This is an automated email from the git hooks/post-receive script. aurel32 pushed a commit to branch jessie in repository glibc.
commit aee812ba99f1f0d49c93e6f4a1b08b0d95147080 Author: Aurelien Jarno <aurel...@aurel32.net> Date: Sat Jan 30 12:43:26 2016 +0100 Update from upstream stable branch - Fix an integer overflow in hcreate() and hcreate_r() (CVE-2015-8778). Closes: #812441. --- debian/changelog | 2 + debian/patches/git-updates.diff | 177 +++++++++++++++++++++++++++++++++++++++- 2 files changed, 175 insertions(+), 4 deletions(-) diff --git a/debian/changelog b/debian/changelog index 0931f1b..07a33a8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -4,6 +4,8 @@ glibc (2.19-18+deb8u3) UNRELEASED; urgency=medium * Update from upstream stable branch: - Fix segmentation fault caused by passing out-of-range data to strftime() (CVE-2015-8776). Closes: #812445. + - Fix an integer overflow in hcreate() and hcreate_r() (CVE-2015-8778). + Closes: #812441. - Fix multiple unbounded stack allocations in catopen() (CVE-2015-8779). Closes: #812455. diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff index ceefe46..ca3bd98 100644 --- a/debian/patches/git-updates.diff +++ b/debian/patches/git-updates.diff @@ -1,10 +1,27 @@ GIT update of git://sourceware.org/git/glibc.git/release/2.19/master from glibc-2.19 diff --git a/ChangeLog b/ChangeLog -index 81c393a..871c722 100644 +index 81c393a..e17bd64 100644 --- a/ChangeLog +++ b/ChangeLog -@@ -1,3 +1,422 @@ +@@ -1,3 +1,439 @@ ++2016-01-27 Paul Eggert <egg...@cs.ucla.edu> ++ ++ [BZ #18240] ++ * misc/hsearch_r.c (isprime, __hcreate_r): Protect against ++ unsigned int wraparound. ++ ++2016-01-27 Florian Weimer <fwei...@redhat.com> ++ ++ [BZ #18240] ++ * misc/bug18240.c: New test. ++ * misc/Makefile (tests): Add it. ++ ++2015-08-25 Ondřej Bílka <nel...@seznam.cz> ++ ++ [BZ #18240] ++ * misc/hsearch_r.c (__hcreate_r): Handle overflow. ++ +2015-09-26 Paul Pluzhnikov <ppluzhni...@google.com> + + [BZ #18985] @@ -428,7 +445,7 @@ index 81c393a..871c722 100644 [BZ #16529] 
diff --git a/NEWS b/NEWS -index 98b479e..44fe916 100644 +index 98b479e..0d1952c 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,65 @@ See the end for copying conditions. @@ -442,7 +459,7 @@ index 98b479e..44fe916 100644 + 15946, 16545, 16574, 16623, 16657, 16695, 16743, 16758, 16759, 16760, + 16878, 16882, 16885, 16916, 16932, 16943, 16958, 17048, 17062, 17069, + 17079, 17137, 17153, 17213, 17263, 17269, 17325, 17555, 17905, 18007, -+ 18032, 18287, 18905. ++ 18032, 18240, 18287, 18905. + +* A buffer overflow in gethostbyname_r and related functions performing DNS + requests has been fixed. If the NSS functions were called with a 
@@ -1618,6 +1635,158 @@ index 0000000..e3b21a9 + +#define TEST_FUNCTION do_test () +#include "../test-skeleton.c" +diff --git a/misc/Makefile b/misc/Makefile +index b039182..ad9e921 100644 +--- a/misc/Makefile ++++ b/misc/Makefile +@@ -76,7 +76,8 @@ install-lib := libg.a + gpl2lgpl := error.c error.h + + tests := tst-dirname tst-tsearch tst-fdset tst-efgcvt tst-mntent tst-hsearch \ +- tst-error1 tst-pselect tst-insremque tst-mntent2 bug-hsearch1 ++ tst-error1 tst-pselect tst-insremque tst-mntent2 bug-hsearch1 \ ++ bug18240 + ifeq ($(run-built-tests),yes) + tests: $(objpfx)tst-error1-mem + endif +diff --git a/misc/bug18240.c b/misc/bug18240.c +new file mode 100644 +index 0000000..4b26865 +--- /dev/null ++++ b/misc/bug18240.c +@@ -0,0 +1,75 @@ ++/* Test integer wraparound in hcreate. ++ Copyright (C) 2016 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. 
*/ ++ ++#include <errno.h> ++#include <limits.h> ++#include <search.h> ++#include <stdbool.h> ++#include <stdio.h> ++#include <stdlib.h> ++ ++static void ++test_size (size_t size) ++{ ++ int res = hcreate (size); ++ if (res == 0) ++ { ++ if (errno == ENOMEM) ++ return; ++ printf ("error: hcreate (%zu): %m\n", size); ++ exit (1); ++ } ++ char *keys[100]; ++ for (int i = 0; i < 100; ++i) ++ { ++ if (asprintf (keys + i, "%d", i) < 0) ++ { ++ printf ("error: asprintf: %m\n"); ++ exit (1); ++ } ++ ENTRY e = { keys[i], (char *) "value" }; ++ if (hsearch (e, ENTER) == NULL) ++ { ++ printf ("error: hsearch (\"%s\"): %m\n", keys[i]); ++ exit (1); ++ } ++ } ++ hdestroy (); ++ ++ for (int i = 0; i < 100; ++i) ++ free (keys[i]); ++} ++ ++static int ++do_test (void) ++{ ++ test_size (500); ++ test_size (-1); ++ test_size (-3); ++ test_size (INT_MAX - 2); ++ test_size (INT_MAX - 1); ++ test_size (INT_MAX); ++ test_size (((unsigned) INT_MAX) + 1); ++ test_size (UINT_MAX - 2); ++ test_size (UINT_MAX - 1); ++ test_size (UINT_MAX); ++ return 0; ++} ++ ++#define TEST_FUNCTION do_test () ++#include "../test-skeleton.c" +diff --git a/misc/hsearch_r.c b/misc/hsearch_r.c +index 81c27d8..af55212 100644 +--- a/misc/hsearch_r.c ++++ b/misc/hsearch_r.c +@@ -19,7 +19,7 @@ + #include <errno.h> + #include <malloc.h> + #include <string.h> +- ++#include <stdint.h> + #include <search.h> + + /* [Aho,Sethi,Ullman] Compilers: Principles, Techniques and Tools, 1986 +@@ -46,15 +46,12 @@ static int + isprime (unsigned int number) + { + /* no even number will be passed */ +- unsigned int div = 3; +- +- while (div * div < number && number % div != 0) +- div += 2; +- +- return number % div != 0; ++ for (unsigned int div = 3; div <= number / div; div += 2) ++ if (number % div == 0) ++ return 0; ++ return 1; + } + +- + /* Before using the hash table we must allocate memory for it. + Test for an existing table are done. We allocate one element + more as the found prime number says. 
This is done for more effective +@@ -81,10 +78,19 @@ hcreate_r (nel, htab) + use will not work. */ + if (nel < 3) + nel = 3; +- /* Change nel to the first prime number not smaller as nel. */ +- nel |= 1; /* make odd */ +- while (!isprime (nel)) +- nel += 2; ++ ++ /* Change nel to the first prime number in the range [nel, UINT_MAX - 2], ++ The '- 2' means 'nel += 2' cannot overflow. */ ++ for (nel |= 1; ; nel += 2) ++ { ++ if (UINT_MAX - 2 < nel) ++ { ++ __set_errno (ENOMEM); ++ return 0; ++ } ++ if (isprime (nel)) ++ break; ++ } + + htab->size = nel; + htab->filled = 0; diff --git a/misc/sys/xattr.h b/misc/sys/xattr.h index 929cd87..796df90 100644 --- a/misc/sys/xattr.h -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-glibc/glibc.git
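Review bot: The new bound in hcreate_r, `if (UINT_MAX - 2 < nel)`, does two jobs and its comment explains only one: besides keeping `nel += 2` from wrapping, it has to run before `isprime (nel)`, because isprime takes `unsigned int` and a wider nel (the test passes a `size_t` to hcreate) would be truncated in that call. I would say so in the comment, e.g. `/* Checked before isprime: nel may be wider than unsigned int and must not be truncated.  */`, so a later refactor does not reorder the two tests. The check relies on `UINT_MAX`, yet the include hunk adds `<stdint.h>` and nothing visible adds `<limits.h>`; unless another header already provides it, `#include <limits.h>` belongs here. In bug18240.c, test_size returns on ENOMEM and also passes on success, so it never asserts that sizes above `UINT_MAX - 2` are rejected; assuming hcreate forwards nel unchanged, `if (res != 0 && size > UINT_MAX - 2) exit (1);` would pin that. hcreate_r's body starts before and continues past this hunk, so the allocation that uses `htab->size` is not visible here.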