Hello community, here is the log from the commit of package glibc for openSUSE:Factory checked in at 2013-07-23 20:30:54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/glibc (Old) and /work/SRC/openSUSE:Factory/.glibc.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "glibc" Changes: -------- --- /work/SRC/openSUSE:Factory/glibc/glibc-testsuite.changes 2013-07-11 13:28:21.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.glibc.new/glibc-testsuite.changes 2013-07-23 20:30:55.000000000 +0200 @@ -1,0 +2,8 @@ +Mon Jul 22 12:32:34 UTC 2013 - schwab@suse.de + +- disable-pt-chown.patch: disable use of pt_chown (CVE-2013-2207, + bnc#830257) +- nonascii-case.patch: fix strcasecmp in tr_TR.ISO-8859-9 locale +- glibc-2.14-crypt.diff: fix incomplete dependencies for libowcrypt + +------------------------------------------------------------------- glibc-utils.changes: same change glibc.changes: same change New: ---- disable-pt-chown.patch nonascii-case.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ glibc-testsuite.spec ++++++ --- /var/tmp/diff_new_pack.brZ5QJ/_old 2013-07-23 20:30:56.000000000 +0200 +++ /var/tmp/diff_new_pack.brZ5QJ/_new 2013-07-23 20:30:56.000000000 +0200 @@ -253,6 +253,8 @@ Patch1005: getaddrinfo-overflow.patch # PATCH-FIX-UPSTREAM Fix handling of netgroup cache in nscd Patch1006: nscd-netgroup.patch +# PATCH-FIX-UPSTREAM Disable use of pt_chown (CVE-2013-2207) +Patch1007: disable-pt-chown.patch ### # Patches awaiting upstream approval @@ -273,6 +275,8 @@ Patch2015: printf-overrun.patch # PATCH-FIX-UPSTREAM AArch64: Don't clobber argument for tail call to __sigjmp_save in sigsetjmp Patch2016: aarch64-sigsetjmp.patch +# PATCH-FIX-UPSTREAM Fix strcasecmp for tr_TR.ISO-8859-9 +Patch2017: nonascii-case.patch # Non-glibc patches # PATCH-FIX-OPENSUSE Remove debianisms from manpages 
@@ -480,6 +484,7 @@ %patch1004 -p1 %patch1005 -p1 %patch1006 -p1 +%patch1007 -p1 # XXX Disable, it breaks the testsuite, test elf/tst-audit2 # %patch2008 -p1 @@ -490,6 +495,7 @@ %patch2014 -p1 %patch2015 -p1 %patch2016 -p1 +%patch2017 -p1 %patch3000 @@ -979,23 +985,8 @@ ####################################################################### %if %{normal_build} -# Note: glibc_post_upgrade does: -# %%set_permissions %%{_libexecdir}/pt_chown -# since we cannot do it in our own post section - %post -p %{_sbindir}/glibc_post_upgrade -%if 0 -# Enabling the following lines will generate a -# requires on /bin/sh but glibc should not require any other binary -# packages. Therefore we do the change with the built-in lua: -# %%verifyscript -# %%verify_permissions -e %%{_libexecdir}/pt_chown -%endif - -%verifyscript -p <lua> -os.execute("/usr/bin/chkstat -n --warn --system -e %{_libexecdir}/pt_chown") - %postun -p /sbin/ldconfig %endif # %{normal_build} @@ -1177,7 +1168,6 @@ %endif %{_bindir}/locale %{_bindir}/localedef -%verify(not mode caps) %attr(4755,root,root) %{_libexecdir}/pt_chown %dir %attr(0755,root,root) %{_libexecdir}/getconf %{_libexecdir}/getconf/* %{_sbindir}/glibc_post_upgrade glibc-utils.spec: same change ++++++ glibc.spec ++++++ --- /var/tmp/diff_new_pack.brZ5QJ/_old 2013-07-23 20:30:56.000000000 +0200 +++ /var/tmp/diff_new_pack.brZ5QJ/_new 2013-07-23 20:30:56.000000000 +0200 @@ -253,6 +253,8 @@ Patch1005: getaddrinfo-overflow.patch # PATCH-FIX-UPSTREAM Fix handling of netgroup cache in nscd Patch1006: nscd-netgroup.patch +# PATCH-FIX-UPSTREAM Disable use of pt_chown (CVE-2013-2207) +Patch1007: disable-pt-chown.patch ### # Patches awaiting upstream approval 
@@ -273,6 +275,8 @@ Patch2015: printf-overrun.patch # PATCH-FIX-UPSTREAM AArch64: Don't clobber argument for tail call to __sigjmp_save in sigsetjmp Patch2016: aarch64-sigsetjmp.patch +# PATCH-FIX-UPSTREAM Fix strcasecmp for tr_TR.ISO-8859-9 +Patch2017: nonascii-case.patch # Non-glibc patches # PATCH-FIX-OPENSUSE Remove debianisms from manpages @@ -480,6 +484,7 @@ %patch1004 -p1 %patch1005 -p1 %patch1006 -p1 +%patch1007 -p1 # XXX Disable, it breaks the testsuite, test elf/tst-audit2 # %patch2008 -p1 @@ -490,6 +495,7 @@ %patch2014 -p1 %patch2015 -p1 %patch2016 -p1 +%patch2017 -p1 %patch3000 @@ -979,23 +985,8 @@ ####################################################################### %if %{normal_build} -# Note: glibc_post_upgrade does: -# %%set_permissions %%{_libexecdir}/pt_chown -# since we cannot do it in our own post section - %post -p %{_sbindir}/glibc_post_upgrade -%if 0 -# Enabling the following lines will generate a -# requires on /bin/sh but glibc should not require any other binary -# packages. Therefore we do the change with the built-in lua: -# %%verifyscript -# %%verify_permissions -e %%{_libexecdir}/pt_chown -%endif - -%verifyscript -p <lua> -os.execute("/usr/bin/chkstat -n --warn --system -e %{_libexecdir}/pt_chown") - %postun -p /sbin/ldconfig %endif # %{normal_build} 
@@ -1177,7 +1168,6 @@ %endif %{_bindir}/locale %{_bindir}/localedef -%verify(not mode caps) %attr(4755,root,root) %{_libexecdir}/pt_chown %dir %attr(0755,root,root) %{_libexecdir}/getconf %{_libexecdir}/getconf/* %{_sbindir}/glibc_post_upgrade ++++++ disable-pt-chown.patch ++++++ 2013-07-21 Siddhesh Poyarekar <siddhesh@redhat.com> Andreas Schwab <schwab@suse.de> Roland McGrath <roland@hack.frob.com> Joseph Myers <joseph@codesourcery.com> Carlos O'Donell <carlos@redhat.com> [BZ #15755] * config.h.in: Define HAVE_PT_CHOWN. * config.make.in (build-pt-chown): New variable. * configure.in (--enable-pt_chown): New configure option. * configure: Regenerate. * login/Makefile: Include Makeconfig. Build pt_chown only if build-pt-chown is enabled. * sysdeps/unix/grantpt.c (grantpt) [HAVE_PT_CHOWN]: Spawn pt_chown to fix pty ownership. * sysdeps/unix/sysv/linux/grantpt.c [HAVE_PT_CHOWN]: Define CLOSE_ALL_FDS. * manual/install.texi (Configuring and compiling): Mention --enable-pt_chown. Add @findex for grantpt. * INSTALL: Regenerate. Index: glibc-2.17/INSTALL =================================================================== --- glibc-2.17.orig/INSTALL +++ glibc-2.17/INSTALL 
@@ -128,6 +128,18 @@ will be used, and CFLAGS sets optimizati this can be prevented though there generally is no reason since it creates compatibility problems. +`--enable-pt_chown' + The file `pt_chown' is a helper binary for `grantpt' (*note + Pseudo-Terminals: Allocation.) that is installed setuid root to + fix up pseudo-terminal ownership. It is not built by default + because systems using the Linux kernel are commonly built with the + `devpts' filesystem enabled and mounted at `/dev/pts', which + manages pseudo-terminal ownership automatically. By using + `--enable-pt_chown', you may build `pt_chown' and install it + setuid and owned by `root'. The use of `pt_chown' introduces + additional security risks to the system and you should enable it + only if you understand and accept those risks. + `--build=BUILD-SYSTEM' `--host=HOST-SYSTEM' These options are for cross-compiling. If you specify both Index: glibc-2.17/config.h.in =================================================================== --- glibc-2.17.orig/config.h.in +++ glibc-2.17/config.h.in @@ -232,4 +232,7 @@ /* The ARM hard-float ABI is being used. */ #undef HAVE_ARM_PCS_VFP +/* The pt_chown binary is being built and used by grantpt. */ +#undef HAVE_PT_CHOWN + #endif Index: glibc-2.17/config.make.in =================================================================== --- glibc-2.17.orig/config.make.in +++ glibc-2.17/config.make.in @@ -102,6 +102,7 @@ force-install = @force_install@ link-obsolete-rpc = @link_obsolete_rpc@ build-nscd = @build_nscd@ use-nscd = @use_nscd@ +build-pt-chown = @build_pt_chown@ # Build tools. CC = @CC@ Index: glibc-2.17/configure =================================================================== --- glibc-2.17.orig/configure +++ glibc-2.17/configure @@ -654,6 +654,7 @@ multi_arch base_machine add_on_subdirs add_ons +build_pt_chown build_nscd link_obsolete_rpc libc_cv_nss_crypt 
@@ -760,6 +761,7 @@ enable_obsolete_rpc enable_systemtap enable_build_nscd enable_nscd +enable_pt_chown with_cpu ' ac_precious_vars='build_alias @@ -1420,6 +1422,7 @@ Optional Features: --enable-systemtap enable systemtap static probe points [default=no] --disable-build-nscd disable building and installing the nscd daemon --disable-nscd library functions will not contact the nscd daemon + --enable-pt_chown Enable building and installing pt_chown Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] @@ -3935,6 +3938,19 @@ else fi +# Check whether --enable-pt_chown was given. +if test "${enable_pt_chown+set}" = set; then : + enableval=$enable_pt_chown; build_pt_chown=$enableval +else + build_pt_chown=no +fi + + +if test $build_pt_chown = yes; then + $as_echo "#define HAVE_PT_CHOWN 1" >>confdefs.h + +fi + # The way shlib-versions is used to generate soversions.mk uses a # fairly simplistic model for name recognition that can't distinguish # i486-pc-linux-gnu fully from i486-pc-gnu. So we mutate a $host_os Index: glibc-2.17/configure.in =================================================================== --- glibc-2.17.orig/configure.in +++ glibc-2.17/configure.in @@ -315,6 +315,16 @@ AC_ARG_ENABLE([nscd], [use_nscd=$enableval], [use_nscd=yes]) +AC_ARG_ENABLE([pt_chown], + [AS_HELP_STRING([--enable-pt_chown], + [Enable building and installing pt_chown])], + [build_pt_chown=$enableval], + [build_pt_chown=no]) +AC_SUBST(build_pt_chown) +if test $build_pt_chown = yes; then + AC_DEFINE(HAVE_PT_CHOWN) +fi + # The way shlib-versions is used to generate soversions.mk uses a # fairly simplistic model for name recognition that can't distinguish # i486-pc-linux-gnu fully from i486-pc-gnu. So we mutate a $host_os Index: glibc-2.17/login/Makefile =================================================================== --- glibc-2.17.orig/login/Makefile +++ glibc-2.17/login/Makefile 
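Review bot: In the configure.in hunk (@@ -315,6 +315,16) the new `if test $build_pt_chown = yes; then` expands the variable unquoted, so `--enable-pt_chown=` with an empty value makes `test` report a syntax error instead of cleanly evaluating false. The result still fails safe, because HAVE_PT_CHOWN stays undefined and login/Makefile only matches the literal `yes`, but `if test "$build_pt_chown" = yes; then` keeps configure quiet and predictable. The help string could also state what the INSTALL text says, for example `[Enable building and installing the setuid-root pt_chown helper]`, so the consequence is visible in `configure --help`. The regenerated configure hunk (@@ -3935,6 +3938,19) carries the same unquoted test and would pick up the fix on regeneration.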
@@ -29,9 +29,15 @@ routines := getutent getutent_r getutid CFLAGS-grantpt.c = -DLIBEXECDIR='"$(libexecdir)"' -others = utmpdump pt_chown +others = utmpdump + +include ../Makeconfig + +ifeq (yes,$(build-pt-chown)) +others += pt_chown others-pie = pt_chown install-others-programs = $(inst_libexecdir)/pt_chown +endif subdir-dirs = programs vpath %.c programs Index: glibc-2.17/manual/install.texi =================================================================== --- glibc-2.17.orig/manual/install.texi +++ glibc-2.17/manual/install.texi @@ -155,6 +155,20 @@ if the used tools support it. By using prevented though there generally is no reason since it creates compatibility problems. +@pindex pt_chown +@findex grantpt +@item --enable-pt_chown +The file @file{pt_chown} is a helper binary for @code{grantpt} +(@pxref{Allocation, Pseudo-Terminals}) that is installed setuid root to +fix up pseudo-terminal ownership. It is not built by default because +systems using the Linux kernel are commonly built with the @code{devpts} +filesystem enabled and mounted at @file{/dev/pts}, which manages +pseudo-terminal ownership automatically. By using +@samp{--enable-pt_chown}, you may build @file{pt_chown} and install it +setuid and owned by @code{root}. The use of @file{pt_chown} introduces +additional security risks to the system and you should enable it only if +you understand and accept those risks. + @item --build=@var{build-system} @itemx --host=@var{host-system} These options are for cross-compiling. If you specify both options and Index: glibc-2.17/sysdeps/unix/grantpt.c =================================================================== --- glibc-2.17.orig/sysdeps/unix/grantpt.c +++ glibc-2.17/sysdeps/unix/grantpt.c @@ -173,9 +173,10 @@ grantpt (int fd) retval = 0; goto cleanup; - /* We have to use the helper program. */ + /* We have to use the helper program if it is available. */ helper:; +#ifdef HAVE_PT_CHOWN pid_t pid = __fork (); if (pid == -1) goto cleanup; 
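Review bot: In sysdeps/unix/grantpt.c, once HAVE_PT_CHOWN is undefined the `helper:` label falls straight through to `cleanup:`, and the updated comment says only that the helper is used "if it is available", not what the caller gets when it is not. The hunk does not show how `retval` and `errno` stand when `goto helper` is taken, so it is worth confirming that this path returns failure with the errno of the ownership or mode change that could not be made, and recording that next to the guard: `/* Without pt_chown there is no fallback; fall through and report the failure to the caller. */`. The matching `#endif` is added in a later hunk (@@ -231,6 +232,7), roughly sixty lines further down, so `#endif /* HAVE_PT_CHOWN */` would make the pairing readable. grantpt's body starts and ends outside these hunks.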
@@ -190,9 +191,9 @@ grantpt (int fd) if (__dup2 (fd, PTY_FILENO) < 0) _exit (FAIL_EBADF); -#ifdef CLOSE_ALL_FDS +# ifdef CLOSE_ALL_FDS CLOSE_ALL_FDS (); -#endif +# endif execle (_PATH_PT_CHOWN, basename (_PATH_PT_CHOWN), NULL, NULL); _exit (FAIL_EXEC); @@ -231,6 +232,7 @@ grantpt (int fd) assert(! "getpt: internal error: invalid exit code from pt_chown"); } } +#endif cleanup: if (buf != _buf) Index: glibc-2.17/sysdeps/unix/sysv/linux/grantpt.c =================================================================== --- glibc-2.17.orig/sysdeps/unix/sysv/linux/grantpt.c +++ glibc-2.17/sysdeps/unix/sysv/linux/grantpt.c @@ -11,7 +11,7 @@ #include "pty-private.h" - +#if HAVE_PT_CHOWN /* Close all file descriptors except the one specified. */ static void close_all_fds (void) @@ -38,6 +38,7 @@ close_all_fds (void) __dup2 (STDOUT_FILENO, STDERR_FILENO); } } -#define CLOSE_ALL_FDS() close_all_fds() +# define CLOSE_ALL_FDS() close_all_fds() +#endif #include <sysdeps/unix/grantpt.c> ++++++ glibc-2.14-crypt.diff ++++++ --- /var/tmp/diff_new_pack.brZ5QJ/_old 2013-07-23 20:30:56.000000000 +0200 +++ /var/tmp/diff_new_pack.brZ5QJ/_new 2013-07-23 20:30:56.000000000 +0200 
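Review bot: sysdeps/unix/sysv/linux/grantpt.c guards close_all_fds and CLOSE_ALL_FDS with `#if HAVE_PT_CHOWN`, while sysdeps/unix/grantpt.c, which this file includes, guards the fork/exec path with `#ifdef HAVE_PT_CHOWN`. The two agree while configure only ever defines the macro to 1, but if it were ever defined to 0 the `#ifdef` side would still compile the exec of pt_chown while CLOSE_ALL_FDS stays undefined, so the child would run the setuid helper without closing inherited descriptors. Using one form in both files avoids that; with the `#undef` template in config.h.in, `#ifdef HAVE_PT_CHOWN` here is the matching choice, closed by `#endif /* HAVE_PT_CHOWN */`.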
@@ -39,6 +39,11 @@ include ../Makeconfig +@@ -77,3 +82,4 @@ endif + # This ensures they will load libc.so for needed symbols if loaded by + # a statically-linked program that hasn't already loaded it. + $(objpfx)libcrypt.so: $(common-objpfx)libc.so $(common-objpfx)libc_nonshared.a ++$(objpfx)libowcrypt.so: $(common-objpfx)libc.so $(common-objpfx)libc_nonshared.a Index: glibc-2.17/crypt/Versions =================================================================== --- glibc-2.17.orig/crypt/Versions ++++++ nonascii-case.patch ++++++ [BZ #15736] * locale/categories.def (LC_CTYPE): Add "nonascii-case" element. * string/Makefile (test-strcasecmp-ENV) (test-strcasecmp-ifunc-ENV): Define. * string/test-strcasecmp.c (test_main): Run tests in several locales. Index: glibc-2.17/locale/categories.def =================================================================== --- glibc-2.17.orig/locale/categories.def +++ glibc-2.17/locale/categories.def @@ -133,6 +133,7 @@ DEFINE_CATEGORY DEFINE_ELEMENT (_NL_CTYPE_TRANSLIT_IGNORE_LEN, "ctype-translit-ignore-len", std, word) DEFINE_ELEMENT (_NL_CTYPE_TRANSLIT_IGNORE, "ctype-translit-ignore", std, string) DEFINE_ELEMENT (_NL_CTYPE_MAP_TO_NONASCII, "map-to-nonascii", std, word) + DEFINE_ELEMENT (_NL_CTYPE_NONASCII_CASE, "nonascii-case", std, word) ), _nl_postload_ctype) Index: glibc-2.17/string/Makefile =================================================================== --- glibc-2.17.orig/string/Makefile +++ glibc-2.17/string/Makefile 
@@ -69,6 +69,8 @@ noinl-tester-ENV = LANGUAGE=C tst-strxfrm-ENV = LOCPATH=$(common-objpfx)localedata tst-strxfrm2-ENV = LOCPATH=$(common-objpfx)localedata bug-strcoll1-ENV = LOCPATH=$(common-objpfx)localedata +test-strcasecmp-ENV = LOCPATH=$(common-objpfx)localedata +test-strcasecmp-ifunc-ENV = LOCPATH=$(common-objpfx)localedata CFLAGS-inl-tester.c = -fno-builtin CFLAGS-noinl-tester.c = -fno-builtin CFLAGS-tst-strlen.c = -fno-builtin Index: glibc-2.17/string/test-strcasecmp.c =================================================================== --- glibc-2.17.orig/string/test-strcasecmp.c +++ glibc-2.17/string/test-strcasecmp.c @@ -17,6 +17,7 @@ License along with the GNU C Library; if not, see http://www.gnu.org/licenses/. */ +#include <locale.h> #include <ctype.h> #define TEST_MAIN #define TEST_NAME "strcasecmp" @@ -230,14 +231,18 @@ do_random_tests (void) } } -int -test_main (void) +static void +test_locale (const char *locale) { size_t i; - test_init (); + if (setlocale (LC_CTYPE, locale) == NULL) + { + error (0, 0, "cannot set locale "%s"", locale); + ret = 1; + } - printf ("%23s", ""); + printf ("%-23s", locale); FOR_EACH_IMPL (impl, 0) printf ("\t%s", impl->name); putchar ('\n'); @@ -270,6 +275,19 @@ test_main (void) } do_random_tests (); +} + +int +test_main (void) +{ + test_init (); + + test_locale ("C"); + test_locale ("en_US.ISO-8859-1"); + test_locale ("en_US.UTF-8"); + test_locale ("tr_TR.ISO-8859-9"); + test_locale ("tr_TR.UTF-8"); + return ret; } -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
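Review bot: When `setlocale (LC_CTYPE, locale)` fails, test_locale records `ret = 1` but still runs the whole test body in whatever locale was active before, under a header line that prints the locale that could not be set. The tr_TR runs are the point of this change, so a missing locale should not produce output that reads like a tr_TR result; add `return;` after `ret = 1;`. As rendered on this page the message literal reads `"cannot set locale "%s""`, which would not compile; the inner quotes presumably carry backslashes in the real patch (`\"%s\"`) and that is worth checking against the original file. The part of test_locale between the two hunks is not shown.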