wok-current diff glibc/stuff/glibc-2.28-CVE-2024-2961.patch @ rev 25699

Patch glibc CVE-2024-2961
author Stanislas Leduc <shann@slitaz.org>
date Thu Apr 18 21:07:29 2024 +0000 (2 months ago)
parents
children 48865289e466
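--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/glibc/stuff/glibc-2.28-CVE-2024-2961.patch	Thu Apr 18 21:07:29 2024 +0000
@@ -0,0 +1,186 @@
+--- a/iconvdata/Makefile
++++ b/iconvdata/Makefile
+@@ -73,7 +73,7 @@
+ ifeq (yes,$(build-shared))
+ tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \
+ 	tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \
+-	bug-iconv10 bug-iconv11 bug-iconv12
++	bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-iso-2022-cn-ext
+ ifeq ($(have-thread-library),yes)
+ tests += bug-iconv3
+ endif
+@@ -316,6 +316,8 @@
+ 			  $(addprefix $(objpfx),$(modules.so))
+ $(objpfx)bug-iconv12.out: $(objpfx)gconv-modules \
+ 			  $(addprefix $(objpfx),$(modules.so))
++$(objpfx)tst-iconv-iso-2022-cn-ext.out: $(addprefix $(objpfx), $(gconv-modules)) \
++					$(addprefix $(objpfx),$(modules.so))
+
+ $(objpfx)iconv-test.out: run-iconv-test.sh $(objpfx)gconv-modules \
+ 			 $(addprefix $(objpfx),$(modules.so)) \
+diff --git a/iconvdata/iso-2022-cn-ext.c b/iconvdata/iso-2022-cn-ext.c
+index 947b807421..34e1010bed 100644
+--- a/iconvdata/iso-2022-cn-ext.c
++++ b/iconvdata/iso-2022-cn-ext.c
+@@ -575,6 +575,12 @@ DIAG_IGNORE_Os_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
+ 	      {								      \
+ 		const char *escseq;					      \
+ 									      \
++		if (outptr + 4 > outend)				      \
++		  {							      \
++		    result = __GCONV_FULL_OUTPUT;			      \
++		    break;						      \
++		  }							      \
++									      \
+ 		assert (used == CNS11643_2_set); /* XXX */		      \
+ 		escseq = "*H";						      \
+ 		*outptr++ = ESC;					      \
+@@ -588,6 +594,12 @@ DIAG_IGNORE_Os_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
+ 	      {								      \
+ 		const char *escseq;					      \
+ 									      \
++		if (outptr + 4 > outend)				      \
++		  {							      \
++		    result = __GCONV_FULL_OUTPUT;			      \
++		    break;						      \
++		  }							      \
++									      \
+ 		assert ((used >> 5) >= 3 && (used >> 5) <= 7);		      \
+ 		escseq = "+I+J+K+L+M" + ((used >> 5) - 3) * 2;		      \
+ 		*outptr++ = ESC;					      \
+diff --git a/iconvdata/tst-iconv-iso-2022-cn-ext.c b/iconvdata/tst-iconv-iso-2022-cn-ext.c
+new file mode 100644
+index 0000000000..96a8765fd5
+--- /dev/null
++++ b/iconvdata/tst-iconv-iso-2022-cn-ext.c
+@@ -0,0 +1,128 @@
++/* Verify ISO-2022-CN-EXT does not write out of the bounds.
++   Copyright (C) 2024 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#include <stdio.h>
++#include <string.h>
++
++#include <errno.h>
++#include <iconv.h>
++#include <sys/mman.h>
++
++#include <support/xunistd.h>
++#include <support/check.h>
++#include <support/support.h>
++
++/* The test sets up a two memory page buffer with the second page marked
++   PROT_NONE to trigger a fault if the conversion writes beyond the exact
++   expected amount.  Then we carry out various conversions and precisely
++   place the start of the output buffer in order to trigger a SIGSEGV if the
++   process writes anywhere between 1 and page sized bytes more (only one
++   PROT_NONE page is setup as a canary) than expected.  These tests exercise
++   all three of the cases in ISO-2022-CN-EXT where the converter must switch
++   character sets and may run out of buffer space while doing the
++   operation.  */
++
++static int
++do_test (void)
++{
++  iconv_t cd = iconv_open ("ISO-2022-CN-EXT", "UTF-8");
++  TEST_VERIFY_EXIT (cd != (iconv_t) -1);
++
++  char *ntf;
++  size_t ntfsize;
++  char *outbufbase;
++  {
++    int pgz = getpagesize ();
++    TEST_VERIFY_EXIT (pgz > 0);
++    ntfsize = 2 * pgz;
++
++    ntf = xmmap (NULL, ntfsize, PROT_READ | PROT_WRITE, MAP_PRIVATE
++		 | MAP_ANONYMOUS, -1);
++    xmprotect (ntf + pgz, pgz, PROT_NONE);
++
++    outbufbase = ntf + pgz;
++  }
++
++  /* Check if SOdesignation escape sequence does not trigger an OOB write.  */
++  {
++    char inbuf[] = "\xe4\xba\xa4\xe6\x8d\xa2";
++
++    for (int i = 0; i < 9; i++)
++      {
++	char *inp = inbuf;
++	size_t inleft = sizeof (inbuf) - 1;
++
++	char *outp = outbufbase - i;
++	size_t outleft = i;
++
++	TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft)
++			  == (size_t) -1);
++	TEST_COMPARE (errno, E2BIG);
++
++	TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0);
++      }
++  }
++
++  /* Same as before for SS2designation.  */
++  {
++    char inbuf[] = "ã´½ \xe3\xb4\xbd";
++
++    for (int i = 0; i < 14; i++)
++      {
++	char *inp = inbuf;
++	size_t inleft = sizeof (inbuf) - 1;
++
++	char *outp = outbufbase - i;
++	size_t outleft = i;
++
++	TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft)
++			  == (size_t) -1);
++	TEST_COMPARE (errno, E2BIG);
++
++	TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0);
++      }
++  }
++
++  /* Same as before for SS3designation.  */
++  {
++    char inbuf[] = "å \xe5\x8a\x84";
++
++    for (int i = 0; i < 14; i++)
++      {
++	char *inp = inbuf;
++	size_t inleft = sizeof (inbuf) - 1;
++
++	char *outp = outbufbase - i;
++	size_t outleft = i;
++
++	TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft)
++			  == (size_t) -1);
++	TEST_COMPARE (errno, E2BIG);
++
++	TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0);
++      }
++  }
++
++  TEST_VERIFY_EXIT (iconv_close (cd) != -1);
++
++  xmunmap (ntf, ntfsize);
++
++  return 0;
++}
++
++#include <support/test-driver.c>
+--
+2.39.3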
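Review bot: In the second iconvdata/Makefile hunk the new `tst-iconv-iso-2022-cn-ext.out` rule takes its prerequisite from `$(addprefix $(objpfx), $(gconv-modules))`, while the neighbouring context rules in this 2.28 tree (`bug-iconv12.out`, `iconv-test.out`) name the file directly as `$(objpfx)gconv-modules`. No `gconv-modules` variable is visible on this page; if 2.28 does not define one, the prerequisite expands to nothing and the bounds regression test can run before the module table exists, so for the backport the rule would read `$(objpfx)tst-iconv-iso-2022-cn-ext.out: $(objpfx)gconv-modules \`. Separately, the SS2 and SS3 inputs in `do_test` show a raw non-ASCII character ahead of the escaped one (`"ã´½ \xe3\xb4\xbd"`), which looks mis-encoded here. If the stored patch carries those bytes, the test no longer feeds the intended input to the two paths guarded by `outptr + 4 > outend`; writing both characters as escapes (`"\xe3\xb4\xbd \xe3\xb4\xbd"`) would make the test independent of the patch file's encoding.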