summaryrefslogtreecommitdiffstats
path: root/patches/source/glibc/glibc-2.17_CVE-2014-0475.diff
diff options
context:
space:
mode:
Diffstat (limited to 'patches/source/glibc/glibc-2.17_CVE-2014-0475.diff')
-rw-r--r--patches/source/glibc/glibc-2.17_CVE-2014-0475.diff404
1 files changed, 404 insertions, 0 deletions
diff --git a/patches/source/glibc/glibc-2.17_CVE-2014-0475.diff b/patches/source/glibc/glibc-2.17_CVE-2014-0475.diff
new file mode 100644
index 000000000..b28b8c5a3
--- /dev/null
+++ b/patches/source/glibc/glibc-2.17_CVE-2014-0475.diff
@@ -0,0 +1,404 @@
+From a1a7089da053642f09f84715dfe06cd3938de8da Mon Sep 17 00:00:00 2001
+From: mancha <mancha1 AT zoho DOT com>
+Date: Fri, 5 Sep 2014
+Subject: CVE-2014-0475
+
+This fixes a potential for directory traversal via crafted
+locale-related environment variables. This is particularly
+worrisome in the case suid/sgid programs inherit these
+variables potentially resulting in arbitrary code execution
+with elevated privileges.
+
+This fix for use with glibc 2.17 is based on the following
+upstream commits:
+
+https://sourceware.org/git/?p=glibc.git;h=4e8f95a0df7c
+https://sourceware.org/git/?p=glibc.git;h=d183645616b0
+
+---
+ locale/findlocale.c | 74 +++++++++++--
+ locale/setlocale.c | 14 ++
+ localedata/Makefile | 3 +
+ localedata/tst-setlocale3.c | 203 ++++++++++++++++++++++++++++++++++++
+ 4 files changed, 278 insertions(+), 16 deletions(-)
+
+--- a/locale/findlocale.c
++++ b/locale/findlocale.c
+@@ -17,6 +17,7 @@
+ <http://www.gnu.org/licenses/>. */
+
+ #include <assert.h>
++#include <errno.h>
+ #include <locale.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -57,6 +58,45 @@ struct loaded_l10nfile *_nl_locale_file_list[__LC_LAST];
+
+ const char _nl_default_locale_path[] attribute_hidden = LOCALEDIR;
+
++/* Checks if the name is actually present, that is, not NULL and not
++ empty. */
++static inline int
++name_present (const char *name)
++{
++ return name != NULL && name[0] != '\0';
++}
++
++/* Checks that the locale name neither extremely long, nor contains a
++ ".." path component (to prevent directory traversal). */
++static inline int
++valid_locale_name (const char *name)
++{
++ /* Not set. */
++ size_t namelen = strlen (name);
++ /* Name too long. The limit is arbitrary and prevents stack overflow
++ issues later. */
++ if (__glibc_unlikely (namelen > 255))
++ return 0;
++ /* Directory traversal attempt. */
++ static const char slashdot[4] = {'/', '.', '.', '/'};
++ if (__glibc_unlikely (memmem (name, namelen,
++ slashdot, sizeof (slashdot)) != NULL))
++ return 0;
++ if (namelen == 2 && __glibc_unlikely (name[0] == '.' && name [1] == '.'))
++ return 0;
++ if (namelen >= 3
++ && __glibc_unlikely (((name[0] == '.'
++ && name[1] == '.'
++ && name[2] == '/')
++ || (name[namelen - 3] == '/'
++ && name[namelen - 2] == '.'
++ && name[namelen - 1] == '.'))))
++ return 0;
++ /* If there is a slash in the name, it must start with one. */
++ if (__glibc_unlikely (memchr (name, '/', namelen) != NULL) && name[0] != '/')
++ return 0;
++ return 1;
++}
+
+ struct __locale_data *
+ internal_function
+@@ -65,7 +105,7 @@ _nl_find_locale (const char *locale_path, size_t locale_path_len,
+ {
+ int mask;
+ /* Name of the locale for this category. */
+- char *loc_name;
++ char *loc_name = (char *) *name;
+ const char *language;
+ const char *modifier;
+ const char *territory;
+@@ -73,31 +113,39 @@ _nl_find_locale (const char *locale_path, size_t locale_path_len,
+ const char *normalized_codeset;
+ struct loaded_l10nfile *locale_file;
+
+- if ((*name)[0] == '\0')
++ if (loc_name[0] == '\0')
+ {
+ /* The user decides which locale to use by setting environment
+ variables. */
+- *name = getenv ("LC_ALL");
+- if (*name == NULL || (*name)[0] == '\0')
+- *name = getenv (_nl_category_names.str
++ loc_name = getenv ("LC_ALL");
++ if (!name_present (loc_name))
++ loc_name = getenv (_nl_category_names.str
+ + _nl_category_name_idxs[category]);
+- if (*name == NULL || (*name)[0] == '\0')
+- *name = getenv ("LANG");
++ if (!name_present (loc_name))
++ loc_name = getenv ("LANG");
++ if (!name_present (loc_name))
++ loc_name = (char *) _nl_C_name;
+ }
+
+- if (*name == NULL || (*name)[0] == '\0'
+- || (__builtin_expect (__libc_enable_secure, 0)
+- && strchr (*name, '/') != NULL))
+- *name = (char *) _nl_C_name;
++ /* We used to fall back to the C locale if the name contains a slash
++ character '/', but we now check for directory traversal in
++ valid_locale_name, so this is no longer necessary. */
+
+- if (__builtin_expect (strcmp (*name, _nl_C_name), 1) == 0
+- || __builtin_expect (strcmp (*name, _nl_POSIX_name), 1) == 0)
++ if (__builtin_expect (strcmp (loc_name, _nl_C_name), 1) == 0
++ || __builtin_expect (strcmp (loc_name, _nl_POSIX_name), 1) == 0)
+ {
+ /* We need not load anything. The needed data is contained in
+ the library itself. */
+ *name = (char *) _nl_C_name;
+ return _nl_C[category];
+ }
++ else if (!valid_locale_name (loc_name))
++ {
++ __set_errno (EINVAL);
++ return NULL;
++ }
++
++ *name = loc_name;
+
+ /* We really have to load some data. First we try the archive,
+ but only if there was no LOCPATH environment variable specified. */
+--- a/localedata/Makefile
++++ b/localedata/Makefile
+@@ -77,7 +77,8 @@ locale_test_suite := tst_iswalnum tst_is
+
+ tests = $(locale_test_suite) tst-digits tst-setlocale bug-iconv-trans \
+ tst-leaks tst-mbswcs6 tst-xlocale1 tst-xlocale2 bug-usesetlocale \
+- tst-strfmon1 tst-sscanf bug-setlocale1 tst-setlocale2
++ tst-strfmon1 tst-sscanf bug-setlocale1 tst-setlocale2 \
++ tst-setlocale3
+ ifeq (yes,$(build-shared))
+ ifneq (no,$(PERL))
+ tests: $(objpfx)mtrace-tst-leaks
+--- /dev/null
++++ b/localedata/tst-setlocale3.c
+@@ -0,0 +1,203 @@
++/* Regression test for setlocale invalid environment variable handling.
++ Copyright (C) 2014 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <locale.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++
++/* The result of setlocale may be overwritten by subsequent calls, so
++ this wrapper makes a copy. */
++static char *
++setlocale_copy (int category, const char *locale)
++{
++ const char *result = setlocale (category, locale);
++ if (result == NULL)
++ return NULL;
++ return strdup (result);
++}
++
++static char *de_locale;
++
++static void
++setlocale_fail (const char *envstring)
++{
++ setenv ("LC_CTYPE", envstring, 1);
++ if (setlocale (LC_CTYPE, "") != NULL)
++ {
++ printf ("unexpected setlocale success for \"%s\" locale\n", envstring);
++ exit (1);
++ }
++ const char *newloc = setlocale (LC_CTYPE, NULL);
++ if (strcmp (newloc, de_locale) != 0)
++ {
++ printf ("failed setlocale call \"%s\" changed locale to \"%s\"\n",
++ envstring, newloc);
++ exit (1);
++ }
++}
++
++static void
++setlocale_success (const char *envstring)
++{
++ setenv ("LC_CTYPE", envstring, 1);
++ char *newloc = setlocale_copy (LC_CTYPE, "");
++ if (newloc == NULL)
++ {
++ printf ("setlocale for \"%s\": %m\n", envstring);
++ exit (1);
++ }
++ if (strcmp (newloc, de_locale) == 0)
++ {
++ printf ("setlocale with LC_CTYPE=\"%s\" left locale at \"%s\"\n",
++ envstring, de_locale);
++ exit (1);
++ }
++ if (setlocale (LC_CTYPE, de_locale) == NULL)
++ {
++ printf ("restoring locale \"%s\" with LC_CTYPE=\"%s\": %m\n",
++ de_locale, envstring);
++ exit (1);
++ }
++ char *newloc2 = setlocale_copy (LC_CTYPE, newloc);
++ if (newloc2 == NULL)
++ {
++ printf ("restoring locale \"%s\" following \"%s\": %m\n",
++ newloc, envstring);
++ exit (1);
++ }
++ if (strcmp (newloc, newloc2) != 0)
++ {
++ printf ("representation of locale \"%s\" changed from \"%s\" to \"%s\"",
++ envstring, newloc, newloc2);
++ exit (1);
++ }
++ free (newloc);
++ free (newloc2);
++
++ if (setlocale (LC_CTYPE, de_locale) == NULL)
++ {
++ printf ("restoring locale \"%s\" with LC_CTYPE=\"%s\": %m\n",
++ de_locale, envstring);
++ exit (1);
++ }
++}
++
++/* Checks that a known-good locale still works if LC_ALL contains a
++ value which should be ignored. */
++static void
++setlocale_ignore (const char *to_ignore)
++{
++ const char *fr_locale = "fr_FR.UTF-8";
++ setenv ("LC_CTYPE", fr_locale, 1);
++ char *expected_locale = setlocale_copy (LC_CTYPE, "");
++ if (expected_locale == NULL)
++ {
++ printf ("setlocale with LC_CTYPE=\"%s\" failed: %m\n", fr_locale);
++ exit (1);
++ }
++ if (setlocale (LC_CTYPE, de_locale) == NULL)
++ {
++ printf ("failed to restore locale: %m\n");
++ exit (1);
++ }
++ unsetenv ("LC_CTYPE");
++
++ setenv ("LC_ALL", to_ignore, 1);
++ setenv ("LC_CTYPE", fr_locale, 1);
++ const char *actual_locale = setlocale (LC_CTYPE, "");
++ if (actual_locale == NULL)
++ {
++ printf ("setlocale with LC_ALL, LC_CTYPE=\"%s\" failed: %m\n",
++ fr_locale);
++ exit (1);
++ }
++ if (strcmp (actual_locale, expected_locale) != 0)
++ {
++ printf ("setlocale under LC_ALL failed: got \"%s\", expected \"%s\"\n",
++ actual_locale, expected_locale);
++ exit (1);
++ }
++ unsetenv ("LC_CTYPE");
++ setlocale_success (fr_locale);
++ unsetenv ("LC_ALL");
++ free (expected_locale);
++}
++
++static int
++do_test (void)
++{
++ /* The glibc test harness sets this environment variable
++ uncondionally. */
++ unsetenv ("LC_ALL");
++
++ de_locale = setlocale_copy (LC_CTYPE, "de_DE.UTF-8");
++ if (de_locale == NULL)
++ {
++ printf ("setlocale (LC_CTYPE, \"de_DE.UTF-8\"): %m\n");
++ return 1;
++ }
++ setlocale_success ("C");
++ setlocale_success ("en_US.UTF-8");
++ setlocale_success ("/en_US.UTF-8");
++ setlocale_success ("//en_US.UTF-8");
++ setlocale_ignore ("");
++
++ setlocale_fail ("does-not-exist");
++ setlocale_fail ("/");
++ setlocale_fail ("/../localedata/en_US.UTF-8");
++ setlocale_fail ("en_US.UTF-8/");
++ setlocale_fail ("en_US.UTF-8/..");
++ setlocale_fail ("en_US.UTF-8/../en_US.UTF-8");
++ setlocale_fail ("../localedata/en_US.UTF-8");
++ {
++ size_t large_length = 1024;
++ char *large_name = malloc (large_length + 1);
++ if (large_name == NULL)
++ {
++ puts ("malloc failure");
++ return 1;
++ }
++ memset (large_name, '/', large_length);
++ const char *suffix = "en_US.UTF-8";
++ strcpy (large_name + large_length - strlen (suffix), suffix);
++ setlocale_fail (large_name);
++ free (large_name);
++ }
++ {
++ size_t huge_length = 64 * 1024 * 1024;
++ char *huge_name = malloc (huge_length + 1);
++ if (huge_name == NULL)
++ {
++ puts ("malloc failure");
++ return 1;
++ }
++ memset (huge_name, 'X', huge_length);
++ huge_name[huge_length] = '\0';
++ /* Construct a composite locale specification. */
++ const char *prefix = "LC_CTYPE=de_DE.UTF-8;LC_TIME=";
++ memcpy (huge_name, prefix, strlen (prefix));
++ setlocale_fail (huge_name);
++ free (huge_name);
++ }
++
++ return 0;
++}
++
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
+--- a/locale/setlocale.c
++++ b/locale/setlocale.c
+@@ -273,6 +273,8 @@ setlocale (int category, const char *locale)
+ of entries of the form `CATEGORY=VALUE'. */
+ const char *newnames[__LC_LAST];
+ struct __locale_data *newdata[__LC_LAST];
++ /* Copy of the locale argument, for in-place splitting. */
++ char *locale_copy = NULL;
+
+ /* Set all name pointers to the argument name. */
+ for (category = 0; category < __LC_LAST; ++category)
+@@ -282,7 +284,13 @@ setlocale (int category, const char *locale)
+ if (__builtin_expect (strchr (locale, ';') != NULL, 0))
+ {
+ /* This is a composite name. Make a copy and split it up. */
+- char *np = strdupa (locale);
++ locale_copy = strdup (locale);
++ if (__glibc_unlikely (locale_copy == NULL))
++ {
++ __libc_rwlock_unlock (__libc_setlocale_lock);
++ return NULL;
++ }
++ char *np = locale_copy;
+ char *cp;
+ int cnt;
+
+@@ -300,6 +308,7 @@ setlocale (int category, const char *locale)
+ {
+ error_return:
+ __libc_rwlock_unlock (__libc_setlocale_lock);
++ free (locale_copy);
+
+ /* Bogus category name. */
+ ERROR_RETURN;
+@@ -392,8 +401,9 @@ setlocale (int category, const char *locale)
+ /* Critical section left. */
+ __libc_rwlock_unlock (__libc_setlocale_lock);
+
+- /* Free the resources (the locale path variable). */
++ /* Free the resources. */
+ free (locale_path);
++ free (locale_copy);
+
+ return composite;
+ }