Diffstat (limited to 'source/l/glibc')
-rwxr-xr-xsource/l/glibc/glibc.SlackBuild2
-rw-r--r--source/l/glibc/patches/CVE-2021-27645.patch20
-rw-r--r--source/l/glibc/patches/CVE-2021-33574_1.patch71
-rw-r--r--source/l/glibc/patches/CVE-2021-33574_2.patch53
-rw-r--r--source/l/glibc/patches/CVE-2021-35942.patch41
5 files changed, 186 insertions, 1 deletions
diff --git a/source/l/glibc/glibc.SlackBuild b/source/l/glibc/glibc.SlackBuild
index 80e2f7e73..2efeaa18b 100755
--- a/source/l/glibc/glibc.SlackBuild
+++ b/source/l/glibc/glibc.SlackBuild
@@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd)
PKGNAM=glibc
VERSION=${VERSION:-$(echo glibc-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
CHECKOUT=${CHECKOUT:-""}
-BUILD=${BUILD:-2}
+BUILD=${BUILD:-3}
# I was considering disabling NSCD, but MoZes talked me out of it. :)
#DISABLE_NSCD=" --disable-nscd "
diff --git a/source/l/glibc/patches/CVE-2021-27645.patch b/source/l/glibc/patches/CVE-2021-27645.patch
new file mode 100644
index 000000000..c568dd16b
--- /dev/null
+++ b/source/l/glibc/patches/CVE-2021-27645.patch
@@ -0,0 +1,20 @@
+--- ./nscd/netgroupcache.c.orig 2021-08-07 13:20:02.459057859 -0500
++++ ./nscd/netgroupcache.c 2021-08-07 13:22:08.983060689 -0500
+@@ -248,7 +248,7 @@
+ : NULL);
+ ndomain = (ndomain ? newbuf + ndomaindiff
+ : NULL);
+- buffer = newbuf;
++ *tofreep = buffer = newbuf;
+ }
+
+ nhost = memcpy (buffer + bufused,
+@@ -319,7 +319,7 @@
+ else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE)
+ {
+ buflen *= 2;
+- buffer = xrealloc (buffer, buflen);
++ *tofreep = buffer = xrealloc (buffer, buflen);
+ }
+ else if (status == NSS_STATUS_RETURN
+ || status == NSS_STATUS_NOTFOUND
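Review bot: This patch file carries no provenance or description, unlike the three other patches added in this commit, which keep their `From`/`Subject` headers; it is a bare diff against `netgroupcache.c.orig`. A short header would let a later packager check it against upstream, for example `nscd: keep *tofreep in sync when the netgroup buffer is reallocated (upstream commit: <UPSTREAM-COMMIT-PLACEHOLDER>)`. Both hunks make the same change: wherever `buffer` is replaced by `newbuf` or by the `xrealloc` result, `*tofreep` is updated as well, presumably so the caller does not free the stale pointer. The enclosing function lies outside the hunks, so that reading should be confirmed against the full source.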
diff --git a/source/l/glibc/patches/CVE-2021-33574_1.patch b/source/l/glibc/patches/CVE-2021-33574_1.patch
new file mode 100644
index 000000000..20f1889ce
--- /dev/null
+++ b/source/l/glibc/patches/CVE-2021-33574_1.patch
@@ -0,0 +1,71 @@
+From 42d359350510506b87101cf77202fefcbfc790cb Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@linux-m68k.org>
+Date: Thu, 27 May 2021 12:49:47 +0200
+Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896)
+
+Make a deep copy of the pthread attribute object to remove a potential
+use-after-free issue.
+---
+ NEWS | 4 ++++
+ sysdeps/unix/sysv/linux/mq_notify.c | 15 ++++++++++-----
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 6f4d325d55..1bf3daa502 100644
+--- a/NEWS
++++ b/NEWS
+@@ -62,6 +62,10 @@ Security related changes:
+ potentially resulting in degraded service or Denial of Service on the
+ local system. Reported by Chris Schanzle.
+
++ CVE-2021-33574: The mq_notify function has a potential use-after-free
++ issue when using a notification type of SIGEV_THREAD and a thread
++ attribute with a non-default affinity mask.
++
+ The following bugs are resolved with this release:
+
+ [The release manager will add the list generated by
+diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
+index cc575a0cdd..f7ddfe5a6c 100644
+--- a/sysdeps/unix/sysv/linux/mq_notify.c
++++ b/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -133,8 +133,11 @@ helper_thread (void *arg)
+ (void) __pthread_barrier_wait (&notify_barrier);
+ }
+ else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
+- /* The only state we keep is the copy of the thread attributes. */
+- free (data.attr);
++ {
++ /* The only state we keep is the copy of the thread attributes. */
++ pthread_attr_destroy (data.attr);
++ free (data.attr);
++ }
+ }
+ return NULL;
+ }
+@@ -255,8 +258,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+ if (data.attr == NULL)
+ return -1;
+
+- memcpy (data.attr, notification->sigev_notify_attributes,
+- sizeof (pthread_attr_t));
++ __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
+ }
+
+ /* Construct the new request. */
+@@ -270,7 +272,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+
+ /* If it failed, free the allocated memory. */
+ if (__glibc_unlikely (retval != 0))
+- free (data.attr);
++ {
++ pthread_attr_destroy (data.attr);
++ free (data.attr);
++ }
+
+ return retval;
+ }
+--
+2.27.0
+
+
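Review bot: The `NOTIFY_REMOVED` branch of `helper_thread` now calls `pthread_attr_destroy (data.attr)` without checking that `data.attr` is non-NULL. The follow-up patch in this commit (CVE-2021-33574_2.patch) says that destroying an unallocated attribute is a null pointer dereference, but it guards only the failure path in `mq_notify`; the helper-thread path stays as written here. If a notification registered without thread attributes can reach this branch, the helper thread would dereference NULL; this is inferred, because the code that fills `data` is outside the hunk. The guard would be `if (data.attr != NULL)` around the `pthread_attr_destroy`/`free` pair, and it is worth checking whether upstream carries a later fix for this path before shipping.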
diff --git a/source/l/glibc/patches/CVE-2021-33574_2.patch b/source/l/glibc/patches/CVE-2021-33574_2.patch
new file mode 100644
index 000000000..608dbfdc5
--- /dev/null
+++ b/source/l/glibc/patches/CVE-2021-33574_2.patch
@@ -0,0 +1,53 @@
+From 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Tue, 1 Jun 2021 17:51:41 +0200
+Subject: [PATCH] Fix use of __pthread_attr_copy in mq_notify (bug 27896)
+
+__pthread_attr_copy can fail and does not initialize the attribute
+structure in that case.
+
+If __pthread_attr_copy is never called and there is no allocated
+attribute, pthread_attr_destroy should not be called, otherwise
+there is a null pointer dereference in rt/tst-mqueue6.
+
+Fixes commit 42d359350510506b87101cf77202fefcbfc790cb
+("Use __pthread_attr_copy in mq_notify (bug 27896)").
+
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+---
+ sysdeps/unix/sysv/linux/mq_notify.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
+index f7ddfe5a6c..6f46d29d1d 100644
+--- a/sysdeps/unix/sysv/linux/mq_notify.c
++++ b/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -258,7 +258,14 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+ if (data.attr == NULL)
+ return -1;
+
+- __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
++ int ret = __pthread_attr_copy (data.attr,
++ notification->sigev_notify_attributes);
++ if (ret != 0)
++ {
++ free (data.attr);
++ __set_errno (ret);
++ return -1;
++ }
+ }
+
+ /* Construct the new request. */
+@@ -271,7 +278,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+ int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se);
+
+ /* If it failed, free the allocated memory. */
+- if (__glibc_unlikely (retval != 0))
++ if (retval != 0 && data.attr != NULL)
+ {
+ pthread_attr_destroy (data.attr);
+ free (data.attr);
+--
+2.27.0
+
+
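Review bot: This patch applies only on top of CVE-2021-33574_1.patch, since its first hunk removes the unchecked `__pthread_attr_copy` call that patch introduces, yet nothing in this commit shows where or in what order the files under `patches/` are applied. The diffstat records only the `BUILD` bump in glibc.SlackBuild, so the apply step is presumably an existing loop outside this diff. It is worth confirming that the loop picks up `*.patch` files in name order and aborts the build on a failed hunk, so that a partially applied fix cannot ship silently.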
diff --git a/source/l/glibc/patches/CVE-2021-35942.patch b/source/l/glibc/patches/CVE-2021-35942.patch
new file mode 100644
index 000000000..fde0fbdb3
--- /dev/null
+++ b/source/l/glibc/patches/CVE-2021-35942.patch
@@ -0,0 +1,41 @@
+From 5adda61f62b77384718b4c0d8336ade8f2b4b35c Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@linux-m68k.org>
+Date: Fri, 25 Jun 2021 15:02:47 +0200
+Subject: [PATCH] wordexp: handle overflow in positional parameter number (bug
+ 28011)
+
+Use strtoul instead of atoi so that overflow can be detected.
+---
+ posix/wordexp-test.c | 1 +
+ posix/wordexp.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
+index f93a546d7e..9df02dbbb3 100644
+--- a/posix/wordexp-test.c
++++ b/posix/wordexp-test.c
+@@ -183,6 +183,7 @@ struct test_case_struct
+ { 0, NULL, "$var", 0, 0, { NULL, }, IFS },
+ { 0, NULL, "\"\\n\"", 0, 1, { "\\n", }, IFS },
+ { 0, NULL, "", 0, 0, { NULL, }, IFS },
++ { 0, NULL, "${1234567890123456789012}", 0, 0, { NULL, }, IFS },
+
+ /* Flags not already covered (testit() has special handling for these) */
+ { 0, NULL, "one two", WRDE_DOOFFS, 2, { "one", "two", }, IFS },
+diff --git a/posix/wordexp.c b/posix/wordexp.c
+index bcbe96e48d..1f3b09f721 100644
+--- a/posix/wordexp.c
++++ b/posix/wordexp.c
+@@ -1399,7 +1399,7 @@ envsubst:
+ /* Is it a numeric parameter? */
+ else if (isdigit (env[0]))
+ {
+- int n = atoi (env);
++ unsigned long n = strtoul (env, NULL, 10);
+
+ if (n >= __libc_argc)
+ /* Substitute NULL. */
+--
+2.27.0
+
+
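Review bot: The overflow handling in the `wordexp.c` hunk is implicit and deserves a comment: `strtoul` returns `ULONG_MAX` for an out-of-range number, and only that makes `n >= __libc_argc` take the substitute-NULL branch. Something like `/* strtoul saturates at ULONG_MAX on overflow, so an oversized index is treated as out of range.  */` above the declaration would keep a later edit from reintroducing a narrower type. The comparison now mixes `unsigned long` with `__libc_argc`, whose declaration is outside the hunk; if it is a signed `int`, the conversion is safe only while the value is non-negative, which is presumably always the case. The `envsubst:` block continues beyond the hunk.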