This is an automated email from the git hooks/post-receive script. aurel32 pushed a commit to branch sid in repository glibc.
commit 6a0c9c0a8e4c94e7028cf908482e0224664db510 Author: Aurelien Jarno <aurel...@aurel32.net> Date: Sat Jan 30 12:32:19 2016 +0100 Update from upstream stable branch - Fix an integer overflow in hcreate() and hcreate_r() (CVE-2015-8778). Closes: #812441. --- debian/changelog | 4 +- debian/patches/git-updates.diff | 169 ++++++++++++++++++++++++++++++++++++++-- 2 files changed, 165 insertions(+), 8 deletions(-) diff --git a/debian/changelog b/debian/changelog index 22de19a..5ca2880 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,8 @@ glibc (2.21-8) UNRELEASED; urgency=medium - * + * Update from upstream stable branch: + - Fix an integer overflow in hcreate() and hcreate_r() (CVE-2015-8778). + Closes: #812441. -- Aurelien Jarno <aure...@debian.org> Sun, 24 Jan 2016 00:32:22 +0100 diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff index f01bba3..72b1427 100644 --- a/debian/patches/git-updates.diff +++ b/debian/patches/git-updates.diff @@ -1,10 +1,27 @@ GIT update of git://sourceware.org/git/glibc.git/release/2.21/master from glibc-2.21 diff --git a/ChangeLog b/ChangeLog -index dc1ed1b..a3182f0 100644 +index dc1ed1b..a38da43 100644 --- a/ChangeLog +++ b/ChangeLog -@@ -1,3 +1,87 @@ +@@ -1,3 +1,104 @@ ++2016-01-27 Paul Eggert <egg...@cs.ucla.edu> ++ ++ [BZ #18240] ++ * misc/hsearch_r.c (isprime, __hcreate_r): Protect against ++ unsigned int wraparound. ++ ++2016-01-27 Florian Weimer <fwei...@redhat.com> ++ ++ [BZ #18240] ++ * misc/bug18240.c: New test. ++ * misc/Makefile (tests): Add it. ++ ++2015-08-25 Ondřej Bílka <nel...@seznam.cz> ++ ++ [BZ #18240] ++ * misc/hsearch_r.c (__hcreate_r): Handle overflow. ++ +2015-09-26 Paul Pluzhnikov <ppluzhni...@google.com> + + [BZ #18985] 
@@ -92,7 +109,7 @@ index dc1ed1b..a3182f0 100644 2015-02-06 Carlos O'Donell <car...@systemhalted.org> * version.h (RELEASE): Set to "stable". -@@ -7,6 +91,7 @@ +@@ -7,6 +108,7 @@ * sysdeps/unix/sysv/linux/hppa/pthread.h: Sync with pthread.h. 2015-02-05 Paul Pluzhnikov <ppluzhni...@google.com> @@ -101,7 +118,7 @@ index dc1ed1b..a3182f0 100644 [BZ #16618] * stdio-common/tst-sscanf.c (main): Test for buffer overflow. diff --git a/NEWS b/NEWS -index 617cdbb..e659b75 100644 +index 617cdbb..40f8c90 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,28 @@ See the end for copying conditions. @@ -112,7 +129,7 @@ index 617cdbb..e659b75 100644 + +* The following bugs are resolved with this release: + -+ 17269, 17905, 17949, 18007, 18032, 18287, 18694, 18887, 18985. ++ 17269, 17905, 17949, 18007, 18032, 18240, 18287, 18694, 18887, 18985. + +* A buffer overflow in gethostbyname_r and related functions performing DNS + requests has been fixed. If the NSS functions were called with a @@ -415,7 +432,7 @@ index 43d847d..3993579 100644 wchar_t *newbuf = (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize diff --git a/misc/Makefile b/misc/Makefile -index aecb0da..2f5edf6 100644 +index aecb0da..12055ce 100644 --- a/misc/Makefile +++ b/misc/Makefile @@ -76,7 +76,8 @@ install-lib := libg.a 
@@ -424,10 +441,148 @@ index aecb0da..2f5edf6 100644
 tests := tst-dirname tst-tsearch tst-fdset tst-efgcvt tst-mntent tst-hsearch \
 - tst-error1 tst-pselect tst-insremque tst-mntent2 bug-hsearch1
 + tst-error1 tst-pselect tst-insremque tst-mntent2 bug-hsearch1 \
-+ tst-mntent-blank-corrupt tst-mntent-blank-passno
++ tst-mntent-blank-corrupt tst-mntent-blank-passno bug18240
 ifeq ($(run-built-tests),yes)
 tests-special += $(objpfx)tst-error1-mem.out
 endif
+diff --git a/misc/bug18240.c b/misc/bug18240.c
+new file mode 100644
+index 0000000..4b26865
+--- /dev/null
++++ b/misc/bug18240.c
+@@ -0,0 +1,75 @@
++/* Test integer wraparound in hcreate.
++ Copyright (C) 2016 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <errno.h>
++#include <limits.h>
++#include <search.h>
++#include <stdbool.h>
++#include <stdio.h>
++#include <stdlib.h>
++
++static void
++test_size (size_t size)
++{
++ int res = hcreate (size);
++ if (res == 0)
++ {
++ if (errno == ENOMEM)
++ return;
++ printf ("error: hcreate (%zu): %m\n", size);
++ exit (1);
++ }
++ char *keys[100];
++ for (int i = 0; i < 100; ++i)
++ {
++ if (asprintf (keys + i, "%d", i) < 0)
++ {
++ printf ("error: asprintf: %m\n");
++ exit (1);
++ }
++ ENTRY e = { keys[i], (char *) "value" };
++ if (hsearch (e, ENTER) == NULL)
++ {
++ printf ("error: hsearch (\"%s\"): %m\n", keys[i]);
++ exit (1);
++ }
++ }
++ hdestroy ();
++
++ for (int i = 0; i < 100; ++i)
++ free (keys[i]);
++}
++
++static int
++do_test (void)
++{
++ test_size (500);
++ test_size (-1);
++ test_size (-3);
++ test_size (INT_MAX - 2);
++ test_size (INT_MAX - 1);
++ test_size (INT_MAX);
++ test_size (((unsigned) INT_MAX) + 1);
++ test_size (UINT_MAX - 2);
++ test_size (UINT_MAX - 1);
++ test_size (UINT_MAX);
++ return 0;
++}
++
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
+diff --git a/misc/hsearch_r.c b/misc/hsearch_r.c
+index 3a7c526..91fa63f 100644
+--- a/misc/hsearch_r.c
++++ b/misc/hsearch_r.c
+@@ -19,7 +19,7 @@
+ #include <errno.h>
+ #include <malloc.h>
+ #include <string.h>
+-
++#include <stdint.h>
+ #include <search.h>
+
+ /* [Aho,Sethi,Ullman] Compilers: Principles, Techniques and Tools, 1986
+@@ -46,15 +46,12 @@ static int
+ isprime (unsigned int number)
+ {
+ /* no even number will be passed */
+- unsigned int div = 3;
+-
+- while (div * div < number && number % div != 0)
+- div += 2;
+-
+- return number % div != 0;
++ for (unsigned int div = 3; div <= number / div; div += 2)
++ if (number % div == 0)
++ return 0;
++ return 1;
+ }
+
+-
+ /* Before using the hash table we must allocate memory for it.
+ Test for an existing table are done. We allocate one element
+ more as the found prime number says. This is done for more effective
+@@ -81,10 +78,19 @@ hcreate_r (nel, htab)
+ use will not work. */
+ if (nel < 3)
+ nel = 3;
+- /* Change nel to the first prime number not smaller as nel. */
+- nel |= 1; /* make odd */
+- while (!isprime (nel))
+- nel += 2;
++
++ /* Change nel to the first prime number in the range [nel, UINT_MAX - 2],
++ The '- 2' means 'nel += 2' cannot overflow. */
++ for (nel |= 1; ; nel += 2)
++ {
++ if (UINT_MAX - 2 < nel)
++ {
++ __set_errno (ENOMEM);
++ return 0;
++ }
++ if (isprime (nel))
++ break;
++ }
+
+ htab->size = nel;
+ htab->filled = 0;
 diff --git a/misc/mntent_r.c b/misc/mntent_r.c
 index 6159873..4f26998 100644
 --- a/misc/mntent_r.c
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-glibc/glibc.git
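Review bot: `UINT_MAX` is used in the new prime-search loop of hcreate_r, but the include hunk for misc/hsearch_r.c adds only `<stdint.h>` and no `<limits.h>` is visible among the includes shown, so the macro presumably arrives through another header. An explicit `#include <limits.h>` beside the added include would remove that dependency on transitive inclusion. The guard `if (UINT_MAX - 2 < nel)` also appears to be what keeps `nel` within the `unsigned int` parameter of `isprime` when `nel` is wider (the new test passes a `size_t` to hcreate), which the comment does not mention; it could gain a line such as `The bound also keeps nel representable as isprime's unsigned int argument.` hcreate_r's body starts and ends outside the hunk, so the allocation that consumes `htab->size` is not visible here and its size arithmetic should be confirmed separately.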