diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-02-03 11:59:15 +0100 |
---|---|---|
committer | Tudor Florea <tudor.florea@enea.com> | 2016-02-03 22:21:50 +0100 |
commit | a3b82f660c689b3310f1c1d9197cfd7494cc8e5e (patch) | |
tree | 5e88567a78193915f5350803b971950f54edfe05 /meta/recipes-core/glibc | |
parent | a0b44f4563515377fa4944d220f7e0f948729872 (diff) | |
download | poky-a3b82f660c689b3310f1c1d9197cfd7494cc8e5e.tar.gz |
glibc: CVE-2015-8776
It was found that out-of-range time values passed to the strftime function may
cause it to crash, leading to a denial of service, or potentially disclosure
information.
(From OE-Core rev: b9bc001ee834e4f8f756a2eaf2671aac3324b0ee)
References:
Upstream bug: https://sourceware.org/bugzilla/show_bug.cgi?id=18985
CVE assignment: http://seclists.org/oss-sec/2016/q1/153
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8776
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>
Diffstat (limited to 'meta/recipes-core/glibc')
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2015-8776.patch | 160 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc_2.20.bb | 1 |
2 files changed, 161 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch new file mode 100644 index 0000000000..601176a991 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch | |||
@@ -0,0 +1,160 @@ | |||
1 | From f3b898ce731a2925de4833ed5cfebfae09603d3e Mon Sep 17 00:00:00 2001 | ||
2 | From: Sona Sarmadi <sona.sarmadi@enea.com> | ||
3 | Date: Wed, 3 Feb 2016 07:40:15 +0100 | ||
4 | Subject: [PATCH] From d36c75fc0d44deec29635dd239b0fbd206ca49b7 Mon Sep 17 | ||
5 | 00:00:00 2001 From: Paul Pluzhnikov <ppluzhnikov@google.com> Date: Sat, 26 | ||
6 | Sep 2015 13:27:48 -0700 Subject: [PATCH] Fix BZ #18985 -- out of range data | ||
7 | to strftime() causes a segfault | ||
8 | |||
9 | Upstream-Status: Backport | ||
10 | CVE: CVE-2015-8776 | ||
11 | [Yocto # 8980] | ||
12 | |||
13 | https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d36c75fc0d44deec29635dd239b0fbd206ca49b7 | ||
14 | |||
15 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
16 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
17 | --- | ||
18 | ChangeLog | 9 +++++++++ | ||
19 | time/strftime_l.c | 20 +++++++++++++------- | ||
20 | time/tst-strftime.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++- | ||
21 | 3 files changed, 73 insertions(+), 8 deletions(-) | ||
22 | |||
23 | diff --git a/ChangeLog b/ChangeLog | ||
24 | index 93a4e61..ed4a5fa 100644 | ||
25 | --- a/ChangeLog | ||
26 | +++ b/ChangeLog | ||
27 | @@ -1,3 +1,12 @@ | ||
28 | +2015-09-26 Paul Pluzhnikov <ppluzhnikov@google.com> | ||
29 | + | ||
30 | + [BZ #18985] | ||
31 | + * time/strftime_l.c (a_wkday, f_wkday, a_month, f_month): Range check. | ||
32 | + (__strftime_internal): Likewise. | ||
33 | + * time/tst-strftime.c (do_bz18985): New test. | ||
34 | + (do_test): Call it. | ||
35 | + | ||
36 | + | ||
37 | 2015-02-05 Paul Pluzhnikov <ppluzhnikov@google.com> | ||
38 | |||
39 | [BZ #16618] CVE-2015-1472 | ||
40 | diff --git a/time/strftime_l.c b/time/strftime_l.c | ||
41 | index a7e3283..40d608c 100644 | ||
42 | --- a/time/strftime_l.c | ||
43 | +++ b/time/strftime_l.c | ||
44 | @@ -514,13 +514,17 @@ __strftime_internal (s, maxsize, format, tp, tzset_called ut_argument | ||
45 | only a few elements. Dereference the pointers only if the format | ||
46 | requires this. Then it is ok to fail if the pointers are invalid. */ | ||
47 | # define a_wkday \ | ||
48 | - ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday)) | ||
49 | + ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \ | ||
50 | + ? "?" : _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday))) | ||
51 | # define f_wkday \ | ||
52 | - ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday)) | ||
53 | + ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \ | ||
54 | + ? "?" : _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday))) | ||
55 | # define a_month \ | ||
56 | - ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon)) | ||
57 | + ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \ | ||
58 | + ? "?" : _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon))) | ||
59 | # define f_month \ | ||
60 | - ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon)) | ||
61 | + ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \ | ||
62 | + ? "?" : _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon))) | ||
63 | # define ampm \ | ||
64 | ((const CHAR_T *) _NL_CURRENT (LC_TIME, tp->tm_hour > 11 \ | ||
65 | ? NLW(PM_STR) : NLW(AM_STR))) | ||
66 | @@ -530,8 +534,10 @@ __strftime_internal (s, maxsize, format, tp, tzset_called ut_argument | ||
67 | # define ap_len STRLEN (ampm) | ||
68 | #else | ||
69 | # if !HAVE_STRFTIME | ||
70 | -# define f_wkday (weekday_name[tp->tm_wday]) | ||
71 | -# define f_month (month_name[tp->tm_mon]) | ||
72 | +# define f_wkday (tp->tm_wday < 0 || tp->tm_wday > 6 \ | ||
73 | + ? "?" : weekday_name[tp->tm_wday]) | ||
74 | +# define f_month (tp->tm_mon < 0 || tp->tm_mon > 11 \ | ||
75 | + ? "?" : month_name[tp->tm_mon]) | ||
76 | # define a_wkday f_wkday | ||
77 | # define a_month f_month | ||
78 | # define ampm (L_("AMPM") + 2 * (tp->tm_hour > 11)) | ||
79 | @@ -1325,7 +1331,7 @@ __strftime_internal (s, maxsize, format, tp, tzset_called ut_argument | ||
80 | *tzset_called = true; | ||
81 | } | ||
82 | # endif | ||
83 | - zone = tzname[tp->tm_isdst]; | ||
84 | + zone = tp->tm_isdst <= 1 ? tzname[tp->tm_isdst] : "?"; | ||
85 | } | ||
86 | #endif | ||
87 | if (! zone) | ||
88 | diff --git a/time/tst-strftime.c b/time/tst-strftime.c | ||
89 | index 374fba4..af3ff72 100644 | ||
90 | --- a/time/tst-strftime.c | ||
91 | +++ b/time/tst-strftime.c | ||
92 | @@ -4,6 +4,56 @@ | ||
93 | #include <time.h> | ||
94 | |||
95 | |||
96 | +static int | ||
97 | +do_bz18985 (void) | ||
98 | +{ | ||
99 | + char buf[1000]; | ||
100 | + struct tm ttm; | ||
101 | + int rc, ret = 0; | ||
102 | + | ||
103 | + memset (&ttm, 1, sizeof (ttm)); | ||
104 | + ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */ | ||
105 | + rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm); | ||
106 | + | ||
107 | + if (rc == 66) | ||
108 | + { | ||
109 | + const char expected[] | ||
110 | + = "? ? ? ? ? ? 16843009 16843009:16843009:16843009 16844909 +467836 ?"; | ||
111 | + if (0 != strcmp (buf, expected)) | ||
112 | + { | ||
113 | + printf ("expected:\n %s\ngot:\n %s\n", expected, buf); | ||
114 | + ret += 1; | ||
115 | + } | ||
116 | + } | ||
117 | + else | ||
118 | + { | ||
119 | + printf ("expected 66, got %d\n", rc); | ||
120 | + ret += 1; | ||
121 | + } | ||
122 | + | ||
123 | + /* Check negative values as well. */ | ||
124 | + memset (&ttm, 0xFF, sizeof (ttm)); | ||
125 | + ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */ | ||
126 | + rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm); | ||
127 | + | ||
128 | + if (rc == 30) | ||
129 | + { | ||
130 | + const char expected[] = "? ? ? ? ? ? -1 -1:-1:-1 1899 "; | ||
131 | + if (0 != strcmp (buf, expected)) | ||
132 | + { | ||
133 | + printf ("expected:\n %s\ngot:\n %s\n", expected, buf); | ||
134 | + ret += 1; | ||
135 | + } | ||
136 | + } | ||
137 | + else | ||
138 | + { | ||
139 | + printf ("expected 30, got %d\n", rc); | ||
140 | + ret += 1; | ||
141 | + } | ||
142 | + | ||
143 | + return ret; | ||
144 | +} | ||
145 | + | ||
146 | static struct | ||
147 | { | ||
148 | const char *fmt; | ||
149 | @@ -104,7 +154,7 @@ do_test (void) | ||
150 | } | ||
151 | } | ||
152 | |||
153 | - return result; | ||
154 | + return result + do_bz18985 (); | ||
155 | } | ||
156 | |||
157 | #define TEST_FUNCTION do_test () | ||
158 | -- | ||
159 | 1.9.1 | ||
160 | |||
diff --git a/meta/recipes-core/glibc/glibc_2.20.bb b/meta/recipes-core/glibc/glibc_2.20.bb index 6544b522df..4b0e927bfa 100644 --- a/meta/recipes-core/glibc/glibc_2.20.bb +++ b/meta/recipes-core/glibc/glibc_2.20.bb | |||
@@ -51,6 +51,7 @@ CVEPATCHES = "\ | |||
51 | file://CVE-2015-1472-wscanf-allocates-too-little-memory.patch \ | 51 | file://CVE-2015-1472-wscanf-allocates-too-little-memory.patch \ |
52 | file://CVE-2014-9761_1.patch \ | 52 | file://CVE-2014-9761_1.patch \ |
53 | file://CVE-2014-9761_2.patch \ | 53 | file://CVE-2014-9761_2.patch \ |
54 | file://CVE-2015-8776.patch \ | ||
54 | " | 55 | " |
55 | LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \ | 56 | LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \ |
56 | file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ | 57 | file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ |