diff --git a/SOURCES/glibc-rh1032435.patch b/SOURCES/glibc-rh1032435.patch index 694bec2..ed5cc92 100644 --- a/SOURCES/glibc-rh1032435.patch +++ b/SOURCES/glibc-rh1032435.patch @@ -17,30 +17,11 @@ Date: Wed Oct 30 16:13:37 2013 +0530 wrap around fgets that calls it multiple times with int sizes if necessary. -(The previous commit fixes upstream bug 16071.) - -commit ac60763eac3d43b7234dd21286ad3ec3f17957fc -Author: Andreas Schwab -Date: Mon Jun 23 10:24:45 2014 +0200 - - Don't ignore too long lines in nss_files (BZ #17079) - -commit e07aabba73ea62e7dfa0512507c92efb851fbdbe -Author: Florian Weimer -Date: Tue Sep 22 13:20:18 2015 +0200 - - Add test case for bug 18287 - -commit 90fa42a1d7b78de0d75f7e3af362275b2abe807f -Author: Florian Weimer -Date: Tue Sep 22 13:40:17 2015 +0200 - - Test in commit e07aabba73ea62e7dfa0512507c92efb851fbdbe is for bug 17079 - -diff -u b/nss/nss_files/files-XXX.c b/nss/nss_files/files-XXX.c ---- b/nss/nss_files/files-XXX.c -+++ b/nss/nss_files/files-XXX.c -@@ -179,8 +179,53 @@ +diff --git glibc-2.17-c758a686/nss/nss_files/files-XXX.c glibc-2.17-c758a686/nss/nss_files/files-XXX.c +index 082d1ea..b62208c 100644 +--- glibc-2.17-c758a686/nss/nss_files/files-XXX.c ++++ glibc-2.17-c758a686/nss/nss_files/files-XXX.c +@@ -179,8 +179,51 @@ CONCAT(_nss_files_end,ENTNAME) (void) return NSS_STATUS_SUCCESS; } @@ -64,12 +45,10 @@ diff -u b/nss/nss_files/files-XXX.c b/nss/nss_files/files-XXX.c + { + int curlen = ((remaining_len > (size_t) INT_MAX) ? INT_MAX + : remaining_len); ++ char *p = fgets_unlocked (curbuf, curlen, stream); + -+ /* Terminate the line so that we can test for overflow. */ + ((unsigned char *) curbuf)[curlen - 1] = 0xff; + -+ char *p = fgets_unlocked (curbuf, curlen, stream); -+ + /* EOF or read error. */ + if (p == NULL) + return gcr_error; @@ -95,7 +74,7 @@ diff -u b/nss/nss_files/files-XXX.c b/nss/nss_files/files-XXX.c static enum nss_status internal_getent (struct STRUCTURE *result, char *buffer, size_t buflen, int *errnop H_ERRNO_PROTO -@@ -188,7 +233,7 @@ +@@ -188,7 +231,7 @@ internal_getent (struct STRUCTURE *result, { char *p; struct parser_data *data = (void *) buffer; @@ -104,7 +83,7 @@ diff -u b/nss/nss_files/files-XXX.c b/nss/nss_files/files-XXX.c int parse_result; if (buflen < sizeof *data + 2) -@@ -200,17 +245,16 @@ +@@ -200,17 +243,16 @@ internal_getent (struct STRUCTURE *result, do { @@ -126,7 +105,7 @@ diff -u b/nss/nss_files/files-XXX.c b/nss/nss_files/files-XXX.c { /* The line is too long. Give the user the opportunity to enlarge the buffer. */ -@@ -219,7 +263,8 @@ +@@ -219,7 +261,8 @@ internal_getent (struct STRUCTURE *result, return NSS_STATUS_TRYAGAIN; } @@ -136,255 +115,3 @@ diff -u b/nss/nss_files/files-XXX.c b/nss/nss_files/files-XXX.c while (isspace (*p)) ++p; } - -diff a/nss/bug17079.c b/nss/bug17079.c ---- /dev/null -+++ b/nss/bug17079.c -@@ -0,0 +1,236 @@ -+/* Test for bug 17079: heap overflow in NSS with small buffers. -+ Copyright (C) 2015 Free Software Foundation, Inc. -+ This file is part of the GNU C Library. -+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. -+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ . */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+ -+/* Check if two passwd structs contain the same data. */ -+static bool -+equal (const struct passwd *a, const struct passwd *b) -+{ -+ return strcmp (a->pw_name, b->pw_name) == 0 -+ && strcmp (a->pw_passwd, b->pw_passwd) == 0 -+ && a->pw_uid == b->pw_uid -+ && a->pw_gid == b->pw_gid -+ && strcmp (a->pw_gecos, b->pw_gecos) == 0 -+ && strcmp (a->pw_dir, b->pw_dir) == 0 -+ && strcmp (a->pw_shell, b->pw_shell) == 0; -+} -+ -+enum { MAX_TEST_ITEMS = 10 }; -+static struct passwd test_items[MAX_TEST_ITEMS]; -+static int test_count; -+ -+/* Initialize test_items and test_count above, with data from the -+ passwd database. */ -+static bool -+init_test_items (void) -+{ -+ setpwent (); -+ do -+ { -+ struct passwd *pwd = getpwent (); -+ if (pwd == NULL) -+ break; -+ struct passwd *target = test_items + test_count; -+ target->pw_name = strdup (pwd->pw_name); -+ target->pw_passwd = strdup (pwd->pw_passwd); -+ target->pw_uid = pwd->pw_uid; -+ target->pw_gid = pwd->pw_gid; -+ target->pw_gecos = strdup (pwd->pw_gecos); -+ target->pw_dir = strdup (pwd->pw_dir); -+ target->pw_shell = strdup (pwd->pw_shell); -+ } -+ while (++test_count < MAX_TEST_ITEMS); -+ endpwent (); -+ -+ /* Filter out those test items which cannot be looked up by name or -+ UID. */ -+ bool found = false; -+ for (int i = 0; i < test_count; ++i) -+ { -+ struct passwd *pwd1 = getpwnam (test_items[i].pw_name); -+ struct passwd *pwd2 = getpwuid (test_items[i].pw_uid); -+ if (pwd1 == NULL || !equal (pwd1, test_items + i) -+ || pwd2 == NULL || !equal (pwd2, test_items + i)) -+ test_items[i].pw_name = NULL; -+ else -+ found = true; -+ } -+ -+ if (!found) -+ puts ("error: no accounts found which can be looked up by name and UID."); -+ return found; -+} -+ -+/* Set to true if an error is encountered. */ -+static bool errors; -+ -+/* Return true if the padding has not been tampered with. */ -+static bool -+check_padding (char *buffer, size_t size, char pad) -+{ -+ char *end = buffer + size; -+ while (buffer < end) -+ { -+ if (*buffer != pad) -+ return false; -+ ++buffer; -+ } -+ return true; -+} -+ -+/* Test one buffer size and padding combination. */ -+static void -+test_one (const struct passwd *item, size_t buffer_size, -+ char pad, size_t padding_size) -+{ -+ char *buffer = malloc (buffer_size + padding_size); -+ if (buffer == NULL) -+ { -+ puts ("error: malloc failure"); -+ errors = true; -+ return; -+ } -+ -+ struct passwd pwd; -+ struct passwd *result; -+ int ret; -+ -+ /* Test getpwname_r. */ -+ memset (buffer, pad, buffer_size + padding_size); -+ pwd = (struct passwd) {}; -+ ret = getpwnam_r (item->pw_name, &pwd, buffer, buffer_size, &result); -+ if (!check_padding (buffer + buffer_size, padding_size, pad)) -+ { -+ printf ("error: padding change: " -+ "name \"%s\", buffer size %zu, padding size %zu, pad 0x%02x\n", -+ item->pw_name, buffer_size, padding_size, (unsigned char) pad); -+ errors = true; -+ } -+ if (ret == 0) -+ { -+ if (result == NULL) -+ { -+ printf ("error: no data: name \"%s\", buffer size %zu\n", -+ item->pw_name, buffer_size); -+ errors = true; -+ } -+ else if (!equal (item, result)) -+ { -+ printf ("error: lookup mismatch: name \"%s\", buffer size %zu\n", -+ item->pw_name, buffer_size); -+ errors = true; -+ } -+ } -+ else if (ret != ERANGE) -+ { -+ errno = ret; -+ printf ("error: lookup failure for name \"%s\": %m (%d)\n", -+ item->pw_name, ret); -+ errors = true; -+ } -+ -+ /* Test getpwuid_r. */ -+ memset (buffer, pad, buffer_size + padding_size); -+ pwd = (struct passwd) {}; -+ ret = getpwuid_r (item->pw_uid, &pwd, buffer, buffer_size, &result); -+ if (!check_padding (buffer + buffer_size, padding_size, pad)) -+ { -+ printf ("error: padding change: " -+ "UID %ld, buffer size %zu, padding size %zu, pad 0x%02x\n", -+ (long) item->pw_uid, buffer_size, padding_size, -+ (unsigned char) pad); -+ errors = true; -+ } -+ if (ret == 0) -+ { -+ if (result == NULL) -+ { -+ printf ("error: no data: UID %ld, buffer size %zu\n", -+ (long) item->pw_uid, buffer_size); -+ errors = true; -+ } -+ else if (!equal (item, result)) -+ { -+ printf ("error: lookup mismatch: UID %ld, buffer size %zu\n", -+ (long) item->pw_uid, buffer_size); -+ errors = true; -+ } -+ } -+ else if (ret != ERANGE) -+ { -+ errno = ret; -+ printf ("error: lookup failure for UID \"%ld\": %m (%d)\n", -+ (long) item->pw_uid, ret); -+ errors = true; -+ } -+ -+ free (buffer); -+} -+ -+/* Test one buffer size with different paddings. */ -+static void -+test_buffer_size (size_t buffer_size) -+{ -+ for (int i = 0; i < test_count; ++i) -+ for (size_t padding_size = 0; padding_size < 3; ++padding_size) -+ { -+ test_one (test_items + i, buffer_size, '\0', padding_size); -+ if (padding_size > 0) -+ { -+ test_one (test_items + i, buffer_size, ':', padding_size); -+ test_one (test_items + i, buffer_size, '\n', padding_size); -+ test_one (test_items + i, buffer_size, '\xff', padding_size); -+ test_one (test_items + i, buffer_size, '@', padding_size); -+ } -+ } -+} -+ -+int -+do_test (void) -+{ -+ if (!init_test_items ()) -+ return 1; -+ printf ("info: %d test items\n", test_count); -+ -+ for (size_t buffer_size = 0; buffer_size <= 65; ++buffer_size) -+ test_buffer_size (buffer_size); -+ for (size_t buffer_size = 64 + 4; buffer_size < 256; buffer_size += 4) -+ test_buffer_size (buffer_size); -+ test_buffer_size (255); -+ test_buffer_size (257); -+ for (size_t buffer_size = 256; buffer_size < 512; buffer_size += 8) -+ test_buffer_size (buffer_size); -+ test_buffer_size (511); -+ test_buffer_size (513); -+ test_buffer_size (1024); -+ test_buffer_size (2048); -+ -+ if (errors) -+ return 1; -+ else -+ return 0; -+} -+ -+#define TEST_FUNCTION do_test () -+#include "../test-skeleton.c" -diff a/nss/Makefile b/nss/Makefile ---- a/nss/Makefile -+++ b/nss/Makefile -@@ -39,6 +39,6 @@ - extra-objs += $(makedb-modules:=.o) - --tests = test-netdb tst-nss-test1 -+tests = test-netdb tst-nss-test1 bug17079 - xtests = bug-erange - - include ../Makeconfig diff --git a/SOURCES/glibc-rh1165192.patch b/SOURCES/glibc-rh1165192.patch index 488ac49..41e2591 100644 --- a/SOURCES/glibc-rh1165192.patch +++ b/SOURCES/glibc-rh1165192.patch @@ -16,8 +16,8 @@ diff -up glibc-2.17-c758a686/nss/Makefile.rh1165192 glibc-2.17-c758a686/nss/Make makedb-modules = xmalloc hash-string extra-objs += $(makedb-modules:=.o) --tests = test-netdb tst-nss-test1 bug17079 -+tests = test-netdb tst-nss-test1 bug17079 tst-nss-getpwent +-tests = test-netdb tst-nss-test1 ++tests = test-netdb tst-nss-test1 tst-nss-getpwent xtests = bug-erange include ../Makeconfig diff --git a/SOURCES/glibc-rh1183545.patch b/SOURCES/glibc-rh1183545.patch index a9ec106..dbd87ab 100644 --- a/SOURCES/glibc-rh1183545.patch +++ b/SOURCES/glibc-rh1183545.patch @@ -12,8 +12,8 @@ index 449a258..553eafa 100644 makedb-modules = xmalloc hash-string extra-objs += $(makedb-modules:=.o) --tests = test-netdb tst-nss-test1 bug17079 tst-nss-getpwent -+tests = test-netdb tst-nss-test1 bug17079 tst-nss-getpwent \ +-tests = test-netdb tst-nss-test1 tst-nss-getpwent ++tests = test-netdb tst-nss-test1 tst-nss-getpwent \ + test-digits-dots xtests = bug-erange diff --git a/SPECS/glibc.spec b/SPECS/glibc.spec index 4aed418..1aa0682 100644 --- a/SPECS/glibc.spec +++ b/SPECS/glibc.spec @@ -1,6 +1,6 @@ %define glibcsrcdir glibc-2.17-c758a686 %define glibcversion 2.17 -%define glibcrelease 106%{?dist}.1 +%define glibcrelease 105%{?dist} ############################################################################## # If run_glibc_tests is zero then tests are not run for the build. # You must always set run_glibc_tests to one for production builds. @@ -2360,12 +2360,6 @@ rm -f *.filelist* %endif %changelog -* Wed Oct 28 2015 Florian Weimer - 2.17-106.1 -- Rebuild with corrected release. - -* Wed Oct 28 2015 Florian Weimer - 2.17-106 -- Add fix for CVE-2015-5277 (#1275920). - * Fri Aug 14 2015 Siddhesh Poyarekar - 2.17-105 - Fix up test case for initial-exec fix (#1248208).