summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJuergen Daubert <jue@jue.li>2013-02-13 10:01:13 +0100
committerJuergen Daubert <jue@jue.li>2013-02-13 10:01:13 +0100
commit389154c5a832666c2593cd099e63156311174241 (patch)
tree7fb541ea2175840b6a8999eeb1554ede674f6b40
parent5442ef2b2e64fdf56b65b66c9214b684ff2468e2 (diff)
downloadcore-389154c5a832666c2593cd099e63156311174241.tar.gz
core-389154c5a832666c2593cd099e63156311174241.tar.xz
[notify] glibc: security fix for CVE-2013-0242
See - http://sourceware.org/bugzilla/show_bug.cgi?id=15078 - http://www.security-database.com/detail.php?alert=CVE-2013-0242 Note: To avoid an unclean unmount of "/" on next shutdown, reload the init process after the glibc update. Either run the included post-install script or use the following command: /sbin/telinit U
Diffstat
-rw-r--r--glibc/.md5sum1
-rw-r--r--glibc/Pkgfile6
-rw-r--r--glibc/glibc-regexp_buffer_overrun.patch72
3 files changed, 77 insertions, 2 deletions
diff --git a/glibc/.md5sum b/glibc/.md5sum
index aab47603..6621b5b0 100644
--- a/glibc/.md5sum
+++ b/glibc/.md5sum
@@ -1,4 +1,5 @@
80b181b02ab249524ec92822c0174cf7 glibc-2.16.0.tar.xz
+d4a2a19efe1e9b59b86fd15a968f7e10 glibc-regexp_buffer_overrun.patch
7e6a5a13c37f93213db9803d9790b7de glibc-resolv_assert.patch
99ed7b88221475d51a073f00d7ee9c42 glibc-segfault_in_strncasecmp.patch
8be5a4516a896a4cd589134ccf113575 glibc-strtod_integer_overflow.patch
diff --git a/glibc/Pkgfile b/glibc/Pkgfile
index 6510c0a6..d6c9493c 100644
--- a/glibc/Pkgfile
+++ b/glibc/Pkgfile
@@ -4,13 +4,14 @@
name=glibc
version=2.16.0
-release=2
+release=3
source=(http://ftp.gnu.org/gnu/glibc/glibc-$version.tar.xz \
http://crux.nu/files/distfiles/kernel-headers-3.4.11.tar.xz \
hosts resolv.conf nsswitch.conf host.conf ld.so.conf \
$name-resolv_assert.patch \
$name-segfault_in_strncasecmp.patch \
- $name-strtod_integer_overflow.patch)
+ $name-strtod_integer_overflow.patch \
+ $name-regexp_buffer_overrun.patch)
build() {
# install kernel headers
@@ -21,6 +22,7 @@ build() {
patch -p1 -d $name-$version -i $SRC/$name-resolv_assert.patch
patch -p1 -d $name-$version -i $SRC/$name-segfault_in_strncasecmp.patch
patch -p1 -d $name-$version -i $SRC/$name-strtod_integer_overflow.patch
+ patch -p1 -d $name-$version -i $SRC/$name-regexp_buffer_overrun.patch
mkdir build
cd build
diff --git a/glibc/glibc-regexp_buffer_overrun.patch b/glibc/glibc-regexp_buffer_overrun.patch
new file mode 100644
index 00000000..a7869613
--- /dev/null
+++ b/glibc/glibc-regexp_buffer_overrun.patch
@@ -0,0 +1,72 @@
+# http://sourceware.org/bugzilla/show_bug.cgi?id=15078
+# CVE-2013-0242
+# ChangeLog, NEWS and new test removed to apply clean
+
+commit a445af0bc722d620afed7683cd320c0e4c7c6059
+Author: Andreas Schwab <schwab@suse.de>
+Date: Tue Jan 29 14:45:15 2013 +0100
+
+ Fix buffer overrun in regexp matcher
+
+diff --git a/posix/regexec.c b/posix/regexec.c
+index 7f2de85..5ca2bf6 100644
+--- a/posix/regexec.c
++++ b/posix/regexec.c
+@@ -197,7 +197,7 @@ static int group_nodes_into_DFAstates (const re_dfa_t *dfa,
+ static int check_node_accept (const re_match_context_t *mctx,
+ const re_token_t *node, int idx)
+ internal_function;
+-static reg_errcode_t extend_buffers (re_match_context_t *mctx)
++static reg_errcode_t extend_buffers (re_match_context_t *mctx, int min_len)
+ internal_function;
+
+ /* Entry point for POSIX code. */
+@@ -1160,7 +1160,7 @@ check_matching (re_match_context_t *mctx, int fl_longest_match,
+ || (BE (next_char_idx >= mctx->input.valid_len, 0)
+ && mctx->input.valid_len < mctx->input.len))
+ {
+- err = extend_buffers (mctx);
++ err = extend_buffers (mctx, next_char_idx + 1);
+ if (BE (err != REG_NOERROR, 0))
+ {
+ assert (err == REG_ESPACE);
+@@ -1738,7 +1738,7 @@ clean_state_log_if_needed (re_match_context_t *mctx, int next_state_log_idx)
+ && mctx->input.valid_len < mctx->input.len))
+ {
+ reg_errcode_t err;
+- err = extend_buffers (mctx);
++ err = extend_buffers (mctx, next_state_log_idx + 1);
+ if (BE (err != REG_NOERROR, 0))
+ return err;
+ }
+@@ -2792,7 +2792,7 @@ get_subexp (re_match_context_t *mctx, int bkref_node, int bkref_str_idx)
+ if (bkref_str_off >= mctx->input.len)
+ break;
+
+- err = extend_buffers (mctx);
++ err = extend_buffers (mctx, bkref_str_off + 1);
+ if (BE (err != REG_NOERROR, 0))
+ return err;
+
+@@ -4102,7 +4102,7 @@ check_node_accept (const re_match_context_t *mctx, const re_token_t *node,
+
+ static reg_errcode_t
+ internal_function __attribute_warn_unused_result__
+-extend_buffers (re_match_context_t *mctx)
++extend_buffers (re_match_context_t *mctx, int min_len)
+ {
+ reg_errcode_t ret;
+ re_string_t *pstr = &mctx->input;
+@@ -4111,8 +4111,10 @@ extend_buffers (re_match_context_t *mctx)
+ if (BE (INT_MAX / 2 / sizeof (re_dfastate_t *) <= pstr->bufs_len, 0))
+ return REG_ESPACE;
+
+- /* Double the lengthes of the buffers. */
+- ret = re_string_realloc_buffers (pstr, MIN (pstr->len, pstr->bufs_len * 2));
++ /* Double the lengthes of the buffers, but allocate at least MIN_LEN. */
++ ret = re_string_realloc_buffers (pstr,
++ MAX (min_len,
++ MIN (pstr->len, pstr->bufs_len * 2)));
+ if (BE (ret != REG_NOERROR, 0))
+ return ret;
+

Generated by cgit