Hello community,
here is the log from the commit of package glibc for openSUSE:Factory checked in at 2011-12-21 14:56:41
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/glibc (Old)
and /work/SRC/openSUSE:Factory/.glibc.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "glibc", Maintainer is "matz@suse.com"
Changes:
--------
--- /work/SRC/openSUSE:Factory/glibc/glibc.changes 2011-12-02 09:26:52.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.glibc.new/glibc.changes 2011-12-21 14:56:43.000000000 +0100
@@ -1,0 +2,6 @@
+Mon Dec 19 10:01:56 UTC 2011 - aj@suse.de
+
+- Fix timezone loader overflow (bnc#735850,CVE-2009-5029) (patch
+ tzfile-corruption-fix.patch)
+
+-------------------------------------------------------------------
New:
----
tzfile-corruption-fix.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ glibc.spec ++++++
--- /var/tmp/diff_new_pack.gZ8OA4/_old 2011-12-21 14:56:46.000000000 +0100
+++ /var/tmp/diff_new_pack.gZ8OA4/_new 2011-12-21 14:56:46.000000000 +0100
@@ -225,6 +225,8 @@
Patch84: nscd-avoid-gcc-warning.diff
# PATCH-FIX-OPENSUSE fix printf with > 32 args and printf specifiers bnc#733140, bso#13446
Patch85: glibc-2.14-32args-printf.patch
+# PATCH-FIX-UPSTREAM fix tzfile heap overrun bnc#735850 - aj@suse.de
+Patch86: tzfile-corruption-fix.patch
%description
The GNU C Library provides the most important standard libraries used
@@ -466,6 +468,7 @@
%patch75 -p1
%patch84
%patch85
+%patch86 -p1
#
# Inconsistency detected by ld.so: dl-close.c: 719: _dl_close: Assertion `map->l_init_called' failed!
++++++ tzfile-corruption-fix.patch ++++++
2011-12-17 Ulrich Drepper
[BZ #13506]
* time/tzfile.c (__tzfile_read): Check values from file header.
diff --git a/time/tzfile.c b/time/tzfile.c
index 144e20b..402389c 100644
--- a/time/tzfile.c
+++ b/time/tzfile.c
@@ -234,23 +234,58 @@ __tzfile_read (const char *file, size_t extra, char **extrap)
goto read_again;
}
+ if (__builtin_expect (num_transitions
+ > ((SIZE_MAX - (__alignof__ (struct ttinfo) - 1))
+ / (sizeof (time_t) + 1)), 0))
+ goto lose;
total_size = num_transitions * (sizeof (time_t) + 1);
total_size = ((total_size + __alignof__ (struct ttinfo) - 1)
& ~(__alignof__ (struct ttinfo) - 1));
types_idx = total_size;
- total_size += num_types * sizeof (struct ttinfo) + chars;
+ if (__builtin_expect (num_types
+ > (SIZE_MAX - total_size) / sizeof (struct ttinfo), 0))
+ goto lose;
+ total_size += num_types * sizeof (struct ttinfo);
+ if (__builtin_expect (chars > SIZE_MAX - total_size, 0))
+ goto lose;
+ total_size += chars;
+ if (__builtin_expect (__alignof__ (struct leap) - 1
+ > SIZE_MAX - total_size, 0))
+ goto lose;
total_size = ((total_size + __alignof__ (struct leap) - 1)
& ~(__alignof__ (struct leap) - 1));
leaps_idx = total_size;
+ if (__builtin_expect (num_leaps
+ > (SIZE_MAX - total_size) / sizeof (struct leap), 0))
+ goto lose;
total_size += num_leaps * sizeof (struct leap);
- tzspec_len = (sizeof (time_t) == 8 && trans_width == 8
- ? st.st_size - (ftello (f)
- + num_transitions * (8 + 1)
- + num_types * 6
- + chars
- + num_leaps * 12
- + num_isstd
- + num_isgmt) - 1 : 0);
+ tzspec_len = 0;
+ if (sizeof (time_t) == 8 && trans_width == 8)
+ {
+ off_t rem = st.st_size - ftello (f);
+ if (__builtin_expect (rem < 0
+ || (size_t) rem < (num_transitions * (8 + 1)
+ + num_types * 6
+ + chars), 0))
+ goto lose;
+ tzspec_len = (size_t) rem - (num_transitions * (8 + 1)
+ + num_types * 6
+ + chars);
+ if (__builtin_expect (num_leaps > SIZE_MAX / 12
+ || tzspec_len < num_leaps * 12, 0))
+ goto lose;
+ tzspec_len -= num_leaps * 12;
+ if (__builtin_expect (tzspec_len < num_isstd, 0))
+ goto lose;
+ tzspec_len -= num_isstd;
+ if (__builtin_expect (tzspec == 0 || tzspec_len - 1 < num_isgmt, 0))
+ goto lose;
+ tzspec_len -= num_isgmt + 1;
+ if (__builtin_expect (SIZE_MAX - total_size < tzspec_len, 0))
+ goto lose;
+ }
+ if (__builtin_expect (SIZE_MAX - total_size - tzspec_len < extra, 0))
+ goto lose;
/* Allocate enough memory including the extra block requested by the
caller. */
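Review bot: The `ftello (f)` call in `off_t rem = st.st_size - ftello (f);` is not checked for failure; if it returns -1, rem becomes st.st_size + 1, which passes the `rem < 0` guard and leaves tzspec_len one byte larger than the file can actually supply. I would read the position first and bail on error: `off_t pos = ftello (f); if (__builtin_expect (pos < 0, 0)) goto lose; off_t rem = st.st_size - pos;`. The products `num_transitions * (8 + 1)` and `num_types * 6` and their sum with `chars` in the same branch cannot overflow only because each term was already bounded against SIZE_MAX/total_size earlier in the hunk (and, presumably, because sizeof (struct ttinfo) is at least 6 — confirm), which is not obvious at the point of use; a one-line comment such as `/* Cannot overflow: every term was bounded against total_size above.  */` would keep a later edit from reordering the checks. __tzfile_read starts before and continues past this hunk.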
And a follow-up fix to the previous patch (the check compared `tzspec` instead of `tzspec_len`):
--- a/time/tzfile.c.orig 2011-12-19 10:58:26.000000000 +0100
+++ b/time/tzfile.c 2011-12-19 10:59:35.000000000 +0100
@@ -19,6 +19,7 @@
#include
#include
+#include
#include
#include
#include
@@ -278,7 +279,7 @@
if (__builtin_expect (tzspec_len < num_isstd, 0))
goto lose;
tzspec_len -= num_isstd;
- if (__builtin_expect (tzspec == 0 || tzspec_len - 1 < num_isgmt, 0))
+ if (__builtin_expect (tzspec_len == 0 || tzspec_len - 1 < num_isgmt, 0))
goto lose;
tzspec_len -= num_isgmt + 1;
if (__builtin_expect (SIZE_MAX - total_size < tzspec_len, 0))
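Review bot: The `- 1` in the corrected check `tzspec_len == 0 || tzspec_len - 1 < num_isgmt` and the matching `+ 1` in `tzspec_len -= num_isgmt + 1;` are an unexplained extra byte; the removed computation carried the same `- 1`, so the follow-up preserves it, but nothing in the hunk says what it accounts for. Presumably it is the newline that separates the binary data from the POSIX TZ string footer in version-2 tzfiles — confirm against the file format — and a comment such as `/* One extra byte: the newline before the TZ-string footer.  */` above the check would tell the next reader that the two `1`s must stay in sync. The original `tzspec == 0` compiled silently, which suggests tzspec is an existing variable of a different type in this function; a short comment naming tzspec_len as the remaining byte count would make such a slip visible on review. __tzfile_read starts before and continues past this hunk.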
--