Hello community, here is the log from the commit of package glibc for openSUSE:Factory checked in at 2019-03-06 19:01:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/glibc (Old) and /work/SRC/openSUSE:Factory/.glibc.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "glibc" Wed Mar 6 19:01:26 2019 rev:227 rq:681703 version:2.29 Changes: -------- --- /work/SRC/openSUSE:Factory/glibc/glibc.changes 2019-02-24 16:55:44.184899034 +0100 +++ /work/SRC/openSUSE:Factory/.glibc.new.28833/glibc.changes 2019-03-06 19:01:26.765106180 +0100 @@ -1,0 +2,8 @@ +Tue Mar 5 10:38:30 UTC 2019 - Andreas Schwab <sch...@suse.de> + +- regex-read-overrun.patch: fix read overrun (CVE-2019-9169, bsc#1127308, + BZ #24114) +- ldconfig-concurrency.patch: Avoid concurrency problem in ldconfig + (bsc#1117993, BZ #23973) + +------------------------------------------------------------------- @@ -59,0 +68 @@ +- CVE-2016-10739 @@ -172,0 +182 @@ +- CVE-2009-5155, CVE-2015-8985 New: ---- ldconfig-concurrency.patch regex-read-overrun.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ glibc.spec ++++++ --- /var/tmp/diff_new_pack.SpW4C2/_old 2019-03-06 19:01:29.081105557 +0100 +++ /var/tmp/diff_new_pack.SpW4C2/_new 2019-03-06 19:01:29.085105555 +0100 @@ -71,8 +71,7 @@ BuildRequires: gcc-c++ BuildRequires: gdb BuildRequires: glibc-devel-static -# BZ #24113 -#BuildRequires: libidn2-0 +BuildRequires: libidn2-0 BuildRequires: libstdc++-devel BuildRequires: python3-pexpect %endif @@ -284,6 +283,8 @@ Patch1005: riscv-clone-unwind.patch # PATCH-FIX-UPSTREAM Add new Fortran vector math header file. Patch1006: add-new-Fortran-vector-math-header-file.patch +# PATCH-FIX-UPSTREAM regex: fix read overrun (CVE-2019-9169, BZ #24114) +Patch1007: regex-read-overrun.patch ### # Patches awaiting upstream approval @@ -296,6 +297,8 @@ Patch2005: nss-files-long-lines-2.patch # PATCH-FIX-UPSTREAM Fix iconv buffer handling with IGNORE error handler (BZ #18830) Patch2006: iconv-reset-input-buffer.patch +# PATCH-FIX-UPSTREAM Avoid concurrency problem in ldconfig (BZ #23973) +Patch2007: ldconfig-concurrency.patch # Non-glibc patches # PATCH-FIX-OPENSUSE Remove debianisms from manpages @@ -500,11 +503,13 @@ %patch1004 -p1 %patch1005 -p1 %patch1006 -p1 +%patch1007 -p1 %patch2000 -p1 %patch2004 -p1 %patch2005 -p1 %patch2006 -p1 +%patch2007 -p1 %patch3000 ++++++ ldconfig-concurrency.patch ++++++ * elf/cache.c (save_cache): Use unique temporary name. (save_aux_cache): Likewise. Index: glibc-2.29/elf/cache.c =================================================================== --- glibc-2.29.orig/elf/cache.c +++ glibc-2.29/elf/cache.c @@ -427,12 +427,12 @@ save_cache (const char *cache_name) /* Write out the cache. */ /* Write cache first to a temporary file and rename it later. */ - char *temp_name = xmalloc (strlen (cache_name) + 2); - sprintf (temp_name, "%s~", cache_name); + char *temp_name; + if (asprintf (&temp_name, "%s.XXXXXX", cache_name) < 0) + error (EXIT_FAILURE, errno, _("Can't allocate temporary name for cache file")); /* Create file. */ - int fd = open (temp_name, O_CREAT|O_WRONLY|O_TRUNC|O_NOFOLLOW, - S_IRUSR|S_IWUSR); + int fd = mkostemp (temp_name, 0); if (fd < 0) error (EXIT_FAILURE, errno, _("Can't create temporary cache file %s"), temp_name); @@ -481,6 +481,7 @@ save_cache (const char *cache_name) free (file_entries_new); free (file_entries); free (strings); + free (temp_name); while (entries) { @@ -804,8 +805,9 @@ save_aux_cache (const char *aux_cache_na /* Write out auxiliary cache file. */ /* Write auxiliary cache first to a temporary file and rename it later. */ - char *temp_name = xmalloc (strlen (aux_cache_name) + 2); - sprintf (temp_name, "%s~", aux_cache_name); + char *temp_name; + if (asprintf (&temp_name, "%s.XXXXXX", aux_cache_name) < 0) + goto out_fail2; /* Check that directory exists and create if needed. */ char *dir = strdupa (aux_cache_name); @@ -819,8 +821,7 @@ save_aux_cache (const char *aux_cache_na } /* Create file. */ - int fd = open (temp_name, O_CREAT|O_WRONLY|O_TRUNC|O_NOFOLLOW, - S_IRUSR|S_IWUSR); + int fd = mkostemp (temp_name, 0); if (fd < 0) goto out_fail; @@ -840,5 +841,6 @@ save_aux_cache (const char *aux_cache_na out_fail: /* Free allocated memory. */ free (temp_name); +out_fail2: free (file_entries); } ++++++ regex-read-overrun.patch ++++++ 2019-01-31 Paul Eggert <egg...@cs.ucla.edu> regex: fix read overrun [BZ #24114] Problem found by AddressSanitizer, reported by Hongxu Chen in: https://debbugs.gnu.org/34140 * posix/regexec.c (proceed_next_node): Do not read past end of input buffer. Index: glibc-2.29/posix/regexec.c =================================================================== --- glibc-2.29.orig/posix/regexec.c +++ glibc-2.29/posix/regexec.c @@ -1293,8 +1293,10 @@ proceed_next_node (const re_match_contex else if (naccepted) { char *buf = (char *) re_string_get_buffer (&mctx->input); - if (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx, - naccepted) != 0) + if (mctx->input.valid_len - *pidx < naccepted + || (memcmp (buf + regs[subexp_idx].rm_so, buf + *pidx, + naccepted) + != 0)) return -1; } }