Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian....@packages.debian.org
Usertags: pu

Dear oldstable release team,

I would like to update the eglibc package in wheezy to fix the known
security issues for which a patch is available. The changes correspond
to the security bugs opened by the security team; their severity wasn't
high enough to warrant a DSA.

You'll find the corresponding diff against the current version in 
wheezy below.

Thanks,
Aurelien


Index: debian/patches/any/cvs-CVE-2014-8121.diff
===================================================================
--- debian/patches/any/cvs-CVE-2014-8121.diff   (révision 0)
+++ debian/patches/any/cvs-CVE-2014-8121.diff   (révision 6665)
@@ -0,0 +1,17 @@
+2015-04-29  Florian Weimer  <fwei...@redhat.com>
+
+       [BZ #18007]
+       * nss/nss_files/files-XXX.c (CONCAT): Always enable stayopen.
+       (CVE-2014-8121)
+
+--- a/nss/nss_files/files-XXX.c
++++ b/nss/nss_files/files-XXX.c
+@@ -134,7 +134,7 @@ CONCAT(_nss_files_set,ENTNAME) (int stayopen)
+ 
+   __libc_lock_lock (lock);
+ 
+-  status = internal_setent (stayopen);
++  status = internal_setent (1);
+ 
+   if (status == NSS_STATUS_SUCCESS && fgetpos (stream, &position) < 0)
+     {
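Review bot: The changed call `internal_setent (1)` now ignores the `stayopen` argument of the `_nss_files_set*` function, and nothing at the call site says why the literal is there. A short comment above it would keep a later cleanup from restoring the parameter, for example `/* Always keep the stream open; closing it after a lookup disturbs an enumeration in progress (BZ #18007).  */`. That wording follows the changelog entry on this page. The body of internal_setent and the rest of this function lie outside the hunk, so the exact effect of the flag should be confirmed there.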
Index: debian/patches/any/cvs-CVE-2015-1781.diff
===================================================================
--- debian/patches/any/cvs-CVE-2015-1781.diff   (révision 0)
+++ debian/patches/any/cvs-CVE-2015-1781.diff   (révision 6665)
@@ -0,0 +1,18 @@
+2015-04-21  Arjun Shankar  <arjun...@lostca.se>
+
+       [BZ #18287]
+       * resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length
+       based on padding.  (CVE-2015-1781)
+
+--- a/resolv/nss_dns/dns-host.c
++++ b/resolv/nss_dns/dns-host.c
+@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const 
char *qname, int qtype,
+   int have_to_map = 0;
+   uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
+   buffer += pad;
+-  if (__builtin_expect (buflen < sizeof (struct host_data) + pad, 0))
++  buflen = buflen > pad ? buflen - pad : 0;
++  if (__builtin_expect (buflen < sizeof (struct host_data), 0))
+     {
+       /* The buffer is too small.  */
+     too_small:
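Review bot: The new line `buflen = buflen > pad ? buflen - pad : 0;` changes what `buflen` means for the rest of getanswer_r, from the caller's length to the length left after alignment, and that deserves a comment. Something like `/* buffer was advanced by pad for alignment; shrink buflen to match so later size computations stay inside the caller's buffer.  */` above the line states the invariant. Note also that `buffer += pad` still runs before the size check, so when buflen is smaller than pad the pointer already lies past the caller's buffer on the way to `too_small`. It does not appear to be dereferenced on that path, but the rest of the function is outside the hunk.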
Index: debian/patches/any/cvs-_IO_wstr_overflow.diff
===================================================================
--- debian/patches/any/cvs-_IO_wstr_overflow.diff       (révision 0)
+++ debian/patches/any/cvs-_IO_wstr_overflow.diff       (révision 6665)
@@ -0,0 +1,31 @@
+2015-02-22  Paul Pluzhnikov  <ppluzhni...@google.com>
+
+       [BZ #17269]
+       * libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow
+       (enlarge_userbuf): Likewise.
+
+--- a/libio/wstrops.c
++++ b/libio/wstrops.c
+@@ -96,8 +96,11 @@ _IO_wstr_overflow (fp, c)
+         wchar_t *old_buf = fp->_wide_data->_IO_buf_base;
+         size_t old_wblen = _IO_wblen (fp);
+         _IO_size_t new_size = 2 * old_wblen + 100;
+-        if (new_size < old_wblen)
++
++        if (__builtin_expect ((new_size < old_wblen), 0)
++            || __builtin_expect ((new_size > SIZE_MAX / sizeof (wchar_t)), 0))
+           return EOF;
++
+         new_buf
+           = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
+                                                                       * 
sizeof (wchar_t));
+@@ -187,6 +190,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int 
reading)
+     return 1;
+ 
+   _IO_size_t newsize = offset + 100;
++  if (__builtin_expect ((newsize > SIZE_MAX / sizeof (wchar_t)), 0))
++    return 1;
++
+   wchar_t *oldbuf = wd->_IO_buf_base;
+   wchar_t *newbuf
+     = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize
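Review bot: In enlarge_userbuf the added guard tests `newsize` only after `offset + 100` has been converted from `_IO_off64_t` to `_IO_size_t`, so where size_t is narrower than 64 bits a large offset may be truncated to a small value that passes the check. A negative or near-maximum offset has the same problem with the addition itself. Bounding the offset before the addition closes this, e.g. `if (offset < 0 || offset > SIZE_MAX / sizeof (wchar_t) - 100) return 1;` ahead of the `newsize` declaration. Whether callers can actually pass such an offset is not visible here, since both functions start and end outside their hunks. The guard in _IO_wstr_overflow works on size_t values throughout and does not have this issue.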
Index: debian/patches/any/cvs-fnmatch-overflow.diff
===================================================================
--- debian/patches/any/cvs-fnmatch-overflow.diff        (révision 0)
+++ debian/patches/any/cvs-fnmatch-overflow.diff        (révision 6665)
@@ -0,0 +1,27 @@
+2015-02-26  Andreas Schwab  <sch...@suse.de>
+
+       [BZ #18032]
+       * posix/fnmatch_loop.c (FCT): Remove extra increment when skipping
+       over collating symbol inside a bracket expression.  Minor cleanup.
+
+diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
+index f79d051..f11d0f1 100644
+--- a/posix/fnmatch_loop.c
++++ b/posix/fnmatch_loop.c
+@@ -951,14 +951,13 @@ FCT (pattern, string, string_end, no_leading_period, 
flags, ends, alloca_used)
+                 }
+               else if (c == L('[') && *p == L('.'))
+                 {
+-                  ++p;
+                   while (1)
+                     {
+                       c = *++p;
+-                      if (c == '\0')
++                      if (c == L('\0'))
+                         return FNM_NOMATCH;
+ 
+-                      if (*p == L('.') && p[1] == L(']'))
++                      if (c == L('.') && p[1] == L(']'))
+                         break;
+                     }
+                   p += 2;
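Review bot: The rewritten loop depends on `p` pointing at the `.` of `[.` when it is entered, so that the single pre-increment in `c = *++p` steps past it. The removed `++p` violated that precondition, and it is not written down anywhere in the hunk. A comment before `while (1)` such as `/* p is at the '.' opening the collating symbol; scan for the closing ".]" and stop at the end of the pattern.  */` would make it explicit. The patch as carried here touches only fnmatch_loop.c, so a regression case for an unterminated collating symbol is worth adding if the package's test suite has a place for it. FCT begins and ends outside the hunk.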
Index: debian/patches/any/cvs-ld_pointer_guard.diff
===================================================================
--- debian/patches/any/cvs-ld_pointer_guard.diff        (révision 0)
+++ debian/patches/any/cvs-ld_pointer_guard.diff        (révision 6665)
@@ -0,0 +1,62 @@
+2015-10-15  Florian Weimer  <fwei...@redhat.com>
+
+       [BZ #18928]
+       * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+       _dl_pointer_guard member.
+       * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+       initializer.
+       (security_init): Always set up pointer guard.
+       (process_envvars): Do not process LD_POINTER_GUARD.
+
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -162,7 +162,6 @@
+     ._dl_hwcap_mask = HWCAP_IMPORTANT,
+     ._dl_lazy = 1,
+     ._dl_fpu_control = _FPU_DEFAULT,
+-    ._dl_pointer_guard = 1,
+ 
+     /* Function pointers.  */
+     ._dl_debug_printf = _dl_debug_printf,
+@@ -857,15 +856,12 @@
+ #endif
+ 
+   /* Set up the pointer guard as well, if necessary.  */
+-  if (GLRO(dl_pointer_guard))
+-    {
+-      uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
+-                                                           stack_chk_guard);
++  uintptr_t pointer_chk_guard
++    = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
+ #ifdef THREAD_SET_POINTER_GUARD
+-      THREAD_SET_POINTER_GUARD (pointer_chk_guard);
++  THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+ #endif
+-      __pointer_chk_guard_local = pointer_chk_guard;
+-    }
++  __pointer_chk_guard_local = pointer_chk_guard;
+ 
+   /* We do not need the _dl_random value anymore.  The less
+      information we leave behind, the better, so clear the
+@@ -2607,9 +2603,6 @@
+             GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
+             break;
+           }
+-
+-        if (memcmp (envline, "POINTER_GUARD", 13) == 0)
+-          GLRO(dl_pointer_guard) = envline[14] != '0';
+         break;
+ 
+       case 14:
+--- a/sysdeps/generic/ldsodefs.h
++++ b/sysdeps/generic/ldsodefs.h
+@@ -591,9 +591,6 @@
+   /* List of auditing interfaces.  */
+   struct audit_ifaces *_dl_audit;
+   unsigned int _dl_naudit;
+-
+-  /* 0 if internal pointer values should not be guarded, 1 if they should.  */
+-  EXTERN int _dl_pointer_guard;
+ };
+ # define __rtld_global_attribute__
+ # ifdef IS_IN_rtld
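Review bot: The context comment `/* Set up the pointer guard as well, if necessary.  */` in the second rtld.c hunk is stale after this change, because the setup below it no longer depends on any condition; it should read `/* Set up the pointer guard as well.  */`. Relatedly, the changelog entry's phrase "unconditionally disable LD_POINTER_GUARD" can be misread as turning the protection off, whereas the hunks remove the environment variable handling and leave the guard always enabled. Wording such as "always enable the pointer guard and ignore LD_POINTER_GUARD" would be clearer. The rtld.c hunk headers carry no function names, so the attribution to security_init and process_envvars comes from the patch's ChangeLog text.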
Index: debian/patches/series
===================================================================
--- debian/patches/series       (révision 6366)
+++ debian/patches/series       (copie de travail)
@@ -403,3 +403,8 @@
 any/cvs-posix_spawn_file_actions_addopen.diff
 any/cvs-getnetbyname.diff
 any/cvs-getaddrinfo-idn.diff
+any/cvs-CVE-2015-1781.diff
+any/cvs-CVE-2014-8121.diff
+any/cvs-fnmatch-overflow.diff
+any/cvs-_IO_wstr_overflow.diff
+any/cvs-ld_pointer_guard.diff
Index: debian/changelog
===================================================================
--- debian/changelog    (révision 6366)
+++ debian/changelog    (copie de travail)
@@ -1,3 +1,19 @@
+eglibc (2.13-38+deb7u9) wheezy; urgency=medium
+
+  * patches/any/cvs-CVE-2015-1781.diff: new patch from upstream to fix
+    a buffer overflow in getanswer_r (CVE-2015-1781). Closes: #796105.
+  * patches/any/cvs-fnmatch-overflow.diff: new patch from upstream to fix
+    a buffer overflow (read past end of buffer) in internal_fnmatch.
+  * patches/any/cvs-_IO_wstr_overflow.diff: new patch from upstream to fix
+    an integer overlow in IO_wstr_overflow.
+  * patches/any/cvs-CVE-2014-8121.diff: new patch from upstream to fix
+    an unexpected closing of nss_files databases after lookups, causing
+    denial of service (CVE-2014-8121).  Closes: #779587.
+  * patches/any/cvs-ld_pointer_guard.diff: new patch from upstream to
+    unconditionally disable LD_POINTER_GUARD.  Closes: #798316, #801691.
+
+ -- Aurelien Jarno <aure...@debian.org>  Mon, 19 Oct 2015 20:49:40 +0200
+
 eglibc (2.13-38+deb7u8) wheezy-security; urgency=medium
 
   * debian/patches/any/cvs-wscanf.diff: new patch from upstream to fix a

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
