authorSona Sarmadi <sona.sarmadi@enea.com>2016-02-03 10:59:15 (GMT)
committerTudor Florea <tudor.florea@enea.com>2016-02-03 21:21:50 (GMT)
commita3b82f660c689b3310f1c1d9197cfd7494cc8e5e (patch)
tree5e88567a78193915f5350803b971950f54edfe05
parenta0b44f4563515377fa4944d220f7e0f948729872 (diff)
downloadpoky-a3b82f660c689b3310f1c1d9197cfd7494cc8e5e.tar.gz
glibc: CVE-2015-8776
It was found that out-of-range time values passed to the strftime function may cause it to crash, leading to a denial of service, or potentially disclose information. (From OE-Core rev: b9bc001ee834e4f8f756a2eaf2671aac3324b0ee) References: Upstream bug: https://sourceware.org/bugzilla/show_bug.cgi?id=18985 CVE assignment: http://seclists.org/oss-sec/2016/q1/153 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8776 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2015-8776.patch160
-rw-r--r--meta/recipes-core/glibc/glibc_2.20.bb1
2 files changed, 161 insertions, 0 deletions
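--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
@@ -0,0 +1,160 @@
+From f3b898ce731a2925de4833ed5cfebfae09603d3e Mon Sep 17 00:00:00 2001
+From: Sona Sarmadi <sona.sarmadi@enea.com>
+Date: Wed, 3 Feb 2016 07:40:15 +0100
+Subject: [PATCH] From d36c75fc0d44deec29635dd239b0fbd206ca49b7 Mon Sep 17
+ 00:00:00 2001 From: Paul Pluzhnikov <ppluzhnikov@google.com> Date: Sat, 26
+ Sep 2015 13:27:48 -0700 Subject: [PATCH] Fix BZ #18985 -- out of range data
+ to strftime() causes a segfault
+
+Upstream-Status: Backport
+CVE: CVE-2015-8776
+[Yocto # 8980]
+
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d36c75fc0d44deec29635dd239b0fbd206ca49b7
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ ChangeLog | 9 +++++++++
+ time/strftime_l.c | 20 +++++++++++++-------
+ time/tst-strftime.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 3 files changed, 73 insertions(+), 8 deletions(-)
+
+diff --git a/ChangeLog b/ChangeLog
+index 93a4e61..ed4a5fa 100644
+--- a/ChangeLog
++++ b/ChangeLog
+@@ -1,3 +1,12 @@
++2015-09-26 Paul Pluzhnikov <ppluzhnikov@google.com>
++
++ [BZ #18985]
++ * time/strftime_l.c (a_wkday, f_wkday, a_month, f_month): Range check.
++ (__strftime_internal): Likewise.
++ * time/tst-strftime.c (do_bz18985): New test.
++ (do_test): Call it.
++
++
+ 2015-02-05 Paul Pluzhnikov <ppluzhnikov@google.com>
+
+ [BZ #16618] CVE-2015-1472
+diff --git a/time/strftime_l.c b/time/strftime_l.c
+index a7e3283..40d608c 100644
+--- a/time/strftime_l.c
++++ b/time/strftime_l.c
+@@ -514,13 +514,17 @@ __strftime_internal (s, maxsize, format, tp, tzset_called ut_argument
+ only a few elements. Dereference the pointers only if the format
+ requires this. Then it is ok to fail if the pointers are invalid. */
+ # define a_wkday \
+- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday))
++ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \
++ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday)))
+ # define f_wkday \
+- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday))
++ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \
++ ? "?" : _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday)))
+ # define a_month \
+- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon))
++ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \
++ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon)))
+ # define f_month \
+- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon))
++ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \
++ ? "?" : _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon)))
+ # define ampm \
+ ((const CHAR_T *) _NL_CURRENT (LC_TIME, tp->tm_hour > 11 \
+ ? NLW(PM_STR) : NLW(AM_STR)))
+@@ -530,8 +534,10 @@ __strftime_internal (s, maxsize, format, tp, tzset_called ut_argument
+ # define ap_len STRLEN (ampm)
+ #else
+ # if !HAVE_STRFTIME
+-# define f_wkday (weekday_name[tp->tm_wday])
+-# define f_month (month_name[tp->tm_mon])
++# define f_wkday (tp->tm_wday < 0 || tp->tm_wday > 6 \
++ ? "?" : weekday_name[tp->tm_wday])
++# define f_month (tp->tm_mon < 0 || tp->tm_mon > 11 \
++ ? "?" : month_name[tp->tm_mon])
+ # define a_wkday f_wkday
+ # define a_month f_month
+ # define ampm (L_("AMPM") + 2 * (tp->tm_hour > 11))
+@@ -1325,7 +1331,7 @@ __strftime_internal (s, maxsize, format, tp, tzset_called ut_argument
+ *tzset_called = true;
+ }
+ # endif
+- zone = tzname[tp->tm_isdst];
++ zone = tp->tm_isdst <= 1 ? tzname[tp->tm_isdst] : "?";
+ }
+ #endif
+ if (! zone)
+diff --git a/time/tst-strftime.c b/time/tst-strftime.c
+index 374fba4..af3ff72 100644
+--- a/time/tst-strftime.c
++++ b/time/tst-strftime.c
+@@ -4,6 +4,56 @@
+ #include <time.h>
+
+
++static int
++do_bz18985 (void)
++{
++ char buf[1000];
++ struct tm ttm;
++ int rc, ret = 0;
++
++ memset (&ttm, 1, sizeof (ttm));
++ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */
++ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
++
++ if (rc == 66)
++ {
++ const char expected[]
++ = "? ? ? ? ? ? 16843009 16843009:16843009:16843009 16844909 +467836 ?";
++ if (0 != strcmp (buf, expected))
++ {
++ printf ("expected:\n %s\ngot:\n %s\n", expected, buf);
++ ret += 1;
++ }
++ }
++ else
++ {
++ printf ("expected 66, got %d\n", rc);
++ ret += 1;
++ }
++
++ /* Check negative values as well. */
++ memset (&ttm, 0xFF, sizeof (ttm));
++ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */
++ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
++
++ if (rc == 30)
++ {
++ const char expected[] = "? ? ? ? ? ? -1 -1:-1:-1 1899 ";
++ if (0 != strcmp (buf, expected))
++ {
++ printf ("expected:\n %s\ngot:\n %s\n", expected, buf);
++ ret += 1;
++ }
++ }
++ else
++ {
++ printf ("expected 30, got %d\n", rc);
++ ret += 1;
++ }
++
++ return ret;
++}
++
+ static struct
+ {
+ const char *fmt;
+@@ -104,7 +154,7 @@ do_test (void)
+ }
+ }
+
+- return result;
++ return result + do_bz18985 ();
+ }
+
+ #define TEST_FUNCTION do_test ()
+--
+1.9.1
+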
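Review bot: The range-check fallback in the time/strftime_l.c macros (`a_wkday`, `f_wkday`, `a_month`, `f_month`) is the narrow literal `"?"` cast to `const CHAR_T *`, whereas the neighbouring `ampm` fallback is written `L_("AMPM")`. If this file is also compiled with a wide `CHAR_T`, which the `L_()`/`NLW()` wrappers suggest but the hunk does not show, the fallback would be read as wide characters beyond the literal's two bytes; an `L_("?")` literal, cast as needed, would keep it in the same character type, and the new test covers only the narrow `strftime` path. Separately, `zone = tp->tm_isdst <= 1 ? tzname[tp->tm_isdst] : "?";` checks only the upper bound: the lower bound presumably comes from an enclosing condition outside the hunk (the 0xFF case appears to expect an empty `%Z`), so a comment such as `/* tm_isdst >= 0 is checked by the enclosing if */` would make that dependency visible. Because this is a backport, both points are best raised upstream rather than changed locally.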
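--- a/meta/recipes-core/glibc/glibc_2.20.bb
+++ b/meta/recipes-core/glibc/glibc_2.20.bb
@@ -51,6 +51,7 @@ CVEPATCHES = "\
  file://CVE-2015-1472-wscanf-allocates-too-little-memory.patch \
  file://CVE-2014-9761_1.patch \
  file://CVE-2014-9761_2.patch \
+ file://CVE-2015-8776.patch \
  "
 LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
  file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \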