summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-02-28 18:53:35 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-03-21 15:48:47 (GMT)
commitc282df8993828bd7b1d50cfcf637a477eaf481a1 (patch)
tree27857cfeb3a0855e07a5e96d9c4e4414128b51ce
parent204ad23574e0958af110c180858198c502292566 (diff)
downloadpoky-c282df8993828bd7b1d50cfcf637a477eaf481a1.tar.gz
glibc: CVE-2015-8776
it was found that out-of-range time values passed to the strftime function may cause it to crash, leading to a denial of service, or potentially disclosure information. (From OE-Core rev: b9bc001ee834e4f8f756a2eaf2671aac3324b0ee) (From OE-Core rev: c50e30cb078ca0ad6f76241f0b0a5557cc17e3c0) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2015-8776.patch155
-rw-r--r--meta/recipes-core/glibc/glibc_2.20.bb1
2 files changed, 156 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
new file mode 100644
index 0000000..684f344
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
@@ -0,0 +1,155 @@
1From d36c75fc0d44deec29635dd239b0fbd206ca49b7 Mon Sep 17 00:00:00 2001
2From: Paul Pluzhnikov <ppluzhnikov@google.com>
3Date: Sat, 26 Sep 2015 13:27:48 -0700
4Subject: [PATCH] Fix BZ #18985 -- out of range data to strftime() causes a
5 segfault
6
7Upstream-Status: Backport
8CVE: CVE-2015-8776
9[Yocto # 8980]
10
11https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d36c75fc0d44deec29635dd239b0fbd206ca49b7
12
13Signed-off-by: Armin Kuster <akuster@mvista.com>
14
15---
16 ChangeLog | 8 ++++++++
17 NEWS | 2 +-
18 time/strftime_l.c | 20 +++++++++++++-------
19 time/tst-strftime.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
20 4 files changed, 73 insertions(+), 9 deletions(-)
21
22Index: git/ChangeLog
23===================================================================
24--- git.orig/ChangeLog
25+++ git/ChangeLog
26@@ -1,3 +1,11 @@
27+2015-09-26 Paul Pluzhnikov <ppluzhnikov@google.com>
28+
29+ [BZ #18985]
30+ * time/strftime_l.c (a_wkday, f_wkday, a_month, f_month): Range check.
31+ (__strftime_internal): Likewise.
32+ * time/tst-strftime.c (do_bz18985): New test.
33+ (do_test): Call it.
34+
35 2015-12-04 Joseph Myers <joseph@codesourcery.com>
36
37 [BZ #16961]
38Index: git/time/strftime_l.c
39===================================================================
40--- git.orig/time/strftime_l.c
41+++ git/time/strftime_l.c
42@@ -514,13 +514,17 @@ __strftime_internal (s, maxsize, format,
43 only a few elements. Dereference the pointers only if the format
44 requires this. Then it is ok to fail if the pointers are invalid. */
45 # define a_wkday \
46- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday))
47+ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \
48+ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday)))
49 # define f_wkday \
50- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday))
51+ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \
52+ ? "?" : _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday)))
53 # define a_month \
54- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon))
55+ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \
56+ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon)))
57 # define f_month \
58- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon))
59+ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \
60+ ? "?" : _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon)))
61 # define ampm \
62 ((const CHAR_T *) _NL_CURRENT (LC_TIME, tp->tm_hour > 11 \
63 ? NLW(PM_STR) : NLW(AM_STR)))
64@@ -530,8 +534,10 @@ __strftime_internal (s, maxsize, format,
65 # define ap_len STRLEN (ampm)
66 #else
67 # if !HAVE_STRFTIME
68-# define f_wkday (weekday_name[tp->tm_wday])
69-# define f_month (month_name[tp->tm_mon])
70+# define f_wkday (tp->tm_wday < 0 || tp->tm_wday > 6 \
71+ ? "?" : weekday_name[tp->tm_wday])
72+# define f_month (tp->tm_mon < 0 || tp->tm_mon > 11 \
73+ ? "?" : month_name[tp->tm_mon])
74 # define a_wkday f_wkday
75 # define a_month f_month
76 # define ampm (L_("AMPM") + 2 * (tp->tm_hour > 11))
77@@ -1325,7 +1331,7 @@ __strftime_internal (s, maxsize, format,
78 *tzset_called = true;
79 }
80 # endif
81- zone = tzname[tp->tm_isdst];
82+ zone = tp->tm_isdst <= 1 ? tzname[tp->tm_isdst] : "?";
83 }
84 #endif
85 if (! zone)
86Index: git/time/tst-strftime.c
87===================================================================
88--- git.orig/time/tst-strftime.c
89+++ git/time/tst-strftime.c
90@@ -4,6 +4,56 @@
91 #include <time.h>
92
93
94+static int
95+do_bz18985 (void)
96+{
97+ char buf[1000];
98+ struct tm ttm;
99+ int rc, ret = 0;
100+
101+ memset (&ttm, 1, sizeof (ttm));
102+ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */
103+ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
104+
105+ if (rc == 66)
106+ {
107+ const char expected[]
108+ = "? ? ? ? ? ? 16843009 16843009:16843009:16843009 16844909 +467836 ?";
109+ if (0 != strcmp (buf, expected))
110+ {
111+ printf ("expected:\n %s\ngot:\n %s\n", expected, buf);
112+ ret += 1;
113+ }
114+ }
115+ else
116+ {
117+ printf ("expected 66, got %d\n", rc);
118+ ret += 1;
119+ }
120+
121+ /* Check negative values as well. */
122+ memset (&ttm, 0xFF, sizeof (ttm));
123+ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */
124+ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
125+
126+ if (rc == 30)
127+ {
128+ const char expected[] = "? ? ? ? ? ? -1 -1:-1:-1 1899 ";
129+ if (0 != strcmp (buf, expected))
130+ {
131+ printf ("expected:\n %s\ngot:\n %s\n", expected, buf);
132+ ret += 1;
133+ }
134+ }
135+ else
136+ {
137+ printf ("expected 30, got %d\n", rc);
138+ ret += 1;
139+ }
140+
141+ return ret;
142+}
143+
144 static struct
145 {
146 const char *fmt;
147@@ -104,7 +154,7 @@ do_test (void)
148 }
149 }
150
151- return result;
152+ return result + do_bz18985 ();
153 }
154
155 #define TEST_FUNCTION do_test ()
diff --git a/meta/recipes-core/glibc/glibc_2.20.bb b/meta/recipes-core/glibc/glibc_2.20.bb
index d099d5d..8aaf94e 100644
--- a/meta/recipes-core/glibc/glibc_2.20.bb
+++ b/meta/recipes-core/glibc/glibc_2.20.bb
@@ -52,6 +52,7 @@ CVEPATCHES = "\
52 file://CVE-2015-8779.patch \ 52 file://CVE-2015-8779.patch \
53 file://CVE-2015-9761_1.patch \ 53 file://CVE-2015-9761_1.patch \
54 file://CVE-2015-9761_2.patch \ 54 file://CVE-2015-9761_2.patch \
55 file://CVE-2015-8776.patch \
55" 56"
56 57
57LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \ 58LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \