glibc: fix CVE-2014-5119 by Debian patch

+207
+1
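--- a/pkgs/development/libraries/glibc/2.19/common.nix
+++ b/pkgs/development/libraries/glibc/2.19/common.nix
@@ -60,6 +60,7 @@
 ./fix-math.patch
 
 ./cve-2014-0475.patch
+./cve-2014-5119.patch
 ];
 
 postPatch = ''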
+206
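--- a/pkgs/development/libraries/glibc/2.19/cve-2014-5119.patch
+++ b/pkgs/development/libraries/glibc/2.19/cve-2014-5119.patch
@@ -0,0 +1,206 @@
+http://anonscm.debian.org/viewvc/pkg-glibc/glibc-package/trunk/debian/patches/any/cvs-CVE-2014-5119.diff?revision=6248&view=co
+
+commit a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8
+Author: Florian Weimer <fweimer@redhat.com>
+Date: Tue Aug 26 19:38:59 2014 +0200
+
+__gconv_translit_find: Disable function [BZ #17187]
+
+This functionality has never worked correctly, and the implementation
+contained a security vulnerability (CVE-2014-5119).
+
+2014-08-26 Florian Weimer <fweimer@redhat.com>
+
+[BZ #17187]
+* iconv/gconv_trans.c (struct known_trans, search_tree, lock,
+trans_compare, open_translit, __gconv_translit_find):
+Remove module loading code.
+
+--- a/iconv/gconv_trans.c
++++ b/iconv/gconv_trans.c
+@@ -238,181 +238,12 @@ __gconv_transliterate (struct __gconv_step *step,
+return __GCONV_ILLEGAL_INPUT;
+}
+
+-
+-/* Structure to represent results of found (or not) transliteration
+- modules. */
+-struct known_trans
+-{
+- /* This structure must remain the first member. */
+- struct trans_struct info;
+-
+- char *fname;
+- void *handle;
+- int open_count;
+-};
+-
+-
+-/* Tree with results of previous calls to __gconv_translit_find. */
+-static void *search_tree;
+-
+-/* We modify global data. */
+-__libc_lock_define_initialized (static, lock);
+-
+-
+-/* Compare two transliteration entries. */
+-static int
+-trans_compare (const void *p1, const void *p2)
+-{
+- const struct known_trans *s1 = (const struct known_trans *) p1;
+- const struct known_trans *s2 = (const struct known_trans *) p2;
+-
+- return strcmp (s1->info.name, s2->info.name);
+-}
+-
+-
+-/* Open (maybe reopen) the module named in the struct. Get the function
+- and data structure pointers we need. */
+-static int
+-open_translit (struct known_trans *trans)
+-{
+- __gconv_trans_query_fct queryfct;
+-
+- trans->handle = __libc_dlopen (trans->fname);
+- if (trans->handle == NULL)
+- /* Not available. */
+- return 1;
+-
+- /* Find the required symbol. */
+- queryfct = __libc_dlsym (trans->handle, "gconv_trans_context");
+- if (queryfct == NULL)
+- {
+- /* We cannot live with that. */
+- close_and_out:
+- __libc_dlclose (trans->handle);
+- trans->handle = NULL;
+- return 1;
+- }
+-
+- /* Get the context. */
+- if (queryfct (trans->info.name, &trans->info.csnames, &trans->info.ncsnames)
+- != 0)
+- goto close_and_out;
+-
+- /* Of course we also have to have the actual function. */
+- trans->info.trans_fct = __libc_dlsym (trans->handle, "gconv_trans");
+- if (trans->info.trans_fct == NULL)
+- goto close_and_out;
+-
+- /* Now the optional functions. */
+- trans->info.trans_init_fct =
+- __libc_dlsym (trans->handle, "gconv_trans_init");
+- trans->info.trans_context_fct =
+- __libc_dlsym (trans->handle, "gconv_trans_context");
+- trans->info.trans_end_fct =
+- __libc_dlsym (trans->handle, "gconv_trans_end");
+-
+- trans->open_count = 1;
+-
+- return 0;
+-}
+-
+-
+int
+internal_function
+__gconv_translit_find (struct trans_struct *trans)
+{
+- struct known_trans **found;
+- const struct path_elem *runp;
+- int res = 1;
+-
+- /* We have to have a name. */
+- assert (trans->name != NULL);
+-
+- /* Acquire the lock. */
+- __libc_lock_lock (lock);
+-
+- /* See whether we know this module already. */
+- found = __tfind (trans, &search_tree, trans_compare);
+- if (found != NULL)
+- {
+- /* Is this module available? */
+- if ((*found)->handle != NULL)
+- {
+- /* Maybe we have to reopen the file. */
+- if ((*found)->handle != (void *) -1)
+- /* The object is not unloaded. */
+- res = 0;
+- else if (open_translit (*found) == 0)
+- {
+- /* Copy the data. */
+- *trans = (*found)->info;
+- (*found)->open_count++;
+- res = 0;
+- }
+- }
+- }
+- else
+- {
+- size_t name_len = strlen (trans->name) + 1;
+- int need_so = 0;
+- struct known_trans *newp;
+-
+- /* We have to continue looking for the module. */
+- if (__gconv_path_elem == NULL)
+- __gconv_get_path ();
+-
+- /* See whether we have to append .so. */
+- if (name_len <= 4 || memcmp (&trans->name[name_len - 4], ".so", 3) != 0)
+- need_so = 1;
+-
+- /* Create a new entry. */
+- newp = (struct known_trans *) malloc (sizeof (struct known_trans)
+- + (__gconv_max_path_elem_len
+- + name_len + 3)
+- + name_len);
+- if (newp != NULL)
+- {
+- char *cp;
+-
+- /* Clear the struct. */
+- memset (newp, '\0', sizeof (struct known_trans));
+-
+- /* Store a copy of the module name. */
+- newp->info.name = cp = (char *) (newp + 1);
+- cp = __mempcpy (cp, trans->name, name_len);
+-
+- newp->fname = cp;
+-
+- /* Search in all the directories. */
+- for (runp = __gconv_path_elem; runp->name != NULL; ++runp)
+- {
+- cp = __mempcpy (__stpcpy ((char *) newp->fname, runp->name),
+- trans->name, name_len);
+- if (need_so)
+- memcpy (cp, ".so", sizeof (".so"));
+-
+- if (open_translit (newp) == 0)
+- {
+- /* We found a module. */
+- res = 0;
+- break;
+- }
+- }
+-
+- if (res)
+- newp->fname = NULL;
+-
+- /* In any case we'll add the entry to our search tree. */
+- if (__tsearch (newp, &search_tree, trans_compare) == NULL)
+- {
+- /* Yickes, this should not happen. Unload the object. */
+- res = 1;
+- /* XXX unload here. */
+- }
+- }
+- }
+-
+- __libc_lock_unlock (lock);
+-
+- return res;
++ /* Transliteration module loading has been removed because it never
++ worked as intended and suffered from a security vulnerability.
++ Consequently, this function always fails. */
++ return 1;
+}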