[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH] gnu: glibc: Fix CVE-2014-5519
From: |
mhw |
Subject: |
[PATCH] gnu: glibc: Fix CVE-2014-5519 |
Date: |
Tue, 26 Aug 2014 15:16:18 -0400 |
I'll push this patch to core-updates as soon as I've tested it.
https://sourceware.org/bugzilla/show_bug.cgi?id=17187
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8
http://googleprojectzero.blogspot.co.nz/2014/08/the-poisoned-nul-byte-2014-edition.html
I'm not sure what we should do on 'master'. Thoughts?
Mark
>From 4b5770796955011e2a7b2166b38f8f6b3a6d6757 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <address@hidden>
Date: Tue, 26 Aug 2014 14:44:14 -0400
Subject: [PATCH] gnu: glibc: Fix CVE-2014-5519.
* gnu/packages/patches/glibc-CVE-2014-5519.patch: New file.
* gnu-system.am (dist_patch_DATA): Add it.
* gnu/packages/base.scm (glibc): Add the patch.
---
gnu-system.am | 1 +
gnu/packages/base.scm | 3 +-
gnu/packages/patches/glibc-CVE-2014-5519.patch | 211 +++++++++++++++++++++++++
3 files changed, 214 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/glibc-CVE-2014-5519.patch
diff --git a/gnu-system.am b/gnu-system.am
index f24da85..a14781b 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -311,6 +311,7 @@ dist_patch_DATA =
\
gnu/packages/patches/glib-tests-prlimit.patch \
gnu/packages/patches/glib-tests-timer.patch \
gnu/packages/patches/glibc-bootstrap-system.patch \
+ gnu/packages/patches/glibc-CVE-2014-5519.patch \
gnu/packages/patches/glibc-ldd-x86_64.patch \
gnu/packages/patches/gnunet-fix-scheduler.patch \
gnu/packages/patches/gnunet-fix-tests.patch \
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 30176cf..8c4f0eb 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -384,7 +384,8 @@ library for working with executable and object formats is
also included.")
(("use_ldconfig=yes")
"use_ldconfig=no")))
(modules '((guix build utils)))
- (patches (list (search-patch "glibc-ldd-x86_64.patch")))))
+ (patches (list (search-patch "glibc-CVE-2014-5519.patch")
+ (search-patch "glibc-ldd-x86_64.patch")))))
(build-system gnu-build-system)
;; Glibc's <limits.h> refers to <linux/limit.h>, for instance, so glibc
diff --git a/gnu/packages/patches/glibc-CVE-2014-5519.patch
b/gnu/packages/patches/glibc-CVE-2014-5519.patch
new file mode 100644
index 0000000..fc9acd4
--- /dev/null
+++ b/gnu/packages/patches/glibc-CVE-2014-5519.patch
@@ -0,0 +1,211 @@
+Remove support for loadable gconv transliteration modules.
+The support for transliteration modules has been non-functional for
+over a decade, and the removal is prompted by security defects. The
+normal gconv conversion modules are still supported. Transliteration
+with //TRANSLIT is still possible, and the //IGNORE specifier
+continues to be supported. (CVE-2014-5519)
+
+Based on upstream commit a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8 by
+Florian Weimer <address@hidden>.
+
+--- glibc-2.19/ChangeLog.orig 2014-02-07 04:04:38.000000000 -0500
++++ glibc-2.19/ChangeLog 2014-08-26 14:35:12.368861387 -0400
+@@ -1,3 +1,10 @@
++2014-08-26 Florian Weimer <address@hidden>
++
++ [BZ #17187]
++ * iconv/gconv_trans.c (struct known_trans, search_tree, lock,
++ trans_compare, open_translit, __gconv_translit_find):
++ Remove module loading code.
++
+ 2014-02-06 Carlos O'Donell <address@hidden>
+
+ [BZ #16529]
+--- glibc-2.19/iconv/gconv_trans.c.orig 2014-02-07 04:04:38.000000000
-0500
++++ glibc-2.19/iconv/gconv_trans.c 2014-08-26 14:37:26.269525364 -0400
+@@ -238,181 +238,12 @@
+ return __GCONV_ILLEGAL_INPUT;
+ }
+
+-
+-/* Structure to represent results of found (or not) transliteration
+- modules. */
+-struct known_trans
+-{
+- /* This structure must remain the first member. */
+- struct trans_struct info;
+-
+- char *fname;
+- void *handle;
+- int open_count;
+-};
+-
+-
+-/* Tree with results of previous calls to __gconv_translit_find. */
+-static void *search_tree;
+-
+-/* We modify global data. */
+-__libc_lock_define_initialized (static, lock);
+-
+-
+-/* Compare two transliteration entries. */
+-static int
+-trans_compare (const void *p1, const void *p2)
+-{
+- const struct known_trans *s1 = (const struct known_trans *) p1;
+- const struct known_trans *s2 = (const struct known_trans *) p2;
+-
+- return strcmp (s1->info.name, s2->info.name);
+-}
+-
+-
+-/* Open (maybe reopen) the module named in the struct. Get the function
+- and data structure pointers we need. */
+-static int
+-open_translit (struct known_trans *trans)
+-{
+- __gconv_trans_query_fct queryfct;
+-
+- trans->handle = __libc_dlopen (trans->fname);
+- if (trans->handle == NULL)
+- /* Not available. */
+- return 1;
+-
+- /* Find the required symbol. */
+- queryfct = __libc_dlsym (trans->handle, "gconv_trans_context");
+- if (queryfct == NULL)
+- {
+- /* We cannot live with that. */
+- close_and_out:
+- __libc_dlclose (trans->handle);
+- trans->handle = NULL;
+- return 1;
+- }
+-
+- /* Get the context. */
+- if (queryfct (trans->info.name, &trans->info.csnames, &trans->info.ncsnames)
+- != 0)
+- goto close_and_out;
+-
+- /* Of course we also have to have the actual function. */
+- trans->info.trans_fct = __libc_dlsym (trans->handle, "gconv_trans");
+- if (trans->info.trans_fct == NULL)
+- goto close_and_out;
+-
+- /* Now the optional functions. */
+- trans->info.trans_init_fct =
+- __libc_dlsym (trans->handle, "gconv_trans_init");
+- trans->info.trans_context_fct =
+- __libc_dlsym (trans->handle, "gconv_trans_context");
+- trans->info.trans_end_fct =
+- __libc_dlsym (trans->handle, "gconv_trans_end");
+-
+- trans->open_count = 1;
+-
+- return 0;
+-}
+-
+-
+ int
+ internal_function
+ __gconv_translit_find (struct trans_struct *trans)
+ {
+- struct known_trans **found;
+- const struct path_elem *runp;
+- int res = 1;
+-
+- /* We have to have a name. */
+- assert (trans->name != NULL);
+-
+- /* Acquire the lock. */
+- __libc_lock_lock (lock);
+-
+- /* See whether we know this module already. */
+- found = __tfind (trans, &search_tree, trans_compare);
+- if (found != NULL)
+- {
+- /* Is this module available? */
+- if ((*found)->handle != NULL)
+- {
+- /* Maybe we have to reopen the file. */
+- if ((*found)->handle != (void *) -1)
+- /* The object is not unloaded. */
+- res = 0;
+- else if (open_translit (*found) == 0)
+- {
+- /* Copy the data. */
+- *trans = (*found)->info;
+- (*found)->open_count++;
+- res = 0;
+- }
+- }
+- }
+- else
+- {
+- size_t name_len = strlen (trans->name) + 1;
+- int need_so = 0;
+- struct known_trans *newp;
+-
+- /* We have to continue looking for the module. */
+- if (__gconv_path_elem == NULL)
+- __gconv_get_path ();
+-
+- /* See whether we have to append .so. */
+- if (name_len <= 4 || memcmp (&trans->name[name_len - 4], ".so", 3) != 0)
+- need_so = 1;
+-
+- /* Create a new entry. */
+- newp = (struct known_trans *) malloc (sizeof (struct known_trans)
+- + (__gconv_max_path_elem_len
+- + name_len + 3)
+- + name_len);
+- if (newp != NULL)
+- {
+- char *cp;
+-
+- /* Clear the struct. */
+- memset (newp, '\0', sizeof (struct known_trans));
+-
+- /* Store a copy of the module name. */
+- newp->info.name = cp = (char *) (newp + 1);
+- cp = __mempcpy (cp, trans->name, name_len);
+-
+- newp->fname = cp;
+-
+- /* Search in all the directories. */
+- for (runp = __gconv_path_elem; runp->name != NULL; ++runp)
+- {
+- cp = __mempcpy (__stpcpy ((char *) newp->fname, runp->name),
+- trans->name, name_len);
+- if (need_so)
+- memcpy (cp, ".so", sizeof (".so"));
+-
+- if (open_translit (newp) == 0)
+- {
+- /* We found a module. */
+- res = 0;
+- break;
+- }
+- }
+-
+- if (res)
+- newp->fname = NULL;
+-
+- /* In any case we'll add the entry to our search tree. */
+- if (__tsearch (newp, &search_tree, trans_compare) == NULL)
+- {
+- /* Yickes, this should not happen. Unload the object. */
+- res = 1;
+- /* XXX unload here. */
+- }
+- }
+- }
+-
+- __libc_lock_unlock (lock);
+-
+- return res;
++ /* Transliteration module loading has been removed because it never
++ worked as intended and suffered from a security vulnerability.
++ Consequently, this function always fails. */
++ return 1;
+ }
--
1.8.4
- [PATCH] gnu: glibc: Fix CVE-2014-5519,
mhw <=