Change-Id: Ib82258a2cf51b46000c3ad38eaeb0fe08b7b1be8
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/4140
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
Tested-by: Anish Swaminathan <anishs@vmware.com>
1 | 1 |
new file mode 100644 |
... | ... |
@@ -0,0 +1,23 @@ |
0 |
+From c369d66e5426a30e4725b100d5cd28e372754f90 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Paul Eggert <eggert@cs.ucla.edu> |
|
2 |
+Date: Fri, 20 Oct 2017 18:41:14 +0200 |
|
3 |
+Subject: [PATCH] CVE-2017-15670: glob: Fix one-byte overflow [BZ #22320] |
|
4 |
+ |
|
5 |
+--- |
|
6 |
+ ChangeLog | 6 ++++++ |
|
7 |
+ NEWS | 4 ++++ |
|
8 |
+ posix/glob.c | 2 +- |
|
9 |
+ 3 files changed, 11 insertions(+), 1 deletion(-) |
|
10 |
+ |
|
11 |
+index 076ab2b..15a6c0c 100644 (file) |
|
12 |
+--- a/posix/glob.c |
|
13 |
+@@ -859,7 +859,7 @@ glob (pattern, flags, errfunc, pglob) |
|
14 |
+ *p = '\0'; |
|
15 |
+ } |
|
16 |
+ else |
|
17 |
+- *((char *) mempcpy (newp, dirname + 1, end_name - dirname)) |
|
18 |
++ *((char *) mempcpy (newp, dirname + 1, end_name - dirname -1)) |
|
19 |
+ = '\0'; |
|
20 |
+ user_name = newp; |
|
21 |
+ } |
0 | 22 |
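Review bot: The embedded patch header still carries the upstream diffstat (`ChangeLog`, `NEWS`, `posix/glob.c`, "3 files changed, 11 insertions(+), 1 deletion(-)"), but the only hunk present is the one-line length change in `posix/glob.c`, so the header no longer describes what this file applies; the GLOB_TILDE unescaping patch later in this commit has the same mismatch. If the ChangeLog and NEWS hunks were dropped on purpose for packaging, record that in the header, for example `Backport note: ChangeLog and NEWS hunks dropped; only the posix/glob.c fix is carried.` The function context on this hunk is the old-style `glob (pattern, flags, errfunc, pglob)`, while the second patch shows `__glob (const char *pattern, int flags, ...`, which suggests the two were generated against different trees. It is worth confirming that both apply to 2.26 without offset or fuzz, because a misapplied hunk would presumably leave the one-byte overflow in place. The allocation of `newp` and the rest of the function are outside the hunk, so the corrected length `end_name - dirname -1` cannot be checked against the buffer size from this view.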
new file mode 100644 |
... | ... |
@@ -0,0 +1,31 @@ |
0 |
+From a159b53fa059947cc2548e3b0d5bdcf7b9630ba8 Mon Sep 17 00:00:00 2001 |
|
1 |
+From: Paul Eggert <eggert@cs.ucla.edu> |
|
2 |
+Date: Sun, 22 Oct 2017 10:00:57 +0200 |
|
3 |
+Subject: [PATCH] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ |
|
4 |
+ #22332] |
|
5 |
+ |
|
6 |
+--- |
|
7 |
+ ChangeLog | 6 ++++++ |
|
8 |
+ NEWS | 4 ++++ |
|
9 |
+ posix/glob.c | 4 ++-- |
|
10 |
+ 3 files changed, 12 insertions(+), 2 deletions(-) |
|
11 |
+ |
|
12 |
+--- a/posix/glob.c |
|
13 |
+@@ -770,11 +770,11 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int), |
|
14 |
+ char *p = mempcpy (newp, dirname + 1, |
|
15 |
+ unescape - dirname - 1); |
|
16 |
+ char *q = unescape; |
|
17 |
+- while (*q != '\0') |
|
18 |
++ while (q != end_name) |
|
19 |
+ { |
|
20 |
+ if (*q == '\\') |
|
21 |
+ { |
|
22 |
+- if (q[1] == '\0') |
|
23 |
++ if (q + 1 == end_name) |
|
24 |
+ { |
|
25 |
+ /* "~fo\\o\\" unescape to user_name "foo\\", |
|
26 |
+ but "~fo\\o\\/" unescape to user_name |
|
27 |
+-- |
|
28 |
+2.9.3 |
|
29 |
+ |
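Review bot: Nothing in this patch file names the CVE it is packaged for: the subject cites only BZ #22332, and the file name of this section is not shown, so the link to the spec's `glibc-fix-CVE-2017-15804.patch` entry is by elimination only. A one-line header note such as `CVE-2017-15804 (BZ #22332), upstream commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8` would let an auditor map the Patch5 entry to the upstream fix without relying on the file name. Separately, the new bound `while (q != end_name)` terminates only if `q` lands exactly on `end_name`. The `q + 1 == end_name` guard covers the backslash case visible here, but the statements that advance `q` are outside the hunk, so the remaining paths should be checked against the patched source.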
... | ... |
@@ -4,7 +4,7 @@ |
4 | 4 |
Summary: Main C library |
5 | 5 |
Name: glibc |
6 | 6 |
Version: 2.26 |
7 |
-Release: 5%{?dist} |
|
7 |
+Release: 6%{?dist} |
|
8 | 8 |
License: LGPLv2+ |
9 | 9 |
URL: http://www.gnu.org/software/libc |
10 | 10 |
Group: Applications/System |
... | ... |
@@ -18,6 +18,8 @@ Patch0: http://www.linuxfromscratch.org/patches/downloads/glibc/glibc-2.25-fh |
18 | 18 |
Patch1: glibc-2.24-bindrsvport-blacklist.patch |
19 | 19 |
Patch2: 0001-Fix-range-check-in-do_tunable_update_val.patch |
20 | 20 |
Patch3: 0002-malloc-arena-fix.patch |
21 |
+Patch4: glibc-fix-CVE-2017-15670.patch |
|
22 |
+Patch5: glibc-fix-CVE-2017-15804.patch |
|
21 | 23 |
Provides: rtld(GNU_HASH) |
22 | 24 |
Requires: filesystem |
23 | 25 |
%description |
... | ... |
@@ -75,6 +77,8 @@ sed -i 's/\\$$(pwd)/`pwd`/' timezone/Makefile |
75 | 75 |
%patch1 -p1 |
76 | 76 |
%patch2 -p1 |
77 | 77 |
%patch3 -p1 |
78 |
+%patch4 -p1 |
|
79 |
+%patch5 -p1 |
|
78 | 80 |
install -vdm 755 %{_builddir}/%{name}-build |
79 | 81 |
# do not try to explicitly provide GLIBC_PRIVATE versioned libraries |
80 | 82 |
%define __find_provides %{_builddir}/%{name}-%{version}/find_provides.sh |
... | ... |
@@ -278,6 +282,8 @@ grep "^FAIL: nptl/tst-eintr1" tests.sum >/dev/null && n=$((n+1)) ||: |
278 | 278 |
|
279 | 279 |
|
280 | 280 |
%changelog |
281 |
+* Wed Oct 25 2017 Xiaolin Li <xiaolinl@vmware.com> 2.26-6 |
|
282 |
+- Fix CVE-2017-15670 and CVE-2017-15804 |
|
281 | 283 |
* Tue Oct 10 2017 Alexey Makhalov <amakhalov@vmware.com> 2.26-5 |
282 | 284 |
- Compile out tcache. |
283 | 285 |
* Fri Sep 15 2017 Bo Gan <ganb@vmware.com> 2.26-4 |