It fixes BZ#16431.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1bdb6daceb10307543599df3b118afd2109d2ec8
commit 1bdb6daceb10307543599df3b118afd2109d2ec8
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Thu Jan 16 06:53:18 2014 -0600
PowerPC: Fix ftime gettimeofday internal call returning bogus data
This patches fixes BZ#16430 by setting a different symbol for internal
GLIBC calls that points to ifunc resolvers. For PPC32, if the symbol
is defined as hidden (which is the case for gettimeofday and time) the
compiler will create local branches (symbol@local) and linker will not
create PLT calls (required for IFUNC). This will leads to internal symbol
calling the IFUNC resolver instead of the resolved symbol.
For PPC64 this behavior does not occur because a call to a function in
another translation unit might use a different toc pointer thus requiring
a PLT call.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e3008132765936162552b15a77fe348c01074310
commit e3008132765936162552b15a77fe348c01074310
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Thu Nov 7 05:34:22 2013 -0600
PowerPC: Fix vDSO missing ODP entries
This patch fixes the vDSO symbol used directed in IFUNC resolver where
they do not have an associated ODP entry leading to undefined behavior
in some cases. It adds an artificial OPD static entry to such cases
and set its TOC to non 0 to avoid triggering lazy resolutions.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6ff69e1eb81719ee907642f615cef889d5bf8b2c
commit 6ff69e1eb81719ee907642f615cef889d5bf8b2c
Author: Carlos O'Donell <carlos@redhat.com>
Date: Wed Nov 19 11:44:12 2014 -0500
CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
The function wordexp() fails to properly handle the WRDE_NOCMD
flag when processing arithmetic inputs in the form of "$((... ``))"
where "..." can be anything valid. The backticks in the arithmetic
epxression are evaluated by in a shell even if WRDE_NOCMD forbade
command substitution. This allows an attacker to attempt to pass
dangerous commands via constructs of the above form, and bypass
the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
in exec_comm(), the only place that can execute a shell. All other
checks for WRDE_NOCMD are superfluous and removed.
We expand the testsuite and add 3 new regression tests of roughly
the same form but with a couple of nested levels.
On top of the 3 new tests we add fork validation to the WRDE_NOCMD
testing. If any forks are detected during the execution of a wordexp()
call with WRDE_NOCMD, the test is marked as failed. This is slightly
heuristic since vfork might be used in the future, but it provides a
higher level of assurance that no shells were executed as part of
command substitution with WRDE_NOCMD in effect. In addition it doesn't
require libpthread or libdl, instead we use the public implementation
namespace function __register_atfork (already part of the public ABI
for libpthread).
Tested on x86_64 with no regressions.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3ded3d365f0237e92e8af90c878b233f265d7b4a
commit 3ded3d365f0237e92e8af90c878b233f265d7b4a
Author: Allan McRae <allan@archlinux.org>
Date: Thu Dec 18 11:01:43 2014 +1000
Label CVE-2014-9402 in NEWS
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c7093fd0fedd8a0b4ed5b01347e3798219ba22ec
commit c7093fd0fedd8a0b4ed5b01347e3798219ba22ec
Author: Florian Weimer <fweimer@redhat.com>
Date: Mon Dec 15 17:41:13 2014 +0100
Avoid infinite loop in nss_dns getnetbyname [BZ #17630]
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c9b43ec3890d5c750a5127a543a55cd94aa73c94
commit c9b43ec3890d5c750a5127a543a55cd94aa73c94
Author: Jeff Law <law@redhat.com>
Date: Mon Dec 15 10:09:32 2014 +0100
CVE-2012-3406: Stack overflow in vfprintf [BZ #16617]
A larger number of format specifiers coudld cause a stack overflow,
potentially allowing to bypass _FORTIFY_SOURCE format string
protection.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3b6ac4b1093333f364698ca3bb812c80b11c2f77
commit 3b6ac4b1093333f364698ca3bb812c80b11c2f77
Author: Allan McRae <allan@archlinux.org>
Date: Sat Jun 21 17:23:55 2014 +1000
Mention CVE-2014-4043 in NEWS
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f7865ec21e8ad32929509796497fa3b44c3ef826
commit f7865ec21e8ad32929509796497fa3b44c3ef826
Author: Florian Weimer <fweimer@redhat.com>
Date: Thu Jan 15 15:16:54 2015 -0500
posix_spawn_file_actions_addopen needs to copy the path argument (BZ 17048)
POSIX requires that we make a copy, so we allocate a new string
and free it in posix_spawn_file_actions_destroy.
Reported by David Reid, Alex Gaynor, and Glyph Lefkowitz. This bug
may have security implications.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c7a91d241b095855e06e0bd00287968df2f6d87e
commit c7a91d241b095855e06e0bd00287968df2f6d87e
Author: Florian Weimer <fweimer@redhat.com>
Date: Mon May 12 15:24:12 2014 +0200
_nl_find_locale: Improve handling of crafted locale names [BZ #17137]
Prevent directory traversal in locale-related environment variables
(CVE-2014-0475).
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=588b214bc7fa3e54d6b679ed4b755e6d1310e61d
commit 588b214bc7fa3e54d6b679ed4b755e6d1310e61d
Author: Florian Weimer <fweimer@redhat.com>
Date: Tue Aug 26 19:38:59 2014 +0200
__gconv_translit_find: Disable function [BZ #17187]
This functionality has never worked correctly, and the implementation
contained a security vulnerability (CVE-2014-5119).
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bd51e93f9305e37aa17e08dbdb86a2e146c09eff
commit bd51e93f9305e37aa17e08dbdb86a2e146c09eff
Author: Florian Weimer <fweimer@redhat.com>
Date: Wed Sep 3 19:45:43 2014 +0200
CVE-2014-6040: Crashes on invalid input in IBM gconv modules [BZ #17325]
These changes are based on the fix for BZ #14134 in commit
6e230d11837f3ae7b375ea69d7905f0d18eb79e5.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=97ef0b2223e10fe3053494defd8a008d7dd9d6d8
commit 97ef0b2223e10fe3053494defd8a008d7dd9d6d8
Author: Will Newton <will.newton@linaro.org>
Date: Fri Sep 13 09:26:02 2013 +0100
Add CVE-2013-4332 to NEWS.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ccb8f6bab96cfcc7aedf5cd0d1946f26b028d733
commit ccb8f6bab96cfcc7aedf5cd0d1946f26b028d733
Author: Will Newton <will.newton@linaro.org>
Date: Fri Aug 16 12:54:29 2013 +0100
malloc: Check for integer overflow in memalign.
A large bytes parameter to memalign could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15857]
* malloc/malloc.c (__libc_memalign): Check the value of bytes
does not overflow.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f1292792799a507711ce24b497e40f8fea8f9c9c
commit f1292792799a507711ce24b497e40f8fea8f9c9c
Author: Will Newton <will.newton@linaro.org>
Date: Fri Aug 16 11:59:37 2013 +0100
malloc: Check for integer overflow in valloc.
A large bytes parameter to valloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15856]
* malloc/malloc.c (__libc_valloc): Check the value of bytes
does not overflow.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b1e934aed5170eb8948e0f3c6618c9431d6810ad
commit b1e934aed5170eb8948e0f3c6618c9431d6810ad
Author: Will Newton <will.newton@linaro.org>
Date: Mon Aug 12 15:08:02 2013 +0100
malloc: Check for integer overflow in pvalloc.
A large bytes parameter to pvalloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15855]
* malloc/malloc.c (__libc_pvalloc): Check the value of bytes
does not overflow.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bcd619797e785f90cc9fd67208267c26c8e4b40d
commit bcd619797e785f90cc9fd67208267c26c8e4b40d
Author: Florian Weimer <fweimer@redhat.com>
Date: Fri Aug 16 09:38:52 2013 +0200
CVE-2013-4237, BZ #14699: Buffer overflow in readdir_r
* sysdeps/posix/dirstream.h (struct __dirstream): Add errcode
member.
* sysdeps/posix/opendir.c (__alloc_dir): Initialize errcode
member.
* sysdeps/posix/rewinddir.c (rewinddir): Reset errcode member.
* sysdeps/posix/readdir_r.c (__READDIR_R): Enforce NAME_MAX limit.
Return delayed error code. Remove GETDENTS_64BIT_ALIGNED
conditional.
* sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c: Do not define
GETDENTS_64BIT_ALIGNED.
* sysdeps/unix/sysv/linux/i386/readdir64_r.c: Likewise.
* manual/filesys.texi (Reading/Closing Directory): Document
ENAMETOOLONG return value of readdir_r. Recommend readdir more
strongly.
* manual/conf.texi (Limits for Files): Add portability note to
NAME_MAX, PATH_MAX.
(Pathconf): Add portability note for _PC_NAME_MAX, _PC_PATH_MAX.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6fd8e941423354e6c7a951d37a60d2f1424d568e
commit 6fd8e941423354e6c7a951d37a60d2f1424d568e
Author: Carlos O'Donell <carlos@redhat.com>
Date: Mon Sep 23 00:52:09 2013 -0400
BZ #15754: CVE-2013-4788
The pointer guard used for pointer mangling was not initialized for
static applications resulting in the security feature being disabled.
The pointer guard is now correctly initialized to a random value for
static applications. Existing static applications need to be
recompiled to take advantage of the fix.
The test tst-ptrguard1-static and tst-ptrguard1 add regression
coverage to ensure the pointer guards are sufficiently random
and initialized to a default value.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a243b1a0797180e142d525d1325a173c758c3714
commit a243b1a0797180e142d525d1325a173c758c3714
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Mon Sep 23 11:24:30 2013 +0530
Check for integer overflow in cache size computation in strcoll
strcoll is implemented using a cache for indices and weights of
collation sequences in the strings so that subsequent passes do not
have to search through collation data again. For very large string
inputs, the cache size computation could overflow. In such a case,
use the fallback function that does not cache indices and weights of
collation sequences.
Fixes CVE-2012-4412.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c1132021659d22753104762a074d6339ae6cbd01
commit c1132021659d22753104762a074d6339ae6cbd01
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Mon Sep 23 11:20:02 2013 +0530
Fall back to non-cached sequence traversal and comparison on malloc fail
strcoll currently falls back to alloca if malloc fails, resulting in a
possible stack overflow. This patch implements sequence traversal and
comparison without caching indices and rules.
Fixes CVE-2012-4424.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2dc811b78adc97b5f5d951716df30053a24da1a1
commit 2dc811b78adc97b5f5d951716df30053a24da1a1
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Tue Aug 20 08:40:05 2013 +0530
Simplify strcoll implementation
Break up strcoll into simpler functions so that the logic is easier to
follow and maintain.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9b951f59aa3c2f2d58d398aab146951216f9ff8d
commit 9b951f59aa3c2f2d58d398aab146951216f9ff8d
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Fri Oct 25 10:22:12 2013 +0530
Fix stack overflow due to large AF_INET6 requests
Resolves #16072 (CVE-2013-4458).
This patch fixes another stack overflow in getaddrinfo when it is
called with AF_INET6. The AF_UNSPEC case was fixed as CVE-2013-1914,
but the AF_INET6 case went undetected back then.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=302c61e2d3536a6ff99d518499771afd6a951b0c
commit 302c61e2d3536a6ff99d518499771afd6a951b0c
Author: Andreas Schwab <schwab@suse.de>
Date: Tue Jan 29 14:45:15 2013 +0100
Fix buffer overrun in regexp matcher
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b7e0492e183efc24e5658c860ca5711e00524dd7
commit b7e0492e183efc24e5658c860ca5711e00524dd7
Author: Carlos O'Donell <carlos@redhat.com>
Date: Fri Jul 19 02:42:03 2013 -0400
CVE-2013-2207, BZ #15755: Disable pt_chown.
The helper binary pt_chown tricked into granting access to another
user's pseudo-terminal.
Pre-conditions for the attack:
* Attacker with local user account
* Kernel with FUSE support
* "user_allow_other" in /etc/fuse.conf
* Victim with allocated slave in /dev/pts
Using the setuid installed pt_chown and a weak check on whether a file
descriptor is a tty, an attacker could fake a pty check using FUSE and
trick pt_chown to grant ownership of a pty descriptor that the current
user does not own. It cannot access /dev/pts/ptmx however.
In most modern distributions pt_chown is not needed because devpts
is enabled by default. The fix for this CVE is to disable building
and using pt_chown by default. We still provide a configure option
to enable hte use of pt_chown but distributions do so at their own
risk.
Cherry-pick of e4608715e6e1dd2adc91982fd151d5ba4f761d69.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=02a002fe9c0b65532643a88b01253e95ba8ba8c6
commit 02a002fe9c0b65532643a88b01253e95ba8ba8c6
Author: Jeff Law <law@redhat.com>
Date: Wed Nov 28 14:12:28 2012 -0700
[BZ #14889]
* sunrpc/rpc/svc.h (__svc_accept_failed): New prototype.
* sunrpc/svc.c: Include time.h.
(__svc_accept_failed): New function.
* sunrpc/svc_tcp.c (rendezvous_request): If the accept fails for
any reason other than EINTR, call __svc_accept_failed.
* sunrpc/svc_udp.c (svcudp_recv): Similarly.
* sunrpc/svc_unix.c (rendezvous_request): Similarly.
Cherry-pick of 14bc93a967e62abf8cf2704725b6f76619399f83
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3b498440aac70e994f32f45a31102964313af690
commit 3b498440aac70e994f32f45a31102964313af690
Author: Andreas Schwab <schwab@suse.de>
Date: Wed Nov 28 10:24:06 2012 +0100
Properly handle indirect functions in ABI check on powerpc64
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8282b7f2aa6380e8a91515f748d4693d8151fc4f
commit 8282b7f2aa6380e8a91515f748d4693d8151fc4f
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Fri Apr 26 13:00:56 2013 -0500
PowerPC: modf optimization fix
This patch fix the 3c0265394d9ffedff2b0de508602dc52e077ce5c commits
by correctly setting minimum architecture for modf PPC optimization
to power5+ instead of power5 (since only on power5+ round/ceil will
be inline to inline assembly).
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=17e599d2613c2a2e4cb6d5c3f9d5f626879aa63f
commit 17e599d2613c2a2e4cb6d5c3f9d5f626879aa63f
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Mon Mar 25 16:10:06 2013 -0500
PowerPC: modf optimization
This patch implements modf/modff optimization for POWER by focus
on FP operations instead of relying in integer ones.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=60dc6d12c5c61b05013cb15f63349dd3d343f26d
commit 60dc6d12c5c61b05013cb15f63349dd3d343f26d
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Wed Mar 13 10:46:08 2013 -0300
PowerPC: Change sched_getcpu to use vDSO getcpu instead of syscall.
Backport of d5e0b9bd6e296f3ec5263fa296d39f3fed9b8fa2.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=cc328ae264f5b97d2811a95d84112bb1c6c7cae3
commit cc328ae264f5b97d2811a95d84112bb1c6c7cae3
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Mon Mar 4 22:02:41 2013 -0300
PowerPC: gettimeofday optimization by using IFUNC
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=36016f626e72f5d1cb6107deeab29768d82ff7e3
commit 36016f626e72f5d1cb6107deeab29768d82ff7e3
Merge: 4e1f97c 043c748
Author: Ryan S. Arnold <rsa@linux.vnet.ibm.com>
Date: Fri Mar 1 16:20:18 2013 -0600
Merge remote branch 'remotes/origin/release/2.16/master' into
local_ibm_2.16
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4e1f97ccdcc257eba262667f7a3179a7d530330d
commit 4e1f97ccdcc257eba262667f7a3179a7d530330d
Author: Mike Frysinger <vapier@gentoo.org>
Date: Wed Nov 28 23:04:32 2012 -0500
byteswap.h: fix gcc ver test for __builtin_bswap{32,64}
The __builtin_bswap* functions were introduced in gcc-4.3, not gcc-4.2.
Fix the __GNUC_PREREQ tests to reflect this.
Otherwise trying to compile code with gcc-4.2 falls down:
In file included from /usr/include/endian.h:60,
from /usr/include/ctype.h:40,
/usr/include/bits/byteswap.h: In function 'unsigned int __bswap_32(unsigned
int)':
/usr/include/bits/byteswap.h:46: error: '__builtin_bswap32' was not
declared in this scope
/usr/include/bits/byteswap.h: In function 'long long unsigned int
__bswap_64(long long unsigned int)':
/usr/include/bits/byteswap.h:110: error: '__builtin_bswap64' was not
declared in this scope
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
(cherry picked from commit c9d6789ebe028a260d3e5be0c26b7d02fdfe99fe)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=025b233a88a30f5f0474ff2c6051313eb33e5689
commit 025b233a88a30f5f0474ff2c6051313eb33e5689
Author: Joseph Myers <joseph@codesourcery.com>
Date: Tue Nov 20 00:04:45 2012 +0000
Fix __bswap_64 return type in generic bits/byteswap.h.
(cherry picked from commit ecd4caf9783c99fb068a100c35899a0c3a3c6d98)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2c739e2cffb65d80787cfa861f9f6c62de327ad6
commit 2c739e2cffb65d80787cfa861f9f6c62de327ad6
Author: H.J. Lu <hjl.tools@gmail.com>
Date: Fri Oct 12 09:21:47 2012 -0700
Use __uint64_t in x86 __bswap_64
(cherry picked from commit d394eb742a3565d7fe7a4b02710a60b5f219ee64)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a24f8ac8e65b451efc81839dd653d0a0e95a23ab
commit a24f8ac8e65b451efc81839dd653d0a0e95a23ab
Author: Andreas Schwab <schwab@linux-m68k.org>
Date: Tue May 1 17:10:10 2012 +0200
Fix missing _mcount@GLIBC_2.0 on powerpc32
(cherry picked from commit 261f485936b283f4327fc1f2fc8fd1705d805c12)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=94464655b576985fdd5f66f7f6126ee1f92a41cc
commit 94464655b576985fdd5f66f7f6126ee1f92a41cc
Author: Peter Bergner <bergner@vnet.ibm.com>
Date: Fri Jul 6 13:24:49 2012 -0500
Add AT_PLATFORM env variable to ld.so to override auxv AT_PLATFORM.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d846920271a0f4dc54c0dbbd56998228e75e776c
commit d846920271a0f4dc54c0dbbd56998228e75e776c
Author: Ryan S. Arnold <rsa@linux.vnet.ibm.com>
Date: Fri Jul 6 13:03:09 2012 -0500
Remove assert() if DT_RUNPATH and DT_RPATH flags are found in ld.so.
-----------------------------------------------------------------------
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 19+ messages in thread* [Bug libc/14699] readdir_r: does not enforce NAME_MAX limit (CVE-2013-4237)
2012-10-11 9:49 [Bug libc/14699] New: readdir_r: does not enforce NAME_MAX limit fweimer at redhat dot com
` (14 preceding siblings ...)
2015-01-16 16:59 ` cvs-commit at gcc dot gnu.org
@ 2015-01-29 18:49 ` cvs-commit at gcc dot gnu.org
2015-02-23 15:03 ` cvs-commit at gcc dot gnu.org
2015-02-24 10:56 ` fweimer at redhat dot com
17 siblings, 0 replies; 19+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2015-01-29 18:49 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=14699
--- Comment #13 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, ibm/2.16/master has been created
at ec36394743c15fedca294219f2254b180c4e327c (commit)
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ec36394743c15fedca294219f2254b180c4e327c
commit ec36394743c15fedca294219f2254b180c4e327c
Author: Andreas Schwab <schwab@suse.de>
Date: Mon Jan 21 17:41:28 2013 +0100
Fix parsing of numeric hosts in gethostbyname_r
Conflicts:
ChangeLog
NEWS
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=20ac5d44837b82c064dfabd3646ec1f4f6826263
commit 20ac5d44837b82c064dfabd3646ec1f4f6826263
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Mon Nov 19 13:01:43 2012 +0530
Return EAI_SYSTEM if we're out of file descriptors
Resolves BZ #14719.
Conflicts:
ChangeLog
NEWS
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=dfc25d72984eb5a3354e104612d0ca0129af3f98
commit dfc25d72984eb5a3354e104612d0ca0129af3f98
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Wed Sep 25 13:43:04 2013 -0500
PowerPC: Fix POINTER_CHK_GUARD thread register for PPC64
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1442655ba419867ce1a045a97cdd7904ac1ad516
commit 1442655ba419867ce1a045a97cdd7904ac1ad516
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Mon Jan 20 12:29:51 2014 -0600
PowerPC: Fix gettimeofday ifunc selection
The IFUNC selector for gettimeofday runs before _libc_vdso_platform_setup
where
__vdso_gettimeofday is set. The selector then sets __gettimeofday (the
internal
version used within GLIBC) to use the system call version instead of the
vDSO one.
This patch changes the check if vDSO is available to get its value directly
instead of rely on __vdso_gettimeofday.
This patch changes it by getting the vDSO value directly.
It fixes BZ#16431.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1bdb6daceb10307543599df3b118afd2109d2ec8
commit 1bdb6daceb10307543599df3b118afd2109d2ec8
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Thu Jan 16 06:53:18 2014 -0600
PowerPC: Fix ftime gettimeofday internal call returning bogus data
This patches fixes BZ#16430 by setting a different symbol for internal
GLIBC calls that points to ifunc resolvers. For PPC32, if the symbol
is defined as hidden (which is the case for gettimeofday and time) the
compiler will create local branches (symbol@local) and linker will not
create PLT calls (required for IFUNC). This will leads to internal symbol
calling the IFUNC resolver instead of the resolved symbol.
For PPC64 this behavior does not occur because a call to a function in
another translation unit might use a different toc pointer thus requiring
a PLT call.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e3008132765936162552b15a77fe348c01074310
commit e3008132765936162552b15a77fe348c01074310
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Thu Nov 7 05:34:22 2013 -0600
PowerPC: Fix vDSO missing ODP entries
This patch fixes the vDSO symbol used directed in IFUNC resolver where
they do not have an associated ODP entry leading to undefined behavior
in some cases. It adds an artificial OPD static entry to such cases
and set its TOC to non 0 to avoid triggering lazy resolutions.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6ff69e1eb81719ee907642f615cef889d5bf8b2c
commit 6ff69e1eb81719ee907642f615cef889d5bf8b2c
Author: Carlos O'Donell <carlos@redhat.com>
Date: Wed Nov 19 11:44:12 2014 -0500
CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
The function wordexp() fails to properly handle the WRDE_NOCMD
flag when processing arithmetic inputs in the form of "$((... ``))"
where "..." can be anything valid. The backticks in the arithmetic
epxression are evaluated by in a shell even if WRDE_NOCMD forbade
command substitution. This allows an attacker to attempt to pass
dangerous commands via constructs of the above form, and bypass
the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
in exec_comm(), the only place that can execute a shell. All other
checks for WRDE_NOCMD are superfluous and removed.
We expand the testsuite and add 3 new regression tests of roughly
the same form but with a couple of nested levels.
On top of the 3 new tests we add fork validation to the WRDE_NOCMD
testing. If any forks are detected during the execution of a wordexp()
call with WRDE_NOCMD, the test is marked as failed. This is slightly
heuristic since vfork might be used in the future, but it provides a
higher level of assurance that no shells were executed as part of
command substitution with WRDE_NOCMD in effect. In addition it doesn't
require libpthread or libdl, instead we use the public implementation
namespace function __register_atfork (already part of the public ABI
for libpthread).
Tested on x86_64 with no regressions.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3ded3d365f0237e92e8af90c878b233f265d7b4a
commit 3ded3d365f0237e92e8af90c878b233f265d7b4a
Author: Allan McRae <allan@archlinux.org>
Date: Thu Dec 18 11:01:43 2014 +1000
Label CVE-2014-9402 in NEWS
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c7093fd0fedd8a0b4ed5b01347e3798219ba22ec
commit c7093fd0fedd8a0b4ed5b01347e3798219ba22ec
Author: Florian Weimer <fweimer@redhat.com>
Date: Mon Dec 15 17:41:13 2014 +0100
Avoid infinite loop in nss_dns getnetbyname [BZ #17630]
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c9b43ec3890d5c750a5127a543a55cd94aa73c94
commit c9b43ec3890d5c750a5127a543a55cd94aa73c94
Author: Jeff Law <law@redhat.com>
Date: Mon Dec 15 10:09:32 2014 +0100
CVE-2012-3406: Stack overflow in vfprintf [BZ #16617]
A larger number of format specifiers coudld cause a stack overflow,
potentially allowing to bypass _FORTIFY_SOURCE format string
protection.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3b6ac4b1093333f364698ca3bb812c80b11c2f77
commit 3b6ac4b1093333f364698ca3bb812c80b11c2f77
Author: Allan McRae <allan@archlinux.org>
Date: Sat Jun 21 17:23:55 2014 +1000
Mention CVE-2014-4043 in NEWS
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f7865ec21e8ad32929509796497fa3b44c3ef826
commit f7865ec21e8ad32929509796497fa3b44c3ef826
Author: Florian Weimer <fweimer@redhat.com>
Date: Thu Jan 15 15:16:54 2015 -0500
posix_spawn_file_actions_addopen needs to copy the path argument (BZ 17048)
POSIX requires that we make a copy, so we allocate a new string
and free it in posix_spawn_file_actions_destroy.
Reported by David Reid, Alex Gaynor, and Glyph Lefkowitz. This bug
may have security implications.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c7a91d241b095855e06e0bd00287968df2f6d87e
commit c7a91d241b095855e06e0bd00287968df2f6d87e
Author: Florian Weimer <fweimer@redhat.com>
Date: Mon May 12 15:24:12 2014 +0200
_nl_find_locale: Improve handling of crafted locale names [BZ #17137]
Prevent directory traversal in locale-related environment variables
(CVE-2014-0475).
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=588b214bc7fa3e54d6b679ed4b755e6d1310e61d
commit 588b214bc7fa3e54d6b679ed4b755e6d1310e61d
Author: Florian Weimer <fweimer@redhat.com>
Date: Tue Aug 26 19:38:59 2014 +0200
__gconv_translit_find: Disable function [BZ #17187]
This functionality has never worked correctly, and the implementation
contained a security vulnerability (CVE-2014-5119).
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bd51e93f9305e37aa17e08dbdb86a2e146c09eff
commit bd51e93f9305e37aa17e08dbdb86a2e146c09eff
Author: Florian Weimer <fweimer@redhat.com>
Date: Wed Sep 3 19:45:43 2014 +0200
CVE-2014-6040: Crashes on invalid input in IBM gconv modules [BZ #17325]
These changes are based on the fix for BZ #14134 in commit
6e230d11837f3ae7b375ea69d7905f0d18eb79e5.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=97ef0b2223e10fe3053494defd8a008d7dd9d6d8
commit 97ef0b2223e10fe3053494defd8a008d7dd9d6d8
Author: Will Newton <will.newton@linaro.org>
Date: Fri Sep 13 09:26:02 2013 +0100
Add CVE-2013-4332 to NEWS.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ccb8f6bab96cfcc7aedf5cd0d1946f26b028d733
commit ccb8f6bab96cfcc7aedf5cd0d1946f26b028d733
Author: Will Newton <will.newton@linaro.org>
Date: Fri Aug 16 12:54:29 2013 +0100
malloc: Check for integer overflow in memalign.
A large bytes parameter to memalign could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15857]
* malloc/malloc.c (__libc_memalign): Check the value of bytes
does not overflow.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f1292792799a507711ce24b497e40f8fea8f9c9c
commit f1292792799a507711ce24b497e40f8fea8f9c9c
Author: Will Newton <will.newton@linaro.org>
Date: Fri Aug 16 11:59:37 2013 +0100
malloc: Check for integer overflow in valloc.
A large bytes parameter to valloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15856]
* malloc/malloc.c (__libc_valloc): Check the value of bytes
does not overflow.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b1e934aed5170eb8948e0f3c6618c9431d6810ad
commit b1e934aed5170eb8948e0f3c6618c9431d6810ad
Author: Will Newton <will.newton@linaro.org>
Date: Mon Aug 12 15:08:02 2013 +0100
malloc: Check for integer overflow in pvalloc.
A large bytes parameter to pvalloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15855]
* malloc/malloc.c (__libc_pvalloc): Check the value of bytes
does not overflow.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bcd619797e785f90cc9fd67208267c26c8e4b40d
commit bcd619797e785f90cc9fd67208267c26c8e4b40d
Author: Florian Weimer <fweimer@redhat.com>
Date: Fri Aug 16 09:38:52 2013 +0200
CVE-2013-4237, BZ #14699: Buffer overflow in readdir_r
* sysdeps/posix/dirstream.h (struct __dirstream): Add errcode
member.
* sysdeps/posix/opendir.c (__alloc_dir): Initialize errcode
member.
* sysdeps/posix/rewinddir.c (rewinddir): Reset errcode member.
* sysdeps/posix/readdir_r.c (__READDIR_R): Enforce NAME_MAX limit.
Return delayed error code. Remove GETDENTS_64BIT_ALIGNED
conditional.
* sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c: Do not define
GETDENTS_64BIT_ALIGNED.
* sysdeps/unix/sysv/linux/i386/readdir64_r.c: Likewise.
* manual/filesys.texi (Reading/Closing Directory): Document
ENAMETOOLONG return value of readdir_r. Recommend readdir more
strongly.
* manual/conf.texi (Limits for Files): Add portability note to
NAME_MAX, PATH_MAX.
(Pathconf): Add portability note for _PC_NAME_MAX, _PC_PATH_MAX.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6fd8e941423354e6c7a951d37a60d2f1424d568e
commit 6fd8e941423354e6c7a951d37a60d2f1424d568e
Author: Carlos O'Donell <carlos@redhat.com>
Date: Mon Sep 23 00:52:09 2013 -0400
BZ #15754: CVE-2013-4788
The pointer guard used for pointer mangling was not initialized for
static applications resulting in the security feature being disabled.
The pointer guard is now correctly initialized to a random value for
static applications. Existing static applications need to be
recompiled to take advantage of the fix.
The test tst-ptrguard1-static and tst-ptrguard1 add regression
coverage to ensure the pointer guards are sufficiently random
and initialized to a default value.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a243b1a0797180e142d525d1325a173c758c3714
commit a243b1a0797180e142d525d1325a173c758c3714
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Mon Sep 23 11:24:30 2013 +0530
Check for integer overflow in cache size computation in strcoll
strcoll is implemented using a cache for indices and weights of
collation sequences in the strings so that subsequent passes do not
have to search through collation data again. For very large string
inputs, the cache size computation could overflow. In such a case,
use the fallback function that does not cache indices and weights of
collation sequences.
Fixes CVE-2012-4412.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c1132021659d22753104762a074d6339ae6cbd01
commit c1132021659d22753104762a074d6339ae6cbd01
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Mon Sep 23 11:20:02 2013 +0530
Fall back to non-cached sequence traversal and comparison on malloc fail
strcoll currently falls back to alloca if malloc fails, resulting in a
possible stack overflow. This patch implements sequence traversal and
comparison without caching indices and rules.
Fixes CVE-2012-4424.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2dc811b78adc97b5f5d951716df30053a24da1a1
commit 2dc811b78adc97b5f5d951716df30053a24da1a1
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Tue Aug 20 08:40:05 2013 +0530
Simplify strcoll implementation
Break up strcoll into simpler functions so that the logic is easier to
follow and maintain.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9b951f59aa3c2f2d58d398aab146951216f9ff8d
commit 9b951f59aa3c2f2d58d398aab146951216f9ff8d
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Fri Oct 25 10:22:12 2013 +0530
Fix stack overflow due to large AF_INET6 requests
Resolves #16072 (CVE-2013-4458).
This patch fixes another stack overflow in getaddrinfo when it is
called with AF_INET6. The AF_UNSPEC case was fixed as CVE-2013-1914,
but the AF_INET6 case went undetected back then.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=302c61e2d3536a6ff99d518499771afd6a951b0c
commit 302c61e2d3536a6ff99d518499771afd6a951b0c
Author: Andreas Schwab <schwab@suse.de>
Date: Tue Jan 29 14:45:15 2013 +0100
Fix buffer overrun in regexp matcher
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b7e0492e183efc24e5658c860ca5711e00524dd7
commit b7e0492e183efc24e5658c860ca5711e00524dd7
Author: Carlos O'Donell <carlos@redhat.com>
Date: Fri Jul 19 02:42:03 2013 -0400
CVE-2013-2207, BZ #15755: Disable pt_chown.
The helper binary pt_chown tricked into granting access to another
user's pseudo-terminal.
Pre-conditions for the attack:
* Attacker with local user account
* Kernel with FUSE support
* "user_allow_other" in /etc/fuse.conf
* Victim with allocated slave in /dev/pts
Using the setuid installed pt_chown and a weak check on whether a file
descriptor is a tty, an attacker could fake a pty check using FUSE and
trick pt_chown to grant ownership of a pty descriptor that the current
user does not own. It cannot access /dev/pts/ptmx however.
In most modern distributions pt_chown is not needed because devpts
is enabled by default. The fix for this CVE is to disable building
and using pt_chown by default. We still provide a configure option
to enable hte use of pt_chown but distributions do so at their own
risk.
Cherry-pick of e4608715e6e1dd2adc91982fd151d5ba4f761d69.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=02a002fe9c0b65532643a88b01253e95ba8ba8c6
commit 02a002fe9c0b65532643a88b01253e95ba8ba8c6
Author: Jeff Law <law@redhat.com>
Date: Wed Nov 28 14:12:28 2012 -0700
[BZ #14889]
* sunrpc/rpc/svc.h (__svc_accept_failed): New prototype.
* sunrpc/svc.c: Include time.h.
(__svc_accept_failed): New function.
* sunrpc/svc_tcp.c (rendezvous_request): If the accept fails for
any reason other than EINTR, call __svc_accept_failed.
* sunrpc/svc_udp.c (svcudp_recv): Similarly.
* sunrpc/svc_unix.c (rendezvous_request): Similarly.
Cherry-pick of 14bc93a967e62abf8cf2704725b6f76619399f83
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3b498440aac70e994f32f45a31102964313af690
commit 3b498440aac70e994f32f45a31102964313af690
Author: Andreas Schwab <schwab@suse.de>
Date: Wed Nov 28 10:24:06 2012 +0100
Properly handle indirect functions in ABI check on powerpc64
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8282b7f2aa6380e8a91515f748d4693d8151fc4f
commit 8282b7f2aa6380e8a91515f748d4693d8151fc4f
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Fri Apr 26 13:00:56 2013 -0500
PowerPC: modf optimization fix
This patch fix the 3c0265394d9ffedff2b0de508602dc52e077ce5c commits
by correctly setting minimum architecture for modf PPC optimization
to power5+ instead of power5 (since only on power5+ round/ceil will
be inline to inline assembly).
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=17e599d2613c2a2e4cb6d5c3f9d5f626879aa63f
commit 17e599d2613c2a2e4cb6d5c3f9d5f626879aa63f
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Mon Mar 25 16:10:06 2013 -0500
PowerPC: modf optimization
This patch implements modf/modff optimization for POWER by focus
on FP operations instead of relying in integer ones.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=60dc6d12c5c61b05013cb15f63349dd3d343f26d
commit 60dc6d12c5c61b05013cb15f63349dd3d343f26d
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Wed Mar 13 10:46:08 2013 -0300
PowerPC: Change sched_getcpu to use vDSO getcpu instead of syscall.
Backport of d5e0b9bd6e296f3ec5263fa296d39f3fed9b8fa2.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=cc328ae264f5b97d2811a95d84112bb1c6c7cae3
commit cc328ae264f5b97d2811a95d84112bb1c6c7cae3
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Mon Mar 4 22:02:41 2013 -0300
PowerPC: gettimeofday optimization by using IFUNC
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=36016f626e72f5d1cb6107deeab29768d82ff7e3
commit 36016f626e72f5d1cb6107deeab29768d82ff7e3
Merge: 4e1f97c 043c748
Author: Ryan S. Arnold <rsa@linux.vnet.ibm.com>
Date: Fri Mar 1 16:20:18 2013 -0600
Merge remote branch 'remotes/origin/release/2.16/master' into
local_ibm_2.16
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4e1f97ccdcc257eba262667f7a3179a7d530330d
commit 4e1f97ccdcc257eba262667f7a3179a7d530330d
Author: Mike Frysinger <vapier@gentoo.org>
Date: Wed Nov 28 23:04:32 2012 -0500
byteswap.h: fix gcc ver test for __builtin_bswap{32,64}
The __builtin_bswap* functions were introduced in gcc-4.3, not gcc-4.2.
Fix the __GNUC_PREREQ tests to reflect this.
Otherwise trying to compile code with gcc-4.2 falls down:
In file included from /usr/include/endian.h:60,
from /usr/include/ctype.h:40,
/usr/include/bits/byteswap.h: In function 'unsigned int __bswap_32(unsigned
int)':
/usr/include/bits/byteswap.h:46: error: '__builtin_bswap32' was not
declared in this scope
/usr/include/bits/byteswap.h: In function 'long long unsigned int
__bswap_64(long long unsigned int)':
/usr/include/bits/byteswap.h:110: error: '__builtin_bswap64' was not
declared in this scope
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
(cherry picked from commit c9d6789ebe028a260d3e5be0c26b7d02fdfe99fe)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=025b233a88a30f5f0474ff2c6051313eb33e5689
commit 025b233a88a30f5f0474ff2c6051313eb33e5689
Author: Joseph Myers <joseph@codesourcery.com>
Date: Tue Nov 20 00:04:45 2012 +0000
Fix __bswap_64 return type in generic bits/byteswap.h.
(cherry picked from commit ecd4caf9783c99fb068a100c35899a0c3a3c6d98)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2c739e2cffb65d80787cfa861f9f6c62de327ad6
commit 2c739e2cffb65d80787cfa861f9f6c62de327ad6
Author: H.J. Lu <hjl.tools@gmail.com>
Date: Fri Oct 12 09:21:47 2012 -0700
Use __uint64_t in x86 __bswap_64
(cherry picked from commit d394eb742a3565d7fe7a4b02710a60b5f219ee64)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a24f8ac8e65b451efc81839dd653d0a0e95a23ab
commit a24f8ac8e65b451efc81839dd653d0a0e95a23ab
Author: Andreas Schwab <schwab@linux-m68k.org>
Date: Tue May 1 17:10:10 2012 +0200
Fix missing _mcount@GLIBC_2.0 on powerpc32
(cherry picked from commit 261f485936b283f4327fc1f2fc8fd1705d805c12)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=94464655b576985fdd5f66f7f6126ee1f92a41cc
commit 94464655b576985fdd5f66f7f6126ee1f92a41cc
Author: Peter Bergner <bergner@vnet.ibm.com>
Date: Fri Jul 6 13:24:49 2012 -0500
Add AT_PLATFORM env variable to ld.so to override auxv AT_PLATFORM.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d846920271a0f4dc54c0dbbd56998228e75e776c
commit d846920271a0f4dc54c0dbbd56998228e75e776c
Author: Ryan S. Arnold <rsa@linux.vnet.ibm.com>
Date: Fri Jul 6 13:03:09 2012 -0500
Remove assert() if DT_RUNPATH and DT_RPATH flags are found in ld.so.
-----------------------------------------------------------------------
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 19+ messages in thread* [Bug libc/14699] readdir_r: does not enforce NAME_MAX limit (CVE-2013-4237)
2012-10-11 9:49 [Bug libc/14699] New: readdir_r: does not enforce NAME_MAX limit fweimer at redhat dot com
` (15 preceding siblings ...)
2015-01-29 18:49 ` cvs-commit at gcc dot gnu.org
@ 2015-02-23 15:03 ` cvs-commit at gcc dot gnu.org
2015-02-24 10:56 ` fweimer at redhat dot com
17 siblings, 0 replies; 19+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2015-02-23 15:03 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=14699
--- Comment #14 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, ibm/2.16/master has been created
at 627eabb20f2b70faa3698e2c0124094c6d51af8e (commit)
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=627eabb20f2b70faa3698e2c0124094c6d51af8e
commit 627eabb20f2b70faa3698e2c0124094c6d51af8e
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date: Fri Feb 6 00:30:42 2015 -0500
CVE-2015-1472: wscanf allocates too little memory
BZ #16618
Under certain conditions wscanf can allocate too little memory for the
to-be-scanned arguments and overflow the allocated buffer. The
implementation now correctly computes the required buffer size when
using malloc.
A regression test was added to tst-sscanf.
Conflicts:
ChangeLog
NEWS
stdio-common/tst-sscanf.c
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ec36394743c15fedca294219f2254b180c4e327c
commit ec36394743c15fedca294219f2254b180c4e327c
Author: Andreas Schwab <schwab@suse.de>
Date: Mon Jan 21 17:41:28 2013 +0100
Fix parsing of numeric hosts in gethostbyname_r
Conflicts:
ChangeLog
NEWS
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=20ac5d44837b82c064dfabd3646ec1f4f6826263
commit 20ac5d44837b82c064dfabd3646ec1f4f6826263
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Mon Nov 19 13:01:43 2012 +0530
Return EAI_SYSTEM if we're out of file descriptors
Resolves BZ #14719.
Conflicts:
ChangeLog
NEWS
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=dfc25d72984eb5a3354e104612d0ca0129af3f98
commit dfc25d72984eb5a3354e104612d0ca0129af3f98
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Wed Sep 25 13:43:04 2013 -0500
PowerPC: Fix POINTER_CHK_GUARD thread register for PPC64
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1442655ba419867ce1a045a97cdd7904ac1ad516
commit 1442655ba419867ce1a045a97cdd7904ac1ad516
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Mon Jan 20 12:29:51 2014 -0600
PowerPC: Fix gettimeofday ifunc selection
The IFUNC selector for gettimeofday runs before _libc_vdso_platform_setup
where
__vdso_gettimeofday is set. The selector then sets __gettimeofday (the
internal
version used within GLIBC) to use the system call version instead of the
vDSO one.
This patch changes the check if vDSO is available to get its value directly
instead of rely on __vdso_gettimeofday.
This patch changes it by getting the vDSO value directly.
It fixes BZ#16431.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1bdb6daceb10307543599df3b118afd2109d2ec8
commit 1bdb6daceb10307543599df3b118afd2109d2ec8
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Thu Jan 16 06:53:18 2014 -0600
PowerPC: Fix ftime gettimeofday internal call returning bogus data
This patches fixes BZ#16430 by setting a different symbol for internal
GLIBC calls that points to ifunc resolvers. For PPC32, if the symbol
is defined as hidden (which is the case for gettimeofday and time) the
compiler will create local branches (symbol@local) and linker will not
create PLT calls (required for IFUNC). This will leads to internal symbol
calling the IFUNC resolver instead of the resolved symbol.
For PPC64 this behavior does not occur because a call to a function in
another translation unit might use a different toc pointer thus requiring
a PLT call.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e3008132765936162552b15a77fe348c01074310
commit e3008132765936162552b15a77fe348c01074310
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Thu Nov 7 05:34:22 2013 -0600
PowerPC: Fix vDSO missing ODP entries
This patch fixes the vDSO symbol used directed in IFUNC resolver where
they do not have an associated ODP entry leading to undefined behavior
in some cases. It adds an artificial OPD static entry to such cases
and set its TOC to non 0 to avoid triggering lazy resolutions.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6ff69e1eb81719ee907642f615cef889d5bf8b2c
commit 6ff69e1eb81719ee907642f615cef889d5bf8b2c
Author: Carlos O'Donell <carlos@redhat.com>
Date: Wed Nov 19 11:44:12 2014 -0500
CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
The function wordexp() fails to properly handle the WRDE_NOCMD
flag when processing arithmetic inputs in the form of "$((... ``))"
where "..." can be anything valid. The backticks in the arithmetic
epxression are evaluated by in a shell even if WRDE_NOCMD forbade
command substitution. This allows an attacker to attempt to pass
dangerous commands via constructs of the above form, and bypass
the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
in exec_comm(), the only place that can execute a shell. All other
checks for WRDE_NOCMD are superfluous and removed.
We expand the testsuite and add 3 new regression tests of roughly
the same form but with a couple of nested levels.
On top of the 3 new tests we add fork validation to the WRDE_NOCMD
testing. If any forks are detected during the execution of a wordexp()
call with WRDE_NOCMD, the test is marked as failed. This is slightly
heuristic since vfork might be used in the future, but it provides a
higher level of assurance that no shells were executed as part of
command substitution with WRDE_NOCMD in effect. In addition it doesn't
require libpthread or libdl, instead we use the public implementation
namespace function __register_atfork (already part of the public ABI
for libpthread).
Tested on x86_64 with no regressions.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3ded3d365f0237e92e8af90c878b233f265d7b4a
commit 3ded3d365f0237e92e8af90c878b233f265d7b4a
Author: Allan McRae <allan@archlinux.org>
Date: Thu Dec 18 11:01:43 2014 +1000
Label CVE-2014-9402 in NEWS
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c7093fd0fedd8a0b4ed5b01347e3798219ba22ec
commit c7093fd0fedd8a0b4ed5b01347e3798219ba22ec
Author: Florian Weimer <fweimer@redhat.com>
Date: Mon Dec 15 17:41:13 2014 +0100
Avoid infinite loop in nss_dns getnetbyname [BZ #17630]
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c9b43ec3890d5c750a5127a543a55cd94aa73c94
commit c9b43ec3890d5c750a5127a543a55cd94aa73c94
Author: Jeff Law <law@redhat.com>
Date: Mon Dec 15 10:09:32 2014 +0100
CVE-2012-3406: Stack overflow in vfprintf [BZ #16617]
A larger number of format specifiers coudld cause a stack overflow,
potentially allowing to bypass _FORTIFY_SOURCE format string
protection.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3b6ac4b1093333f364698ca3bb812c80b11c2f77
commit 3b6ac4b1093333f364698ca3bb812c80b11c2f77
Author: Allan McRae <allan@archlinux.org>
Date: Sat Jun 21 17:23:55 2014 +1000
Mention CVE-2014-4043 in NEWS
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f7865ec21e8ad32929509796497fa3b44c3ef826
commit f7865ec21e8ad32929509796497fa3b44c3ef826
Author: Florian Weimer <fweimer@redhat.com>
Date: Thu Jan 15 15:16:54 2015 -0500
posix_spawn_file_actions_addopen needs to copy the path argument (BZ 17048)
POSIX requires that we make a copy, so we allocate a new string
and free it in posix_spawn_file_actions_destroy.
Reported by David Reid, Alex Gaynor, and Glyph Lefkowitz. This bug
may have security implications.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c7a91d241b095855e06e0bd00287968df2f6d87e
commit c7a91d241b095855e06e0bd00287968df2f6d87e
Author: Florian Weimer <fweimer@redhat.com>
Date: Mon May 12 15:24:12 2014 +0200
_nl_find_locale: Improve handling of crafted locale names [BZ #17137]
Prevent directory traversal in locale-related environment variables
(CVE-2014-0475).
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=588b214bc7fa3e54d6b679ed4b755e6d1310e61d
commit 588b214bc7fa3e54d6b679ed4b755e6d1310e61d
Author: Florian Weimer <fweimer@redhat.com>
Date: Tue Aug 26 19:38:59 2014 +0200
__gconv_translit_find: Disable function [BZ #17187]
This functionality has never worked correctly, and the implementation
contained a security vulnerability (CVE-2014-5119).
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bd51e93f9305e37aa17e08dbdb86a2e146c09eff
commit bd51e93f9305e37aa17e08dbdb86a2e146c09eff
Author: Florian Weimer <fweimer@redhat.com>
Date: Wed Sep 3 19:45:43 2014 +0200
CVE-2014-6040: Crashes on invalid input in IBM gconv modules [BZ #17325]
These changes are based on the fix for BZ #14134 in commit
6e230d11837f3ae7b375ea69d7905f0d18eb79e5.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=97ef0b2223e10fe3053494defd8a008d7dd9d6d8
commit 97ef0b2223e10fe3053494defd8a008d7dd9d6d8
Author: Will Newton <will.newton@linaro.org>
Date: Fri Sep 13 09:26:02 2013 +0100
Add CVE-2013-4332 to NEWS.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ccb8f6bab96cfcc7aedf5cd0d1946f26b028d733
commit ccb8f6bab96cfcc7aedf5cd0d1946f26b028d733
Author: Will Newton <will.newton@linaro.org>
Date: Fri Aug 16 12:54:29 2013 +0100
malloc: Check for integer overflow in memalign.
A large bytes parameter to memalign could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15857]
* malloc/malloc.c (__libc_memalign): Check the value of bytes
does not overflow.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f1292792799a507711ce24b497e40f8fea8f9c9c
commit f1292792799a507711ce24b497e40f8fea8f9c9c
Author: Will Newton <will.newton@linaro.org>
Date: Fri Aug 16 11:59:37 2013 +0100
malloc: Check for integer overflow in valloc.
A large bytes parameter to valloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15856]
* malloc/malloc.c (__libc_valloc): Check the value of bytes
does not overflow.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b1e934aed5170eb8948e0f3c6618c9431d6810ad
commit b1e934aed5170eb8948e0f3c6618c9431d6810ad
Author: Will Newton <will.newton@linaro.org>
Date: Mon Aug 12 15:08:02 2013 +0100
malloc: Check for integer overflow in pvalloc.
A large bytes parameter to pvalloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15855]
* malloc/malloc.c (__libc_pvalloc): Check the value of bytes
does not overflow.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bcd619797e785f90cc9fd67208267c26c8e4b40d
commit bcd619797e785f90cc9fd67208267c26c8e4b40d
Author: Florian Weimer <fweimer@redhat.com>
Date: Fri Aug 16 09:38:52 2013 +0200
CVE-2013-4237, BZ #14699: Buffer overflow in readdir_r
* sysdeps/posix/dirstream.h (struct __dirstream): Add errcode
member.
* sysdeps/posix/opendir.c (__alloc_dir): Initialize errcode
member.
* sysdeps/posix/rewinddir.c (rewinddir): Reset errcode member.
* sysdeps/posix/readdir_r.c (__READDIR_R): Enforce NAME_MAX limit.
Return delayed error code. Remove GETDENTS_64BIT_ALIGNED
conditional.
* sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c: Do not define
GETDENTS_64BIT_ALIGNED.
* sysdeps/unix/sysv/linux/i386/readdir64_r.c: Likewise.
* manual/filesys.texi (Reading/Closing Directory): Document
ENAMETOOLONG return value of readdir_r. Recommend readdir more
strongly.
* manual/conf.texi (Limits for Files): Add portability note to
NAME_MAX, PATH_MAX.
(Pathconf): Add portability note for _PC_NAME_MAX, _PC_PATH_MAX.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6fd8e941423354e6c7a951d37a60d2f1424d568e
commit 6fd8e941423354e6c7a951d37a60d2f1424d568e
Author: Carlos O'Donell <carlos@redhat.com>
Date: Mon Sep 23 00:52:09 2013 -0400
BZ #15754: CVE-2013-4788
The pointer guard used for pointer mangling was not initialized for
static applications resulting in the security feature being disabled.
The pointer guard is now correctly initialized to a random value for
static applications. Existing static applications need to be
recompiled to take advantage of the fix.
The test tst-ptrguard1-static and tst-ptrguard1 add regression
coverage to ensure the pointer guards are sufficiently random
and initialized to a default value.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a243b1a0797180e142d525d1325a173c758c3714
commit a243b1a0797180e142d525d1325a173c758c3714
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Mon Sep 23 11:24:30 2013 +0530
Check for integer overflow in cache size computation in strcoll
strcoll is implemented using a cache for indices and weights of
collation sequences in the strings so that subsequent passes do not
have to search through collation data again. For very large string
inputs, the cache size computation could overflow. In such a case,
use the fallback function that does not cache indices and weights of
collation sequences.
Fixes CVE-2012-4412.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c1132021659d22753104762a074d6339ae6cbd01
commit c1132021659d22753104762a074d6339ae6cbd01
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Mon Sep 23 11:20:02 2013 +0530
Fall back to non-cached sequence traversal and comparison on malloc fail
strcoll currently falls back to alloca if malloc fails, resulting in a
possible stack overflow. This patch implements sequence traversal and
comparison without caching indices and rules.
Fixes CVE-2012-4424.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2dc811b78adc97b5f5d951716df30053a24da1a1
commit 2dc811b78adc97b5f5d951716df30053a24da1a1
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Tue Aug 20 08:40:05 2013 +0530
Simplify strcoll implementation
Break up strcoll into simpler functions so that the logic is easier to
follow and maintain.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9b951f59aa3c2f2d58d398aab146951216f9ff8d
commit 9b951f59aa3c2f2d58d398aab146951216f9ff8d
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date: Fri Oct 25 10:22:12 2013 +0530
Fix stack overflow due to large AF_INET6 requests
Resolves #16072 (CVE-2013-4458).
This patch fixes another stack overflow in getaddrinfo when it is
called with AF_INET6. The AF_UNSPEC case was fixed as CVE-2013-1914,
but the AF_INET6 case went undetected back then.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=302c61e2d3536a6ff99d518499771afd6a951b0c
commit 302c61e2d3536a6ff99d518499771afd6a951b0c
Author: Andreas Schwab <schwab@suse.de>
Date: Tue Jan 29 14:45:15 2013 +0100
Fix buffer overrun in regexp matcher
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b7e0492e183efc24e5658c860ca5711e00524dd7
commit b7e0492e183efc24e5658c860ca5711e00524dd7
Author: Carlos O'Donell <carlos@redhat.com>
Date: Fri Jul 19 02:42:03 2013 -0400
CVE-2013-2207, BZ #15755: Disable pt_chown.
The helper binary pt_chown tricked into granting access to another
user's pseudo-terminal.
Pre-conditions for the attack:
* Attacker with local user account
* Kernel with FUSE support
* "user_allow_other" in /etc/fuse.conf
* Victim with allocated slave in /dev/pts
Using the setuid installed pt_chown and a weak check on whether a file
descriptor is a tty, an attacker could fake a pty check using FUSE and
trick pt_chown to grant ownership of a pty descriptor that the current
user does not own. It cannot access /dev/pts/ptmx however.
In most modern distributions pt_chown is not needed because devpts
is enabled by default. The fix for this CVE is to disable building
and using pt_chown by default. We still provide a configure option
to enable hte use of pt_chown but distributions do so at their own
risk.
Cherry-pick of e4608715e6e1dd2adc91982fd151d5ba4f761d69.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=02a002fe9c0b65532643a88b01253e95ba8ba8c6
commit 02a002fe9c0b65532643a88b01253e95ba8ba8c6
Author: Jeff Law <law@redhat.com>
Date: Wed Nov 28 14:12:28 2012 -0700
[BZ #14889]
* sunrpc/rpc/svc.h (__svc_accept_failed): New prototype.
* sunrpc/svc.c: Include time.h.
(__svc_accept_failed): New function.
* sunrpc/svc_tcp.c (rendezvous_request): If the accept fails for
any reason other than EINTR, call __svc_accept_failed.
* sunrpc/svc_udp.c (svcudp_recv): Similarly.
* sunrpc/svc_unix.c (rendezvous_request): Similarly.
Cherry-pick of 14bc93a967e62abf8cf2704725b6f76619399f83
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3b498440aac70e994f32f45a31102964313af690
commit 3b498440aac70e994f32f45a31102964313af690
Author: Andreas Schwab <schwab@suse.de>
Date: Wed Nov 28 10:24:06 2012 +0100
Properly handle indirect functions in ABI check on powerpc64
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8282b7f2aa6380e8a91515f748d4693d8151fc4f
commit 8282b7f2aa6380e8a91515f748d4693d8151fc4f
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Fri Apr 26 13:00:56 2013 -0500
PowerPC: modf optimization fix
This patch fix the 3c0265394d9ffedff2b0de508602dc52e077ce5c commits
by correctly setting minimum architecture for modf PPC optimization
to power5+ instead of power5 (since only on power5+ round/ceil will
be inline to inline assembly).
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=17e599d2613c2a2e4cb6d5c3f9d5f626879aa63f
commit 17e599d2613c2a2e4cb6d5c3f9d5f626879aa63f
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Mon Mar 25 16:10:06 2013 -0500
PowerPC: modf optimization
This patch implements modf/modff optimization for POWER by focus
on FP operations instead of relying in integer ones.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=60dc6d12c5c61b05013cb15f63349dd3d343f26d
commit 60dc6d12c5c61b05013cb15f63349dd3d343f26d
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Wed Mar 13 10:46:08 2013 -0300
PowerPC: Change sched_getcpu to use vDSO getcpu instead of syscall.
Backport of d5e0b9bd6e296f3ec5263fa296d39f3fed9b8fa2.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=cc328ae264f5b97d2811a95d84112bb1c6c7cae3
commit cc328ae264f5b97d2811a95d84112bb1c6c7cae3
Author: Adhemerval Zanella <azanella@linux.vnet.ibm.com>
Date: Mon Mar 4 22:02:41 2013 -0300
PowerPC: gettimeofday optimization by using IFUNC
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=36016f626e72f5d1cb6107deeab29768d82ff7e3
commit 36016f626e72f5d1cb6107deeab29768d82ff7e3
Merge: 4e1f97c 043c748
Author: Ryan S. Arnold <rsa@linux.vnet.ibm.com>
Date: Fri Mar 1 16:20:18 2013 -0600
Merge remote branch 'remotes/origin/release/2.16/master' into
local_ibm_2.16
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4e1f97ccdcc257eba262667f7a3179a7d530330d
commit 4e1f97ccdcc257eba262667f7a3179a7d530330d
Author: Mike Frysinger <vapier@gentoo.org>
Date: Wed Nov 28 23:04:32 2012 -0500
byteswap.h: fix gcc ver test for __builtin_bswap{32,64}
The __builtin_bswap* functions were introduced in gcc-4.3, not gcc-4.2.
Fix the __GNUC_PREREQ tests to reflect this.
Otherwise trying to compile code with gcc-4.2 falls down:
In file included from /usr/include/endian.h:60,
from /usr/include/ctype.h:40,
/usr/include/bits/byteswap.h: In function 'unsigned int __bswap_32(unsigned
int)':
/usr/include/bits/byteswap.h:46: error: '__builtin_bswap32' was not
declared in this scope
/usr/include/bits/byteswap.h: In function 'long long unsigned int
__bswap_64(long long unsigned int)':
/usr/include/bits/byteswap.h:110: error: '__builtin_bswap64' was not
declared in this scope
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
(cherry picked from commit c9d6789ebe028a260d3e5be0c26b7d02fdfe99fe)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=025b233a88a30f5f0474ff2c6051313eb33e5689
commit 025b233a88a30f5f0474ff2c6051313eb33e5689
Author: Joseph Myers <joseph@codesourcery.com>
Date: Tue Nov 20 00:04:45 2012 +0000
Fix __bswap_64 return type in generic bits/byteswap.h.
(cherry picked from commit ecd4caf9783c99fb068a100c35899a0c3a3c6d98)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2c739e2cffb65d80787cfa861f9f6c62de327ad6
commit 2c739e2cffb65d80787cfa861f9f6c62de327ad6
Author: H.J. Lu <hjl.tools@gmail.com>
Date: Fri Oct 12 09:21:47 2012 -0700
Use __uint64_t in x86 __bswap_64
(cherry picked from commit d394eb742a3565d7fe7a4b02710a60b5f219ee64)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a24f8ac8e65b451efc81839dd653d0a0e95a23ab
commit a24f8ac8e65b451efc81839dd653d0a0e95a23ab
Author: Andreas Schwab <schwab@linux-m68k.org>
Date: Tue May 1 17:10:10 2012 +0200
Fix missing _mcount@GLIBC_2.0 on powerpc32
(cherry picked from commit 261f485936b283f4327fc1f2fc8fd1705d805c12)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=94464655b576985fdd5f66f7f6126ee1f92a41cc
commit 94464655b576985fdd5f66f7f6126ee1f92a41cc
Author: Peter Bergner <bergner@vnet.ibm.com>
Date: Fri Jul 6 13:24:49 2012 -0500
Add AT_PLATFORM env variable to ld.so to override auxv AT_PLATFORM.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d846920271a0f4dc54c0dbbd56998228e75e776c
commit d846920271a0f4dc54c0dbbd56998228e75e776c
Author: Ryan S. Arnold <rsa@linux.vnet.ibm.com>
Date: Fri Jul 6 13:03:09 2012 -0500
Remove assert() if DT_RUNPATH and DT_RPATH flags are found in ld.so.
-----------------------------------------------------------------------
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 19+ messages in thread* [Bug libc/14699] readdir_r: does not enforce NAME_MAX limit (CVE-2013-4237)
2012-10-11 9:49 [Bug libc/14699] New: readdir_r: does not enforce NAME_MAX limit fweimer at redhat dot com
` (16 preceding siblings ...)
2015-02-23 15:03 ` cvs-commit at gcc dot gnu.org
@ 2015-02-24 10:56 ` fweimer at redhat dot com
17 siblings, 0 replies; 19+ messages in thread
From: fweimer at redhat dot com @ 2015-02-24 10:56 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=14699
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Alias| |CVE-2013-4237
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 19+ messages in thread