Author: aurel32 Date: 2012-07-17 14:47:36 +0000 (Tue, 17 Jul 2012) New Revision: 5306
Added: glibc-package/branches/glibc-branch-squeeze/debian/patches/any/cvs-vfprintf-many-format-strings.diff glibc-package/branches/glibc-branch-squeeze/debian/patches/any/cvs-vfprintf-positional.diff Modified: glibc-package/branches/glibc-branch-squeeze/debian/changelog glibc-package/branches/glibc-branch-squeeze/debian/patches/series Log: * patches/any/cvs-vfprintf-positional.diff: new patch from upstream to fix a stack corruption in vfprintf with positional parameters (CVE-2012-3404). patches/any/cvs-vfprintf-many-format-strings.diff: new patch from upstream to fix a FORTIFY_SOURCE format string protection bypass (CVE-2012-3405). Closes: #681473. Modified: glibc-package/branches/glibc-branch-squeeze/debian/changelog =================================================================== --- glibc-package/branches/glibc-branch-squeeze/debian/changelog 2012-07-17 14:12:04 UTC (rev 5305) +++ glibc-package/branches/glibc-branch-squeeze/debian/changelog 2012-07-17 14:47:36 UTC (rev 5306) @@ -1,6 +1,10 @@ eglibc (2.11.3-5) UNRELEASED; urgency=low - * + * patches/any/cvs-vfprintf-positional.diff: new patch from upstream to + fix a stack corruption in vfprintf with positional parameters + (CVE-2012-3404). patches/any/cvs-vfprintf-many-format-strings.diff: new + patch from upstream to fix a FORTIFY_SOURCE format string protection + bypass (CVE-2012-3405). Closes: #681473. -- Aurelien Jarno <aure...@debian.org> Wed, 06 Jun 2012 23:59:32 +0200 Added: glibc-package/branches/glibc-branch-squeeze/debian/patches/any/cvs-vfprintf-many-format-strings.diff =================================================================== --- glibc-package/branches/glibc-branch-squeeze/debian/patches/any/cvs-vfprintf-many-format-strings.diff (rev 0) +++ glibc-package/branches/glibc-branch-squeeze/debian/patches/any/cvs-vfprintf-many-format-strings.diff 2012-07-17 14:47:36 UTC (rev 5306) 
@@ -0,0 +1,41 @@ +2011-12-17 Ulrich Drepper <drep...@gmail.com> + + [BZ #13446] + * stdio-common/vfprintf.c (vfprintf): Fix extension of specs array. + +diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c +index 753a5ac..952886b 100644 +--- a/stdio-common/vfprintf.c ++++ b/stdio-common/vfprintf.c +@@ -1640,9 +1640,9 @@ do_positional: + /* Array with information about the needed arguments. This has to + be dynamically extensible. */ + size_t nspecs = 0; +- size_t nspecs_max = 32; /* A more or less arbitrary start value. */ +- struct printf_spec *specs +- = alloca (nspecs_max * sizeof (struct printf_spec)); ++ /* A more or less arbitrary start value. */ ++ size_t nspecs_size = 32 * sizeof (struct printf_spec); ++ struct printf_spec *specs = alloca (nspecs_size); + + /* The number of arguments the format string requests. This will + determine the size of the array needed to store the argument +@@ -1679,15 +1679,14 @@ do_positional: + + for (f = lead_str_end; *f != L_('\0'); f = specs[nspecs++].next_fmt) + { +- if (nspecs >= nspecs_max) ++ if (nspecs * sizeof (*specs) >= nspecs_size) + { + /* Extend the array of format specifiers. */ + struct printf_spec *old = specs; +- specs = extend_alloca (specs, nspecs_max, +- 2 * nspecs_max * sizeof (*specs)); ++ specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size); + + /* Copy the old array's elements to the new space. */ +- memmove (specs, old, nspecs * sizeof (struct printf_spec)); ++ memmove (specs, old, nspecs * sizeof (*specs)); + } + + /* Parse the format specifier. */ Added: glibc-package/branches/glibc-branch-squeeze/debian/patches/any/cvs-vfprintf-positional.diff =================================================================== --- glibc-package/branches/glibc-branch-squeeze/debian/patches/any/cvs-vfprintf-positional.diff (rev 0) +++ glibc-package/branches/glibc-branch-squeeze/debian/patches/any/cvs-vfprintf-positional.diff 2012-07-17 14:47:36 UTC (rev 5306) 
@@ -0,0 +1,20 @@ +2011-01-27 Petr Baudis <pa...@suse.cz> + Ulrich Drepper <drep...@gmail.com> + + * stdio-common/vfprintf.c (vfprintf): Pass correct newlen + to extend_alloca(). + +diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c +index fc370e8..cfa4c30 100644 +--- a/stdio-common/vfprintf.c ++++ b/stdio-common/vfprintf.c +@@ -1682,7 +1682,8 @@ do_positional: + { + /* Extend the array of format specifiers. */ + struct printf_spec *old = specs; +- specs = extend_alloca (specs, nspecs_max, 2 * nspecs_max); ++ specs = extend_alloca (specs, nspecs_max, ++ 2 * nspecs_max * sizeof (*specs)); + + /* Copy the old array's elements to the new space. */ + memmove (specs, old, nspecs * sizeof (struct printf_spec)); Modified: glibc-package/branches/glibc-branch-squeeze/debian/patches/series =================================================================== --- glibc-package/branches/glibc-branch-squeeze/debian/patches/series 2012-07-17 14:12:04 UTC (rev 5305) +++ glibc-package/branches/glibc-branch-squeeze/debian/patches/series 2012-07-17 14:47:36 UTC (rev 5306) @@ -275,3 +275,5 @@ any/cvs-dlopen-tls.diff any/cvs-FORTIFY_SOURCE-format-strings.diff any/local-sunrpc-dos.diff +any/cvs-vfprintf-positional.diff +any/cvs-vfprintf-many-format-strings.diff -- To UNSUBSCRIBE, email to debian-glibc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/e1sr93o-000549...@vasks.debian.org
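Review bot: in the debian/changelog hunk, both patches share a single bullet; Debian changelog convention is one bullet per change so that each CVE fix (CVE-2012-3404 and CVE-2012-3405) can be located and referenced on its own line. The "Closes: #681473" and the CVE identifiers themselves read correctly.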
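Review bot: in the first hunk of cvs-vfprintf-many-format-strings.diff (@@ -1640), the specs array is still carved out of the stack with alloca/extend_alloca and has no malloc fallback, so its size stays driven purely by the number of conversion specifications in the format string; that is inherent to this code path and worth a comment next to the new `size_t nspecs_size = 32 * sizeof (struct printf_spec);` line. The switch from an element count (nspecs_max) to a byte count (nspecs_size) is the right fix, since extend_alloca works in bytes.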
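Review bot: in the second hunk of cvs-vfprintf-many-format-strings.diff (@@ -1679), the guard `if (nspecs * sizeof (*specs) >= nspecs_size)` and the call `extend_alloca (specs, nspecs_size, 2 * nspecs_size)` now agree on bytes; add a one-line comment at the guard stating that nspecs_size is a byte count, because extend_alloca writes the new length back into its second argument and a reader used to the old nspecs_max element count will otherwise misread the comparison. The unchanged `memmove (specs, old, nspecs * sizeof (*specs))` copies the right amount.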
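Review bot: in the cvs-vfprintf-positional.diff hunk (@@ -1682), passing `2 * nspecs_max * sizeof (*specs)` corrects the newlen argument, which was previously given in elements rather than bytes: the old `extend_alloca (specs, nspecs_max, 2 * nspecs_max)` reserved only 2 * nspecs_max bytes and the following `memmove (specs, old, nspecs * sizeof (struct printf_spec))` then wrote past it, which is the stack corruption named in the log. Note that extend_alloca stores the new length back into nspecs_max, so after the first extension nspecs_max holds a byte count while the enclosing `if (nspecs >= nspecs_max)` still compares elements; the BZ #13446 patch in this same upload is what resolves that, so the two patches must ship together.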
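Review bot: in the debian/patches/series hunk, ordering matters: any/cvs-vfprintf-positional.diff must precede any/cvs-vfprintf-many-format-strings.diff, because the second patch's `-` lines expect the `2 * nspecs_max * sizeof (*specs)` call that the first one introduces. The listing is correct as written; a short comment in series (or in the patch headers) recording that dependency would guard against a later reorder.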