Diffstat (limited to '')
-rw-r--r-- | patches/source/glibc/glibc-2.17_CVE-2014-4043.diff | 142 |
1 files changed, 142 insertions, 0 deletions
diff --git a/patches/source/glibc/glibc-2.17_CVE-2014-4043.diff b/patches/source/glibc/glibc-2.17_CVE-2014-4043.diff
new file mode 100644
index 000000000..399f22eed
--- /dev/null
+++ b/patches/source/glibc/glibc-2.17_CVE-2014-4043.diff
@@ -0,0 +1,142 @@
+From 9ec14ba8436e795b5573fee6685240721d7ca727 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@zoho.com>
+Date: Fri, 13 Jun 2014
+Subject: CVE-2014-4043
+
+POSIX requires that we make a copy, so we allocate a new string
+and free it in posix_spawn_file_actions_destroy.
+
+Reported by David Reid, Alex Gaynor, and Glyph Lefkowitz. This bug
+may have security implications.
+
+This backported fix for use on glibc 2.17 is based on the following
+upstream commits:
+
+https://sourceware.org/git/?p=glibc.git;h=89e435f3559c
+https://sourceware.org/git/?p=glibc.git;h=35a5e3e338ae
+
+---
+ posix/spawn_faction_addopen.c | 14 +++++++++++---
+ posix/spawn_faction_destroy.c | 22 ++++++++++++++++++++--
+ posix/spawn_int.h | 2 +-
+ posix/tst-spawn.c | 10 +++++++++-
+ 4 files changed, 41 insertions(+), 7 deletions(-)
+
+--- a/posix/spawn_faction_addopen.c
++++ b/posix/spawn_faction_addopen.c
+@@ -18,6 +18,7 @@
+ #include <errno.h>
+ #include <spawn.h>
+ #include <unistd.h>
++#include <string.h>
+
+ #include "spawn_int.h"
+
+@@ -35,17 +35,24 @@ posix_spawn_file_actions_addopen (posix_spawn_file_actions_t *file_actions,
+ if (fd < 0 || fd >= maxfd)
+ return EBADF;
+
++ char *path_copy = strdup (path);
++ if (path_copy == NULL)
++ return ENOMEM;
++
+ /* Allocate more memory if needed. */
+ if (file_actions->__used == file_actions->__allocated
+ && __posix_spawn_file_actions_realloc (file_actions) != 0)
+- /* This can only mean we ran out of memory. */
+- return ENOMEM;
++ {
++ /* This can only mean we ran out of memory. */
++ free (path_copy);
++ return ENOMEM;
++ }
+
+ /* Add the new value. */
+ rec = &file_actions->__actions[file_actions->__used];
+ rec->tag = spawn_do_open;
+ rec->action.open_action.fd = fd;
+- rec->action.open_action.path = path;
++ rec->action.open_action.path = path_copy;
+ rec->action.open_action.oflag = oflag;
+ rec->action.open_action.mode = mode;
+
+--- a/posix/spawn_faction_destroy.c
++++ b/posix/spawn_faction_destroy.c
+@@ -18,11 +18,29 @@
+ #include <spawn.h>
+ #include <stdlib.h>
+
+-/* Initialize data structure for file attribute for `spawn' call. */
++#include "spawn_int.h"
++
++/* Deallocate the file actions. */
+ int
+ posix_spawn_file_actions_destroy (posix_spawn_file_actions_t *file_actions)
+ {
+- /* Free the memory allocated. */
++ /* Free the paths in the open actions. */
++ for (int i = 0; i < file_actions->__used; ++i)
++ {
++ struct __spawn_action *sa = &file_actions->__actions[i];
++ switch (sa->tag)
++ {
++ case spawn_do_open:
++ free (sa->action.open_action.path);
++ break;
++ case spawn_do_close:
++ case spawn_do_dup2:
++ /* No cleanup required. */
++ break;
++ }
++ }
++
++ /* Free the array of actions. */
+ free (file_actions->__actions);
+ return 0;
+ }
+--- a/posix/spawn_int.h
++++ b/posix/spawn_int.h
+@@ -22,7 +22,7 @@ struct __spawn_action
+ struct
+ {
+ int fd;
+- const char *path;
++ char *path;
+ int oflag;
+ mode_t mode;
+ } open_action;
+--- a/posix/tst-spawn.c
++++ b/posix/tst-spawn.c
+@@ -168,6 +168,7 @@ do_test (int argc, char *argv[])
+ char fd2name[18];
+ char fd3name[18];
+ char fd4name[18];
++ char *name3_copy;
+ char *spargv[12];
+
+ /* We must have
+@@ -221,9 +222,15 @@ do_test (int argc, char *argv[])
+ if (posix_spawn_file_actions_addclose (&actions, fd1) != 0)
+ error (EXIT_FAILURE, errno, "posix_spawn_file_actions_addclose");
+ /* We want to open the third file. */
+- if (posix_spawn_file_actions_addopen (&actions, fd3, name3,
++ name3_copy = strdup (name3);
++ if (name3_copy == NULL)
++ error (EXIT_FAILURE, errno, "strdup");
++ if (posix_spawn_file_actions_addopen (&actions, fd3, name3_copy,
+ O_RDONLY, 0666) != 0)
+ error (EXIT_FAILURE, errno, "posix_spawn_file_actions_addopen");
++ /* Overwrite the name to check that a copy has been made. */
++ memset (name3_copy, 'X', strlen (name3_copy));
++
+ /* We dup the second descriptor. */
+ fd4 = MAX (2, MAX (fd1, MAX (fd2, fd3))) + 1;
+ if (posix_spawn_file_actions_adddup2 (&actions, fd2, fd4) != 0)
+@@ -254,6 +261,7 @@ do_test (int argc, char *argv[])
+ /* Cleanup. */
+ if (posix_spawn_file_actions_destroy (&actions) != 0)
+ error (EXIT_FAILURE, errno, "posix_spawn_file_actions_destroy");
++ free (name3_copy);
+
+ /* Wait for the child. */
+ if (waitpid (pid, &status, 0) != pid) |
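Review bot: In the posix/spawn_faction_addopen.c part of the added patch, the new error path calls `free (path_copy)`, but the only header the patch adds there is `<string.h>`, and none of the includes visible in that hunk (`<errno.h>`, `<spawn.h>`, `<unistd.h>`, `"spawn_int.h"`) is the one that declares `free`, so the build presumably relies on a transitive include. I would add `#include <stdlib.h>` next to the new `#include <string.h>` so the backport does not depend on how the glibc 2.17 internal headers happen to nest. Separately, the second hunk header for that file reads `@@ -35,17 +35,24 @@` although the preceding hunk already added one line, so the new-side start should be 36; tolerant patch tools will likely apply it with an offset, but it is worth correcting in a hand-edited backport. The body of posix_spawn_file_actions_addopen starts and ends outside the lines shown.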