This is an automated email from the git hooks/post-receive script. aurel32 pushed a commit to branch sid in repository glibc.
commit f2a51d8c5a2e4a05320cf99e9ed7a8e58c23c412 Author: Aurelien Jarno <aurel...@aurel32.net> Date: Sun Dec 31 13:01:32 2017 +0100 debian/patches/git-updates.diff: update from upstream stable branch: * debian/patches/git-updates.diff: update from upstream stable branch: - Fixes incorrect RPATH/RUNPATH handling for SUID binaries (CVE-2017-16997). Closes: #884615. --- debian/changelog | 3 + debian/patches/git-updates.diff | 131 ++++++++++++++++++++++++++++++++++++---- 2 files changed, 123 insertions(+), 11 deletions(-) diff --git a/debian/changelog b/debian/changelog index 2b53951..b63b805 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,6 +3,9 @@ glibc (2.25-6) UNRELEASED; urgency=medium [ Aurelien Jarno ] * debian/control.in/main: add mips r6 architectures to Build-Depends: g++-6-multilib. Closes: #884774. + * debian/patches/git-updates.diff: update from upstream stable branch: + - Fixes incorrect RPATH/RUNPATH handling for SUID binaries + (CVE-2017-16997). Closes: #884615. -- Aurelien Jarno <aure...@debian.org> Wed, 20 Dec 2017 22:29:01 +0100 diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff index 793c02f..eaba5e3 100644 --- a/debian/patches/git-updates.diff +++ b/debian/patches/git-updates.diff @@ -1,10 +1,26 @@ GIT update of git://sourceware.org/git/glibc.git/release/2.25/master from glibc-2.25 diff --git a/ChangeLog b/ChangeLog -index f140ee67de..1868c7a7be 100644 +index f140ee67de..a3db9c09f2 100644 --- a/ChangeLog 
+++ b/ChangeLog -@@ -1,3 +1,734 @@ +@@ -1,3 +1,750 @@ ++2017-12-30 Aurelien Jarno <aurel...@aurel32.net> ++ Dmitry V. Levin <l...@altlinux.org> ++ ++ [BZ #22625] ++ * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic ++ string token expansion. Check for NULL pointer or empty string possibly ++ returned by expand_dynamic_string_token. ++ (decompose_rpath): Check for empty path after dynamic string ++ token expansion. ++ ++2017-12-18 Dmitry V. Levin <l...@altlinux.org> ++ ++ [BZ #22627] ++ * elf/dl-load.c (_dl_init_paths): Remove _dl_dst_substitute preparatory ++ code and invocation. ++ +2017-12-14 Florian Weimer <fwei...@redhat.com> + + [BZ #22607] @@ -843,10 +859,10 @@ index e9194e54cf..43343f03ee 100644 | sed -n -f $< > $@.new test -s $@.new diff --git a/NEWS b/NEWS -index ec15dde761..2c4c9d63aa 100644 +index ec15dde761..7c44ba2a8a 100644 --- a/NEWS +++ b/NEWS -@@ -5,6 +5,55 @@ See the end for copying conditions. +@@ -5,6 +5,60 @@ See the end for copying conditions. Please send GNU C library bug reports via <http://sourceware.org/bugzilla/> using `glibc' in the "product" field. @@ -881,6 +897,10 @@ index ec15dde761..2c4c9d63aa 100644 + CVE-2017-1000366 has been applied, but it is mentioned here only because + of the CVE assignment.) Reported by Qualys. + ++ CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN ++ for AT_SECURE or SUID binaries could be used to load libraries from the ++ current directory. ++ +The following bugs are resolved with this release: + + [20257] sunrpc: clntudp_call does not enforce timeout when receiving data @@ -898,6 +918,7 @@ index ec15dde761..2c4c9d63aa 100644 + [21778] Robust mutex may deadlock + [21972] assert macro requires operator== (int) for its argument type + [22322] libc: [mips64] wrong bits/long-double.h installed ++ [22627] $ORIGIN in $LD_LIBRARY_PATH is substituted twice + Version 2.25 
@@ -1157,7 +1178,7 @@ index 61abeb59ee..cc4aeb25b6 100644 tst-env-setuid-tunables-ENV = \ GLIBC_TUNABLES=glibc.malloc.check=2:glibc.malloc.mmap_threshold=4096 diff --git a/elf/dl-load.c b/elf/dl-load.c -index a5318f9c8d..92303b08e6 100644 +index a5318f9c8d..58e7220050 100644 --- a/elf/dl-load.c +++ b/elf/dl-load.c @@ -37,6 +37,7 @@ 
@@ -1190,7 +1211,79 @@ index a5318f9c8d..92303b08e6 100644 static bool is_trusted_path (const char *path, size_t len) -@@ -688,9 +689,8 @@ _dl_init_paths (const char *llp) +@@ -433,31 +434,40 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep, + { + char *cp; + size_t nelems = 0; +- char *to_free; + + while ((cp = __strsep (&rpath, sep)) != NULL) + { + struct r_search_path_elem *dirp; ++ char *to_free = NULL; ++ size_t len = 0; + +- to_free = cp = expand_dynamic_string_token (l, cp, 1); ++ /* `strsep' can pass an empty string. */ ++ if (*cp != '\0') ++ { ++ to_free = cp = expand_dynamic_string_token (l, cp, 1); + +- size_t len = strlen (cp); ++ /* expand_dynamic_string_token can return NULL in case of empty ++ path or memory allocation failure. */ ++ if (cp == NULL) ++ continue; + +- /* `strsep' can pass an empty string. This has to be +- interpreted as `use the current directory'. */ +- if (len == 0) +- { +- static const char curwd[] = "./"; +- cp = (char *) curwd; +- } ++ /* Compute the length after dynamic string token expansion and ++ ignore empty paths. */ ++ len = strlen (cp); ++ if (len == 0) ++ { ++ free (to_free); ++ continue; ++ } + +- /* Remove trailing slashes (except for "/"). */ +- while (len > 1 && cp[len - 1] == '/') +- --len; ++ /* Remove trailing slashes (except for "/"). */ ++ while (len > 1 && cp[len - 1] == '/') ++ --len; + +- /* Now add one if there is none so far. */ +- if (len > 0 && cp[len - 1] != '/') +- cp[len++] = '/'; ++ /* Now add one if there is none so far. */ ++ if (len > 0 && cp[len - 1] != '/') ++ cp[len++] = '/'; ++ } + + /* Make sure we don't use untrusted directories if we run SUID. */ + if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len)) +@@ -621,6 +631,14 @@ decompose_rpath (struct r_search_path_struct *sps, + necessary. */ + free (copy); + ++ /* There is no path after expansion. 
*/ ++ if (result[0] == NULL) ++ { ++ free (result); ++ sps->dirs = (struct r_search_path_elem **) -1; ++ return false; ++ } ++ + sps->dirs = result; + /* The caller will change this value if we haven't used a real malloc. */ + sps->malloced = 1; +@@ -688,9 +706,8 @@ _dl_init_paths (const char *llp) + ncapstr * sizeof (enum r_dir_status)) / sizeof (struct r_search_path_elem)); @@ -1202,16 +1295,32 @@ index a5318f9c8d..92303b08e6 100644 if (rtld_search_dirs.dirs[0] == NULL) { errstring = N_("cannot create cache for search path"); -@@ -776,8 +776,6 @@ _dl_init_paths (const char *llp) +@@ -776,37 +793,14 @@ _dl_init_paths (const char *llp) if (llp != NULL && *llp != '\0') { - size_t nllp; - const char *cp = llp; - char *llp_tmp; - - #ifdef SHARED -@@ -800,13 +798,10 @@ _dl_init_paths (const char *llp) +- char *llp_tmp; +- +-#ifdef SHARED +- /* Expand DSTs. */ +- size_t cnt = DL_DST_COUNT (llp, 1); +- if (__glibc_likely (cnt == 0)) +- llp_tmp = strdupa (llp); +- else +- { +- /* Determine the length of the substituted string. */ +- size_t total = DL_DST_REQUIRED (l, llp, strlen (llp), cnt); +- +- /* Allocate the necessary memory. */ +- llp_tmp = (char *) alloca (total + 1); +- llp_tmp = _dl_dst_substitute (l, llp, llp_tmp, 1); +- } +-#else +- llp_tmp = strdupa (llp); +-#endif ++ char *llp_tmp = strdupa (llp); /* Decompose the LD_LIBRARY_PATH contents. First determine how many elements it has. */ -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-glibc/glibc.git
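Review bot: In the rewritten `fillin_rpath` loop in elf/dl-load.c, the comment above `if (*cp != '\0')` no longer says what an empty token means. That branch is skipped for an empty token, which still reaches `is_trusted_path (cp, len)` with `len == 0`, whereas a token that is empty or NULL after `expand_dynamic_string_token` is now dropped with `continue`. That asymmetry is the substance of the CVE-2017-16997 fix, so I would state it in the comment, e.g. `/* An empty token from strsep is kept (historically "use the current directory"); a token that is empty after DST expansion is ignored below. */`. The rest of the loop and the body of `is_trusted_path` are outside this hunk, so it is worth confirming how a zero-length entry is handled when `check_trusted` is set. The `(struct r_search_path_elem **) -1` sentinel added in `decompose_rpath` would also benefit from a short comment saying what callers are expected to read from it.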