Age | Commit message (Collapse) | Author |
|
Conflicts:
NEWS
|
|
Conflicts:
NEWS
|
|
BZ #16618
Under certain conditions wscanf can allocate too little memory for the
to-be-scanned arguments and overflow the allocated buffer. The
implementation now correctly computes the required buffer size when
using malloc.
A regression test was added to tst-sscanf.
Conflicts:
ChangeLog
NEWS
stdio-common/tst-sscanf.c
|
|
Conflicts:
ChangeLog
NEWS
|
|
Resolves BZ #14719.
Conflicts:
ChangeLog
NEWS
|
|
|
|
The IFUNC selector for gettimeofday runs before _libc_vdso_platform_setup where
__vdso_gettimeofday is set. The selector then sets __gettimeofday (the internal
version used within GLIBC) to use the system call version instead of the vDSO one.
This patch changes the check if vDSO is available to get its value directly
instead of rely on __vdso_gettimeofday.
This patch changes it by getting the vDSO value directly.
It fixes BZ#16431.
|
|
This patches fixes BZ#16430 by setting a different symbol for internal
GLIBC calls that points to ifunc resolvers. For PPC32, if the symbol
is defined as hidden (which is the case for gettimeofday and time) the
compiler will create local branches (symbol@local) and linker will not
create PLT calls (required for IFUNC). This will leads to internal symbol
calling the IFUNC resolver instead of the resolved symbol.
For PPC64 this behavior does not occur because a call to a function in
another translation unit might use a different toc pointer thus requiring
a PLT call.
|
|
This patch fixes the vDSO symbol used directed in IFUNC resolver where
they do not have an associated ODP entry leading to undefined behavior
in some cases. It adds an artificial OPD static entry to such cases
and set its TOC to non 0 to avoid triggering lazy resolutions.
|
|
The function wordexp() fails to properly handle the WRDE_NOCMD
flag when processing arithmetic inputs in the form of "$((... ``))"
where "..." can be anything valid. The backticks in the arithmetic
epxression are evaluated by in a shell even if WRDE_NOCMD forbade
command substitution. This allows an attacker to attempt to pass
dangerous commands via constructs of the above form, and bypass
the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
in exec_comm(), the only place that can execute a shell. All other
checks for WRDE_NOCMD are superfluous and removed.
We expand the testsuite and add 3 new regression tests of roughly
the same form but with a couple of nested levels.
On top of the 3 new tests we add fork validation to the WRDE_NOCMD
testing. If any forks are detected during the execution of a wordexp()
call with WRDE_NOCMD, the test is marked as failed. This is slightly
heuristic since vfork might be used in the future, but it provides a
higher level of assurance that no shells were executed as part of
command substitution with WRDE_NOCMD in effect. In addition it doesn't
require libpthread or libdl, instead we use the public implementation
namespace function __register_atfork (already part of the public ABI
for libpthread).
Tested on x86_64 with no regressions.
|
|
|
|
|
|
A larger number of format specifiers coudld cause a stack overflow,
potentially allowing to bypass _FORTIFY_SOURCE format string
protection.
|
|
|
|
POSIX requires that we make a copy, so we allocate a new string
and free it in posix_spawn_file_actions_destroy.
Reported by David Reid, Alex Gaynor, and Glyph Lefkowitz. This bug
may have security implications.
|
|
Prevent directory traversal in locale-related environment variables
(CVE-2014-0475).
|
|
This functionality has never worked correctly, and the implementation
contained a security vulnerability (CVE-2014-5119).
|
|
These changes are based on the fix for BZ #14134 in commit
6e230d11837f3ae7b375ea69d7905f0d18eb79e5.
|
|
|
|
A large bytes parameter to memalign could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15857]
* malloc/malloc.c (__libc_memalign): Check the value of bytes
does not overflow.
|
|
A large bytes parameter to valloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15856]
* malloc/malloc.c (__libc_valloc): Check the value of bytes
does not overflow.
|
|
A large bytes parameter to pvalloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.
ChangeLog:
2013-09-11 Will Newton <will.newton@linaro.org>
[BZ #15855]
* malloc/malloc.c (__libc_pvalloc): Check the value of bytes
does not overflow.
|
|
* sysdeps/posix/dirstream.h (struct __dirstream): Add errcode
member.
* sysdeps/posix/opendir.c (__alloc_dir): Initialize errcode
member.
* sysdeps/posix/rewinddir.c (rewinddir): Reset errcode member.
* sysdeps/posix/readdir_r.c (__READDIR_R): Enforce NAME_MAX limit.
Return delayed error code. Remove GETDENTS_64BIT_ALIGNED
conditional.
* sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c: Do not define
GETDENTS_64BIT_ALIGNED.
* sysdeps/unix/sysv/linux/i386/readdir64_r.c: Likewise.
* manual/filesys.texi (Reading/Closing Directory): Document
ENAMETOOLONG return value of readdir_r. Recommend readdir more
strongly.
* manual/conf.texi (Limits for Files): Add portability note to
NAME_MAX, PATH_MAX.
(Pathconf): Add portability note for _PC_NAME_MAX, _PC_PATH_MAX.
|
|
The pointer guard used for pointer mangling was not initialized for
static applications resulting in the security feature being disabled.
The pointer guard is now correctly initialized to a random value for
static applications. Existing static applications need to be
recompiled to take advantage of the fix.
The test tst-ptrguard1-static and tst-ptrguard1 add regression
coverage to ensure the pointer guards are sufficiently random
and initialized to a default value.
|
|
strcoll is implemented using a cache for indices and weights of
collation sequences in the strings so that subsequent passes do not
have to search through collation data again. For very large string
inputs, the cache size computation could overflow. In such a case,
use the fallback function that does not cache indices and weights of
collation sequences.
Fixes CVE-2012-4412.
|
|
strcoll currently falls back to alloca if malloc fails, resulting in a
possible stack overflow. This patch implements sequence traversal and
comparison without caching indices and rules.
Fixes CVE-2012-4424.
|
|
Break up strcoll into simpler functions so that the logic is easier to
follow and maintain.
|
|
Resolves #16072 (CVE-2013-4458).
This patch fixes another stack overflow in getaddrinfo when it is
called with AF_INET6. The AF_UNSPEC case was fixed as CVE-2013-1914,
but the AF_INET6 case went undetected back then.
|
|
|
|
The helper binary pt_chown tricked into granting access to another
user's pseudo-terminal.
Pre-conditions for the attack:
* Attacker with local user account
* Kernel with FUSE support
* "user_allow_other" in /etc/fuse.conf
* Victim with allocated slave in /dev/pts
Using the setuid installed pt_chown and a weak check on whether a file
descriptor is a tty, an attacker could fake a pty check using FUSE and
trick pt_chown to grant ownership of a pty descriptor that the current
user does not own. It cannot access /dev/pts/ptmx however.
In most modern distributions pt_chown is not needed because devpts
is enabled by default. The fix for this CVE is to disable building
and using pt_chown by default. We still provide a configure option
to enable hte use of pt_chown but distributions do so at their own
risk.
Cherry-pick of e4608715e6e1dd2adc91982fd151d5ba4f761d69.
|
|
* sunrpc/rpc/svc.h (__svc_accept_failed): New prototype.
* sunrpc/svc.c: Include time.h.
(__svc_accept_failed): New function.
* sunrpc/svc_tcp.c (rendezvous_request): If the accept fails for
any reason other than EINTR, call __svc_accept_failed.
* sunrpc/svc_udp.c (svcudp_recv): Similarly.
* sunrpc/svc_unix.c (rendezvous_request): Similarly.
Cherry-pick of 14bc93a967e62abf8cf2704725b6f76619399f83
|
|
|
|
This patch fix the 3c0265394d9ffedff2b0de508602dc52e077ce5c commits
by correctly setting minimum architecture for modf PPC optimization
to power5+ instead of power5 (since only on power5+ round/ceil will
be inline to inline assembly).
|
|
This patch implements modf/modff optimization for POWER by focus
on FP operations instead of relying in integer ones.
|
|
Backport of d5e0b9bd6e296f3ec5263fa296d39f3fed9b8fa2.
|
|
|
|
|
|
The __builtin_bswap* functions were introduced in gcc-4.3, not gcc-4.2.
Fix the __GNUC_PREREQ tests to reflect this.
Otherwise trying to compile code with gcc-4.2 falls down:
In file included from /usr/include/endian.h:60,
from /usr/include/ctype.h:40,
/usr/include/bits/byteswap.h: In function 'unsigned int __bswap_32(unsigned int)':
/usr/include/bits/byteswap.h:46: error: '__builtin_bswap32' was not declared in this scope
/usr/include/bits/byteswap.h: In function 'long long unsigned int __bswap_64(long long unsigned int)':
/usr/include/bits/byteswap.h:110: error: '__builtin_bswap64' was not declared in this scope
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
(cherry picked from commit c9d6789ebe028a260d3e5be0c26b7d02fdfe99fe)
|
|
(cherry picked from commit ecd4caf9783c99fb068a100c35899a0c3a3c6d98)
|
|
(cherry picked from commit d394eb742a3565d7fe7a4b02710a60b5f219ee64)
|
|
This reverts commit 68b6636fdc3d5b940d9be060e1f429b6eaa93709.
The issue has been fixed in the kernel.
|
|
Cherry-pick commit d072f3f7724d85ceaf230806660235f0cf2f9c3b
Conflicts:
ChangeLog
|
|
Cherry-pick commit 2e64d2659d3edaebc792ac596a9863f1626e5c25
Conflicts:
ChangeLog
NEWS
|
|
[BZ #14809]
* sysdeps/unix/sysv/linux/sys/sysctl.h (_UAPI_LINUX_KERNEL_H)
(_UAPI_LINUX_TYPES_H): Starting with Linux 3.7, the include header
guards are changed. Only define if not yet defined, #undef back
after including linux/sysctl.h if defined here.
(cherry picked from commit 01f34a3bd8c087ca4be0bd24857e454c8d29f20b)
Conflicts:
NEWS
|
|
(cherry picked from commit 261f485936b283f4327fc1f2fc8fd1705d805c12)
|
|
cherry-pick 0569936773c861c791f10bba5e2f4cac5fbb4e78
Conflicts:
ChangeLog
NEWS
|
|
(cherry picked from commit 715a900c9085907fa749589bf738b192b1a2bda5)
2012-09-28 Andreas Schwab <schwab@linux-m68k.org>
[BZ #6530]
* stdio-common/vfprintf.c (process_string_arg): Revert
2000-07-22 change.
2011-09-28 Jonathan Nieder <jrnieder@gmail.com>
* stdio-common/Makefile (tst-sprintf-ENV): Set environment
for testcase.
* stdio-common/tst-sprintf.c: Include <locale.h>
(main): Test sprintf's handling of incomplete multibyte
characters.
|
|
(cherry picked from commit b87c4b24d97321ef2f2da357f8fcf11f1f61e3dc)
Conflicts:
ChangeLog
|
|
Cherry-pick commit ced6f16ee919d12725840d43d007f1cfd67118df.
Conflicts:
ChangeLog
NEWS
|
|
cherry-pick d22e28b070d3d1572d39a463d711c6f223078552
Conflicts:
ChangeLog
NEWS
|