Tue Aug 17 20:08:40 UTC 202120210817200840

a/aaa_glibc-solibs-2.33-x86_64-4.txz:  Rebuilt.
a/util-linux-2.37.2-x86_64-1.txz:  Upgraded.
d/git-2.33.0-x86_64-1.txz:  Upgraded.
d/vala-0.52.5-x86_64-1.txz:  Upgraded.
l/gexiv2-0.12.3-x86_64-1.txz:  Upgraded.
l/glibc-2.33-x86_64-4.txz:  Rebuilt.
  In librt, sysdeps/unix/sysv/linux/mq_notify.c mishandles certain
  NOTIFY_REMOVED data, leading to a NULL pointer dereference.
  NOTE: this vulnerability was introduced as a side effect of the
  CVE-2021-33574 fix.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38604
  (* Security fix *)
l/glibc-i18n-2.33-x86_64-4.txz:  Rebuilt.
l/glibc-profile-2.33-x86_64-4.txz:  Rebuilt.
l/libcap-2.53-x86_64-1.txz:  Upgraded.
l/python2-module-collection-2.7.18-x86_64-5.txz:  Rebuilt.
  Added dbus-python-1.2.16.
n/ModemManager-1.16.10-x86_64-1.txz:  Upgraded.
n/NetworkManager-1.32.8-x86_64-1.txz:  Upgraded.
n/stunnel-5.60-x86_64-1.txz:  Upgraded.
xap/mozilla-firefox-91.0.1-x86_64-1.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/firefox/91.0.1/releasenotes/
    https://www.mozilla.org/security/advisories/mfsa2021-37/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29991
  (* Security fix *)
xap/mozilla-thunderbird-91.0.1-x86_64-1.txz:  Upgraded.
  This release contains security fixes and improvements.
  For more information, see:
    https://www.mozilla.org/en-US/thunderbird/91.0.1/releasenotes/
    https://www.mozilla.org/en-US/security/advisories/mfsa2021-37/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29991
  (* Security fix *)

1 files changed, 40 insertions, 0 deletions

diff --git a/source/l/glibc/patches/CVE-2021-38604.patch b/source/l/glibc/patches/CVE-2021-38604.patch
new file mode 100644
index 000000000..ad0a81588
--- /dev/null
+++ b/source/l/glibc/patches/CVE-2021-38604.patch
@@ -0,0 +1,40 @@
+From b805aebd42364fe696e417808a700fdb9800c9e8 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <npv1310@gmail.com>
+Date: Mon, 9 Aug 2021 20:17:34 +0530
+Subject: [PATCH] librt: fix NULL pointer dereference (bug 28213)
+
+Helper thread frees copied attribute on NOTIFY_REMOVED message
+received from the OS kernel.  Unfortunately, it fails to check whether
+copied attribute actually exists (data.attr != NULL).  This worked
+earlier because free() checks passed pointer before actually
+attempting to release corresponding memory.  But
+__pthread_attr_destroy assumes pointer is not NULL.
+
+So passing NULL pointer to __pthread_attr_destroy will result in
+segmentation fault.  This scenario is possible if
+notification->sigev_notify_attributes == NULL (which means default
+thread attributes should be used).
+
+Signed-off-by: Nikita Popov <npv1310@gmail.com>
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+---
+ sysdeps/unix/sysv/linux/mq_notify.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
+index 9799dcdaa4..eccae2e4c6 100644
+--- a/sysdeps/unix/sysv/linux/mq_notify.c
++++ b/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -131,7 +131,7 @@ helper_thread (void *arg)
+ 	       to wait until it is done with it.  */
+ 	    (void) __pthread_barrier_wait (&notify_barrier);
+ 	}
+-      else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
++      else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED && data.attr != NULL)
+ 	{
+ 	  /* The only state we keep is the copy of the thread attributes.  */
+ 	  __pthread_attr_destroy (data.attr);
+-- 
+2.27.0
+
+