diff options
author | Patrick J Volkerding <volkerdi@slackware.com> | 2024-04-18 19:17:30 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2024-04-19 13:30:41 +0200 |
commit | d3c452d720018233486e993d409d08d30948111a (patch) | |
tree | 5d7237f45c053f5269ea21132445e78b6d06bbc0 /patches/source/glibc/patches/CVE-2021-33574_2.patch | |
parent | 2a933a7e4fa4c4b799f410f676b997047b4c68a5 (diff) | |
download | current-d3c452d720018233486e993d409d08d30948111a.tar.gz current-d3c452d720018233486e993d409d08d30948111a.tar.xz |
Thu Apr 18 19:17:30 UTC 202420240418191730_15.0
patches/packages/bind-9.16.50-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
patches/packages/aaa_glibc-solibs-2.33-x86_64-6_slack15.0.txz: Rebuilt.
patches/packages/glibc-2.33-x86_64-6_slack15.0.txz: Rebuilt.
This update fixes a security issue:
The iconv() function in the GNU C Library versions 2.39 and older may
overflow the output buffer passed to it by up to 4 bytes when converting
strings to the ISO-2022-CN-EXT character set, which may be used to crash
an application or overwrite a neighbouring variable.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2024-2961
(* Security fix *)
patches/packages/glibc-i18n-2.33-x86_64-6_slack15.0.txz: Rebuilt.
patches/packages/glibc-profile-2.33-x86_64-6_slack15.0.txz: Rebuilt.
testing/packages/bind-9.18.26-x86_64-1_slack15.0.txz: Upgraded.
This is a bugfix release.
Diffstat (limited to 'patches/source/glibc/patches/CVE-2021-33574_2.patch')
-rw-r--r-- | patches/source/glibc/patches/CVE-2021-33574_2.patch | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/patches/source/glibc/patches/CVE-2021-33574_2.patch b/patches/source/glibc/patches/CVE-2021-33574_2.patch new file mode 100644 index 000000000..608dbfdc5 --- /dev/null +++ b/patches/source/glibc/patches/CVE-2021-33574_2.patch @@ -0,0 +1,53 @@ +From 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Tue, 1 Jun 2021 17:51:41 +0200 +Subject: [PATCH] Fix use of __pthread_attr_copy in mq_notify (bug 27896) + +__pthread_attr_copy can fail and does not initialize the attribute +structure in that case. + +If __pthread_attr_copy is never called and there is no allocated +attribute, pthread_attr_destroy should not be called, otherwise +there is a null pointer dereference in rt/tst-mqueue6. + +Fixes commit 42d359350510506b87101cf77202fefcbfc790cb +("Use __pthread_attr_copy in mq_notify (bug 27896)"). + +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> +--- + sysdeps/unix/sysv/linux/mq_notify.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c +index f7ddfe5a6c..6f46d29d1d 100644 +--- a/sysdeps/unix/sysv/linux/mq_notify.c ++++ b/sysdeps/unix/sysv/linux/mq_notify.c +@@ -258,7 +258,14 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification) + if (data.attr == NULL) + return -1; + +- __pthread_attr_copy (data.attr, notification->sigev_notify_attributes); ++ int ret = __pthread_attr_copy (data.attr, ++ notification->sigev_notify_attributes); ++ if (ret != 0) ++ { ++ free (data.attr); ++ __set_errno (ret); ++ return -1; ++ } + } + + /* Construct the new request. */ +@@ -271,7 +278,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification) + int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se); + + /* If it failed, free the allocated memory. */ +- if (__glibc_unlikely (retval != 0)) ++ if (retval != 0 && data.attr != NULL) + { + pthread_attr_destroy (data.attr); + free (data.attr); +-- +2.27.0 + + |