wok-current rev 25699

Patch glibc CVE-2024-2961
author Stanislas Leduc <shann@slitaz.org>
date Thu Apr 18 21:07:29 2024 +0000 (2 weeks ago)
parents dd0dcb23f265
children 48865289e466
files glibc-base/stuff/wanted-files.list glibc/receipt glibc/stuff/glibc-2.28-CVE-2024-2961.patch
line diff
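--- a/glibc-base/stuff/wanted-files.list
+++ b/glibc-base/stuff/wanted-files.list
@@ -73,7 +73,6 @@
 /usr/lib/libm.so
 /usr/lib/librt.so
 /usr/lib/libresolv.so
-/usr/lib/libnsl.so
 /usr/lib/libutil.so
 /usr/lib/libanl.so
 /usr/lib/libthread_db.so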
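--- a/glibc/receipt
+++ b/glibc/receipt
@@ -129,6 +129,11 @@
 	# Patch for reenable C.UTF8
 	patch -p1 -i $stuff/glibc-c-utf8-locale.patch
 
+	# Patch for CVE-2024-2961
+	# see https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004;h=23a8115d;hb=HEAD
+	# https://sourceware.org/git/?p=glibc.git;a=patch;h=682ad4c8 (adjust little for 2.28)
+	patch -p1 < $stuff/glibc-2.28-CVE-2024-2961.patch
+
 	# Update for binutils 2.29, see https://sourceware.org/bugzilla/show_bug.cgi?id=21661
 	sed -i 's|obstack_compat;|obstack_compat  __attribute__ ((nocommon));|' malloc/obstack.c
 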
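Review bot: The added `patch -p1 < $stuff/glibc-2.28-CVE-2024-2961.patch` has no visible failure handling, so a rejected hunk in this hand-adjusted backport could let the build continue and ship a glibc without the new bounds checks. Consider `patch -p1 -i "$stuff/glibc-2.28-CVE-2024-2961.patch" || return 1` (or whatever abort convention the receipt already uses), which also matches the `-i` form of the C.UTF8 patch line just above and quotes `$stuff`. The abbreviated upstream ids in the comment would be easier to audit later if written as full commit hashes. The enclosing function starts and ends outside this hunk, so an existing `set -e` or equivalent cannot be ruled out from here.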
     3.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     3.2 +++ b/glibc/stuff/glibc-2.28-CVE-2024-2961.patch	Thu Apr 18 21:07:29 2024 +0000
     3.3 @@ -0,0 +1,186 @@
     3.4 +--- a/iconvdata/Makefile
     3.5 ++++ b/iconvdata/Makefile
     3.6 +@@ -73,7 +73,7 @@
     3.7 + ifeq (yes,$(build-shared))
     3.8 + tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \
     3.9 + 	tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \
    3.10 +-	bug-iconv10 bug-iconv11 bug-iconv12
    3.11 ++	bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-iso-2022-cn-ext
    3.12 + ifeq ($(have-thread-library),yes)
    3.13 + tests += bug-iconv3
    3.14 + endif
    3.15 +@@ -316,6 +316,8 @@
    3.16 + 			  $(addprefix $(objpfx),$(modules.so))
    3.17 + $(objpfx)bug-iconv12.out: $(objpfx)gconv-modules \
    3.18 + 			  $(addprefix $(objpfx),$(modules.so))
    3.19 ++$(objpfx)tst-iconv-iso-2022-cn-ext.out: $(addprefix $(objpfx), $(gconv-modules)) \
    3.20 ++					$(addprefix $(objpfx),$(modules.so))
    3.21 +
    3.22 + $(objpfx)iconv-test.out: run-iconv-test.sh $(objpfx)gconv-modules \
    3.23 + 			 $(addprefix $(objpfx),$(modules.so)) \
    3.24 +diff --git a/iconvdata/iso-2022-cn-ext.c b/iconvdata/iso-2022-cn-ext.c
    3.25 +index 947b807421..34e1010bed 100644
    3.26 +--- a/iconvdata/iso-2022-cn-ext.c
    3.27 ++++ b/iconvdata/iso-2022-cn-ext.c
    3.28 +@@ -575,6 +575,12 @@ DIAG_IGNORE_Os_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
    3.29 + 	      {								      \
    3.30 + 		const char *escseq;					      \
    3.31 + 									      \
    3.32 ++		if (outptr + 4 > outend)				      \
    3.33 ++		  {							      \
    3.34 ++		    result = __GCONV_FULL_OUTPUT;			      \
    3.35 ++		    break;						      \
    3.36 ++		  }							      \
    3.37 ++									      \
    3.38 + 		assert (used == CNS11643_2_set); /* XXX */		      \
    3.39 + 		escseq = "*H";						      \
    3.40 + 		*outptr++ = ESC;					      \
    3.41 +@@ -588,6 +594,12 @@ DIAG_IGNORE_Os_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
    3.42 + 	      {								      \
    3.43 + 		const char *escseq;					      \
    3.44 + 									      \
    3.45 ++		if (outptr + 4 > outend)				      \
    3.46 ++		  {							      \
    3.47 ++		    result = __GCONV_FULL_OUTPUT;			      \
    3.48 ++		    break;						      \
    3.49 ++		  }							      \
    3.50 ++									      \
    3.51 + 		assert ((used >> 5) >= 3 && (used >> 5) <= 7);		      \
    3.52 + 		escseq = "+I+J+K+L+M" + ((used >> 5) - 3) * 2;		      \
    3.53 + 		*outptr++ = ESC;					      \
    3.54 +diff --git a/iconvdata/tst-iconv-iso-2022-cn-ext.c b/iconvdata/tst-iconv-iso-2022-cn-ext.c
    3.55 +new file mode 100644
    3.56 +index 0000000000..96a8765fd5
    3.57 +--- /dev/null
    3.58 ++++ b/iconvdata/tst-iconv-iso-2022-cn-ext.c
    3.59 +@@ -0,0 +1,128 @@
    3.60 ++/* Verify ISO-2022-CN-EXT does not write out of the bounds.
    3.61 ++   Copyright (C) 2024 Free Software Foundation, Inc.
    3.62 ++   This file is part of the GNU C Library.
    3.63 ++
    3.64 ++   The GNU C Library is free software; you can redistribute it and/or
    3.65 ++   modify it under the terms of the GNU Lesser General Public
    3.66 ++   License as published by the Free Software Foundation; either
    3.67 ++   version 2.1 of the License, or (at your option) any later version.
    3.68 ++
    3.69 ++   The GNU C Library is distributed in the hope that it will be useful,
    3.70 ++   but WITHOUT ANY WARRANTY; without even the implied warranty of
    3.71 ++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    3.72 ++   Lesser General Public License for more details.
    3.73 ++
    3.74 ++   You should have received a copy of the GNU Lesser General Public
    3.75 ++   License along with the GNU C Library; if not, see
    3.76 ++   <https://www.gnu.org/licenses/>.  */
    3.77 ++
    3.78 ++#include <stdio.h>
    3.79 ++#include <string.h>
    3.80 ++
    3.81 ++#include <errno.h>
    3.82 ++#include <iconv.h>
    3.83 ++#include <sys/mman.h>
    3.84 ++
    3.85 ++#include <support/xunistd.h>
    3.86 ++#include <support/check.h>
    3.87 ++#include <support/support.h>
    3.88 ++
    3.89 ++/* The test sets up a two memory page buffer with the second page marked
    3.90 ++   PROT_NONE to trigger a fault if the conversion writes beyond the exact
    3.91 ++   expected amount.  Then we carry out various conversions and precisely
    3.92 ++   place the start of the output buffer in order to trigger a SIGSEGV if the
    3.93 ++   process writes anywhere between 1 and page sized bytes more (only one
    3.94 ++   PROT_NONE page is setup as a canary) than expected.  These tests exercise
    3.95 ++   all three of the cases in ISO-2022-CN-EXT where the converter must switch
    3.96 ++   character sets and may run out of buffer space while doing the
    3.97 ++   operation.  */
    3.98 ++
    3.99 ++static int
   3.100 ++do_test (void)
   3.101 ++{
   3.102 ++  iconv_t cd = iconv_open ("ISO-2022-CN-EXT", "UTF-8");
   3.103 ++  TEST_VERIFY_EXIT (cd != (iconv_t) -1);
   3.104 ++
   3.105 ++  char *ntf;
   3.106 ++  size_t ntfsize;
   3.107 ++  char *outbufbase;
   3.108 ++  {
   3.109 ++    int pgz = getpagesize ();
   3.110 ++    TEST_VERIFY_EXIT (pgz > 0);
   3.111 ++    ntfsize = 2 * pgz;
   3.112 ++
   3.113 ++    ntf = xmmap (NULL, ntfsize, PROT_READ | PROT_WRITE, MAP_PRIVATE
   3.114 ++		 | MAP_ANONYMOUS, -1);
   3.115 ++    xmprotect (ntf + pgz, pgz, PROT_NONE);
   3.116 ++
   3.117 ++    outbufbase = ntf + pgz;
   3.118 ++  }
   3.119 ++
   3.120 ++  /* Check if SOdesignation escape sequence does not trigger an OOB write.  */
   3.121 ++  {
   3.122 ++    char inbuf[] = "\xe4\xba\xa4\xe6\x8d\xa2";
   3.123 ++
   3.124 ++    for (int i = 0; i < 9; i++)
   3.125 ++      {
   3.126 ++	char *inp = inbuf;
   3.127 ++	size_t inleft = sizeof (inbuf) - 1;
   3.128 ++
   3.129 ++	char *outp = outbufbase - i;
   3.130 ++	size_t outleft = i;
   3.131 ++
   3.132 ++	TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft)
   3.133 ++			  == (size_t) -1);
   3.134 ++	TEST_COMPARE (errno, E2BIG);
   3.135 ++
   3.136 ++	TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0);
   3.137 ++      }
   3.138 ++  }
   3.139 ++
   3.140 ++  /* Same as before for SS2designation.  */
   3.141 ++  {
   3.142 ++    char inbuf[] = "ã´½ \xe3\xb4\xbd";
   3.143 ++
   3.144 ++    for (int i = 0; i < 14; i++)
   3.145 ++      {
   3.146 ++	char *inp = inbuf;
   3.147 ++	size_t inleft = sizeof (inbuf) - 1;
   3.148 ++
   3.149 ++	char *outp = outbufbase - i;
   3.150 ++	size_t outleft = i;
   3.151 ++
   3.152 ++	TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft)
   3.153 ++			  == (size_t) -1);
   3.154 ++	TEST_COMPARE (errno, E2BIG);
   3.155 ++
   3.156 ++	TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0);
   3.157 ++      }
   3.158 ++  }
   3.159 ++
   3.160 ++  /* Same as before for SS3designation.  */
   3.161 ++  {
   3.162 ++    char inbuf[] = "å \xe5\x8a\x84";
   3.163 ++
   3.164 ++    for (int i = 0; i < 14; i++)
   3.165 ++      {
   3.166 ++	char *inp = inbuf;
   3.167 ++	size_t inleft = sizeof (inbuf) - 1;
   3.168 ++
   3.169 ++	char *outp = outbufbase - i;
   3.170 ++	size_t outleft = i;
   3.171 ++
   3.172 ++	TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft)
   3.173 ++			  == (size_t) -1);
   3.174 ++	TEST_COMPARE (errno, E2BIG);
   3.175 ++
   3.176 ++	TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0);
   3.177 ++      }
   3.178 ++  }
   3.179 ++
   3.180 ++  TEST_VERIFY_EXIT (iconv_close (cd) != -1);
   3.181 ++
   3.182 ++  xmunmap (ntf, ntfsize);
   3.183 ++
   3.184 ++  return 0;
   3.185 ++}
   3.186 ++
   3.187 ++#include <support/test-driver.c>
   3.188 +--
   3.189 +2.39.3
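Review bot: The new Makefile rule for `tst-iconv-iso-2022-cn-ext.out` depends on `$(addprefix $(objpfx), $(gconv-modules))`, while the neighbouring rules visible in the same hunk use `$(objpfx)gconv-modules`; if the 2.28 Makefile defines no `gconv-modules` variable, that prerequisite expands to nothing and the regression test may run before the module list is built. For this backport the rule would more safely begin `$(objpfx)tst-iconv-iso-2022-cn-ext.out: $(objpfx)gconv-modules \`. Separately, the SS2 and SS3 inputs in `do_test` show their non-ASCII literal as `ã´½` and `å`, which looks like the UTF-8 bytes of the adjacent `\xe3\xb4\xbd` and `\xe5\x8a\x84` escapes decoded as Latin-1. That may only be a rendering artefact of this page, but the stored patch file is worth checking so the test feeds the intended characters and actually exercises the two new `outptr + 4 > outend` guards.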