GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+(\.\d+)*)"
-SRCREV_glibc ?= "1c9a5c270d8b66f30dcfaf1cb2d6cf39d3e18369"
+SRCREV_glibc ?= "d300041c533a3d837c9f37a099bcc95466860e98"
SRCREV_localedef ?= "dfb4afe551c6c6e94f9cc85417bd1f582168c843"
SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
+++ /dev/null
-From f1cf98b583787cfb6278baea46e286a0ee7567fd Mon Sep 17 00:00:00 2001
-From: Paul Eggert <eggert@cs.ucla.edu>
-Date: Sun, 22 Oct 2017 10:00:57 +0200
-Subject: [PATCH] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ
- #22332]
-
-(cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)
-
-Upstream-Status: Backport
-CVE: CVE-2017-15671
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- ChangeLog | 6 ++++++
- NEWS | 4 ++++
- posix/glob.c | 4 ++--
- 3 files changed, 12 insertions(+), 2 deletions(-)
-
-Index: git/NEWS
-===================================================================
---- git.orig/NEWS
-+++ git/NEWS
-@@ -211,6 +211,10 @@ Security related changes:
- on the stack or the heap, depending on the length of the user name).
- Reported by Tim Rühsen.
-
-+ The glob function, when invoked with GLOB_TILDE and without
-+ GLOB_NOESCAPE, could write past the end of a buffer while
-+ unescaping user names. Reported by Tim Rühsen.
-+
- The following bugs are resolved with this release:
-
- [984] network: Respond to changed resolv.conf in gethostbyname
-Index: git/posix/glob.c
-===================================================================
---- git.orig/posix/glob.c
-+++ git/posix/glob.c
-@@ -823,11 +823,11 @@ glob (const char *pattern, int flags, in
- char *p = mempcpy (newp, dirname + 1,
- unescape - dirname - 1);
- char *q = unescape;
-- while (*q != '\0')
-+ while (q != end_name)
- {
- if (*q == '\\')
- {
-- if (q[1] == '\0')
-+ if (q + 1 == end_name)
- {
- /* "~fo\\o\\" unescape to user_name "foo\\",
- but "~fo\\o\\/" unescape to user_name
-Index: git/ChangeLog
-===================================================================
---- git.orig/ChangeLog
-+++ git/ChangeLog
-@@ -1,5 +1,10 @@
-+
- 2017-10-20 Paul Eggert <eggert@cs.ucla.edu>
-
-+ [BZ #22332]
-+ * posix/glob.c (__glob): Fix buffer overflow during GLOB_TILDE
-+ unescaping.
-+
- [BZ #22320]
- CVE-2017-15670
- * posix/glob.c (__glob): Fix one-byte overflow.
+++ /dev/null
-From 4ebd0c4191c6073cc8a7c5fdcf1d182c4719bcbb Mon Sep 17 00:00:00 2001
-From: Aurelien Jarno <aurelien@aurel32.net>
-Date: Sat, 30 Dec 2017 10:54:23 +0100
-Subject: [PATCH] elf: Check for empty tokens before dynamic string token
- expansion [BZ #22625]
-
-The fillin_rpath function in elf/dl-load.c loops over each RPATH or
-RUNPATH tokens and interprets empty tokens as the current directory
-("./"). In practice the check for empty token is done *after* the
-dynamic string token expansion. The expansion process can return an
-empty string for the $ORIGIN token if __libc_enable_secure is set
-or if the path of the binary can not be determined (/proc not mounted).
-
-Fix that by moving the check for empty tokens before the dynamic string
-token expansion. In addition, check for NULL pointer or empty strings
-return by expand_dynamic_string_token.
-
-The above changes highlighted a bug in decompose_rpath, an empty array
-is represented by the first element being NULL at the fillin_rpath
-level, but by using a -1 pointer in decompose_rpath and other functions.
-
-Changelog:
- [BZ #22625]
- * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
- string token expansion. Check for NULL pointer or empty string possibly
- returned by expand_dynamic_string_token.
- (decompose_rpath): Check for empty path after dynamic string
- token expansion.
-(cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)
-
-Upstream-Status: Backport
-CVE: CVE-2017-16997
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- ChangeLog | 10 ++++++++++
- NEWS | 4 ++++
- elf/dl-load.c | 49 +++++++++++++++++++++++++++++++++----------------
- 3 files changed, 47 insertions(+), 16 deletions(-)
-
-Index: git/NEWS
-===================================================================
---- git.orig/NEWS
-+++ git/NEWS
-@@ -215,6 +215,10 @@ Security related changes:
- GLOB_NOESCAPE, could write past the end of a buffer while
- unescaping user names. Reported by Tim Rühsen.
-
-+ CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
-+ for AT_SECURE or SUID binaries could be used to load libraries from the
-+ current directory.
-+
- The following bugs are resolved with this release:
-
- [984] network: Respond to changed resolv.conf in gethostbyname
-Index: git/elf/dl-load.c
-===================================================================
---- git.orig/elf/dl-load.c
-+++ git/elf/dl-load.c
-@@ -433,32 +433,41 @@ fillin_rpath (char *rpath, struct r_sear
- {
- char *cp;
- size_t nelems = 0;
-- char *to_free;
-
- while ((cp = __strsep (&rpath, sep)) != NULL)
- {
- struct r_search_path_elem *dirp;
-+ char *to_free = NULL;
-+ size_t len = 0;
-
-- to_free = cp = expand_dynamic_string_token (l, cp, 1);
-+ /* `strsep' can pass an empty string. */
-+ if (*cp != '\0')
-+ {
-+ to_free = cp = expand_dynamic_string_token (l, cp, 1);
-
-- size_t len = strlen (cp);
-+ /* expand_dynamic_string_token can return NULL in case of empty
-+ path or memory allocation failure. */
-+ if (cp == NULL)
-+ continue;
-+
-+ /* Compute the length after dynamic string token expansion and
-+ ignore empty paths. */
-+ len = strlen (cp);
-+ if (len == 0)
-+ {
-+ free (to_free);
-+ continue;
-+ }
-
-- /* `strsep' can pass an empty string. This has to be
-- interpreted as `use the current directory'. */
-- if (len == 0)
-- {
-- static const char curwd[] = "./";
-- cp = (char *) curwd;
-+ /* Remove trailing slashes (except for "/"). */
-+ while (len > 1 && cp[len - 1] == '/')
-+ --len;
-+
-+ /* Now add one if there is none so far. */
-+ if (len > 0 && cp[len - 1] != '/')
-+ cp[len++] = '/';
- }
-
-- /* Remove trailing slashes (except for "/"). */
-- while (len > 1 && cp[len - 1] == '/')
-- --len;
--
-- /* Now add one if there is none so far. */
-- if (len > 0 && cp[len - 1] != '/')
-- cp[len++] = '/';
--
- /* Make sure we don't use untrusted directories if we run SUID. */
- if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))
- {
-@@ -621,6 +630,14 @@ decompose_rpath (struct r_search_path_st
- necessary. */
- free (copy);
-
-+ /* There is no path after expansion. */
-+ if (result[0] == NULL)
-+ {
-+ free (result);
-+ sps->dirs = (struct r_search_path_elem **) -1;
-+ return false;
-+ }
-+
- sps->dirs = result;
- /* The caller will change this value if we haven't used a real malloc. */
- sps->malloced = 1;
-Index: git/ChangeLog
-===================================================================
---- git.orig/ChangeLog
-+++ git/ChangeLog
-@@ -1,3 +1,12 @@
-+2017-12-30 Aurelien Jarno <aurelien@aurel32.net>
-+ Dmitry V. Levin <ldv@altlinux.org>
-+
-+ [BZ #22625]
-+ * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
-+ string token expansion. Check for NULL pointer or empty string possibly
-+ returned by expand_dynamic_string_token.
-+ (decompose_rpath): Check for empty path after dynamic string
-+ token expansion.
-
- 2017-10-20 Paul Eggert <eggert@cs.ucla.edu>
-
+++ /dev/null
-From df8c219cb987cfe85c550efa693a1383a11e38aa Mon Sep 17 00:00:00 2001
-From: Arjun Shankar <arjun@redhat.com>
-Date: Thu, 30 Nov 2017 13:31:45 +0100
-Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ
- #22375]
-
-When the per-thread cache is enabled, __libc_malloc uses request2size (which
-does not perform an overflow check) to calculate the chunk size from the
-requested allocation size. This leads to an integer overflow causing malloc
-to incorrectly return the last successfully allocated block when called with
-a very large size argument (close to SIZE_MAX).
-
-This commit uses checked_request2size instead, removing the overflow.
-
-(cherry picked from commit 34697694e8a93b325b18f25f7dcded55d6baeaf6)
-
-Upstream-Status: Backport
-CVE: CVE-2017-17426
-Signed-off-by: Armin Kuster <akuster@mvista.com>
-
----
- ChangeLog | 7 +++++++
- NEWS | 6 ++++++
- malloc/malloc.c | 3 ++-
- 3 files changed, 15 insertions(+), 1 deletion(-)
-
-Index: git/NEWS
-===================================================================
---- git.orig/NEWS
-+++ git/NEWS
-@@ -4,6 +4,8 @@ See the end for copying conditions.
-
- Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
- using `glibc' in the "product" field.
-+
-+[22375] malloc returns pointer from tcache instead of NULL (CVE-2017-17426)
- \f
- Version 2.26
-
-@@ -215,6 +217,11 @@ Security related changes:
- for AT_SECURE or SUID binaries could be used to load libraries from the
- current directory.
-
-+ CVE-2017-17426: The malloc function, when called with an object size near
-+ the value SIZE_MAX, would return a pointer to a buffer which is too small,
-+ instead of NULL. This was a regression introduced with the new malloc
-+ thread cache in glibc 2.26. Reported by Iain Buclaw.
-+
- The following bugs are resolved with this release:
-
- [984] network: Respond to changed resolv.conf in gethostbyname
-Index: git/malloc/malloc.c
-===================================================================
---- git.orig/malloc/malloc.c
-+++ git/malloc/malloc.c
-@@ -3050,7 +3050,8 @@ __libc_malloc (size_t bytes)
- return (*hook)(bytes, RETURN_ADDRESS (0));
- #if USE_TCACHE
- /* int_free also calls request2size, be careful to not pad twice. */
-- size_t tbytes = request2size (bytes);
-+ size_t tbytes;
-+ checked_request2size (bytes, tbytes);
- size_t tc_idx = csize2tidx (tbytes);
-
- MAYBE_INIT_TCACHE ();
-Index: git/ChangeLog
-===================================================================
---- git.orig/ChangeLog
-+++ git/ChangeLog
-@@ -1,3 +1,10 @@
-+2017-11-30 Arjun Shankar <arjun@redhat.com>
-+
-+ [BZ #22375]
-+ CVE-2017-17426
-+ * malloc/malloc.c (__libc_malloc): Use checked_request2size
-+ instead of request2size.
-+
- 2017-12-30 Aurelien Jarno <aurelien@aurel32.net>
- Dmitry V. Levin <ldv@altlinux.org>
-
DEPENDS += "gperf-native bison-native"
-SRCREV ?= "1c9a5c270d8b66f30dcfaf1cb2d6cf39d3e18369"
+SRCREV ?= "d300041c533a3d837c9f37a099bcc95466860e98"
SRCBRANCH ?= "release/${PV}/master"
file://0023-Define-DUMMY_LOCALE_T-if-not-defined.patch \
file://0024-elf-dl-deps.c-Make-_dl_build_local_scope-breadth-fir.patch \
file://0025-locale-fix-hard-coded-reference-to-gcc-E.patch \
- file://0026-assert-Suppress-pedantic-warning-caused-by-statement.patch \
file://0027-glibc-reset-dl-load-write-lock-after-forking.patch \
file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \
- file://CVE-2017-15670.patch \
- file://CVE-2017-15671.patch \
- file://0029-assert-Support-types-without-operator-int-BZ-21972.patch \
- file://CVE-2017-16997.patch \
- file://CVE-2017-17426.patch \
"
NATIVESDKFIXES ?= ""
