summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster808@gmail.com>2015-04-29 17:44:27 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-05-01 11:34:52 (GMT)
commitccd470ba5fd739d3ca7c0e74c828642e9b9828c7 (patch)
tree3f960efd808018584e22545922585f1485b73d2b
parent90a33dde44446185d41bf6eb5e7aa27faacbc936 (diff)
downloadpoky-ccd470ba5fd739d3ca7c0e74c828642e9b9828c7.tar.gz
eglibc: fix two security issues.
The includes two CVE fixes: CVE-2012-3406 CVE-2014-7817 (From OE-Core rev: fed4d140da67fc51d54b02df83882177f6ddab10) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/eglibc/eglibc-2.19/CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch317
-rw-r--r--meta/recipes-core/eglibc/eglibc-2.19/CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch216
-rw-r--r--meta/recipes-core/eglibc/eglibc_2.19.bb2
3 files changed, 535 insertions, 0 deletions
diff --git a/meta/recipes-core/eglibc/eglibc-2.19/CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch b/meta/recipes-core/eglibc/eglibc-2.19/CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch
new file mode 100644
index 0000000..c94e682
--- /dev/null
+++ b/meta/recipes-core/eglibc/eglibc-2.19/CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch
@@ -0,0 +1,317 @@
1From a5357b7ce2a2982c5778435704bcdb55ce3667a0 Mon Sep 17 00:00:00 2001
2From: Jeff Law <law@redhat.com>
3Date: Mon, 15 Dec 2014 10:09:32 +0100
4Subject: [PATCH] CVE-2012-3406: Stack overflow in vfprintf [BZ #16617]
5
6A larger number of format specifiers coudld cause a stack overflow,
7potentially allowing to bypass _FORTIFY_SOURCE format string
8protection.
9---
10 ChangeLog | 9 +++++++
11 NEWS | 13 +++++----
12 stdio-common/Makefile | 2 +-
13 stdio-common/bug23-2.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++++
14 stdio-common/bug23-3.c | 50 +++++++++++++++++++++++++++++++++++
15 stdio-common/bug23-4.c | 31 ++++++++++++++++++++++
16 stdio-common/vfprintf.c | 40 ++++++++++++++++++++++++++--
17 7 files changed, 207 insertions(+), 8 deletions(-)
18 create mode 100644 stdio-common/bug23-2.c
19 create mode 100644 stdio-common/bug23-3.c
20 create mode 100644 stdio-common/bug23-4.c
21
22Index: libc/ChangeLog
23===================================================================
24--- libc.orig/ChangeLog
25+++ libc/ChangeLog
26@@ -1,3 +1,12 @@
27+2014-12-15 Jeff Law <law@redhat.com>
28+
29+ [BZ #16617]
30+ * stdio-common/vfprintf.c (vfprintf): Allocate large specs array
31+ on the heap. (CVE-2012-3406)
32+ * stdio-common/bug23-2.c, stdio-common/bug23-3.c: New file.
33+ * stdio-common/bug23-4.c: New file. Test case by Joseph Myers.
34+ * stdio-common/Makefile (tests): Add bug23-2, bug23-3, bug23-4.
35+
36 2014-11-19 Carlos O'Donell <carlos@redhat.com>
37 Florian Weimer <fweimer@redhat.com>
38 Joseph Myers <joseph@codesourcery.com>
39Index: libc/NEWS
40===================================================================
41--- libc.orig/NEWS
42+++ libc/NEWS
43@@ -26,7 +26,7 @@ Version 2.19
44 16271, 16274, 16283, 16289, 16293, 16314, 16316, 16330, 16337, 16338,
45 16356, 16365, 16366, 16369, 16372, 16375, 16379, 16384, 16385, 16386,
46 16387, 16390, 16394, 16398, 16400, 16407, 16408, 16414, 16430, 16431,
47- 16453, 16474, 16506, 16510, 16529, 17187, 17625.
48+ 16453, 16474, 16506, 16510, 16529, 16619, 17187, 17625.
49
50 * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag
51 under certain input conditions resulting in the execution of a shell for
52@@ -34,6 +34,9 @@ Version 2.19
53 implementation now checks WRDE_NOCMD immediately before executing the
54 shell and returns the error WRDE_CMDSUB as expected.
55
56+* CVE-2012-3406 printf-style functions could run into a stack overflow when
57+ processing format strings with a large number of format specifiers.
58+
59 * Slovenian translations for glibc messages have been contributed by the
60 Translation Project's Slovenian team of translators.
61
62Index: libc/stdio-common/bug23-2.c
63===================================================================
64--- /dev/null
65+++ libc/stdio-common/bug23-2.c
66@@ -0,0 +1,70 @@
67+#include <stdio.h>
68+#include <string.h>
69+#include <stdlib.h>
70+
71+static const char expected[] = "\
72+\n\
73+a\n\
74+abbcd55\
75+\n\
76+a\n\
77+abbcd55\
78+\n\
79+a\n\
80+abbcd55\
81+\n\
82+a\n\
83+abbcd55\
84+\n\
85+a\n\
86+abbcd55\
87+\n\
88+a\n\
89+abbcd55\
90+\n\
91+a\n\
92+abbcd55\
93+\n\
94+a\n\
95+abbcd55\
96+\n\
97+a\n\
98+abbcd55\
99+\n\
100+a\n\
101+abbcd55\
102+\n\
103+a\n\
104+abbcd55\
105+\n\
106+a\n\
107+abbcd55\
108+\n\
109+a\n\
110+abbcd55%%%%%%%%%%%%%%%%%%%%%%%%%%\n";
111+
112+static int
113+do_test (void)
114+{
115+ char *buf = malloc (strlen (expected) + 1);
116+ snprintf (buf, strlen (expected) + 1,
117+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
118+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
119+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
120+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
121+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
122+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
123+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
124+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
125+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
126+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
127+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
128+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
129+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
130+ "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n",
131+ "a", "b", "c", "d", 5);
132+ return strcmp (buf, expected) != 0;
133+}
134+
135+#define TEST_FUNCTION do_test ()
136+#include "../test-skeleton.c"
137Index: libc/stdio-common/bug23-3.c
138===================================================================
139--- /dev/null
140+++ libc/stdio-common/bug23-3.c
141@@ -0,0 +1,50 @@
142+#include <stdio.h>
143+#include <string.h>
144+#include <stdlib.h>
145+
146+int
147+do_test (void)
148+{
149+ size_t instances = 16384;
150+#define X0 "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
151+ const char *item = "\na\nabbcd55";
152+#define X3 X0 X0 X0 X0 X0 X0 X0 X0
153+#define X6 X3 X3 X3 X3 X3 X3 X3 X3
154+#define X9 X6 X6 X6 X6 X6 X6 X6 X6
155+#define X12 X9 X9 X9 X9 X9 X9 X9 X9
156+#define X14 X12 X12 X12 X12
157+#define TRAILER "%%%%%%%%%%%%%%%%%%%%%%%%%%"
158+#define TRAILER2 TRAILER TRAILER
159+ size_t length = instances * strlen (item) + strlen (TRAILER) + 1;
160+
161+ char *buf = malloc (length + 1);
162+ snprintf (buf, length + 1,
163+ X14 TRAILER2 "\n",
164+ "a", "b", "c", "d", 5);
165+
166+ const char *p = buf;
167+ size_t i;
168+ for (i = 0; i < instances; ++i)
169+ {
170+ const char *expected;
171+ for (expected = item; *expected; ++expected)
172+ {
173+ if (*p != *expected)
174+ {
175+ printf ("mismatch at offset %zu (%zu): expected %d, got %d\n",
176+ (size_t) (p - buf), i, *expected & 0xFF, *p & 0xFF);
177+ return 1;
178+ }
179+ ++p;
180+ }
181+ }
182+ if (strcmp (p, TRAILER "\n") != 0)
183+ {
184+ printf ("mismatch at trailer: [%s]\n", p);
185+ return 1;
186+ }
187+ free (buf);
188+ return 0;
189+}
190+#define TEST_FUNCTION do_test ()
191+#include "../test-skeleton.c"
192Index: libc/stdio-common/bug23-4.c
193===================================================================
194--- /dev/null
195+++ libc/stdio-common/bug23-4.c
196@@ -0,0 +1,31 @@
197+#include <stdio.h>
198+#include <stdlib.h>
199+#include <string.h>
200+#include <sys/resource.h>
201+
202+#define LIMIT 1000000
203+
204+int
205+main (void)
206+{
207+ struct rlimit lim;
208+ getrlimit (RLIMIT_STACK, &lim);
209+ lim.rlim_cur = 1048576;
210+ setrlimit (RLIMIT_STACK, &lim);
211+ char *fmtstr = malloc (4 * LIMIT + 1);
212+ if (fmtstr == NULL)
213+ abort ();
214+ char *output = malloc (LIMIT + 1);
215+ if (output == NULL)
216+ abort ();
217+ for (size_t i = 0; i < LIMIT; i++)
218+ memcpy (fmtstr + 4 * i, "%1$d", 4);
219+ fmtstr[4 * LIMIT] = '\0';
220+ int ret = snprintf (output, LIMIT + 1, fmtstr, 0);
221+ if (ret != LIMIT)
222+ abort ();
223+ for (size_t i = 0; i < LIMIT; i++)
224+ if (output[i] != '0')
225+ abort ();
226+ return 0;
227+}
228Index: libc/stdio-common/vfprintf.c
229===================================================================
230--- libc.orig/stdio-common/vfprintf.c
231+++ libc/stdio-common/vfprintf.c
232@@ -276,6 +276,12 @@ vfprintf (FILE *s, const CHAR_T *format,
233 /* For the argument descriptions, which may be allocated on the heap. */
234 void *args_malloced = NULL;
235
236+ /* For positional argument handling. */
237+ struct printf_spec *specs;
238+
239+ /* Track if we malloced the SPECS array and thus must free it. */
240+ bool specs_malloced = false;
241+
242 /* This table maps a character into a number representing a
243 class. In each step there is a destination label for each
244 class. */
245@@ -1698,8 +1704,8 @@ do_positional:
246 size_t nspecs = 0;
247 /* A more or less arbitrary start value. */
248 size_t nspecs_size = 32 * sizeof (struct printf_spec);
249- struct printf_spec *specs = alloca (nspecs_size);
250
251+ specs = alloca (nspecs_size);
252 /* The number of arguments the format string requests. This will
253 determine the size of the array needed to store the argument
254 attributes. */
255@@ -1742,11 +1748,39 @@ do_positional:
256 if (nspecs * sizeof (*specs) >= nspecs_size)
257 {
258 /* Extend the array of format specifiers. */
259+ if (nspecs_size * 2 < nspecs_size)
260+ {
261+ __set_errno (ENOMEM);
262+ done = -1;
263+ goto all_done;
264+ }
265 struct printf_spec *old = specs;
266- specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size);
267+ if (__libc_use_alloca (2 * nspecs_size))
268+ specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size);
269+ else
270+ {
271+ nspecs_size *= 2;
272+ specs = malloc (nspecs_size);
273+ if (specs == NULL)
274+ {
275+ __set_errno (ENOMEM);
276+ specs = old;
277+ done = -1;
278+ goto all_done;
279+ }
280+ }
281
282 /* Copy the old array's elements to the new space. */
283 memmove (specs, old, nspecs * sizeof (*specs));
284+
285+ /* If we had previously malloc'd space for SPECS, then
286+ release it after the copy is complete. */
287+ if (specs_malloced)
288+ free (old);
289+
290+ /* Now set SPECS_MALLOCED if needed. */
291+ if (!__libc_use_alloca (nspecs_size))
292+ specs_malloced = true;
293 }
294
295 /* Parse the format specifier. */
296@@ -2067,6 +2101,8 @@ do_positional:
297 }
298
299 all_done:
300+ if (specs_malloced)
301+ free (specs);
302 if (__glibc_unlikely (args_malloced != NULL))
303 free (args_malloced);
304 if (__glibc_unlikely (workstart != NULL))
305Index: libc/stdio-common/Makefile
306===================================================================
307--- libc.orig/stdio-common/Makefile
308+++ libc/stdio-common/Makefile
309@@ -64,7 +64,7 @@ tests := tstscanf test_rdwr test-popen t
310 tst-fwrite bug16 bug17 tst-sprintf2 bug18 \
311 bug19 tst-popen2 scanf14 scanf15 bug21 bug22 scanf16 scanf17 \
312 tst-setvbuf1 bug23 bug24 bug-vfprintf-nargs tst-sprintf3 bug25 \
313- tst-printf-round bug26
314+ tst-printf-round bug23-2 bug23-3 bug23-4
315 tests-$(OPTION_EGLIBC_LOCALE_CODE) \
316 += tst-sscanf tst-swprintf test-vfprintf bug14 scanf13 tst-grouping
317 tests-$(OPTION_POSIX_WIDE_CHAR_DEVICE_IO) \
diff --git a/meta/recipes-core/eglibc/eglibc-2.19/CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch b/meta/recipes-core/eglibc/eglibc-2.19/CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch
new file mode 100644
index 0000000..2741ce6
--- /dev/null
+++ b/meta/recipes-core/eglibc/eglibc-2.19/CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch
@@ -0,0 +1,216 @@
1From a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c Mon Sep 17 00:00:00 2001
2From: Carlos O'Donell <carlos@redhat.com>
3Date: Wed, 19 Nov 2014 11:44:12 -0500
4Subject: [PATCH] CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
5
6The function wordexp() fails to properly handle the WRDE_NOCMD
7flag when processing arithmetic inputs in the form of "$((... ``))"
8where "..." can be anything valid. The backticks in the arithmetic
9epxression are evaluated by in a shell even if WRDE_NOCMD forbade
10command substitution. This allows an attacker to attempt to pass
11dangerous commands via constructs of the above form, and bypass
12the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
13in exec_comm(), the only place that can execute a shell. All other
14checks for WRDE_NOCMD are superfluous and removed.
15
16We expand the testsuite and add 3 new regression tests of roughly
17the same form but with a couple of nested levels.
18
19On top of the 3 new tests we add fork validation to the WRDE_NOCMD
20testing. If any forks are detected during the execution of a wordexp()
21call with WRDE_NOCMD, the test is marked as failed. This is slightly
22heuristic since vfork might be used in the future, but it provides a
23higher level of assurance that no shells were executed as part of
24command substitution with WRDE_NOCMD in effect. In addition it doesn't
25require libpthread or libdl, instead we use the public implementation
26namespace function __register_atfork (already part of the public ABI
27for libpthread).
28
29Tested on x86_64 with no regressions.
30---
31 ChangeLog | 22 ++++++++++++++++++++++
32 NEWS | 8 +++++++-
33 posix/wordexp-test.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
34 posix/wordexp.c | 16 ++++------------
35 4 files changed, 77 insertions(+), 13 deletions(-)
36
37Index: libc/ChangeLog
38===================================================================
39--- libc.orig/ChangeLog
40+++ libc/ChangeLog
41@@ -1,3 +1,25 @@
42+2014-11-19 Carlos O'Donell <carlos@redhat.com>
43+ Florian Weimer <fweimer@redhat.com>
44+ Joseph Myers <joseph@codesourcery.com>
45+ Adam Conrad <adconrad@0c3.net>
46+ Andreas Schwab <schwab@suse.de>
47+ Brooks <bmoses@google.com>
48+
49+ [BZ #17625]
50+ * wordexp-test.c (__dso_handle): Add prototype.
51+ (__register_atfork): Likewise.
52+ (__app_register_atfork): New function.
53+ (registered_forks): New global.
54+ (register_fork): New function.
55+ (test_case): Add 3 new tests for WRDE_CMDSUB.
56+ (main): Call __app_register_atfork.
57+ (testit): If WRDE_NOCMD set registered_forks to zero, run test, and if
58+ fork count is non-zero fail the test.
59+ * posix/wordexp.c (exec_comm): Return WRDE_CMDSUB if WRDE_NOCMD flag
60+ is set.
61+ (parse_dollars): Remove check for WRDE_NOCMD.
62+ (parse_dquote): Likewise.
63+
64 2014-08-26 Florian Weimer <fweimer@redhat.com>
65
66 [BZ #17187]
67Index: libc/posix/wordexp-test.c
68===================================================================
69--- libc.orig/posix/wordexp-test.c
70+++ libc/posix/wordexp-test.c
71@@ -27,6 +27,25 @@
72
73 #define IFS " \n\t"
74
75+extern void *__dso_handle __attribute__ ((__weak__, __visibility__ ("hidden")));
76+extern int __register_atfork (void (*) (void), void (*) (void), void (*) (void), void *);
77+
78+static int __app_register_atfork (void (*prepare) (void), void (*parent) (void), void (*child) (void))
79+{
80+ return __register_atfork (prepare, parent, child,
81+ &__dso_handle == NULL ? NULL : __dso_handle);
82+}
83+
84+/* Number of forks seen. */
85+static int registered_forks;
86+
87+/* For each fork increment the fork count. */
88+static void
89+register_fork (void)
90+{
91+ registered_forks++;
92+}
93+
94 struct test_case_struct
95 {
96 int retval;
97@@ -206,6 +225,12 @@ struct test_case_struct
98 { WRDE_SYNTAX, NULL, "$((2+))", 0, 0, { NULL, }, IFS },
99 { WRDE_SYNTAX, NULL, "`", 0, 0, { NULL, }, IFS },
100 { WRDE_SYNTAX, NULL, "$((010+4+))", 0, 0, { NULL }, IFS },
101+ /* Test for CVE-2014-7817. We test 3 combinations of command
102+ substitution inside an arithmetic expression to make sure that
103+ no commands are executed and error is returned. */
104+ { WRDE_CMDSUB, NULL, "$((`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
105+ { WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
106+ { WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS },
107
108 { -1, NULL, NULL, 0, 0, { NULL, }, IFS },
109 };
110@@ -258,6 +283,15 @@ main (int argc, char *argv[])
111 return -1;
112 }
113
114+ /* If we are not allowed to do command substitution, we install
115+ fork handlers to verify that no forks happened. No forks should
116+ happen at all if command substitution is disabled. */
117+ if (__app_register_atfork (register_fork, NULL, NULL) != 0)
118+ {
119+ printf ("Failed to register fork handler.\n");
120+ return -1;
121+ }
122+
123 for (test = 0; test_case[test].retval != -1; test++)
124 if (testit (&test_case[test]))
125 ++fail;
126@@ -367,6 +401,9 @@ testit (struct test_case_struct *tc)
127
128 printf ("Test %d (%s): ", ++tests, tc->words);
129
130+ if (tc->flags & WRDE_NOCMD)
131+ registered_forks = 0;
132+
133 if (tc->flags & WRDE_APPEND)
134 {
135 /* initial wordexp() call, to be appended to */
136@@ -378,6 +415,13 @@ testit (struct test_case_struct *tc)
137 }
138 retval = wordexp (tc->words, &we, tc->flags);
139
140+ if ((tc->flags & WRDE_NOCMD)
141+ && (registered_forks > 0))
142+ {
143+ printf ("FAILED fork called for WRDE_NOCMD\n");
144+ return 1;
145+ }
146+
147 if (tc->flags & WRDE_DOOFFS)
148 start_offs = sav_we.we_offs;
149
150Index: libc/posix/wordexp.c
151===================================================================
152--- libc.orig/posix/wordexp.c
153+++ libc/posix/wordexp.c
154@@ -893,6 +893,10 @@ exec_comm (char *comm, char **word, size
155 pid_t pid;
156 int noexec = 0;
157
158+ /* Do nothing if command substitution should not succeed. */
159+ if (flags & WRDE_NOCMD)
160+ return WRDE_CMDSUB;
161+
162 /* Don't fork() unless necessary */
163 if (!comm || !*comm)
164 return 0;
165@@ -2082,9 +2086,6 @@ parse_dollars (char **word, size_t *word
166 }
167 }
168
169- if (flags & WRDE_NOCMD)
170- return WRDE_CMDSUB;
171-
172 (*offset) += 2;
173 return parse_comm (word, word_length, max_length, words, offset, flags,
174 quoted? NULL : pwordexp, ifs, ifs_white);
175@@ -2196,9 +2197,6 @@ parse_dquote (char **word, size_t *word_
176 break;
177
178 case '`':
179- if (flags & WRDE_NOCMD)
180- return WRDE_CMDSUB;
181-
182 ++(*offset);
183 error = parse_backtick (word, word_length, max_length, words,
184 offset, flags, NULL, NULL, NULL);
185@@ -2357,12 +2355,6 @@ wordexp (const char *words, wordexp_t *p
186 break;
187
188 case '`':
189- if (flags & WRDE_NOCMD)
190- {
191- error = WRDE_CMDSUB;
192- goto do_error;
193- }
194-
195 ++words_offset;
196 error = parse_backtick (&word, &word_length, &max_length, words,
197 &words_offset, flags, pwordexp, ifs,
198Index: libc/NEWS
199===================================================================
200--- libc.orig/NEWS
201+++ libc/NEWS
202@@ -26,7 +26,13 @@ Version 2.19
203 16271, 16274, 16283, 16289, 16293, 16314, 16316, 16330, 16337, 16338,
204 16356, 16365, 16366, 16369, 16372, 16375, 16379, 16384, 16385, 16386,
205 16387, 16390, 16394, 16398, 16400, 16407, 16408, 16414, 16430, 16431,
206- 16453, 16474, 16506, 16510, 16529, 17187
207+ 16453, 16474, 16506, 16510, 16529, 17187, 17625.
208+
209+* CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag
210+ under certain input conditions resulting in the execution of a shell for
211+ command substitution when the applicaiton did not request it. The
212+ implementation now checks WRDE_NOCMD immediately before executing the
213+ shell and returns the error WRDE_CMDSUB as expected.
214
215 * Slovenian translations for glibc messages have been contributed by the
216 Translation Project's Slovenian team of translators.
diff --git a/meta/recipes-core/eglibc/eglibc_2.19.bb b/meta/recipes-core/eglibc/eglibc_2.19.bb
index 090cfe6..a15573c 100644
--- a/meta/recipes-core/eglibc/eglibc_2.19.bb
+++ b/meta/recipes-core/eglibc/eglibc_2.19.bb
@@ -27,6 +27,8 @@ SRC_URI = "http://downloads.yoctoproject.org/releases/eglibc/eglibc-${PV}-svnr25
27 file://ppce6500-32b_slow_ieee754_sqrt.patch \ 27 file://ppce6500-32b_slow_ieee754_sqrt.patch \
28 file://grok_gold.patch \ 28 file://grok_gold.patch \
29 file://CVE-2014-5119.patch \ 29 file://CVE-2014-5119.patch \
30 file://CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch \
31 file://CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \
30 " 32 "
31SRC_URI[md5sum] = "197836c2ba42fb146e971222647198dd" 33SRC_URI[md5sum] = "197836c2ba42fb146e971222647198dd"
32SRC_URI[sha256sum] = "baaa030531fc308f7820c46acdf8e1b2f8e3c1f40bcd28b6e440d1c95d170d4c" 34SRC_URI[sha256sum] = "baaa030531fc308f7820c46acdf8e1b2f8e3c1f40bcd28b6e440d1c95d170d4c"