Re: [2.29 COMMITTED] regex: fix read overrun [BZ #24114]

Re: [2.29 COMMITTED] regex: fix read overrun [BZ #24114]

[Paul Eggert]

On 3/18/19 4:18 PM, Rafal Luzynski wrote:
> As far as I know the date in the ChangeLog should be the date
> when the change was pushed to the git repository, not when the
> patch was authored.  In case of the stable branches it should be
> the date when it was pushed to the stable branch, not when it was
> pushed to master.  Shall we change this?

I prefer ChangeLog dates to be in temporal order, so I like the rule
you're suggesting. Although Git works wonders with branching time, it
can still be a pain to spelunk when the timestamps aren't linear.

If/when we start generating ChangeLogs automatically, I hope the dates
will continue to be in temporal order.

Re: [2.29 COMMITTED] regex: fix read overrun [BZ #24114]

[Rafal Luzynski]

19.03.2019 13:03 Aurelien Jarno <aurelien@aurel32.net> wrote:
> [...]
> In practice looking at the glibc 2.28 branch (the 2.29 has very few
> commit, and most of them backported immediately after being committed to
> the master branch), it appears that both practices are common. I have
> attached a patch fixing the commit dates to give an example of the
> impact.

Now I have looked at ChangeLog in 2.28 and I agree with you.  The dates
look pretty random and nobody complains.  I am not going to be the only
one who complains, this really does not hurt me.  I only (wrongly) thought
this was required.

In case of 2.29, as you said, there are few commits after the release
so we may fix the dates or just ignore, if nobody cares.

> I think we should just decide a rule, fix the wrong entries if needed,
> and apply it to new commits. On my side I am undecided what is the best
> option.

I am undecided as well but I will not ask for an additional work for
maintainers if nobody needs this.

> [1]
> https://sourceware.org/glibc/wiki/GlibcGit?Cherry_Pick_Changes_From_Another_Branch

Thanks for this link, by the way.

Regards,

Rafal

Re: [2.29 COMMITTED] regex: fix read overrun [BZ #24114]

[Rafal Luzynski]

19.03.2019 17:32 Florian Weimer <fw@deneb.enyo.de> wrote:
> 
> * Rafal Luzynski:
> 
> > As far as I know the date in the ChangeLog should be the date
> > when the change was pushed to the git repository, not when the
> > patch was authored.
> 
> I have been following this more or less meticulously for master, but

Thank you.

> does anyone know the rationale for it?

I guess the original reason was to know when a particular change was
actually pushed to master and thus made official.  It's not much helpful
to know when a patch was authored which may actually be the date when
the original author had started working on this (rather than finished).

I think somebody told this on libc-alpha but indeed, it was in the
context of the master branch.

> [...]
> At commit/push time (not at contribution time), the copyright
> assignment may no longer be in effect for new contributions from the
> same person, after all.

I am not a lawyer so I should not speak about it... But should the
commit/push ever happen if the copyright assignment is no longer in
effect?

Just to summarize, I am not asking for any specific rule for dates
in ChangeLog in stable branches because I can see now that nobody
needs such a rule.  Regarding the master branch, I'm not sure about
the rules but I can see that everybody (or almost everybody) update
the dates to the current date when pushing which is OK.

Regards,

Rafal

[2.29 COMMITTED] regex: fix read overrun [BZ #24114]

[Aurelien Jarno]

From: Paul Eggert <eggert@cs.ucla.edu>

Problem found by AddressSanitizer, reported by Hongxu Chen in:
https://debbugs.gnu.org/34140
* posix/regexec.c (proceed_next_node):
Do not read past end of input buffer.

(cherry picked from commit 583dd860d5b833037175247230a328f0050dbfe9)
---
 ChangeLog       | 8 ++++++++
 posix/regexec.c | 6 ++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 90558e434ce..fb88626efe1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2019-01-31  Paul Eggert  <eggert@cs.ucla.edu>
+
+	regex: fix read overrun [BZ #24114]
+	Problem found by AddressSanitizer, reported by Hongxu Chen in:
+	https://debbugs.gnu.org/34140
+	* posix/regexec.c (proceed_next_node):
+	Do not read past end of input buffer.
+
 2019-03-13  Stefan Liebler  <stli@linux.ibm.com>
 
 	* elf/dl-sysdep.c (_dl_show_auxv): Remove condition and always
diff --git a/posix/regexec.c b/posix/regexec.c
index 91d5a797b82..084b1222d95 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -1293,8 +1293,10 @@ proceed_next_node (const re_match_context_t *mctx, Idx nregs, regmatch_t *regs,
 	      else if (naccepted)
 		{
 		  char *buf = (char *) re_string_get_buffer (&mctx->input);
-		  if (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx,
-			      naccepted) != 0)
+		  if (mctx->input.valid_len - *pidx < naccepted
+		      || (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx,
+				  naccepted)
+			  != 0))
 		    return -1;
 		}
 	    }
-- 
2.20.1

Re: [2.29 COMMITTED] regex: fix read overrun [BZ #24114]

[Florian Weimer]

* Rafal Luzynski:

>> [...]
>> At commit/push time (not at contribution time), the copyright
>> assignment may no longer be in effect for new contributions from the
>> same person, after all.
>
> I am not a lawyer so I should not speak about it... But should the
> commit/push ever happen if the copyright assignment is no longer in
> effect?

I wrote “new contributions”.  We deal with past contributions all the
time whose author would no longer be covered by a copyright assignment
for a hypothetical new contribution.  Most of the time, these
contributions are already in the source tree, and we adapt them, but
not always.  The usual cause of such discrepancies is when authors do
not enter copyright assignments with the FSF, but rely on their
employers' pre-existing assignments and the fact that the employer
owns the copyright in a work-for-hire scenario.

Re: [2.29 COMMITTED] regex: fix read overrun [BZ #24114]

[Florian Weimer]

* Rafal Luzynski:

> As far as I know the date in the ChangeLog should be the date
> when the change was pushed to the git repository, not when the
> patch was authored.

I have been following this more or less meticulously for master, but
does anyone know the rationale for it?  I find it peculiar because we
may end up with a date/email address combination that is completely
bogus.  I find it difficult to believe that anyone would prefer this.
At commit/push time (not at contribution time), the copyright
assignment may no longer be in effect for new contributions from the
same person, after all.

I don't adjust dates for backports, mostly due to the risk of making
mistakes.

Re: [2.29 COMMITTED] regex: fix read overrun [BZ #24114]

[Aurelien Jarno]

[-- Attachment #1: Type: text/plain, Size: 1737 bytes --]

On 2019-03-19 00:18, Rafal Luzynski wrote:
> 16.03.2019 23:31 Aurelien Jarno <aurelien@aurel32.net> wrote:
> > [...]
> > diff --git a/ChangeLog b/ChangeLog
> > index 90558e434ce..fb88626efe1 100644
> > --- a/ChangeLog
> > +++ b/ChangeLog
> > @@ -1,3 +1,11 @@
> > +2019-01-31  Paul Eggert  <eggert@cs.ucla.edu>
> > +
> > +	regex: fix read overrun [BZ #24114]
> > +	Problem found by AddressSanitizer, reported by Hongxu Chen in:
> > +	https://debbugs.gnu.org/34140
> > +	* posix/regexec.c (proceed_next_node):
> > +	Do not read past end of input buffer.
> > +
> 
> As far as I know the date in the ChangeLog should be the date
> when the change was pushed to the git repository, not when the
> patch was authored.  In case of the stable branches it should be
> the date when it was pushed to the stable branch, not when it was
> pushed to master.  Shall we change this?

Thanks for pointing that out. It appears we do not have a clear process
about that, at least [1] doesn't say the date should be updated after a
cherry-pick, and it doesn't say the contrary either.

In practice looking at the glibc 2.28 branch (the 2.29 has very few
commit, and most of them backported immediately after being committed to
the master branch), it appears that both practices are common. I have
attached a patch fixing the commit dates to give an example of the
impact.

I think we should just decide a rule, fix the wrong entries if needed,
and apply it to new commits. On my side I am undecided what is the best
option.

Regards,
Aurelien

[1] https://sourceware.org/glibc/wiki/GlibcGit?Cherry_Pick_Changes_From_Another_Branch

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net

[-- Attachment #2: glibc-2.28-changelog-fix-date.patch --]
[-- Type: text/x-diff, Size: 13554 bytes --]

diff --git a/ChangeLog b/ChangeLog
index 5667d9262b..4b52e4754e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,4 @@
-2019-01-31  Paul Eggert  <eggert@cs.ucla.edu>
+2019-03-16  Paul Eggert  <eggert@cs.ucla.edu>
 
 	CVE-2019-9169
 	regex: fix read overrun [BZ #24114]
@@ -7,14 +7,14 @@
 	* posix/regexec.c (proceed_next_node):
 	Do not read past end of input buffer.
 
-2018-11-07  Andreas Schwab  <schwab@suse.de>
+2019-03-14  Andreas Schwab  <schwab@suse.de>
 
 	[BZ #23864]
 	* sysdeps/unix/sysv/linux/riscv/kernel-features.h
 	(__ASSUME_SET_ROBUST_LIST) [__LINUX_KERNEL_VERSION < 0x041400]:
 	Undef.
 
-2018-09-21  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+2019-02-27  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
 
 	* NEWS: Add note about new TLE support on powerpc64le.
 	* sysdeps/powerpc/nptl/tcb-offsets.sym (TM_CAPABLE): Remove.
@@ -34,7 +34,7 @@
 	usage.
 	* sysdeps/unix/sysv/linux/powerpc/not-errno.h: Remove file.
 
-2019-01-13  Jim Wilson  <jimw@sifive.com>
+2019-02-19  Jim Wilson  <jimw@sifive.com>
 
 	[BZ #24040]
 	* elf/Makefile (CFLAGS-tst-unwind-main.c): Add -DUSE_PTHREADS=0.
@@ -48,7 +48,7 @@
 	* sysdeps/unix/sysv/linux/riscv/clone.S (__thread_start): Mark ra
 	as undefined.
 
-2019-01-31  Carlos O'Donell  <carlos@redhat.com>
+2019-02-17  Carlos O'Donell  <carlos@redhat.com>
 	    Torvald Riegel  <triegel@redhat.com>
 	    Rik Prohaska  <prohaska7@gmail.com>
 
@@ -91,7 +91,7 @@
 	* nscd/gai.c: Include <arpa/inet.h> and change visibility of
 	__inet_aton_exact.
 
-2019-01-21  Florian Weimer  <fweimer@redhat.com>
+2019-02-04  Florian Weimer  <fweimer@redhat.com>
 
 	[BZ #20018]
 	CVE-2016-10739
@@ -124,7 +124,7 @@
 	* resolv/tst-resolv-nondecimal.c: Likewise.
 	* sysdeps/posix/getaddrinfo.c (gaih_inet): Call __inet_aton_exact.
 
-2019-01-18  Florian Weimer  <fweimer@redhat.com>
+2019-02-04  Florian Weimer  <fweimer@redhat.com>
 
 	[BZ #24112]
 	resolv: Do not send queries for non-host-names in nss_dns.
@@ -133,7 +133,7 @@
 	(_nss_dns_gethostbyname_r): Likewise.
 	(_nss_dns_gethostbyname4_r): Likewise.
 
-2019-01-21  Florian Weimer  <fweimer@redhat.com>
+2019-02-04  Florian Weimer  <fweimer@redhat.com>
 
 	* resolv/inet_addr.c: Reformat to GNU style.
 	(__inet_addr, __inet_aton): Update comment.
@@ -250,7 +250,7 @@
 	* math/libm-test-fma.inc (fma_test_data): Set
 	XFAIL_ROUNDING_IBM128_LIBGCC to more tests.
 
-2019-01-07  Aurelien Jarno  <aurelien@aurel32.net>
+2019-01-08  Aurelien Jarno  <aurelien@aurel32.net>
 
 	[BZ #24024]
 	* Makeconfig: Build libm with -fno-math-errno but build the remaining
@@ -266,14 +266,14 @@
 	DIAG_PUSH_NEEDS_COMMENT, DIAG_IGNORE_NEEDS_COMMENT and
 	DIAG_POP_NEEDS_COMMENT to disable -Wmaybe-uninitialized.
 
-2019-01-02  Aurelien Jarno  <aurelien@aurel32.net>
+2019-01-03  Aurelien Jarno  <aurelien@aurel32.net>
 
 	[BZ #24034]
 	* sysdeps/unix/sysv/linux/arm/atomic-machine.h
 	(__arm_assisted_compare_and_exchange_val_32_acq): Use uint32_t rather
 	than __typeof (...) for the a_ptr variable.
 
-2018-12-31  H.J. Lu  <hongjiu.lu@intel.com>
+2019-01-03  H.J. Lu  <hongjiu.lu@intel.com>
 
 	[BZ #24022]
 	* sysdeps/unix/sysv/linux/riscv/flush-icache.c: Check if
@@ -285,7 +285,7 @@
 	* intl/dcigettext.c (DCIGETTEXT): Do not return NULL on asprintf
 	failure.
 
-2018-12-31  Florian Weimer  <fw@deneb.enyo.de>
+2019-01-01  Florian Weimer  <fw@deneb.enyo.de>
 
 	[BZ #24027]
 	* malloc/malloc.c (_int_realloc): Always call memcpy for the
@@ -296,7 +296,7 @@
 
 	* sysdeps/alpha/fpu/libm-test-ulps: Regenerated.
 
-2018-12-18  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+2018-12-19  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
 	    James Clarke  <jrtc27@jrtc27.com>
 
 	[BZ #23967]
@@ -318,7 +318,7 @@
 	* sysdeps/unix/sysv/linux/s390/kernel_sigaction.h: Likewise.
 	* sysdeps/unix/sysv/linux/x86_64/sigaction.c: Likewise.
 
-2018-10-30  Andreas Schwab  <schwab@suse.de>
+2018-12-15  Andreas Schwab  <schwab@suse.de>
 
 	[BZ #23125]
 	* sysdeps/riscv/start.S (ENTRY_POINT): Mark ra as undefined.
@@ -342,7 +342,7 @@
 	* nptl/tst-rwlock-pwn.c: New file.
 	* nptl/Makefile (tests): Add tst-rwlock-pwn.
 
-2018-12-12  Tulio Magno Quites Machado Filho  <tuliom@linux.ibm.com>
+2018-12-13  Tulio Magno Quites Machado Filho  <tuliom@linux.ibm.com>
 
 	[BZ #23614]
 	* sysdeps/powerpc/powerpc64/addmul_1.S (FUNC): Add CFI offset for
@@ -350,20 +350,20 @@
 	* sysdeps/powerpc/powerpc64/lshift.S (__mpn_lshift): Likewise.
 	* sysdeps/powerpc/powerpc64/mul_1.S (__mpn_mul_1): Likewise.
 
-2018-12-07  DJ Delorie  <dj@redhat.com>
+2018-12-12  DJ Delorie  <dj@redhat.com>
 
 	[BZ #23907]
 	* malloc/tst-tcfree3.c: New.
 	* malloc/Makefile: Add it.
 
-2018-12-07  Florian Weimer  <fweimer@redhat.com>
+2018-12-12  Florian Weimer  <fweimer@redhat.com>
 
 	[BZ #23927]
 	CVE-2018-19591
 	* inet/tst-if_index-long.c: New file.
 	* inet/Makefile (tests): Add tst-if_index-long.
 
-2018-12-07  Florian Weimer  <fweimer@redhat.com>
+2018-12-12  Florian Weimer  <fweimer@redhat.com>
 
 	* support/check.h (support_record_failure_is_failed): Declare.
 	* support/descriptors.h: New file.
@@ -374,18 +374,18 @@
 	* support/Makefile (libsupport-routines): Add support_descriptors.
 	(tests): Add tst-support_descriptors.
 
-2018-12-01  Florian Weimer  <fweimer@redhat.com>
+2018-12-12  Florian Weimer  <fweimer@redhat.com>
 
 	* support/support_capture_subprocess.c
 	(support_capture_subprocess): Check that pipe descriptors have
 	expected values.  Close original pipe descriptors in subprocess.
 
-2018-11-28  Florian Weimer  <fweimer@redhat.com>
+2018-12-12  Florian Weimer  <fweimer@redhat.com>
 
 	* support/support.h (support_quote_string): Do not use str
 	parameter name.
 
-2018-11-27  Florian Weimer  <fweimer@redhat.com>
+2018-12-12  Florian Weimer  <fweimer@redhat.com>
 
 	* support/support.h (support_quote_string): Declare.
 	* support/support_quote_string.c: New file.
@@ -404,7 +404,7 @@
 	* sysdeps/unix/sysv/linux/tst-readdir64-compat.c (do_test): Check
 	that d_off is never zero.
 
-2018-11-30  Tulio Magno Quites Machado Filho  <tuliom@linux.ibm.com>
+2018-12-07  Tulio Magno Quites Machado Filho  <tuliom@linux.ibm.com>
 
 	[BZ #23690]
 	* elf/dl-runtime.c (_dl_profile_fixup): Guarantee memory
@@ -419,7 +419,7 @@
 	* nptl/tst-audit-threads.c: Likewise.
 	* nptl/tst-audit-threads.h: Likewise.
 
-2018-11-26  Florian Weimer  <fweimer@redhat.com>
+2018-11-28  Florian Weimer  <fweimer@redhat.com>
 
 	[BZ #23907]
 	* malloc/malloc.c (_int_free): Validate tc_idx before checking for
@@ -439,7 +439,7 @@
 
 	* dlfcn/dlerror.c (check_free): Prevent double frees.
 
-2018-11-27  Florian Weimer  <fweimer@redhat.com>
+2018-12-12  Florian Weimer  <fweimer@redhat.com>
 
 	[BZ #23927]
 	CVE-2018-19591
@@ -453,23 +453,23 @@
 	(signal_handler): Use it to print the termination time and the
 	time of the last write to standard output.
 
-2018-10-09  Szabolcs Nagy  <szabolcs.nagy@arm.com>
+2018-11-19  Szabolcs Nagy  <szabolcs.nagy@arm.com>
 
 	* libio/tst-readline.c (TIMEOUT): Define.
 
-2018-10-22  Joseph Myers  <joseph@codesourcery.com>
+2018-11-09  Joseph Myers  <joseph@codesourcery.com>
 
 	* sysdeps/unix/sysv/linux/syscall-names.list: Update kernel
 	version to 4.19.
 
-2018-09-18  Paul Eggert  <eggert@cs.ucla.edu>
+2018-11-09  Paul Eggert  <eggert@cs.ucla.edu>
 
 	Fix tzfile low-memory assertion failure
 	[BZ #21716]
 	* time/tzfile.c (__tzfile_read): Check for memory exhaustion
 	when registering time zone abbreviations.
 
-2018-08-31  Paul Pluzhnikov  <ppluzhnikov@google.com>
+2018-11-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
 
 	[BZ #20271]
 	* include/stdio.h (__libc_fatal): Mention newline in comment.
@@ -491,7 +491,7 @@
 	* sysdeps/unix/sysv/linux/netlink_assert_response.c
 	(__netlink_assert_response): Likewise.
 
-2018-08-28  Florian Weimer  <fweimer@redhat.com>
+2018-11-09  Florian Weimer  <fweimer@redhat.com>
 
 	[BZ #23520]
 	nscd: Fix use-after-free in addgetnetgrentX and its callers.
@@ -503,23 +503,23 @@
 	(addgetnetgrent): Call it.
 	(readdgetnetgrent): Likewise.
 
-2018-08-16  DJ Delorie  <dj@delorie.com>
+2018-11-09  DJ Delorie  <dj@delorie.com>
 
 	* malloc/malloc.c (_int_free): Check for corrupt prev_size vs size.
 	(malloc_consolidate): Likewise.
 
-2018-08-16  Pochang Chen  <johnchen902@gmail.com>
+2018-11-09  Pochang Chen  <johnchen902@gmail.com>
 
 	* malloc/malloc.c (_int_malloc.c): Verify size of top chunk.
 
-2018-08-13  Joseph Myers  <joseph@codesourcery.com>
+2018-11-09  Joseph Myers  <joseph@codesourcery.com>
 
 	* sysdeps/unix/sysv/linux/syscall-names.list: Update kernel
 	version to 4.18.
 	(io_pgetevents): New syscall.
 	(rseq): Likewise.
 
-2018-11-08  Alexandra Hájková  <ahajkova@redhat.com>
+2018-11-09  Alexandra Hájková  <ahajkova@redhat.com>
 
 	[BZ #17630]
 	* resolv/tst-resolv-network.c: Add test for getnetbyname.
@@ -534,33 +534,33 @@
 	* sysdeps/x86/link_map.h (l_cet): Expand to 3 bits,  Add
 	lc_unknown.
 
-2018-11-05  Andreas Schwab  <schwab@suse.de>
+2018-11-06  Andreas Schwab  <schwab@suse.de>
 
 	[BZ #22927]
 	* resolv/gai_misc.c (__gai_enqueue_request): Don't crash if
 	creating the first helper thread failed.
 
-2018-10-23  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+2018-11-02  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
 
 	[BZ #23709]
 	* sysdeps/x86/cpu-features.c (init_cpu_features): Set TSX bits
 	independently of other flags.
 
-2018-10-30  Florian Weimer  <fweimer@redhat.com>
+2018-11-02  Florian Weimer  <fweimer@redhat.com>
 
 	* stdlib/tst-strtod-overflow.c (do_test): Switch to
 	support_blob_repeat.
 
-2018-10-30  Florian Weimer  <fweimer@redhat.com>
+2018-11-02  Florian Weimer  <fweimer@redhat.com>
 
 	* support/blob_repeat.c (allocate_big): Call mkstemp directly.
 
-2018-10-30  Florian Weimer  <fweimer@redhat.com>
+2018-11-02  Florian Weimer  <fweimer@redhat.com>
 
 	* stdlib/test-bz22786.c (do_test): Additional free calls to avoid
 	memory leaks.
 
-2018-10-30  Florian Weimer  <fweimer@redhat.com>
+2018-11-02  Florian Weimer  <fweimer@redhat.com>
 
 	Avoid spurious test failures in stdlib/test-bz22786.
 	* support/Makefile (libsupport-routines): Add blob_repeat.
@@ -571,12 +571,12 @@
 	* stdlib/test-bz22786.c (do_test): Replace malloc and memset with
 	support_blob_repeat_allocate.
 
-2018-08-30  Stefan Liebler  <stli@linux.ibm.com>
+2018-11-02  Stefan Liebler  <stli@linux.ibm.com>
 
 	* stdlib/test-bz22786.c (do_test): Return EXIT_UNSUPPORTED
 	if malloc fails.
 
-2018-08-24  Paul Pluzhnikov  <ppluzhnikov@google.com>
+2018-11-02  Paul Pluzhnikov  <ppluzhnikov@google.com>
 
         [BZ #23400]
         * stdlib/test-bz22786.c (do_test): Fix undefined behavior, don't
@@ -589,7 +589,7 @@
 	* sysdeps/ia64/fpu/e_log2f.S (log2f): Likewise.
 	* sysdeps/ia64/fpu/e_exp2f.S (powf): Likewise.
 
-2018-10-25  Florian Weimer  <fweimer@redhat.com>
+2018-10-26  Florian Weimer  <fweimer@redhat.com>
 
 	[BZ #23562]
 	[BZ #23821]
@@ -602,13 +602,13 @@
 	sparc64.
 	* conform/data/sys/wait.h-data (siginfo_t): Likewise.
 
-2018-10-19  Ilya Yu. Malakhov  <malakhov@mcst.ru>
+2018-10-22  Ilya Yu. Malakhov  <malakhov@mcst.ru>
 
 	[BZ #23562]
 	* sysdeps/unix/sysv/linux/bits/types/siginfo_t.h
 	(struct siginfo_t): Use correct type for si_band.
 
-2018-10-17  Stefan Liebler  <stli@linux.ibm.com>
+2018-10-18  Stefan Liebler  <stli@linux.ibm.com>
 
 	[BZ #23275]
 	* nptl/tst-mutex10.c: New File.
@@ -685,7 +685,7 @@
 	(_start): Use ENTRY/END to insert ENDBR32 at entry when CET is
 	enabled.  Add cfi_undefined (eip).
 
-2018-09-19  Wilco Dijkstra  <wdijkstr@arm.com>
+2018-09-21  Wilco Dijkstra  <wdijkstr@arm.com>
 
 	[BZ #23637]
 	* string/test-strstr.c (pr23637): New function.
@@ -693,7 +693,7 @@
 	* string/strcasestr.c (AVAILABLE): Fix readahead distance.
 	* string/strstr.c (AVAILABLE): Likewise.
 
-2018-09-19  Carlos O'Donell  <carlos@redhat.com>
+2018-09-20  Carlos O'Donell  <carlos@redhat.com>
 
 	* stdlib/tst-setcontext9.c (f1): Rename to...
 	(f1a): ... this.
@@ -710,7 +710,7 @@
 	* sysdeps/unix/sysv/linux/gethostid.c (gethostid): Check for NULL
 	value from gethostbyname_r.
 
-2018-09-06  Stefan Liebler  <stli@linux.ibm.com>
+2018-09-10  Stefan Liebler  <stli@linux.ibm.com>
 
 	* sysdeps/unix/sysv/linux/spawni.c (maybe_script_execute):
 	Increment size of new_argv by one.
@@ -722,7 +722,7 @@
 	* posix/Makefile (tests): Add it.
 	(tst-regcomp-truncated.out): Depend on generated locales.
 
-2018-08-25  Paul Eggert  <eggert@cs.ucla.edu>
+2018-08-28  Paul Eggert  <eggert@cs.ucla.edu>
 
 	[BZ #23578]
 	regex: fix uninitialized memory access
@@ -745,7 +745,7 @@
 	Update r to include the set wake-request flag if waiters are
 	remaining after spinning.
 
-2018-08-03  DJ Delorie  <dj@redhat.com>
+2018-08-22  DJ Delorie  <dj@redhat.com>
 
 	* sysdeps/riscv/rvf/math_private.h (libc_feholdexcept_setround_riscv):
 	Move libc_fesetround_riscv after libc_feholdexcept_riscv.
@@ -770,7 +770,7 @@
 	* nscd/nscd_conf.c (nscd_parse_file): Deallocate old storage for
 	server_user, stat_user.
 
-2018-08-13  Florian Weimer  <fweimer@redhat.com>
+2018-08-14  Florian Weimer  <fweimer@redhat.com>
 
 	* misc/error.c (error): Add missing va_end call.
 	(error_at_line): Likewise.

Re: [2.29 COMMITTED] regex: fix read overrun [BZ #24114]

[Rafal Luzynski]

16.03.2019 23:31 Aurelien Jarno <aurelien@aurel32.net> wrote:
> [...]
> diff --git a/ChangeLog b/ChangeLog
> index 90558e434ce..fb88626efe1 100644
> --- a/ChangeLog
> +++ b/ChangeLog
> @@ -1,3 +1,11 @@
> +2019-01-31  Paul Eggert  <eggert@cs.ucla.edu>
> +
> +	regex: fix read overrun [BZ #24114]
> +	Problem found by AddressSanitizer, reported by Hongxu Chen in:
> +	https://debbugs.gnu.org/34140
> +	* posix/regexec.c (proceed_next_node):
> +	Do not read past end of input buffer.
> +

As far as I know the date in the ChangeLog should be the date
when the change was pushed to the git repository, not when the
patch was authored.  In case of the stable branches it should be
the date when it was pushed to the stable branch, not when it was
pushed to master.  Shall we change this?

Here is a correct example:

>  2019-03-13  Stefan Liebler  <stli@linux.ibm.com>
>  
>  	* elf/dl-sysdep.c (_dl_show_auxv): Remove condition and always

The same issue in 2.28 branch.

Regards,

Rafal

[2.29 COMMITTED] Record CVE-2019-9169 in NEWS and ChangeLog [BZ #24114]

[Aurelien Jarno]

(cherry picked from commit b626c5aa5d0673a9caa48fb79fba8bda237e6fa8)
---
 ChangeLog | 1 +
 NEWS      | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index fb88626efe1..80413dd5608 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
 2019-01-31  Paul Eggert  <eggert@cs.ucla.edu>
 
+	CVE-2019-9169
 	regex: fix read overrun [BZ #24114]
 	Problem found by AddressSanitizer, reported by Hongxu Chen in:
 	https://debbugs.gnu.org/34140
diff --git a/NEWS b/NEWS
index 340e06d0f4f..271bf7a2cd6 100644
--- a/NEWS
+++ b/NEWS
@@ -24,6 +24,10 @@ Security related changes:
   memcmp gave the wrong result since it treated the size argument as
   zero.  Reported by H.J. Lu.
 
+  CVE-2019-9169: Attempted case-insensitive regular-expression match
+  via proceed_next_node in posix/regexec.c leads to heap-based buffer
+  over-read.  Reported by Hongxu Chen.
+
 \f
 Version 2.29
 
-- 
2.20.1