ports/core
4
3
Fork 0
Code Issues 3 Pull Requests Activity

glic-32: security fix for CVE-2013-0242

Browse Source
This commit is contained in:
Juergen Daubert 2013-02-12 23:41:56 +01:00
parent be5eaa216f
commit b20fedd5ea
3 changed files with 77 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
glibc-32/.md5sum
View File

@ -1,5 +1,6 @@
80b181b02ab249524ec92822c0174cf7 glibc-2.16.0.tar.xz 80b181b02ab249524ec92822c0174cf7 glibc-2.16.0.tar.xz
c3f3499e0a6272cba7b6e46bfe6bbcea glibc-32-2.16.0-multilib-dirs.patch c3f3499e0a6272cba7b6e46bfe6bbcea glibc-32-2.16.0-multilib-dirs.patch
d4a2a19efe1e9b59b86fd15a968f7e10 glibc-regexp_buffer_overrun.patch
7e6a5a13c37f93213db9803d9790b7de glibc-resolv_assert.patch 7e6a5a13c37f93213db9803d9790b7de glibc-resolv_assert.patch
99ed7b88221475d51a073f00d7ee9c42 glibc-segfault_in_strncasecmp.patch 99ed7b88221475d51a073f00d7ee9c42 glibc-segfault_in_strncasecmp.patch
8be5a4516a896a4cd589134ccf113575 glibc-strtod_integer_overflow.patch 8be5a4516a896a4cd589134ccf113575 glibc-strtod_integer_overflow.patch

6
glibc-32/Pkgfile
View File

@ -4,7 +4,7 @@
name=glibc-32 name=glibc-32
version=2.16.0 version=2.16.0
release=3 release=4
source=(http://ftp.gnu.org/gnu/glibc/glibc-$version.tar.xz \ source=(http://ftp.gnu.org/gnu/glibc/glibc-$version.tar.xz \
http://crux.nu/files/distfiles/kernel-headers-3.4.11.tar.xz \ http://crux.nu/files/distfiles/kernel-headers-3.4.11.tar.xz \
$name-$version-multilib-dirs.patch \ $name-$version-multilib-dirs.patch \
@ -12,7 +12,8 @@ source=(http://ftp.gnu.org/gnu/glibc/glibc-$version.tar.xz \
lib32.conf \ lib32.conf \
glibc-resolv_assert.patch \ glibc-resolv_assert.patch \
glibc-segfault_in_strncasecmp.patch \ glibc-segfault_in_strncasecmp.patch \
glibc-strtod_integer_overflow.patch) glibc-strtod_integer_overflow.patch \
glibc-regexp_buffer_overrun.patch)
build() { build() {
# install kernel headers # install kernel headers
@ -23,6 +24,7 @@ build() {
patch -p1 -d glibc-$version -i $SRC/glibc-resolv_assert.patch patch -p1 -d glibc-$version -i $SRC/glibc-resolv_assert.patch
patch -p1 -d glibc-$version -i $SRC/glibc-segfault_in_strncasecmp.patch patch -p1 -d glibc-$version -i $SRC/glibc-segfault_in_strncasecmp.patch
patch -p1 -d glibc-$version -i $SRC/glibc-strtod_integer_overflow.patch patch -p1 -d glibc-$version -i $SRC/glibc-strtod_integer_overflow.patch
patch -p1 -d glibc-$version -i $SRC/glibc-regexp_buffer_overrun.patch
patch -p1 -d glibc-$version -i $SRC/$name-$version-multilib-dirs.patch patch -p1 -d glibc-$version -i $SRC/$name-$version-multilib-dirs.patch
mkdir build mkdir build

72
glibc-32/glibc-regexp_buffer_overrun.patch Normal file
View File

@ -0,0 +1,72 @@
# http://sourceware.org/bugzilla/show_bug.cgi?id=15078
# CVE-2013-0242
# ChangeLog, NEWS and new test removed to apply clean
commit a445af0bc722d620afed7683cd320c0e4c7c6059
Author: Andreas Schwab <schwab@suse.de>
Date: Tue Jan 29 14:45:15 2013 +0100
Fix buffer overrun in regexp matcher
diff --git a/posix/regexec.c b/posix/regexec.c
index 7f2de85..5ca2bf6 100644
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -197,7 +197,7 @@ static int group_nodes_into_DFAstates (const re_dfa_t *dfa,
static int check_node_accept (const re_match_context_t *mctx,
const re_token_t *node, int idx)
internal_function;
-static reg_errcode_t extend_buffers (re_match_context_t *mctx)
+static reg_errcode_t extend_buffers (re_match_context_t *mctx, int min_len)
internal_function;
/* Entry point for POSIX code. */
@@ -1160,7 +1160,7 @@ check_matching (re_match_context_t *mctx, int fl_longest_match,
|| (BE (next_char_idx >= mctx->input.valid_len, 0)
&& mctx->input.valid_len < mctx->input.len))
{
- err = extend_buffers (mctx);
+ err = extend_buffers (mctx, next_char_idx + 1);
if (BE (err != REG_NOERROR, 0))
{
assert (err == REG_ESPACE);
@@ -1738,7 +1738,7 @@ clean_state_log_if_needed (re_match_context_t *mctx, int next_state_log_idx)
&& mctx->input.valid_len < mctx->input.len))
{
reg_errcode_t err;
- err = extend_buffers (mctx);
+ err = extend_buffers (mctx, next_state_log_idx + 1);
if (BE (err != REG_NOERROR, 0))
return err;
}
@@ -2792,7 +2792,7 @@ get_subexp (re_match_context_t *mctx, int bkref_node, int bkref_str_idx)
if (bkref_str_off >= mctx->input.len)
break;
- err = extend_buffers (mctx);
+ err = extend_buffers (mctx, bkref_str_off + 1);
if (BE (err != REG_NOERROR, 0))
return err;
@@ -4102,7 +4102,7 @@ check_node_accept (const re_match_context_t *mctx, const re_token_t *node,
static reg_errcode_t
internal_function __attribute_warn_unused_result__
-extend_buffers (re_match_context_t *mctx)
+extend_buffers (re_match_context_t *mctx, int min_len)
{
reg_errcode_t ret;
re_string_t *pstr = &mctx->input;
@@ -4111,8 +4111,10 @@ extend_buffers (re_match_context_t *mctx)
if (BE (INT_MAX / 2 / sizeof (re_dfastate_t *) <= pstr->bufs_len, 0))
return REG_ESPACE;
- /* Double the lengthes of the buffers. */
- ret = re_string_realloc_buffers (pstr, MIN (pstr->len, pstr->bufs_len * 2));
+ /* Double the lengthes of the buffers, but allocate at least MIN_LEN. */
+ ret = re_string_realloc_buffers (pstr,
+ MAX (min_len,
+ MIN (pstr->len, pstr->bufs_len * 2)));
if (BE (ret != REG_NOERROR, 0))
return ret;