From mboxrd@z Thu Jan 1 00:00:00 1970 From: mhw@netris.org Subject: [PATCH] gnu: glibc: Fix CVE-2014-5519 Date: Tue, 26 Aug 2014 15:16:18 -0400 Message-ID: <874mwz2ha5.fsf@netris.org> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:59227) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XMMkD-00069a-Uq for guix-devel@gnu.org; Tue, 26 Aug 2014 15:49:34 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1XMMk9-000233-17 for guix-devel@gnu.org; Tue, 26 Aug 2014 15:49:29 -0400 Received: from world.peace.net ([96.39.62.75]:36740) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1XMMk8-00022r-NN for guix-devel@gnu.org; Tue, 26 Aug 2014 15:49:24 -0400 List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org To: guix-devel@gnu.org --=-=-= Content-Type: text/plain I'll push this patch to core-updates as soon as I've tested it. https://sourceware.org/bugzilla/show_bug.cgi?id=17187 https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8 http://googleprojectzero.blogspot.co.nz/2014/08/the-poisoned-nul-byte-2014-edition.html I'm not sure what we should do on 'master'. Thoughts? Mark --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0001-gnu-glibc-Fix-CVE-2014-5519.patch Content-Description: [PATCH] gnu: glibc: Fix CVE-2014-5519 >From 4b5770796955011e2a7b2166b38f8f6b3a6d6757 Mon Sep 17 00:00:00 2001 
From: Mark H Weaver
Date: Tue, 26 Aug 2014 14:44:14 -0400
Subject: [PATCH] gnu: glibc: Fix CVE-2014-5519.
* gnu/packages/patches/glibc-CVE-2014-5519.patch: New file.
* gnu-system.am (dist_patch_DATA): Add it.
* gnu/packages/base.scm (glibc): Add the patch.
---
 gnu-system.am | 1 +
 gnu/packages/base.scm | 3 +-
 gnu/packages/patches/glibc-CVE-2014-5519.patch | 211 +++++++++++++++++++++++++
 3 files changed, 214 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/glibc-CVE-2014-5519.patch
diff --git a/gnu-system.am b/gnu-system.am
index f24da85..a14781b 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -311,6 +311,7 @@ dist_patch_DATA = \
 gnu/packages/patches/glib-tests-prlimit.patch \
 gnu/packages/patches/glib-tests-timer.patch \
 gnu/packages/patches/glibc-bootstrap-system.patch \
+ gnu/packages/patches/glibc-CVE-2014-5519.patch \
 gnu/packages/patches/glibc-ldd-x86_64.patch \
 gnu/packages/patches/gnunet-fix-scheduler.patch \
 gnu/packages/patches/gnunet-fix-tests.patch \
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 30176cf..8c4f0eb 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -384,7 +384,8 @@ library for working with executable and object formats is also included.")
 (("use_ldconfig=yes") "use_ldconfig=no")))
 (modules '((guix build utils)))
- (patches (list (search-patch "glibc-ldd-x86_64.patch")))))
+ (patches (list (search-patch "glibc-CVE-2014-5519.patch")
+ (search-patch "glibc-ldd-x86_64.patch")))))
 (build-system gnu-build-system)
 ;; Glibc's refers to , for instance, so glibc
diff --git a/gnu/packages/patches/glibc-CVE-2014-5519.patch b/gnu/packages/patches/glibc-CVE-2014-5519.patch
new file mode 100644
index 0000000..fc9acd4
--- /dev/null
+++ b/gnu/packages/patches/glibc-CVE-2014-5519.patch
@@ -0,0 +1,211 @@
+Remove support for loadable gconv transliteration modules.
+The support for transliteration modules has been non-functional for
+over a decade, and the removal is prompted by security defects. The
+normal gconv conversion modules are still supported. Transliteration
+with //TRANSLIT is still possible, and the //IGNORE specifier
+continues to be supported. (CVE-2014-5519)
+
+Based on upstream commit a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8 by
+Florian Weimer .
+
+--- glibc-2.19/ChangeLog.orig 2014-02-07 04:04:38.000000000 -0500
++++ glibc-2.19/ChangeLog 2014-08-26 14:35:12.368861387 -0400
+@@ -1,3 +1,10 @@
++2014-08-26 Florian Weimer
++
++ [BZ #17187]
++ * iconv/gconv_trans.c (struct known_trans, search_tree, lock,
++ trans_compare, open_translit, __gconv_translit_find):
++ Remove module loading code.
++
+ 2014-02-06 Carlos O'Donell
+
+ [BZ #16529]
+--- glibc-2.19/iconv/gconv_trans.c.orig 2014-02-07 04:04:38.000000000 -0500
++++ glibc-2.19/iconv/gconv_trans.c 2014-08-26 14:37:26.269525364 -0400
+@@ -238,181 +238,12 @@
+ return __GCONV_ILLEGAL_INPUT;
+ }
+
+-
+-/* Structure to represent results of found (or not) transliteration
+- modules. */
+-struct known_trans
+-{
+- /* This structure must remain the first member. */
+- struct trans_struct info;
+-
+- char *fname;
+- void *handle;
+- int open_count;
+-};
+-
+-
+-/* Tree with results of previous calls to __gconv_translit_find. */
+-static void *search_tree;
+-
+-/* We modify global data. */
+-__libc_lock_define_initialized (static, lock);
+-
+-
+-/* Compare two transliteration entries. */
+-static int
+-trans_compare (const void *p1, const void *p2)
+-{
+- const struct known_trans *s1 = (const struct known_trans *) p1;
+- const struct known_trans *s2 = (const struct known_trans *) p2;
+-
+- return strcmp (s1->info.name, s2->info.name);
+-}
+-
+-
+-/* Open (maybe reopen) the module named in the struct. Get the function
+- and data structure pointers we need. */
+-static int
+-open_translit (struct known_trans *trans)
+-{
+- __gconv_trans_query_fct queryfct;
+-
+- trans->handle = __libc_dlopen (trans->fname);
+- if (trans->handle == NULL)
+- /* Not available. */
+- return 1;
+-
+- /* Find the required symbol. */
+- queryfct = __libc_dlsym (trans->handle, "gconv_trans_context");
+- if (queryfct == NULL)
+- {
+- /* We cannot live with that. */
+- close_and_out:
+- __libc_dlclose (trans->handle);
+- trans->handle = NULL;
+- return 1;
+- }
+-
+- /* Get the context. */
+- if (queryfct (trans->info.name, &trans->info.csnames, &trans->info.ncsnames)
+- != 0)
+- goto close_and_out;
+-
+- /* Of course we also have to have the actual function. */
+- trans->info.trans_fct = __libc_dlsym (trans->handle, "gconv_trans");
+- if (trans->info.trans_fct == NULL)
+- goto close_and_out;
+-
+- /* Now the optional functions. */
+- trans->info.trans_init_fct =
+- __libc_dlsym (trans->handle, "gconv_trans_init");
+- trans->info.trans_context_fct =
+- __libc_dlsym (trans->handle, "gconv_trans_context");
+- trans->info.trans_end_fct =
+- __libc_dlsym (trans->handle, "gconv_trans_end");
+-
+- trans->open_count = 1;
+-
+- return 0;
+-}
+-
+-
+ int
+ internal_function
+ __gconv_translit_find (struct trans_struct *trans)
+ {
+- struct known_trans **found;
+- const struct path_elem *runp;
+- int res = 1;
+-
+- /* We have to have a name. */
+- assert (trans->name != NULL);
+-
+- /* Acquire the lock. */
+- __libc_lock_lock (lock);
+-
+- /* See whether we know this module already. */
+- found = __tfind (trans, &search_tree, trans_compare);
+- if (found != NULL)
+- {
+- /* Is this module available? */
+- if ((*found)->handle != NULL)
+- {
+- /* Maybe we have to reopen the file. */
+- if ((*found)->handle != (void *) -1)
+- /* The object is not unloaded. */
+- res = 0;
+- else if (open_translit (*found) == 0)
+- {
+- /* Copy the data. */
+- *trans = (*found)->info;
+- (*found)->open_count++;
+- res = 0;
+- }
+- }
+- }
+- else
+- {
+- size_t name_len = strlen (trans->name) + 1;
+- int need_so = 0;
+- struct known_trans *newp;
+-
+- /* We have to continue looking for the module. */
+- if (__gconv_path_elem == NULL)
+- __gconv_get_path ();
+-
+- /* See whether we have to append .so. */
+- if (name_len <= 4 || memcmp (&trans->name[name_len - 4], ".so", 3) != 0)
+- need_so = 1;
+-
+- /* Create a new entry. */
+- newp = (struct known_trans *) malloc (sizeof (struct known_trans)
+- + (__gconv_max_path_elem_len
+- + name_len + 3)
+- + name_len);
+- if (newp != NULL)
+- {
+- char *cp;
+-
+- /* Clear the struct. */
+- memset (newp, '\0', sizeof (struct known_trans));
+-
+- /* Store a copy of the module name. */
+- newp->info.name = cp = (char *) (newp + 1);
+- cp = __mempcpy (cp, trans->name, name_len);
+-
+- newp->fname = cp;
+-
+- /* Search in all the directories. */
+- for (runp = __gconv_path_elem; runp->name != NULL; ++runp)
+- {
+- cp = __mempcpy (__stpcpy ((char *) newp->fname, runp->name),
+- trans->name, name_len);
+- if (need_so)
+- memcpy (cp, ".so", sizeof (".so"));
+-
+- if (open_translit (newp) == 0)
+- {
+- /* We found a module. */
+- res = 0;
+- break;
+- }
+- }
+-
+- if (res)
+- newp->fname = NULL;
+-
+- /* In any case we'll add the entry to our search tree. */
+- if (__tsearch (newp, &search_tree, trans_compare) == NULL)
+- {
+- /* Yickes, this should not happen. Unload the object. */
+- res = 1;
+- /* XXX unload here. */
+- }
+- }
+- }
+-
+- __libc_lock_unlock (lock);
+-
+- return res;
++ /* Transliteration module loading has been removed because it never
++ worked as intended and suffered from a security vulnerability.
++ Consequently, this function always fails. */
++ return 1;
+ }
-- 
1.8.4
--=-=-=--
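Review bot: The replacement comment at the end of the iconv/gconv_trans.c hunk says the removed code "suffered from a security vulnerability" without identifying it, so a maintainer rebasing this backport later cannot tell from the source which fix it carries; I would extend it to `/* ... suffered from a security vulnerability (CVE-2014-5519, BZ #17187). Consequently, this function always fails. */`. The `trans` parameter of `__gconv_translit_find` is no longer read by the new body, which will warn under unused-parameter checks if glibc's warning flags enable them (not verified here); `(void) trans;` before `return 1;` would avoid that. The patch header states it is based on upstream commit a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8, but the hunk carries only the ChangeLog and gconv_trans.c parts; saying in the header whether that is the complete set of upstream hunks, or which were left out, would make the divergence from upstream auditable at the next glibc update.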