Hello community,

here is the log from the commit of package glibc for openSUSE:Leap:15.2 checked 
in at 2020-04-08 12:47:43
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/glibc (Old)
 and      /work/SRC/openSUSE:Leap:15.2/.glibc.new.3248 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "glibc"

Wed Apr  8 12:47:43 2020 rev:73 rq:790171 version:2.26

Changes:
--------
--- /work/SRC/openSUSE:Leap:15.2/glibc/glibc.changes    2020-03-24 
19:05:13.413438067 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.glibc.new.3248/glibc.changes  2020-04-08 
12:47:44.422323005 +0200
@@ -1,0 +2,6 @@
+Wed Mar 25 11:47:44 UTC 2020 - Andreas Schwab <sch...@suse.de>
+
+- glob-use-after-free.patch: Fix use-after-free in glob when expanding
+  ~user (CVE-2020-1752, bsc#1167631, BZ #25414)
+
+-------------------------------------------------------------------
@@ -25 +31 @@
-  (bsc#1158996, BZ #25423)
+  (CVE-2020-1751, bsc#1158996, BZ #25423)

New:
----
  glob-use-after-free.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ glibc.spec ++++++
--- /var/tmp/diff_new_pack.P951wV/_old  2020-04-08 12:47:46.470324038 +0200
+++ /var/tmp/diff_new_pack.P951wV/_new  2020-04-08 12:47:46.474324039 +0200
@@ -417,7 +417,7 @@
 # PATCH-FIX-UPSTREAM Use posix_spawn on popen (BZ #22834)
 Patch1073:      posix-Add-internal-symbols-for-posix_spawn-interface.patch
 Patch1074:      glibc-2.29-posix-Use-posix_spawn-on-popen.patch
-# PATCH-FIX-UPSTREAM Fix array overflow in backtrace on PowerPC (BZ #25423)
+# PATCH-FIX-UPSTREAM Fix array overflow in backtrace on PowerPC 
(CVE-2020-1751, BZ #25423)
 Patch1075:      backtrace-powerpc.patch
 # PATCH-FIX-UPSTREAM Fix rwlock stall with PREFER_WRITER_NONRECURSIVE_NP (BZ 
#23861)
 Patch1076:      pthread-rwlock-pwn.patch
@@ -428,6 +428,8 @@
 # PATCH-FIX-UPSTREAM elf: Allow dlopen of filter object to work (BZ #16272)
 Patch1079:      dl-sort-maps.patch
 Patch1080:      dlopen-filter-object.patch
+# PATCH-FIX-UPSTREAM Fix use-after-free in glob when expanding ~user 
(CVE-2020-1752, BZ #25414)
+Patch1081:      glob-use-after-free.patch
 
 ### 
 # Patches awaiting upstream approval
@@ -743,6 +745,7 @@
 %patch1078 -p1
 %patch1079 -p1
 %patch1080 -p1
+%patch1081 -p1
 
 %patch2000 -p1
 %patch2001 -p1


++++++ glob-use-after-free.patch ++++++
>From ddc650e9b3dc916eab417ce9f79e67337b05035c Mon Sep 17 00:00:00 2001
From: Andreas Schwab <sch...@suse.de>
Date: Wed, 19 Feb 2020 17:21:46 +0100
Subject: [PATCH] Fix use-after-free in glob when expanding ~user (bug 25414)

The value of `end_name' points into the value of `dirname', thus don't
deallocate the latter before the last use of the former.
---
 posix/glob.c | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

Index: glibc-2.26/posix/glob.c
===================================================================
--- glibc-2.26.orig/posix/glob.c
+++ glibc-2.26/posix/glob.c
@@ -946,28 +946,30 @@ glob (const char *pattern, int flags, in
              {
                size_t home_len = strlen (p->pw_dir);
                size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
+               char *newp;
+               bool use_alloca = glob_use_alloca (alloca_used,
+                                                  home_len + rest_len + 1);
 
-               if (__glibc_unlikely (malloc_dirname))
-                 free (dirname);
-               malloc_dirname = 0;
-
-               if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
-                 dirname = alloca_account (home_len + rest_len + 1,
-                                           alloca_used);
+               if (use_alloca)
+                 newp = alloca_account (home_len + rest_len + 1, alloca_used);
                else
                  {
-                   dirname = malloc (home_len + rest_len + 1);
-                   if (dirname == NULL)
+                   newp = malloc (home_len + rest_len + 1);
+                   if (newp == NULL)
                      {
                        free (malloc_pwtmpbuf);
                        retval = GLOB_NOSPACE;
                        goto out;
                      }
-                   malloc_dirname = 1;
                  }
-               *((char *) mempcpy (mempcpy (dirname, p->pw_dir, home_len),
+               *((char *) mempcpy (mempcpy (newp, p->pw_dir, home_len),
                                    end_name, rest_len)) = '\0';
 
+               if (__glibc_unlikely (malloc_dirname))
+                 free (dirname);
+               dirname = newp;
+               malloc_dirname = !use_alloca;
+
                dirlen = home_len + rest_len;
                dirname_modified = 1;
 
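Review bot: The reordering at the end of the hunk is the actual fix, but nothing in the code says why the `free (dirname)` now has to come after the `mempcpy` that reads `end_name`, so a later cleanup could move it back and reintroduce the use-after-free. A comment above the `if (__glibc_unlikely (malloc_dirname))` line such as `/* end_name points into dirname, so the old buffer must stay alive until the copy above has consumed it.  */` would pin the ordering. The malloc-failure path also changes shape: it now jumps to `out` with the old `dirname` still owned and `malloc_dirname` untouched instead of having freed it first, which is leak-free only if the `out:` label releases `dirname` when `malloc_dirname` is set; that label is outside the hunk and worth confirming in this 2.26 backport. glob's body starts and ends outside the hunk.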
