Hello community,

here is the log from the commit of package glibc for openSUSE:Factory checked 
in at 2019-12-14 12:01:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/glibc (Old)
 and      /work/SRC/openSUSE:Factory/.glibc.new.4691 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "glibc"

Sat Dec 14 12:01:51 2019 rev:233 rq:755339 version:2.30

Changes:
--------
--- /work/SRC/openSUSE:Factory/glibc/glibc.changes      2019-09-27 
14:43:10.241588196 +0200
+++ /work/SRC/openSUSE:Factory/.glibc.new.4691/glibc.changes    2019-12-14 
12:02:03.759415431 +0100
@@ -1,0 +2,25 @@
+Mon Dec  9 13:21:34 UTC 2019 - Andreas Schwab <sch...@suse.de>
+
+- prefer-map-32bit-exec.patch: rtld: Check __libc_enable_secure before
+  honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126, bsc#1157292, BZ
+  #25204)
+
+-------------------------------------------------------------------
+Tue Nov 26 11:34:45 CET 2019 - ku...@suse.de
+
+- nsswitch.conf: add usrfiles for services, protocols, rpc, ethers
+  and aliases for /usr/etc move
+
+-------------------------------------------------------------------
+Mon Oct 14 13:36:30 UTC 2019 - Andreas Schwab <sch...@suse.de>
+
+- euc-kr-overrun.patch: Fix buffer overrun in EUC-KR conversion module
+  (BZ #24973)
+
+-------------------------------------------------------------------
+Thu Oct 10 14:39:24 UTC 2019 - Andreas Schwab <sch...@suse.de>
+
+- ldconfig-dynstr.patch: ldconfig: handle .dynstr located in separate
+  segment (bsc#1153149, BZ #25087)
+
+-------------------------------------------------------------------

New:
----
  euc-kr-overrun.patch
  ldconfig-dynstr.patch
  prefer-map-32bit-exec.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ glibc.spec ++++++
--- /var/tmp/diff_new_pack.Nl9uJN/_old  2019-12-14 12:02:16.663413505 +0100
+++ /var/tmp/diff_new_pack.Nl9uJN/_new  2019-12-14 12:02:16.687413501 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package glibc
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -157,7 +157,7 @@
 %define git_id %(echo %version | sed 's/.*\.g//')
 %define libversion %(echo %version | sed 's/\.[^.]*\.g.*//')
 %endif
-Url:            http://www.gnu.org/software/libc/libc.html
+URL:            http://www.gnu.org/software/libc/libc.html
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %if !%{build_snapshot}
 Source:         http://ftp.gnu.org/pub/gnu/glibc/glibc-%{version}.tar.xz
@@ -248,8 +248,6 @@
 # PATCH-FIX-OPENSUSE -- Disable gettext for C.UTF-8 locale
 Patch105:       glibc-disable-gettext-for-c-utf8.patch
 
-### Broken patches in glibc that we revert for now:
-
 ### Network related patches
 # PATCH-FIX-OPENSUSE Warn about usage of mdns in resolv.conv
 Patch304:       glibc-resolv-mdnshint.diff
@@ -263,6 +261,8 @@
 Patch1000:      malloc-info-whitespace.patch
 # PATCH-FIX-UPSTREAM Fix RISC-V vfork build with Linux 5.3 kernel headers
 Patch1001:      riscv-vfork.patch
+# PATCH-FIX-UPSTREAM rtld: Check __libc_enable_secure before honoring 
LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126, BZ #25204)
+Patch1002:      prefer-map-32bit-exec.patch
 
 ### 
 # Patches awaiting upstream approval
@@ -271,6 +271,10 @@
 Patch2000:      fix-locking-in-_IO_cleanup.patch
 # PATCH-FIX-UPSTREAM Avoid concurrency problem in ldconfig (BZ #23973)
 Patch2001:      ldconfig-concurrency.patch
+# PATCH-FIX-UPSTREAM ldconfig: handle .dynstr located in separate segment (BZ 
#25087)
+Patch2002:      ldconfig-dynstr.patch
+# PATCH-FIX-UPSTREAM Fix buffer overrun in EUC-KR conversion module (BZ #24973)
+Patch2003:      euc-kr-overrun.patch
 
 # Non-glibc patches
 # PATCH-FIX-OPENSUSE Remove debianisms from manpages
@@ -470,9 +474,12 @@
 
 %patch1000 -p1
 %patch1001 -p1
+%patch1002 -p1
 
 %patch2000 -p1
 %patch2001 -p1
+%patch2002 -p1
+%patch2003 -p1
 
 %patch3000
 

++++++ euc-kr-overrun.patch ++++++
Fix buffer overrun in EUC-KR conversion module (bug 24973)

The byte 0xfe as input to the EUC-KR conversion denotes a user-defined
area and is not allowed.  The from_euc_kr function used to skip two bytes
when told to skip over the unknown designation, potentially running over
the buffer end.

        [BZ #24973]
        * iconvdata/ksc5601.h (ksc5601_to_ucs4): Check for available bytes
        first.
        * iconvdata/euc-kr.c (BODY for FROM_LOOP): Don't check for unknown
        two-byte codes here.
        * iconvdata/Makefile (tests): Add bug-iconv13.
        * iconvdata/bug-iconv13.c: New file.
---
 iconvdata/Makefile      |  2 +-
 iconvdata/bug-iconv13.c | 53 +++++++++++++++++++++++++++++++++++++++++
 iconvdata/euc-kr.c      |  6 +----
 iconvdata/ksc5601.h     |  6 ++---
 4 files changed, 58 insertions(+), 9 deletions(-)
 create mode 100644 iconvdata/bug-iconv13.c

Index: glibc-2.30/iconvdata/Makefile
===================================================================
--- glibc-2.30.orig/iconvdata/Makefile
+++ glibc-2.30/iconvdata/Makefile
@@ -73,7 +73,7 @@ modules.so := $(addsuffix .so, $(modules
 ifeq (yes,$(build-shared))
 tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \
        tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \
-       bug-iconv10 bug-iconv11 bug-iconv12
+       bug-iconv10 bug-iconv11 bug-iconv12 bug-iconv13
 ifeq ($(have-thread-library),yes)
 tests += bug-iconv3
 endif
Index: glibc-2.30/iconvdata/bug-iconv13.c
===================================================================
--- /dev/null
+++ glibc-2.30/iconvdata/bug-iconv13.c
@@ -0,0 +1,53 @@
+/* bug 24973: Test EUC-KR module
+   Copyright (C) 2019 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <errno.h>
+#include <iconv.h>
+#include <stdio.h>
+#include <support/check.h>
+
+static int
+do_test (void)
+{
+  iconv_t cd = iconv_open ("UTF-8//IGNORE", "EUC-KR");
+  TEST_VERIFY_EXIT (cd != (iconv_t) -1);
+
+  /* 0xfe (->0x7e : row 94) and 0xc9 (->0x49 : row 41) are user-defined
+     areas, which are not allowed and should be skipped over due to
+     //IGNORE.  The trailing 0xfe also is an incomplete sequence, which
+     should be checked first.  */
+  char input[4] = { '\xc9', '\xa1', '\0', '\xfe' };
+  char *inptr = input;
+  size_t insize = sizeof (input);
+  char output[4];
+  char *outptr = output;
+  size_t outsize = sizeof (output);
+
+  /* This used to crash due to buffer overrun.  */
+  TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == (size_t) -1);
+  TEST_VERIFY (errno == EINVAL);
+  /* The conversion should produce one character, the converted null
+     character.  */
+  TEST_VERIFY (sizeof (output) - outsize == 1);
+
+  TEST_VERIFY_EXIT (iconv_close (cd) != -1);
+
+  return 0;
+}
+
+#include <support/test-driver.c>
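Review bot: The new test in do_test checks the return value, errno and the output count, but never checks how far the input pointer advanced, which is the quantity the overrun was about. After the iconv call I would add `TEST_VERIFY (inptr == input + 3);` and `TEST_VERIFY (insize == 1);`, which presumably hold when conversion stops at the trailing incomplete 0xfe. A regression that over-consumes input could then fail the test deterministically rather than depending on a crash. It may also be worth asserting `output[0] == '\0'`, so the one converted byte is checked for content and not only counted.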
Index: glibc-2.30/iconvdata/euc-kr.c
===================================================================
--- glibc-2.30.orig/iconvdata/euc-kr.c
+++ glibc-2.30/iconvdata/euc-kr.c
@@ -80,11 +80,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned c
                                                                              \
     if (ch <= 0x9f)                                                          \
       ++inptr;                                                               \
-    /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are                   \
-       user-defined areas.  */                                               \
-    else if (__builtin_expect (ch == 0xa0, 0)                                \
-            || __builtin_expect (ch > 0xfe, 0)                               \
-            || __builtin_expect (ch == 0xc9, 0))                             \
+    else if (__glibc_unlikely (ch == 0xa0))                                  \
       {                                                                        
      \
        /* This is illegal.  */                                               \
        STANDARD_FROM_LOOP_ERR_HANDLER (1);                                   \
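Review bot: With the 0xc9 and 0xfe tests removed from this branch, nothing at this site says where those lead bytes are rejected, and the deleted comment was the only mention of the user-defined rows. A short comment above the `else if` would keep a later reader from re-adding the check here, for example `/* Rows 41 (0xc9) and 94 (0xfe) are rejected in ksc5601_to_ucs4, after its length check. */`. The macro body starts and continues outside this hunk, so the handling of the unknown-character result is not visible here. It is worth confirming that that path skips two bytes only when two bytes are available.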
Index: glibc-2.30/iconvdata/ksc5601.h
===================================================================
--- glibc-2.30.orig/iconvdata/ksc5601.h
+++ glibc-2.30/iconvdata/ksc5601.h
@@ -50,15 +50,15 @@ ksc5601_to_ucs4 (const unsigned char **s
   unsigned char ch2;
   int idx;
 
+  if (avail < 2)
+    return 0;
+
   /* row 94(0x7e) and row 41(0x49) are user-defined area in KS C 5601 */
 
   if (ch < offset || (ch - offset) <= 0x20 || (ch - offset) >= 0x7e
       || (ch - offset) == 0x49)
     return __UNKNOWN_10646_CHAR;
 
-  if (avail < 2)
-    return 0;
-
   ch2 = (*s)[1];
   if (ch2 < offset || (ch2 - offset) <= 0x20 || (ch2 - offset) >= 0x7f)
     return __UNKNOWN_10646_CHAR;
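Review bot: Moving `if (avail < 2) return 0;` ahead of the row checks changes the result for a lone invalid lead byte at the end of the input: it is now reported as incomplete rather than unknown. That applies to every converter that includes this header, not only EUC-KR, while the added test covers EUC-KR alone. The other includers are not visible on this page and should be checked for the same end-of-buffer case. The ordering is now load-bearing and deserves a comment, for example `/* Must come first: callers may skip two bytes on __UNKNOWN_10646_CHAR. */`. The function starts and ends outside this hunk.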

++++++ ldconfig-dynstr.patch ++++++
ldconfig: handle .dynstr located in separate segment (bug 25087)

To determine the load offset of the DT_STRTAB section search for the
segment containing it, instead of using the load offset of the first
segment.

        [BZ #25087]
        * elf/readelflib.c (process_elf_file): Use containing segment for
        DT_STRTAB load offset.
---
 elf/readelflib.c | 34 +++++++++++++++++++++-------------
 1 file changed, 21 insertions(+), 13 deletions(-)

Index: glibc-2.30/elf/readelflib.c
===================================================================
--- glibc-2.30.orig/elf/readelflib.c
+++ glibc-2.30/elf/readelflib.c
@@ -45,7 +45,6 @@ process_elf_file (const char *file_name,
 {
   int i;
   unsigned int j;
-  ElfW(Addr) loadaddr;
   unsigned int dynamic_addr;
   size_t dynamic_size;
   char *program_interpreter;
@@ -87,7 +86,6 @@ process_elf_file (const char *file_name,
      libc5/libc6.  */
   *flag = FLAG_ELF;
 
-  loadaddr = -1;
   dynamic_addr = 0;
   dynamic_size = 0;
   program_interpreter = NULL;
@@ -98,11 +96,6 @@ process_elf_file (const char *file_name,
 
       switch (segment->p_type)
        {
-       case PT_LOAD:
-         if (loadaddr == (ElfW(Addr)) -1)
-           loadaddr = segment->p_vaddr - segment->p_offset;
-         break;
-
        case PT_DYNAMIC:
          if (dynamic_addr)
            error (0, 0, _("more than one dynamic segment\n"));
@@ -176,11 +169,6 @@ process_elf_file (const char *file_name,
        }
 
     }
-  if (loadaddr == (ElfW(Addr)) -1)
-    {
-      /* Very strange. */
-      loadaddr = 0;
-    }
 
   /* Now we can read the dynamic sections.  */
   if (dynamic_size == 0)
@@ -197,7 +185,27 @@ process_elf_file (const char *file_name,
       check_ptr (dyn_entry);
       if (dyn_entry->d_tag == DT_STRTAB)
        {
-         dynamic_strings = (char *) (file_contents + dyn_entry->d_un.d_val - 
loadaddr);
+         /* Find the file offset of the segment containing the dynamic
+            string table.  */
+         ElfW(Off) loadoff = -1;
+         for (i = 0, segment = elf_pheader;
+              i < elf_header->e_phnum; i++, segment++)
+           {
+             if (segment->p_type == PT_LOAD
+                 && dyn_entry->d_un.d_val >= segment->p_vaddr
+                 && dyn_entry->d_un.d_val < segment->p_vaddr + 
segment->p_filesz)
+               {
+                 loadoff = segment->p_vaddr - segment->p_offset;
+                 break;
+               }
+           }
+         if (loadoff == (ElfW(Off)) -1)
+           {
+             /* Very strange. */
+             loadoff = 0;
+           }
+
+         dynamic_strings = (char *) (file_contents + dyn_entry->d_un.d_val - 
loadoff);
          check_ptr (dynamic_strings);
          break;
        }
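Review bot: The containment test `dyn_entry->d_un.d_val < segment->p_vaddr + segment->p_filesz` can wrap when a malformed program header carries a large p_vaddr or p_filesz, so an address outside the segment may be accepted. Writing the upper bound as `dyn_entry->d_un.d_val - segment->p_vaddr < segment->p_filesz`, after the existing `>=` test, avoids the addition. The fallback `loadoff = 0` also silently treats the virtual address as a file offset when no PT_LOAD segment contains DT_STRTAB, leaving the following check_ptr as the only guard. Reporting the file as malformed there would be clearer than guessing. process_elf_file starts and continues outside this hunk.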
++++++ nsswitch.conf ++++++
--- /var/tmp/diff_new_pack.Nl9uJN/_old  2019-12-14 12:02:17.059413445 +0100
+++ /var/tmp/diff_new_pack.Nl9uJN/_new  2019-12-14 12:02:17.063413444 +0100
@@ -29,14 +29,14 @@
 hosts:         files dns
 networks:      files dns
 
-services:      files
-protocols:     files
-rpc:           files
-ethers:                files
+services:      files usrfiles
+protocols:     files usrfiles
+rpc:           files usrfiles
+ethers:                files usrfiles
 netmasks:      files
 netgroup:      files nis
 publickey:     files
 
 bootparams:    files
 automount:     files nis
-aliases:       files
+aliases:       files usrfiles
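Review bot: The `usrfiles` source added to services, protocols, rpc, ethers and aliases is not explained anywhere in the visible part of the file. A one-line comment above `services:` would help an administrator auditing lookup order, for example `# usrfiles: fall back to the vendor copies under /usr/etc when /etc has no entry`. The wording is taken from the changelog entry and should be confirmed against the module's documentation. Since no action is given, the sources are presumably tried in order, so an entry in /etc would still take precedence.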

++++++ prefer-map-32bit-exec.patch ++++++
>From d5dfad4326fc683c813df1e37bbf5cf920591c8e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20Ko=C5=9Bcielnicki?= <m...@0x04.net>
Date: Thu, 21 Nov 2019 00:20:15 +0100
Subject: [PATCH] rtld: Check __libc_enable_secure before honoring
 LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]

The problem was introduced in glibc 2.23, in commit
b9eb92ab05204df772eb4929eccd018637c9f3e9
("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT").
---
 NEWS                                            | 6 +++++-
 sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h | 3 ++-
 2 files changed, 7 insertions(+), 2 deletions(-)

Index: glibc-2.30/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
===================================================================
--- glibc-2.30.orig/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
+++ glibc-2.30/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
@@ -31,7 +31,8 @@
    environment variable, LD_PREFER_MAP_32BIT_EXEC.  */
 #define EXTRA_LD_ENVVARS \
   case 21:                                                               \
-    if (memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0)              \
+    if (!__libc_enable_secure                                            \
+       && memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0)            \
       GLRO(dl_x86_cpu_features).feature[index_arch_Prefer_MAP_32BIT_EXEC] \
        |= bit_arch_Prefer_MAP_32BIT_EXEC;                                \
     break;
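Review bot: The comment above EXTRA_LD_ENVVARS still describes LD_PREFER_MAP_32BIT_EXEC without saying that it is now ignored when `__libc_enable_secure` is set. I would extend it with a sentence such as `The variable is ignored in secure (AT_SECURE) mode because it reduces address-space randomization.` The guard only stops the privileged process itself from honoring the variable. Whether it should also be on the list of variables removed from the environment of secure programs, so that children do not inherit it, is not visible here and is worth checking. The stat block lists no test, so a regression test for the secure-mode case would be a useful follow-up.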
