summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster808@gmail.com>2014-11-25 08:21:40 (GMT)
committerTudor Florea <tudor.florea@enea.com>2015-07-06 18:19:37 (GMT)
commitf5648403cc045b4bf549f824ec40aee64018c1e5 (patch)
tree695e7c30e8ab5799abb443d299bdd835a8a9ef08
parenta886d431a3284e75865ebf53e172a4d36773107e (diff)
downloadpoky-f5648403cc045b4bf549f824ec40aee64018c1e5.tar.gz
eglibc: CVE-2014-5119 fix
__gconv_translit_find: Disable function [BZ #17187] This functionality has never worked correctly, and the implementation contained a security vulnerability (CVE-2014-5119). (From OE-Core rev: 3f0a4551969798803e019435f1f4b5e8f88bea1a) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r--meta/recipes-core/eglibc/eglibc-2.19/CVE-2014-5119.patch240
-rw-r--r--meta/recipes-core/eglibc/eglibc_2.19.bb1
2 files changed, 241 insertions, 0 deletions
diff --git a/meta/recipes-core/eglibc/eglibc-2.19/CVE-2014-5119.patch b/meta/recipes-core/eglibc/eglibc-2.19/CVE-2014-5119.patch
new file mode 100644
index 0000000..51c7037
--- /dev/null
+++ b/meta/recipes-core/eglibc/eglibc-2.19/CVE-2014-5119.patch
@@ -0,0 +1,240 @@
1CVE-2014-5119
2
3Signed-off-by: Armin Kuster <akuster808@gmail.com>
4
5Upstream commit:
6
7https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8
8
9
10From a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8 Mon Sep 17 00:00:00 2001
11From: Florian Weimer <fweimer@redhat.com>
12Date: Tue, 26 Aug 2014 19:38:59 +0200
13Subject: [PATCH] __gconv_translit_find: Disable function [BZ #17187]
14
15This functionality has never worked correctly, and the implementation
16contained a security vulnerability (CVE-2014-5119).
17---
18 ChangeLog | 7 ++
19 NEWS | 9 ++-
20 iconv/gconv_trans.c | 177 +-------------------------------------------------
21 3 files changed, 19 insertions(+), 174 deletions(-)
22
23Index: libc/NEWS
24===================================================================
25--- libc.orig/NEWS
26+++ libc/NEWS
27@@ -26,7 +26,7 @@ Version 2.19
28 16271, 16274, 16283, 16289, 16293, 16314, 16316, 16330, 16337, 16338,
29 16356, 16365, 16366, 16369, 16372, 16375, 16379, 16384, 16385, 16386,
30 16387, 16390, 16394, 16398, 16400, 16407, 16408, 16414, 16430, 16431,
31- 16453, 16474, 16506, 16510, 16529
32+ 16453, 16474, 16506, 16510, 16529, 17187
33
34 * Slovenian translations for glibc messages have been contributed by the
35 Translation Project's Slovenian team of translators.
36Index: libc/iconv/gconv_trans.c
37===================================================================
38--- libc.orig/iconv/gconv_trans.c
39+++ libc/iconv/gconv_trans.c
40@@ -241,181 +241,12 @@ __gconv_transliterate (struct __gconv_st
41 return __GCONV_ILLEGAL_INPUT;
42 }
43
44-
45-/* Structure to represent results of found (or not) transliteration
46- modules. */
47-struct known_trans
48-{
49- /* This structure must remain the first member. */
50- struct trans_struct info;
51-
52- char *fname;
53- void *handle;
54- int open_count;
55-};
56-
57-
58-/* Tree with results of previous calls to __gconv_translit_find. */
59-static void *search_tree;
60-
61-/* We modify global data. */
62-__libc_lock_define_initialized (static, lock);
63-
64-
65-/* Compare two transliteration entries. */
66-static int
67-trans_compare (const void *p1, const void *p2)
68-{
69- const struct known_trans *s1 = (const struct known_trans *) p1;
70- const struct known_trans *s2 = (const struct known_trans *) p2;
71-
72- return strcmp (s1->info.name, s2->info.name);
73-}
74-
75-
76-/* Open (maybe reopen) the module named in the struct. Get the function
77- and data structure pointers we need. */
78-static int
79-open_translit (struct known_trans *trans)
80-{
81- __gconv_trans_query_fct queryfct;
82-
83- trans->handle = __libc_dlopen (trans->fname);
84- if (trans->handle == NULL)
85- /* Not available. */
86- return 1;
87-
88- /* Find the required symbol. */
89- queryfct = __libc_dlsym (trans->handle, "gconv_trans_context");
90- if (queryfct == NULL)
91- {
92- /* We cannot live with that. */
93- close_and_out:
94- __libc_dlclose (trans->handle);
95- trans->handle = NULL;
96- return 1;
97- }
98-
99- /* Get the context. */
100- if (queryfct (trans->info.name, &trans->info.csnames, &trans->info.ncsnames)
101- != 0)
102- goto close_and_out;
103-
104- /* Of course we also have to have the actual function. */
105- trans->info.trans_fct = __libc_dlsym (trans->handle, "gconv_trans");
106- if (trans->info.trans_fct == NULL)
107- goto close_and_out;
108-
109- /* Now the optional functions. */
110- trans->info.trans_init_fct =
111- __libc_dlsym (trans->handle, "gconv_trans_init");
112- trans->info.trans_context_fct =
113- __libc_dlsym (trans->handle, "gconv_trans_context");
114- trans->info.trans_end_fct =
115- __libc_dlsym (trans->handle, "gconv_trans_end");
116-
117- trans->open_count = 1;
118-
119- return 0;
120-}
121-
122-
123 int
124 internal_function
125 __gconv_translit_find (struct trans_struct *trans)
126 {
127- struct known_trans **found;
128- const struct path_elem *runp;
129- int res = 1;
130-
131- /* We have to have a name. */
132- assert (trans->name != NULL);
133-
134- /* Acquire the lock. */
135- __libc_lock_lock (lock);
136-
137- /* See whether we know this module already. */
138- found = __tfind (trans, &search_tree, trans_compare);
139- if (found != NULL)
140- {
141- /* Is this module available? */
142- if ((*found)->handle != NULL)
143- {
144- /* Maybe we have to reopen the file. */
145- if ((*found)->handle != (void *) -1)
146- /* The object is not unloaded. */
147- res = 0;
148- else if (open_translit (*found) == 0)
149- {
150- /* Copy the data. */
151- *trans = (*found)->info;
152- (*found)->open_count++;
153- res = 0;
154- }
155- }
156- }
157- else
158- {
159- size_t name_len = strlen (trans->name) + 1;
160- int need_so = 0;
161- struct known_trans *newp;
162-
163- /* We have to continue looking for the module. */
164- if (__gconv_path_elem == NULL)
165- __gconv_get_path ();
166-
167- /* See whether we have to append .so. */
168- if (name_len <= 4 || memcmp (&trans->name[name_len - 4], ".so", 3) != 0)
169- need_so = 1;
170-
171- /* Create a new entry. */
172- newp = (struct known_trans *) malloc (sizeof (struct known_trans)
173- + (__gconv_max_path_elem_len
174- + name_len + 3)
175- + name_len);
176- if (newp != NULL)
177- {
178- char *cp;
179-
180- /* Clear the struct. */
181- memset (newp, '\0', sizeof (struct known_trans));
182-
183- /* Store a copy of the module name. */
184- newp->info.name = cp = (char *) (newp + 1);
185- cp = __mempcpy (cp, trans->name, name_len);
186-
187- newp->fname = cp;
188-
189- /* Search in all the directories. */
190- for (runp = __gconv_path_elem; runp->name != NULL; ++runp)
191- {
192- cp = __mempcpy (__stpcpy ((char *) newp->fname, runp->name),
193- trans->name, name_len);
194- if (need_so)
195- memcpy (cp, ".so", sizeof (".so"));
196-
197- if (open_translit (newp) == 0)
198- {
199- /* We found a module. */
200- res = 0;
201- break;
202- }
203- }
204-
205- if (res)
206- newp->fname = NULL;
207-
208- /* In any case we'll add the entry to our search tree. */
209- if (__tsearch (newp, &search_tree, trans_compare) == NULL)
210- {
211- /* Yickes, this should not happen. Unload the object. */
212- res = 1;
213- /* XXX unload here. */
214- }
215- }
216- }
217-
218- __libc_lock_unlock (lock);
219-
220- return res;
221+ /* Transliteration module loading has been removed because it never
222+ worked as intended and suffered from a security vulnerability.
223+ Consequently, this function always fails. */
224+ return 1;
225 }
226Index: libc/ChangeLog
227===================================================================
228--- libc.orig/ChangeLog
229+++ libc/ChangeLog
230@@ -1,3 +1,10 @@
231+2014-08-26 Florian Weimer <fweimer@redhat.com>
232+
233+ [BZ #17187]
234+ * iconv/gconv_trans.c (struct known_trans, search_tree, lock,
235+ trans_compare, open_translit, __gconv_translit_find):
236+ Remove module loading code.
237+
238 2014-02-06 Carlos O'Donell <carlos@redhat.com>
239
240 [BZ #16529]
diff --git a/meta/recipes-core/eglibc/eglibc_2.19.bb b/meta/recipes-core/eglibc/eglibc_2.19.bb
index 8f09676..b9e43a1 100644
--- a/meta/recipes-core/eglibc/eglibc_2.19.bb
+++ b/meta/recipes-core/eglibc/eglibc_2.19.bb
@@ -25,6 +25,7 @@ SRC_URI = "http://downloads.yoctoproject.org/releases/eglibc/eglibc-${PV}-svnr25
25 file://0001-eglibc-run-libm-err-tab.pl-with-specific-dirs-in-S.patch \ 25 file://0001-eglibc-run-libm-err-tab.pl-with-specific-dirs-in-S.patch \
26 file://fix-tibetian-locales.patch \ 26 file://fix-tibetian-locales.patch \
27 file://ppce6500-32b_slow_ieee754_sqrt.patch \ 27 file://ppce6500-32b_slow_ieee754_sqrt.patch \
28 file://CVE-2014-5119.patch \
28 " 29 "
29SRC_URI[md5sum] = "197836c2ba42fb146e971222647198dd" 30SRC_URI[md5sum] = "197836c2ba42fb146e971222647198dd"
30SRC_URI[sha256sum] = "baaa030531fc308f7820c46acdf8e1b2f8e3c1f40bcd28b6e440d1c95d170d4c" 31SRC_URI[sha256sum] = "baaa030531fc308f7820c46acdf8e1b2f8e3c1f40bcd28b6e440d1c95d170d4c"