Date: Friday, February 3, 2023 @ 18:45:56
  Author: freswa
Revision: 468161

incorrect printf output for integers with thousands separator and width field 
(CVE-2023-25139)

Fix for a regression where after the refactor the implementation does not
account for grouping characters during padding of the width.

Added:
  glibc/trunk/cve-2023-25139.patch
Modified:
  glibc/trunk/PKGBUILD

----------------------+
 PKGBUILD             |   13 ++++++-
 cve-2023-25139.patch |   81 +++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 91 insertions(+), 3 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD    2023-02-03 18:38:57 UTC (rev 468160)
+++ PKGBUILD    2023-02-03 18:45:56 UTC (rev 468161)
@@ -10,7 +10,7 @@
 pkgname=(glibc lib32-glibc)
 pkgver=2.37
 _commit=a704fd9a133bfb10510e18702f48a6a9c88dbbd5
-pkgrel=1
+pkgrel=2
 arch=(x86_64)
 url='https://www.gnu.org/software/libc'
 license=(GPL LGPL)
@@ -22,6 +22,7 @@
         lib32-glibc.conf
         sdt.h sdt-config.h
         reenable_DT_HASH.patch
+        cve-2023-25139.patch
 )
 validpgpkeys=(7273542B39962DF7B299931416792B4EA25340F8 # Carlos O'Donell
               BC7C7372637EC10C57D7AA6579C43DFBF1CF2187) # Siddhesh Poyarekar
@@ -31,7 +32,8 @@
         
'7c265e6d36a5c0dff127093580827d15519b6c7205c2e1300e82f0fb5b9dd00b6accb40c56581f18179c4fbbc95bd2bf1b900ace867a83accde0969f7b609f8a'
         
'a6a5e2f2a627cc0d13d11a82458cfd0aa75ec1c5a3c7647e5d5a3bb1d4c0770887a3909bfda1236803d5bc9801bfd6251e13483e9adf797e4725332cd0d91a0e'
         
'214e995e84b342fe7b2a7704ce011b7c7fc74c2971f98eeb3b4e677b99c860addc0a7d91b8dc0f0b8be7537782ee331999e02ba48f4ccc1c331b60f27d715678'
-        
'5fdd133c367af2f5454ea1eea7907de12166fb95eb59dbe33eae16aa9e26209b6585972bc1c80e36a0af4bfb04296acaf940ee78cd624cdcbab9669dff46c051')
+        
'5fdd133c367af2f5454ea1eea7907de12166fb95eb59dbe33eae16aa9e26209b6585972bc1c80e36a0af4bfb04296acaf940ee78cd624cdcbab9669dff46c051'
+        
'917b876dbc2bc23d15ffedb56bfb51611f8c7a5b8321281a2cf488d442a45c38fc754e857573843042bf7cc3df87d4271bc723acd52aab4c8fc3c8f07d41456e')
 
 prepare() {
   mkdir -p glibc-build lib32-glibc-build
@@ -39,10 +41,15 @@
   [[ -d glibc-$pkgver ]] && ln -s glibc-$pkgver glibc
   cd glibc
 
-  # re-enable `--hash-style=both` for building shared objects due to issues 
with EPIC's EAC
+  # Re-enable `--hash-style=both` for building shared objects due to issues 
with EPIC's EAC
   # which relies on DT_HASH to be present in these libs.
   # reconsider 2023-01
   patch -Np1 -i "${srcdir}"/reenable_DT_HASH.patch
+
+  # Add a temporary patch for cve 2023-25139 until a fix has been backported.
+  # Technical the fix itself is complete but the test cases aren't.
+  # See https://sourceware.org/bugzilla/show_bug.cgi?id=30068
+  patch -Np1 -i "${srcdir}"/cve-2023-25139.patch
 }
 
 build() {
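Review bot: The comment added above the second `patch` call says the fix itself is complete, but the header of cve-2023-25139.patch, added in this same commit, calls it "a partial fix" that covers only a precision larger than the number of significant digits. A reader of the PKGBUILD therefore cannot tell whether the package still carries part of the width miscalculation. I would word the comment to match the patch, for example `# Temporary partial fix for CVE-2023-25139 (grouping characters not counted when padding to the width).` followed by `# Drop once the complete upstream fix is backported; see https://sourceware.org/bugzilla/show_bug.cgi?id=30068`. prepare() begins before this hunk, so only the added lines are covered here.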

Added: cve-2023-25139.patch
===================================================================
--- cve-2023-25139.patch                                (rev 0)
+++ cve-2023-25139.patch        2023-02-03 18:45:56 UTC (rev 468161)
@@ -0,0 +1,81 @@
+This is a partial fix for mishandling of grouping when formatting
+integers.  It properly computes the width in presence of grouping
+characteres when the precision is larger than the number of significant
+digits.
+---
+ stdio-common/Makefile               |  1 +
+ stdio-common/tst-grouping3.c        | 37 +++++++++++++++++++++++++++++
+ stdio-common/vfprintf-process-arg.c |  2 +-
+ 3 files changed, 39 insertions(+), 1 deletion(-)
+ create mode 100644 stdio-common/tst-grouping3.c
+
+diff --git a/stdio-common/Makefile b/stdio-common/Makefile
+index 6e9d104524..b46d932a20 100644
+--- a/stdio-common/Makefile
++++ b/stdio-common/Makefile
+@@ -195,6 +195,7 @@ tests := \
+   tst-gets \
+   tst-grouping \
+   tst-grouping2 \
++  tst-grouping3 \
+   tst-long-dbl-fphex \
+   tst-memstream-string \
+   tst-obprintf \
+diff --git a/stdio-common/tst-grouping3.c b/stdio-common/tst-grouping3.c
+new file mode 100644
+index 0000000000..0031ad4010
+--- /dev/null
++++ b/stdio-common/tst-grouping3.c
+@@ -0,0 +1,37 @@
++/* Test printf with grouping and padding (bug 23432)
++   Copyright (C) 2023 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#include <locale.h>
++#include <stdio.h>
++#include <support/check.h>
++#include <support/support.h>
++
++static int
++do_test (void)
++{
++  char buf[80];
++
++  xsetlocale (LC_NUMERIC, "de_DE.UTF-8");
++
++  sprintf (buf, "%+-'13.9d", 1234567);
++  TEST_COMPARE_STRING (buf, "+001.234.567 ");
++
++  return 0;
++}
++
++#include <support/test-driver.c>
+diff --git a/stdio-common/vfprintf-process-arg.c 
b/stdio-common/vfprintf-process-arg.c
+index 2c651946df..cd3eaf5c0c 100644
+--- a/stdio-common/vfprintf-process-arg.c
++++ b/stdio-common/vfprintf-process-arg.c
+@@ -257,7 +257,7 @@ LABEL (unsigned_number):      /* Unsigned number of base 
BASE.  */
+           width -= 2;
+         }
+
+-      width -= workend - string + prec;
++      width -= number_length + prec;
+
+       Xprintf_buffer_pad (buf, L_('0'), prec);
+
+--
+2.39.1
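Review bot: The header comment of the new stdio-common/tst-grouping3.c cites bug 23432, while the PKGBUILD comment in this commit points to bug 30068 for the same issue; if 30068 is the intended report, the first line should read `/* Test printf with grouping and padding (bug 30068)`. The test also checks a single format, `%+-'13.9d`, which is the precision-larger-than-digits case the patch header names, so formats that use grouping with a width but no such precision are not exercised and a remaining miscount there would pass unnoticed. A comment in do_test such as `/* Only the precision > digit-count path is covered; width-only grouping is not tested here.  */` would make that limit visible to whoever replaces this patch with the backport. The one-line change in vfprintf-process-arg.c sits inside the `unsigned_number` label block, which starts and ends outside the nested hunk, so how `number_length` is computed cannot be checked from this page.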
