Debian Bug report logs - #675886
pu: package eglibc/2.11.3-4

Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Aurelien Jarno <aurel32@debian.org>

Date: Sun, 3 Jun 2012 22:30:01 UTC

Severity: normal

Tags: confirmed, pending, squeeze

Fixed in version 6.0.6

Done: Adam D. Barratt <adam@adam-barratt.org.uk>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, debian-glibc@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#675886; Package release.debian.org. (Sun, 03 Jun 2012 22:30:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Aurelien Jarno <aurel32@debian.org>:
New Bug report received and forwarded. Copy sent to debian-glibc@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>. (Sun, 03 Jun 2012 22:30:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Aurelien Jarno <aurel32@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pu: package eglibc/2.11.3-4
Date: Mon, 04 Jun 2012 00:26:54 +0200

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

We would like to fix some bugs in the stable eglibc version. 

One bug was supposed to be fixed in the previous upload, but it was 
not due to the patch not being added to patches/series. It seems this 
bug is quite important to be fixed given the number of bug reports or
mails we get about it.

The remaining two other bugs are security issues that the security team
asked to be fixed in stable.

Please see the corresponding debdiff below.

Aurelien


diff -u eglibc-2.11.3/debian/changelog eglibc-2.11.3/debian/changelog
--- eglibc-2.11.3/debian/changelog
+++ eglibc-2.11.3/debian/changelog
@@ -1,3 +1,15 @@
+eglibc (2.11.3-4) stable; urgency=low
+
+  * Enable patches/any/cvs-dlopen-tls.diff, not enabled by mistake.  Closes:
+    #637239.
+  * patches/any/cvs-FORTIFY_SOURCE-format-strings.diff: new patch from
+    upstream to fix FORTIFY_SOURCE format string protection bypass.  Closes:
+    #660611.
+  * patches/any/local-sunrpc-dos.diff: fix a DoS in RPC implementation
+    (CVE-2011-4609).  Closes: #671478.
+
+ -- Aurelien Jarno <aurel32@debian.org>  Sun, 03 Jun 2012 22:42:42 +0200
+
 eglibc (2.11.3-3) stable; urgency=low
 
   * patches/any/cvs-tzfile.diff: fix integer overflow in timezone code.
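Review bot: The CVE identifier given for local-sunrpc-dos.diff in this changelog entry, CVE-2011-4609, does not match the one in that patch's own header further down this debdiff, which reads CVE-2011-4069. One of the two has transposed digits; check it against the CVE record and make both agree, since security trackers match on this string.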
diff -u eglibc-2.11.3/debian/patches/series eglibc-2.11.3/debian/patches/series
--- eglibc-2.11.3/debian/patches/series
+++ eglibc-2.11.3/debian/patches/series
@@ -274,0 +275,3 @@
+any/cvs-dlopen-tls.diff
+any/cvs-FORTIFY_SOURCE-format-strings.diff
+any/local-sunrpc-dos.diff
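Review bot: The series hunk appends all three patches after existing line 274, and the changelog above says cvs-dlopen-tls.diff was left out of this file by mistake in the previous upload, yet nothing in this debdiff prevents the same omission from recurring. Consider a build-time or pre-upload check that every file under debian/patches is either listed in series or deliberately excluded.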
only in patch2:
unchanged:
--- eglibc-2.11.3.orig/debian/patches/any/cvs-FORTIFY_SOURCE-format-strings.diff
+++ eglibc-2.11.3/debian/patches/any/cvs-FORTIFY_SOURCE-format-strings.diff
@@ -0,0 +1,86 @@
+2012-03-02  Kees Cook  <keescook@chromium.org>
+
+        [BZ #13656]
+        * stdio-common/vfprintf.c (vfprintf): Check for nargs overflow and
+        possibly allocate from heap instead of stack.
+
+--- a/stdio-common/vfprintf.c
++++ b/stdio-common/vfprintf.c
+@@ -235,6 +235,9 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
+      0 if unknown.  */
+   int readonly_format = 0;
+ 
++  /* For the argument descriptions, which may be allocated on the heap.  */
++  void *args_malloced = NULL;
++
+   /* This table maps a character into a number representing a
+      class.  In each step there is a destination label for each
+      class.  */
+@@ -1647,9 +1650,10 @@ do_positional:
+        determine the size of the array needed to store the argument
+        attributes.  */
+     size_t nargs = 0;
+-    int *args_type;
+-    union printf_arg *args_value = NULL;
++    size_t bytes_per_arg;
++    union printf_arg *args_value;
+     int *args_size;
++    int *args_type;
+ 
+     /* Positional parameters refer to arguments directly.  This could
+        also determine the maximum number of arguments.  Track the
+@@ -1698,13 +1702,38 @@ do_positional:
+ 
+     /* Determine the number of arguments the format string consumes.  */
+     nargs = MAX (nargs, max_ref_arg);
++    /* Calculate total size needed to represent a single argument across
++       all three argument-related arrays.  */
++    bytes_per_arg = sizeof (*args_value) + sizeof (*args_size)
++                    + sizeof (*args_type);
++
++    /* Check for potential integer overflow.  */
++    if (__builtin_expect (nargs > SIZE_MAX / bytes_per_arg, 0))
++      {
++         __set_errno (ERANGE);
++         done = -1;
++         goto all_done;
++      }
+ 
+-    /* Allocate memory for the argument descriptions.  */
+-    args_type = alloca (nargs * sizeof (int));
++    /* Allocate memory for all three argument arrays.  */
++    if (__libc_use_alloca (nargs * bytes_per_arg))
++        args_value = alloca (nargs * bytes_per_arg);
++    else
++      {
++        args_value = args_malloced = malloc (nargs * bytes_per_arg);
++        if (args_value == NULL)
++          {
++            done = -1;
++            goto all_done;
++          }
++      }
++
++    /* Set up the remaining two arrays to each point past the end of the
++       prior array, since space for all three has been allocated now.  */
++    args_size = &args_value[nargs].pa_int;
++    args_type = &args_size[nargs];
+     memset (args_type, s->_flags2 & _IO_FLAGS2_FORTIFY ? '\xff' : '\0',
+-	    nargs * sizeof (int));
+-    args_value = alloca (nargs * sizeof (union printf_arg));
+-    args_size = alloca (nargs * sizeof (int));
++	    nargs * sizeof (*args_type));
+ 
+     /* XXX Could do sanity check here: If any element in ARGS_TYPE is
+        still zero after this loop, format is invalid.  For now we
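Review bot: In the allocation block, the overflow exit sets errno to ERANGE explicitly while the malloc failure exit only sets done = -1 and relies on malloc having set errno; a one-line comment saying so would show the asymmetry is deliberate. The product nargs * bytes_per_arg is also written out three times (the __libc_use_alloca test, the alloca call and the malloc call), so computing it once into a local right after the overflow check would keep the size that was checked and the size that is allocated visibly identical.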
+@@ -1973,8 +2002,8 @@ do_positional:
+   }
+ 
+ all_done:
+-  if (__builtin_expect (workstart != NULL, 0))
+-    free (workstart);
++  free (args_malloced);
++  free (workstart);
+   /* Unlock the stream.  */
+   _IO_funlockfile (s);
+   _IO_cleanup_region_end (0);
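Review bot: At all_done, free (workstart) loses its workstart != NULL guard, which is harmless because free accepts NULL, but it means both pointers must be initialised on every path that reaches the label, including the two goto all_done exits this patch adds in do_positional. args_malloced is set to NULL at the top of vfprintf in the first hunk; the initialisation of workstart is outside the visible context and is worth confirming. The patch also changes only stdio-common/vfprintf.c, so a regression test that passes a format with a very large positional argument index and expects a return of -1 would guard the new check.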
only in patch2:
unchanged:
--- eglibc-2.11.3.orig/debian/patches/any/local-sunrpc-dos.diff
+++ eglibc-2.11.3/debian/patches/any/local-sunrpc-dos.diff
@@ -0,0 +1,92 @@
+Origin: Red Hat, glibc-2.12-1.47.el6_2.5.src.rpm:glibc-rh767692-2.patch
+Bug: https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/901716
+Subject: DoS in RPC implementation
+
+CVE-2011-4069
+
+
+---
+ sunrpc/svc_tcp.c  |    6 ++++++
+ sunrpc/svc_udp.c  |   13 +++++++++++--
+ sunrpc/svc_unix.c |    6 ++++++
+ 3 files changed, 23 insertions(+), 2 deletions(-)
+
+Index: b/sunrpc/svc_tcp.c
+===================================================================
+--- a/sunrpc/svc_tcp.c
++++ b/sunrpc/svc_tcp.c
+@@ -44,6 +44,7 @@
+ #include <sys/poll.h>
+ #include <errno.h>
+ #include <stdlib.h>
++#include <time.h>
+ 
+ #ifdef USE_IN_LIBIO
+ # include <wchar.h>
+@@ -243,6 +244,11 @@ again:
+     {
+       if (errno == EINTR)
+ 	goto again;
++      if (errno == EMFILE)
++        {
++          struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
++          __nanosleep(&ts , NULL);
++        }
+       return FALSE;
+     }
+   /*
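Review bot: The new branch after the EINTR check tests only errno == EMFILE, so the system-wide descriptor limit (ENFILE) still takes the immediate return FALSE path with no delay; if the intent is to throttle retries while descriptors are exhausted, consider treating ENFILE the same way. The block also needs a comment saying why it sleeps, and __nanosleep(&ts , NULL) should follow the spacing used in the rest of the file, i.e. __nanosleep (&ts, NULL).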
+Index: b/sunrpc/svc_udp.c
+===================================================================
+--- a/sunrpc/svc_udp.c
++++ b/sunrpc/svc_udp.c
+@@ -40,6 +40,7 @@
+ #include <sys/socket.h>
+ #include <errno.h>
+ #include <libintl.h>
++#include <time.h>
+ 
+ #ifdef IP_PKTINFO
+ #include <sys/uio.h>
+@@ -272,8 +273,16 @@ again:
+ 		       (int) su->su_iosz, 0,
+ 		       (struct sockaddr *) &(xprt->xp_raddr), &len);
+   xprt->xp_addrlen = len;
+-  if (rlen == -1 && errno == EINTR)
+-    goto again;
++  if (rlen == -1)
++    {
++      if (errno == EINTR)
++        goto again;
++      if (errno == EMFILE)
++        {
++          struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
++          __nanosleep(&ts , NULL);
++        }
++    }
+   if (rlen < 16)		/* < 4 32-bit ints? */
+     return FALSE;
+   xdrs->x_op = XDR_DECODE;
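Review bot: In the rlen == -1 block, the EMFILE case sleeps and then falls through to the rlen < 16 check, which returns FALSE; that works, but the call being checked is a datagram receive (its trailing arguments are the peer sockaddr and &len), and it is not obvious that it can fail with EMFILE at all. Either add a comment naming the situation in which EMFILE is expected here, or drop the branch so this file keeps only the restructured EINTR handling.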
+Index: b/sunrpc/svc_unix.c
+===================================================================
+--- a/sunrpc/svc_unix.c
++++ b/sunrpc/svc_unix.c
+@@ -46,6 +46,7 @@
+ #include <errno.h>
+ #include <stdlib.h>
+ #include <libintl.h>
++#include <time.h>
+ 
+ #ifdef USE_IN_LIBIO
+ # include <wchar.h>
+@@ -245,6 +246,11 @@ again:
+     {
+       if (errno == EINTR)
+ 	goto again;
++      if (errno == EMFILE)
++        {
++          struct timespec ts = { .tv_sec = 0, .tv_nsec = 50000000 };
++          __nanosleep(&ts , NULL);
++        }
+       return FALSE;
+     }
+   /*
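Review bot: This EMFILE block is a copy of the one added to svc_tcp.c and svc_udp.c, including the bare 50000000 nanosecond literal. A shared helper, or at least a named constant for the 50 ms delay, would keep the three transports in step if the value is tuned later.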

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#675886; Package release.debian.org. (Tue, 05 Jun 2012 16:15:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 05 Jun 2012 16:15:09 GMT) Full text and rfc822 format available.

Message #10 received at 675886@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Aurelien Jarno <aurel32@debian.org>, 675886@bugs.debian.org
Subject: Re: Bug#675886: pu: package eglibc/2.11.3-4
Date: Tue, 05 Jun 2012 17:12:50 +0100

tag 675886 + squeeze confirmed
thanks

On Mon, 2012-06-04 at 00:26 +0200, Aurelien Jarno wrote:
> We would like to fix some bugs in the stable eglibc version. 
> 
> One bug was supposed to be fixed in the previous upload, but it was 
> not due to the patch not being added to patches/series. It seems this 
> bug is quite important to be fixed given the number of bug reports or
> mails we get about it.
> 
> The remaining two other bugs are security issues that the security team
> asked to be fixed in stable.

Assuming that the resulting package has been tested on squeeze systems,
please go ahead; thanks.

Regards,

Adam





Added tag(s) squeeze and confirmed. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Tue, 05 Jun 2012 16:15:14 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#675886; Package release.debian.org. (Wed, 06 Jun 2012 22:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Aurelien Jarno <aurel32@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Wed, 06 Jun 2012 22:09:03 GMT) Full text and rfc822 format available.

Message #17 received at 675886@bugs.debian.org (full text, mbox):

From: Aurelien Jarno <aurel32@debian.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 675886@bugs.debian.org
Subject: Re: Bug#675886: pu: package eglibc/2.11.3-4
Date: Thu, 7 Jun 2012 00:05:43 +0200

On Tue, Jun 05, 2012 at 05:12:50PM +0100, Adam D. Barratt wrote:
> tag 675886 + squeeze confirmed
> thanks
> 
> On Mon, 2012-06-04 at 00:26 +0200, Aurelien Jarno wrote:
> > We would like to fix some bugs in the stable eglibc version. 
> > 
> > One bug was supposed to be fixed in the previous upload, but it was 
> > not due to the patch not being added to patches/series. It seems this 
> > bug is quite important to be fixed given the number of bug reports or
> > mails we get about it.
> > 
> > The remaining two other bugs are security issues that the security team
> > asked to be fixed in stable.
> 
> Assuming that the resulting package has been tested on squeeze systems,
> please go ahead; thanks.
> 

Yes, I have been using it for a few days on a few machines without issues. I
have therefore just uploaded it.

Regards,
Aurelien

-- 
Aurelien Jarno	                        GPG: 1024D/F1BCDB73
aurelien@aurel32.net                 http://www.aurel32.net




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#675886; Package release.debian.org. (Thu, 07 Jun 2012 21:36:16 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 07 Jun 2012 21:36:16 GMT) Full text and rfc822 format available.

Message #22 received at 675886@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Aurelien Jarno <aurel32@debian.org>, 675886@bugs.debian.org
Subject: Re: Bug#675886: pu: package eglibc/2.11.3-4
Date: Thu, 07 Jun 2012 22:32:08 +0100

tags 675886 + pending
thanks

On Thu, 2012-06-07 at 00:05 +0200, Aurelien Jarno wrote:
> On Tue, Jun 05, 2012 at 05:12:50PM +0100, Adam D. Barratt wrote:
> > On Mon, 2012-06-04 at 00:26 +0200, Aurelien Jarno wrote:
> > > We would like to fix some bugs in the stable eglibc version. 
[...]
> > Assuming that the resulting package has been tested on squeeze systems,
> > please go ahead; thanks.
> > 
> 
> Yes, I have been using it for a few days on a few machines without issues. I
> have therefore just uploaded it.

I've just flagged the package for acceptance into p-u; thanks.

Regards,

Adam





Added tag(s) pending. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Thu, 07 Jun 2012 21:36:26 GMT) Full text and rfc822 format available.

Marked as fixed in versions 6.0.6. Request was from Adam D. Barratt <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sat, 29 Sep 2012 14:03:13 GMT) Full text and rfc822 format available.

Marked Bug as done Request was from Adam D. Barratt <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sat, 29 Sep 2012 14:03:13 GMT) Full text and rfc822 format available.

Notification sent to Aurelien Jarno <aurel32@debian.org>:
Bug acknowledged by developer. (Sat, 29 Sep 2012 14:03:14 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Oct 2012 07:32:18 GMT) Full text and rfc822 format available.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 11:15:44 2014; Machine Name: buxtehude.debian.org
