summaryrefslogtreecommitdiffstats
path: root/patches/source/glibc/glibc-2.17_CVE-2014-4043.diff
diff options
context:
space:
mode:
Diffstat (limited to 'patches/source/glibc/glibc-2.17_CVE-2014-4043.diff')
-rw-r--r--patches/source/glibc/glibc-2.17_CVE-2014-4043.diff142
1 files changed, 142 insertions, 0 deletions
diff --git a/patches/source/glibc/glibc-2.17_CVE-2014-4043.diff b/patches/source/glibc/glibc-2.17_CVE-2014-4043.diff
new file mode 100644
index 000000000..399f22eed
--- /dev/null
+++ b/patches/source/glibc/glibc-2.17_CVE-2014-4043.diff
@@ -0,0 +1,142 @@
+From 9ec14ba8436e795b5573fee6685240721d7ca727 Mon Sep 17 00:00:00 2001
+From: mancha <mancha1@zoho.com>
+Date: Fri, 13 Jun 2014
+Subject: CVE-2014-4043
+
+POSIX requires that we make a copy, so we allocate a new string
+and free it in posix_spawn_file_actions_destroy.
+
+Reported by David Reid, Alex Gaynor, and Glyph Lefkowitz. This bug
+may have security implications.
+
+This backported fix for use on glibc 2.17 is based on the following
+upstream commits:
+
+https://sourceware.org/git/?p=glibc.git;h=89e435f3559c
+https://sourceware.org/git/?p=glibc.git;h=35a5e3e338ae
+
+---
+ posix/spawn_faction_addopen.c | 14 +++++++++++---
+ posix/spawn_faction_destroy.c | 22 ++++++++++++++++++++--
+ posix/spawn_int.h | 2 +-
+ posix/tst-spawn.c | 10 +++++++++-
+ 4 files changed, 41 insertions(+), 7 deletions(-)
+
+--- a/posix/spawn_faction_addopen.c
++++ b/posix/spawn_faction_addopen.c
+@@ -18,6 +18,7 @@
+ #include <errno.h>
+ #include <spawn.h>
+ #include <unistd.h>
++#include <string.h>
+
+ #include "spawn_int.h"
+
+@@ -35,17 +35,24 @@ posix_spawn_file_actions_addopen (posix_spawn_file_actions_t *file_actions,
+ if (fd < 0 || fd >= maxfd)
+ return EBADF;
+
++ char *path_copy = strdup (path);
++ if (path_copy == NULL)
++ return ENOMEM;
++
+ /* Allocate more memory if needed. */
+ if (file_actions->__used == file_actions->__allocated
+ && __posix_spawn_file_actions_realloc (file_actions) != 0)
+- /* This can only mean we ran out of memory. */
+- return ENOMEM;
++ {
++ /* This can only mean we ran out of memory. */
++ free (path_copy);
++ return ENOMEM;
++ }
+
+ /* Add the new value. */
+ rec = &file_actions->__actions[file_actions->__used];
+ rec->tag = spawn_do_open;
+ rec->action.open_action.fd = fd;
+- rec->action.open_action.path = path;
++ rec->action.open_action.path = path_copy;
+ rec->action.open_action.oflag = oflag;
+ rec->action.open_action.mode = mode;
+
+--- a/posix/spawn_faction_destroy.c
++++ b/posix/spawn_faction_destroy.c
+@@ -18,11 +18,29 @@
+ #include <spawn.h>
+ #include <stdlib.h>
+
+-/* Initialize data structure for file attribute for `spawn' call. */
++#include "spawn_int.h"
++
++/* Deallocate the file actions. */
+ int
+ posix_spawn_file_actions_destroy (posix_spawn_file_actions_t *file_actions)
+ {
+- /* Free the memory allocated. */
++ /* Free the paths in the open actions. */
++ for (int i = 0; i < file_actions->__used; ++i)
++ {
++ struct __spawn_action *sa = &file_actions->__actions[i];
++ switch (sa->tag)
++ {
++ case spawn_do_open:
++ free (sa->action.open_action.path);
++ break;
++ case spawn_do_close:
++ case spawn_do_dup2:
++ /* No cleanup required. */
++ break;
++ }
++ }
++
++ /* Free the array of actions. */
+ free (file_actions->__actions);
+ return 0;
+ }
+--- a/posix/spawn_int.h
++++ b/posix/spawn_int.h
+@@ -22,7 +22,7 @@ struct __spawn_action
+ struct
+ {
+ int fd;
+- const char *path;
++ char *path;
+ int oflag;
+ mode_t mode;
+ } open_action;
+--- a/posix/tst-spawn.c
++++ b/posix/tst-spawn.c
+@@ -168,6 +168,7 @@ do_test (int argc, char *argv[])
+ char fd2name[18];
+ char fd3name[18];
+ char fd4name[18];
++ char *name3_copy;
+ char *spargv[12];
+
+ /* We must have
+@@ -221,9 +222,15 @@ do_test (int argc, char *argv[])
+ if (posix_spawn_file_actions_addclose (&actions, fd1) != 0)
+ error (EXIT_FAILURE, errno, "posix_spawn_file_actions_addclose");
+ /* We want to open the third file. */
+- if (posix_spawn_file_actions_addopen (&actions, fd3, name3,
++ name3_copy = strdup (name3);
++ if (name3_copy == NULL)
++ error (EXIT_FAILURE, errno, "strdup");
++ if (posix_spawn_file_actions_addopen (&actions, fd3, name3_copy,
+ O_RDONLY, 0666) != 0)
+ error (EXIT_FAILURE, errno, "posix_spawn_file_actions_addopen");
++ /* Overwrite the name to check that a copy has been made. */
++ memset (name3_copy, 'X', strlen (name3_copy));
++
+ /* We dup the second descriptor. */
+ fd4 = MAX (2, MAX (fd1, MAX (fd2, fd3))) + 1;
+ if (posix_spawn_file_actions_adddup2 (&actions, fd2, fd4) != 0)
+@@ -254,6 +261,7 @@ do_test (int argc, char *argv[])
+ /* Cleanup. */
+ if (posix_spawn_file_actions_destroy (&actions) != 0)
+ error (EXIT_FAILURE, errno, "posix_spawn_file_actions_destroy");
++ free (name3_copy);
+
+ /* Wait for the child. */
+ if (waitpid (pid, &status, 0) != pid)