glibc: Fix CVE-2017-1000366

Add backported patches from the upstream release/2.24/master branch to fix CVE-2017-1000366. Also add a backported patch that resolves SSE related build problems introduced by these patches. (From OE-Core rev: 07e041138f0b037e7ddc75a33c7960668acdb8bb) Signed-off-by: George McCollister <george.mccollister@gmail.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: George McCollister <george.mccollister@gmail.com> 2017-11-21 14:01:21 -0600
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-12-09 14:34:35 +0000
commit: bc8d34a327c50cb2ced295aa1105300783de322c (patch)
tree: 9173e7fc6cf03a8843d565861f17e9dbf5054c38 /meta/recipes-core/glibc
parent: 02ab4bdbf71d0fc9383578aaee5ce641bad9bc81 (diff)
download: poky-bc8d34a327c50cb2ced295aa1105300783de322c.tar.gz
5 files changed, 513 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch b/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
new file mode 100644
index 0000000000..78e9ea9e65
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
@@ -0,0 +1,71 @@
+From 400f170750a4b2c94a2670ca44de166cc5dd6e3b Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 19 Jun 2017 18:33:26 +0200
+Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1
+ programs [BZ #21624]
+LD_LIBRARY_PATH can only be used to reorder system search paths, which
+is not useful functionality.
+This makes an exploitable unbounded alloca in _dl_init_paths unreachable
+for AT_SECURE=1 programs.
+(cherry picked from commit f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d)
+Upstream-Status: Backport
+https://sourceware.org/git/?p=glibc.git;a=commit;h=87bd4186da10371f46e2f1a7bf7c0a45bb04f1ac
+https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=stretch&id=2755c57269f24e9d59c22c49788f92515346c1bb
+CVE: CVE-2017-1000366
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+---
+ ChangeLog  | 7 +++++++
+ NEWS       | 1 +
+ elf/rtld.c | 3 ++-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+diff --git a/ChangeLog b/ChangeLog
+index 2bdaf69e43..7a999802dd 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,3 +1,10 @@
+2017-06-19  Florian Weimer  <fweimer@redhat.com>
+
+       [BZ #21624]
+       CVE-2017-1000366
+       * elf/rtld.c (process_envvars): Ignore LD_LIBRARY_PATH for
+       __libc_enable_secure.
+
+ 2016-12-31  Florian Weimer  <fweimer@redhat.com>
+ 
+        [BZ #18784]
+diff --git a/NEWS b/NEWS
+index 4b1ca3cb65..66b49dbbc0 100644
+--- a/NEWS
+++ b/NEWS
+@@ -17,6 +17,7 @@ using `glibc' in the "product" field.
+   question type which is outside the range of valid question type values.
+   (CVE-2015-5180)
+ 
+  [21624] Unsafe alloca allows local attackers to alias stack and heap (CVE-2017-1000366)
+ Version 2.24
+ 
+ * The minimum Linux kernel version that this version of the GNU C Library
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 647661ca45..215a9aec8f 100644
+--- a/elf/rtld.c
+++ b/elf/rtld.c
+@@ -2437,7 +2437,8 @@ process_envvars (enum mode *modep)
+ 
+        case 12:
+          /* The library search path.  */
+-         if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
+         if (!__libc_enable_secure
+             && memcmp (envline, "LIBRARY_PATH", 12) == 0)
+            {
+              library_path = &envline[13];
+              break;
+-- 
+2.15.0
diff --git a/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch b/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
new file mode 100644
index 0000000000..7f81ed1566
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
@@ -0,0 +1,145 @@
+From 6d49272e6d6741496e3456f2cc22ebc2b9f7f989 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 19 Jun 2017 22:31:04 +0200
+Subject: [PATCH] ld.so: Reject overly long LD_PRELOAD path elements
+(cherry picked from commit 6d0ba622891bed9d8394eef1935add53003b12e8)
+Upstream-Status: Backport
+https://sourceware.org/git/?p=glibc.git;a=commit;h=aab04ca5d359150e17631e6a9b44b65e93bdc467
+https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=stretch&id=2755c57269f24e9d59c22c49788f92515346c1bb
+CVE: CVE-2017-1000366
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+---
+ ChangeLog  |  7 ++++++
+ elf/rtld.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++------------
+ 2 files changed, 73 insertions(+), 16 deletions(-)
+diff --git a/ChangeLog b/ChangeLog
+index 7a999802dd..ea5ecd4a1e 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,3 +1,10 @@
+2017-06-19  Florian Weimer  <fweimer@redhat.com>
+
+       * elf/rtld.c (SECURE_NAME_LIMIT, SECURE_PATH_LIMIT): Define.
+       (dso_name_valid_for_suid): New function.
+       (handle_ld_preload): Likewise.
+       (dl_main): Call it.  Remove alloca.
+
+ 2017-06-19  Florian Weimer  <fweimer@redhat.com>
+ 
+        [BZ #21624]
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 215a9aec8f..1d8eab9fe2 100644
+--- a/elf/rtld.c
+++ b/elf/rtld.c
+@@ -99,6 +99,35 @@ uintptr_t __pointer_chk_guard_local
+ strong_alias (__pointer_chk_guard_local, __pointer_chk_guard)
+ #endif
+ 
+/* Length limits for names and paths, to protect the dynamic linker,
+   particularly when __libc_enable_secure is active.  */
+#ifdef NAME_MAX
+# define SECURE_NAME_LIMIT NAME_MAX
+#else
+# define SECURE_NAME_LIMIT 255
+#endif
+#ifdef PATH_MAX
+# define SECURE_PATH_LIMIT PATH_MAX
+#else
+# define SECURE_PATH_LIMIT 1024
+#endif
+
+/* Check that AT_SECURE=0, or that the passed name does not contain
+   directories and is not overly long.  Reject empty names
+   unconditionally.  */
+static bool
+dso_name_valid_for_suid (const char *p)
+{
+  if (__glibc_unlikely (__libc_enable_secure))
+    {
+      /* Ignore pathnames with directories for AT_SECURE=1
+        programs, and also skip overlong names.  */
+      size_t len = strlen (p);
+      if (len >= SECURE_NAME_LIMIT || memchr (p, '/', len) != NULL)
+       return false;
+    }
+  return *p != '\0';
+}
+ 
+ /* List of auditing DSOs.  */
+ static struct audit_list
+@@ -730,6 +759,42 @@ static const char *preloadlist attribute_relro;
+ /* Nonzero if information about versions has to be printed.  */
+ static int version_info attribute_relro;
+ 
+/* The LD_PRELOAD environment variable gives list of libraries
+   separated by white space or colons that are loaded before the
+   executable's dependencies and prepended to the global scope list.
+   (If the binary is running setuid all elements containing a '/' are
+   ignored since it is insecure.)  Return the number of preloads
+   performed.  */
+unsigned int
+handle_ld_preload (const char *preloadlist, struct link_map *main_map)
+{
+  unsigned int npreloads = 0;
+  const char *p = preloadlist;
+  char fname[SECURE_PATH_LIMIT];
+
+  while (*p != '\0')
+    {
+      /* Split preload list at space/colon.  */
+      size_t len = strcspn (p, " :");
+      if (len > 0 && len < sizeof (fname))
+       {
+         memcpy (fname, p, len);
+         fname[len] = '\0';
+       }
+      else
+       fname[0] = '\0';
+
+      /* Skip over the substring and the following delimiter.  */
+      p += len;
+      if (*p != '\0')
+       ++p;
+
+      if (dso_name_valid_for_suid (fname))
+       npreloads += do_preload (fname, main_map, "LD_PRELOAD");
+    }
+  return npreloads;
+}
+
+ static void
+ dl_main (const ElfW(Phdr) *phdr,
+         ElfW(Word) phnum,
+@@ -1481,23 +1546,8 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+ 
+   if (__glibc_unlikely (preloadlist != NULL))
+     {
+-      /* The LD_PRELOAD environment variable gives list of libraries
+-        separated by white space or colons that are loaded before the
+-        executable's dependencies and prepended to the global scope
+-        list.  If the binary is running setuid all elements
+-        containing a '/' are ignored since it is insecure.  */
+-      char *list = strdupa (preloadlist);
+-      char *p;
+-
+       HP_TIMING_NOW (start);
+-
+-      /* Prevent optimizing strsep.  Speed is not important here.  */
+-      while ((p = (strsep) (&list, " :")) != NULL)
+-       if (p[0] != '\0'
+-           && (__builtin_expect (! __libc_enable_secure, 1)
+-               || strchr (p, '/') == NULL))
+-         npreloads += do_preload (p, main_map, "LD_PRELOAD");
+-
+      npreloads += handle_ld_preload (preloadlist, main_map);
+       HP_TIMING_NOW (stop);
+       HP_TIMING_DIFF (diff, start, stop);
+       HP_TIMING_ACCUM_NT (load_time, diff);
+-- 
+2.15.0
diff --git a/meta/recipes-core/glibc/glibc/0003-ld.so-Reject-overly-long-LD_AUDIT-path-elements.patch b/meta/recipes-core/glibc/glibc/0003-ld.so-Reject-overly-long-LD_AUDIT-path-elements.patch
new file mode 100644
index 0000000000..b52b8a1fa7
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0003-ld.so-Reject-overly-long-LD_AUDIT-path-elements.patch
@@ -0,0 +1,231 @@
+From c0b25407def32718147530da72959a034cd1318d Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 19 Jun 2017 22:32:12 +0200
+Subject: [PATCH] ld.so: Reject overly long LD_AUDIT path elements
+Also only process the last LD_AUDIT entry.
+(cherry picked from commit 81b82fb966ffbd94353f793ad17116c6088dedd9)
+Upstream-Status: Backport
+https://sourceware.org/git/?p=glibc.git;a=commit;h=2febff860b31df3666bef5ade0d0744c93f76a74
+https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=stretch&id=2755c57269f24e9d59c22c49788f92515346c1bb
+CVE: CVE-2017-1000366
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+---
+ ChangeLog  |  11 +++++++
+ elf/rtld.c | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++---------
+ 2 files changed, 106 insertions(+), 15 deletions(-)
+diff --git a/ChangeLog b/ChangeLog
+index ea5ecd4a1e..638cb632b1 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,3 +1,14 @@
+2017-06-19  Florian Weimer  <fweimer@redhat.com>
+
+       * elf/rtld.c (audit_list_string): New variable.
+       (audit_list): Update comment.
+       (struct audit_list_iter): Define.
+       (audit_list_iter_init, audit_list_iter_next): New function.
+       (dl_main): Use struct audit_list_iter to process audit modules.
+       (process_dl_audit): Call dso_name_valid_for_suid.
+       (process_envvars): Set audit_list_string instead of calling
+       process_dl_audit.
+
+ 2017-06-19  Florian Weimer  <fweimer@redhat.com>
+ 
+        * elf/rtld.c (SECURE_NAME_LIMIT, SECURE_PATH_LIMIT): Define.
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 1d8eab9fe2..302bb63620 100644
+--- a/elf/rtld.c
+++ b/elf/rtld.c
+@@ -129,13 +129,91 @@ dso_name_valid_for_suid (const char *p)
+   return *p != '\0';
+ }
+ 
+-/* List of auditing DSOs.  */
+/* LD_AUDIT variable contents.  Must be processed before the
+   audit_list below.  */
+const char *audit_list_string;
+
+/* Cyclic list of auditing DSOs.  audit_list->next is the first
+   element.  */
+ static struct audit_list
+ {
+   const char *name;
+   struct audit_list *next;
+ } *audit_list;
+ 
+/* Iterator for audit_list_string followed by audit_list.  */
+struct audit_list_iter
+{
+  /* Tail of audit_list_string still needing processing, or NULL.  */
+  const char *audit_list_tail;
+
+  /* The list element returned in the previous iteration.  NULL before
+     the first element.  */
+  struct audit_list *previous;
+
+  /* Scratch buffer for returning a name which is part of
+     audit_list_string.  */
+  char fname[SECURE_NAME_LIMIT];
+};
+
+/* Initialize an audit list iterator.  */
+static void
+audit_list_iter_init (struct audit_list_iter *iter)
+{
+  iter->audit_list_tail = audit_list_string;
+  iter->previous = NULL;
+}
+
+/* Iterate through both audit_list_string and audit_list.  */
+static const char *
+audit_list_iter_next (struct audit_list_iter *iter)
+{
+  if (iter->audit_list_tail != NULL)
+    {
+      /* First iterate over audit_list_string.  */
+      while (*iter->audit_list_tail != '\0')
+       {
+         /* Split audit list at colon.  */
+         size_t len = strcspn (iter->audit_list_tail, ":");
+         if (len > 0 && len < sizeof (iter->fname))
+           {
+             memcpy (iter->fname, iter->audit_list_tail, len);
+             iter->fname[len] = '\0';
+           }
+         else
+           /* Do not return this name to the caller.  */
+           iter->fname[0] = '\0';
+
+         /* Skip over the substring and the following delimiter.  */
+         iter->audit_list_tail += len;
+         if (*iter->audit_list_tail == ':')
+           ++iter->audit_list_tail;
+
+         /* If the name is valid, return it.  */
+         if (dso_name_valid_for_suid (iter->fname))
+           return iter->fname;
+         /* Otherwise, wrap around and try the next name.  */
+       }
+      /* Fall through to the procesing of audit_list.  */
+    }
+
+  if (iter->previous == NULL)
+    {
+      if (audit_list == NULL)
+       /* No pre-parsed audit list.  */
+       return NULL;
+      /* Start of audit list.  The first list element is at
+        audit_list->next (cyclic list).  */
+      iter->previous = audit_list->next;
+      return iter->previous->name;
+    }
+  if (iter->previous == audit_list)
+    /* Cyclic list wrap-around.  */
+    return NULL;
+  iter->previous = iter->previous->next;
+  return iter->previous->name;
+}
+
+ #ifndef HAVE_INLINED_SYSCALLS
+ /* Set nonzero during loading and initialization of executable and
+    libraries, cleared before the executable's entry point runs.  This
+@@ -1322,11 +1400,13 @@ of this helper program; chances are you did not intend to run this program.\n\
+     GL(dl_rtld_map).l_tls_modid = _dl_next_tls_modid ();
+ 
+   /* If we have auditing DSOs to load, do it now.  */
+-  if (__glibc_unlikely (audit_list != NULL))
+  bool need_security_init = true;
+  if (__glibc_unlikely (audit_list != NULL)
+      || __glibc_unlikely (audit_list_string != NULL))
+     {
+-      /* Iterate over all entries in the list.  The order is important.  */
+       struct audit_ifaces *last_audit = NULL;
+-      struct audit_list *al = audit_list->next;
+      struct audit_list_iter al_iter;
+      audit_list_iter_init (&al_iter);
+ 
+       /* Since we start using the auditing DSOs right away we need to
+         initialize the data structures now.  */
+@@ -1337,9 +1417,14 @@ of this helper program; chances are you did not intend to run this program.\n\
+         use different values (especially the pointer guard) and will
+         fail later on.  */
+       security_init ();
+      need_security_init = false;
+ 
+-      do
+      while (true)
+        {
+         const char *name = audit_list_iter_next (&al_iter);
+         if (name == NULL)
+           break;
+
+          int tls_idx = GL(dl_tls_max_dtv_idx);
+ 
+          /* Now it is time to determine the layout of the static TLS
+@@ -1348,7 +1433,7 @@ of this helper program; chances are you did not intend to run this program.\n\
+             no DF_STATIC_TLS bit is set.  The reason is that we know
+             glibc will use the static model.  */
+          struct dlmopen_args dlmargs;
+-         dlmargs.fname = al->name;
+         dlmargs.fname = name;
+          dlmargs.map = NULL;
+ 
+          const char *objname;
+@@ -1361,7 +1446,7 @@ of this helper program; chances are you did not intend to run this program.\n\
+            not_loaded:
+              _dl_error_printf ("\
+ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+-                               al->name, err_str);
+                               name, err_str);
+              if (malloced)
+                free ((char *) err_str);
+            }
+@@ -1465,10 +1550,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+                  goto not_loaded;
+                }
+            }
+-
+-         al = al->next;
+        }
+-      while (al != audit_list->next);
+ 
+       /* If we have any auditing modules, announce that we already
+         have two objects loaded.  */
+@@ -1732,7 +1814,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+   if (tcbp == NULL)
+     tcbp = init_tls ();
+ 
+-  if (__glibc_likely (audit_list == NULL))
+  if (__glibc_likely (need_security_init))
+     /* Initialize security features.  But only if we have not done it
+        earlier.  */
+     security_init ();
+@@ -2363,9 +2445,7 @@ process_dl_audit (char *str)
+   char *p;
+ 
+   while ((p = (strsep) (&str, ":")) != NULL)
+-    if (p[0] != '\0'
+-       && (__builtin_expect (! __libc_enable_secure, 1)
+-           || strchr (p, '/') == NULL))
+    if (dso_name_valid_for_suid (p))
+       {
+        /* This is using the local malloc, not the system malloc.  The
+           memory can never be freed.  */
+@@ -2429,7 +2509,7 @@ process_envvars (enum mode *modep)
+              break;
+            }
+          if (memcmp (envline, "AUDIT", 5) == 0)
+-           process_dl_audit (&envline[6]);
+           audit_list_string = &envline[6];
+          break;
+ 
+        case 7:
+-- 
+2.15.0
diff --git a/meta/recipes-core/glibc/glibc/0004-i686-Add-missing-IS_IN-libc-guards-to-vectorized-str.patch b/meta/recipes-core/glibc/glibc/0004-i686-Add-missing-IS_IN-libc-guards-to-vectorized-str.patch
new file mode 100644
index 0000000000..43c4398fec
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0004-i686-Add-missing-IS_IN-libc-guards-to-vectorized-str.patch
@@ -0,0 +1,62 @@
+From 203835b3bf6f1edfe1ebe4a7fa15dc085e6dc8f7 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Wed, 14 Jun 2017 08:11:22 +0200
+Subject: [PATCH] i686: Add missing IS_IN (libc) guards to vectorized strcspn
+Since commit d957c4d3fa48d685ff2726c605c988127ef99395 (i386: Compile
+rtld-*.os with -mno-sse -mno-mmx -mfpmath=387), vector intrinsics can
+no longer be used in ld.so, even if the compiled code never makes it
+into the final ld.so link.  This commit adds the missing IS_IN (libc)
+guard to the SSE 4.2 strcspn implementation, so that it can be used from
+ld.so in the future.
+(cherry picked from commit 69052a3a95da37169a08f9e59b2cc1808312753c)
+Upstream-Status: Backport
+https://sourceware.org/git/?p=glibc.git;a=commit;h=86ac4a78a9218d1e1dcfbacc6f7d09957c1fe3a4
+Required to build fixes for CVE-2017-1000366.
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+---
+ ChangeLog                               | 5 +++++
+ sysdeps/i386/i686/multiarch/strcspn-c.c | 6 ++++--
+ sysdeps/i386/i686/multiarch/varshift.c  | 4 +++-
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+diff --git a/ChangeLog b/ChangeLog
+index 638cb632b1..3f89a2cdb2 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,3 +1,8 @@
+2017-06-14  Florian Weimer  <fweimer@redhat.com>
+
+       * sysdeps/i386/i686/multiarch/strcspn-c.c: Add IS_IN (libc) guard.
+       * sysdeps/i386/i686/multiarch/varshift.c: Likewise.
+
+ 2017-06-19  Florian Weimer  <fweimer@redhat.com>
+ 
+        * elf/rtld.c (audit_list_string): New variable.
+diff --git a/sysdeps/i386/i686/multiarch/strcspn-c.c b/sysdeps/i386/i686/multiarch/strcspn-c.c
+index 6d61e190a8..ec230fb383 100644
+--- a/sysdeps/i386/i686/multiarch/strcspn-c.c
+++ b/sysdeps/i386/i686/multiarch/strcspn-c.c
+@@ -1,2 +1,4 @@
+-#define __strcspn_sse2 __strcspn_ia32
+-#include <sysdeps/x86_64/multiarch/strcspn-c.c>
+#if IS_IN (libc)
+# define __strcspn_sse2 __strcspn_ia32
+# include <sysdeps/x86_64/multiarch/strcspn-c.c>
+#endif
+diff --git a/sysdeps/i386/i686/multiarch/varshift.c b/sysdeps/i386/i686/multiarch/varshift.c
+index 7760b966e2..6742a35d41 100644
+--- a/sysdeps/i386/i686/multiarch/varshift.c
+++ b/sysdeps/i386/i686/multiarch/varshift.c
+@@ -1 +1,3 @@
+-#include <sysdeps/x86_64/multiarch/varshift.c>
+#if IS_IN (libc)
+# include <sysdeps/x86_64/multiarch/varshift.c>
+#endif
+-- 
+2.15.0
diff --git a/meta/recipes-core/glibc/glibc_2.24.bb b/meta/recipes-core/glibc/glibc_2.24.bb
index 4c7d901149..359379bac5 100644
--- a/meta/recipes-core/glibc/glibc_2.24.bb
+++ b/meta/recipes-core/glibc/glibc_2.24.bb
@@ -46,6 +46,10 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0005-Remove-__ASSUME_REQUEUE_PI.patch \
           file://0006-Fix-atomic_fetch_xor_release.patch \
           file://0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch \
+           file://0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch \
+           file://0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch \
+           file://0003-ld.so-Reject-overly-long-LD_AUDIT-path-elements.patch \
+           file://0004-i686-Add-missing-IS_IN-libc-guards-to-vectorized-str.patch \
 "
 SRC_URI += "\
author	George McCollister <george.mccollister@gmail.com>	2017-11-21 14:01:21 -0600
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-12-09 14:34:35 +0000
commit	bc8d34a327c50cb2ced295aa1105300783de322c (patch)
tree	9173e7fc6cf03a8843d565861f17e9dbf5054c38 /meta/recipes-core/glibc
parent	02ab4bdbf71d0fc9383578aaee5ce641bad9bc81 (diff)
download	poky-bc8d34a327c50cb2ced295aa1105300783de322c.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch b/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch new file mode 100644 index 0000000000..78e9ea9e65 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch
@@ -0,0 +1,71 @@
		1	From 400f170750a4b2c94a2670ca44de166cc5dd6e3b Mon Sep 17 00:00:00 2001
		2	From: Florian Weimer <fweimer@redhat.com>
		3	Date: Mon, 19 Jun 2017 18:33:26 +0200
		4	Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1
		5	programs [BZ #21624]
		6
		7	LD_LIBRARY_PATH can only be used to reorder system search paths, which
		8	is not useful functionality.
		9
		10	This makes an exploitable unbounded alloca in _dl_init_paths unreachable
		11	for AT_SECURE=1 programs.
		12
		13	(cherry picked from commit f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d)
		14
		15	Upstream-Status: Backport
		16	https://sourceware.org/git/?p=glibc.git;a=commit;h=87bd4186da10371f46e2f1a7bf7c0a45bb04f1ac
		17	https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=stretch&id=2755c57269f24e9d59c22c49788f92515346c1bb
		18
		19	CVE: CVE-2017-1000366
		20
		21	Signed-off-by: George McCollister <george.mccollister@gmail.com>
		22	---
		23	ChangeLog \| 7 +++++++
		24	NEWS \| 1 +
		25	elf/rtld.c \| 3 ++-
		26	3 files changed, 10 insertions(+), 1 deletion(-)
		27
		28	diff --git a/ChangeLog b/ChangeLog
		29	index 2bdaf69e43..7a999802dd 100644
		30	--- a/ChangeLog
		31	+++ b/ChangeLog
		32	@@ -1,3 +1,10 @@
		33	+2017-06-19 Florian Weimer <fweimer@redhat.com>
		34	+
		35	+ [BZ #21624]
		36	+ CVE-2017-1000366
		37	+ * elf/rtld.c (process_envvars): Ignore LD_LIBRARY_PATH for
		38	+ __libc_enable_secure.
		39	+
		40	2016-12-31 Florian Weimer <fweimer@redhat.com>
		41
		42	[BZ #18784]
		43	diff --git a/NEWS b/NEWS
		44	index 4b1ca3cb65..66b49dbbc0 100644
		45	--- a/NEWS
		46	+++ b/NEWS
		47	@@ -17,6 +17,7 @@ using `glibc' in the "product" field.
		48	question type which is outside the range of valid question type values.
		49	(CVE-2015-5180)
		50
		51	+ [21624] Unsafe alloca allows local attackers to alias stack and heap (CVE-2017-1000366)
		52	Version 2.24
		53
		54	* The minimum Linux kernel version that this version of the GNU C Library
		55	diff --git a/elf/rtld.c b/elf/rtld.c
		56	index 647661ca45..215a9aec8f 100644
		57	--- a/elf/rtld.c
		58	+++ b/elf/rtld.c
		59	@@ -2437,7 +2437,8 @@ process_envvars (enum mode *modep)
		60
		61	case 12:
		62	/* The library search path. */
		63	- if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
		64	+ if (!__libc_enable_secure
		65	+ && memcmp (envline, "LIBRARY_PATH", 12) == 0)
		66	{
		67	library_path = &envline[13];
		68	break;
		69	--
		70	2.15.0
		71


diff --git a/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch b/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch new file mode 100644 index 0000000000..7f81ed1566 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch
@@ -0,0 +1,145 @@
		1	From 6d49272e6d6741496e3456f2cc22ebc2b9f7f989 Mon Sep 17 00:00:00 2001
		2	From: Florian Weimer <fweimer@redhat.com>
		3	Date: Mon, 19 Jun 2017 22:31:04 +0200
		4	Subject: [PATCH] ld.so: Reject overly long LD_PRELOAD path elements
		5
		6	(cherry picked from commit 6d0ba622891bed9d8394eef1935add53003b12e8)
		7
		8	Upstream-Status: Backport
		9	https://sourceware.org/git/?p=glibc.git;a=commit;h=aab04ca5d359150e17631e6a9b44b65e93bdc467
		10	https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=stretch&id=2755c57269f24e9d59c22c49788f92515346c1bb
		11
		12	CVE: CVE-2017-1000366
		13
		14	Signed-off-by: George McCollister <george.mccollister@gmail.com>
		15	---
		16	ChangeLog \| 7 ++++++
		17	elf/rtld.c \| 82 ++++++++++++++++++++++++++++++++++++++++++++++++++------------
		18	2 files changed, 73 insertions(+), 16 deletions(-)
		19
		20	diff --git a/ChangeLog b/ChangeLog
		21	index 7a999802dd..ea5ecd4a1e 100644
		22	--- a/ChangeLog
		23	+++ b/ChangeLog
		24	@@ -1,3 +1,10 @@
		25	+2017-06-19 Florian Weimer <fweimer@redhat.com>
		26	+
		27	+ * elf/rtld.c (SECURE_NAME_LIMIT, SECURE_PATH_LIMIT): Define.
		28	+ (dso_name_valid_for_suid): New function.
		29	+ (handle_ld_preload): Likewise.
		30	+ (dl_main): Call it. Remove alloca.
		31	+
		32	2017-06-19 Florian Weimer <fweimer@redhat.com>
		33
		34	[BZ #21624]
		35	diff --git a/elf/rtld.c b/elf/rtld.c
		36	index 215a9aec8f..1d8eab9fe2 100644
		37	--- a/elf/rtld.c
		38	+++ b/elf/rtld.c
		39	@@ -99,6 +99,35 @@ uintptr_t __pointer_chk_guard_local
		40	strong_alias (__pointer_chk_guard_local, __pointer_chk_guard)
		41	#endif
		42
		43	+/* Length limits for names and paths, to protect the dynamic linker,
		44	+ particularly when __libc_enable_secure is active. */
		45	+#ifdef NAME_MAX
		46	+# define SECURE_NAME_LIMIT NAME_MAX
		47	+#else
		48	+# define SECURE_NAME_LIMIT 255
		49	+#endif
		50	+#ifdef PATH_MAX
		51	+# define SECURE_PATH_LIMIT PATH_MAX
		52	+#else
		53	+# define SECURE_PATH_LIMIT 1024
		54	+#endif
		55	+
		56	+/* Check that AT_SECURE=0, or that the passed name does not contain
		57	+ directories and is not overly long. Reject empty names
		58	+ unconditionally. */
		59	+static bool
		60	+dso_name_valid_for_suid (const char *p)
		61	+{
		62	+ if (__glibc_unlikely (__libc_enable_secure))
		63	+ {
		64	+ /* Ignore pathnames with directories for AT_SECURE=1
		65	+ programs, and also skip overlong names. */
		66	+ size_t len = strlen (p);
		67	+ if (len >= SECURE_NAME_LIMIT \|\| memchr (p, '/', len) != NULL)
		68	+ return false;
		69	+ }
		70	+ return *p != '\0';
		71	+}
		72
		73	/* List of auditing DSOs. */
		74	static struct audit_list
		75	@@ -730,6 +759,42 @@ static const char *preloadlist attribute_relro;
		76	/* Nonzero if information about versions has to be printed. */
		77	static int version_info attribute_relro;
		78
		79	+/* The LD_PRELOAD environment variable gives list of libraries
		80	+ separated by white space or colons that are loaded before the
		81	+ executable's dependencies and prepended to the global scope list.
		82	+ (If the binary is running setuid all elements containing a '/' are
		83	+ ignored since it is insecure.) Return the number of preloads
		84	+ performed. */
		85	+unsigned int
		86	+handle_ld_preload (const char preloadlist, struct link_map main_map)
		87	+{
		88	+ unsigned int npreloads = 0;
		89	+ const char *p = preloadlist;
		90	+ char fname[SECURE_PATH_LIMIT];
		91	+
		92	+ while (*p != '\0')
		93	+ {
		94	+ /* Split preload list at space/colon. */
		95	+ size_t len = strcspn (p, " :");
		96	+ if (len > 0 && len < sizeof (fname))
		97	+ {
		98	+ memcpy (fname, p, len);
		99	+ fname[len] = '\0';
		100	+ }
		101	+ else
		102	+ fname[0] = '\0';
		103	+
		104	+ /* Skip over the substring and the following delimiter. */
		105	+ p += len;
		106	+ if (*p != '\0')
		107	+ ++p;
		108	+
		109	+ if (dso_name_valid_for_suid (fname))
		110	+ npreloads += do_preload (fname, main_map, "LD_PRELOAD");
		111	+ }
		112	+ return npreloads;
		113	+}
		114	+
		115	static void
		116	dl_main (const ElfW(Phdr) *phdr,
		117	ElfW(Word) phnum,
		118	@@ -1481,23 +1546,8 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
		119
		120	if (__glibc_unlikely (preloadlist != NULL))
		121	{
		122	- /* The LD_PRELOAD environment variable gives list of libraries
		123	- separated by white space or colons that are loaded before the
		124	- executable's dependencies and prepended to the global scope
		125	- list. If the binary is running setuid all elements
		126	- containing a '/' are ignored since it is insecure. */
		127	- char *list = strdupa (preloadlist);
		128	- char *p;
		129	-
		130	HP_TIMING_NOW (start);
		131	-
		132	- /* Prevent optimizing strsep. Speed is not important here. */
		133	- while ((p = (strsep) (&list, " :")) != NULL)
		134	- if (p[0] != '\0'
		135	- && (__builtin_expect (! __libc_enable_secure, 1)
		136	- \|\| strchr (p, '/') == NULL))
		137	- npreloads += do_preload (p, main_map, "LD_PRELOAD");
		138	-
		139	+ npreloads += handle_ld_preload (preloadlist, main_map);
		140	HP_TIMING_NOW (stop);
		141	HP_TIMING_DIFF (diff, start, stop);
		142	HP_TIMING_ACCUM_NT (load_time, diff);
		143	--
		144	2.15.0
		145


diff --git a/meta/recipes-core/glibc/glibc/0003-ld.so-Reject-overly-long-LD_AUDIT-path-elements.patch b/meta/recipes-core/glibc/glibc/0003-ld.so-Reject-overly-long-LD_AUDIT-path-elements.patch new file mode 100644 index 0000000000..b52b8a1fa7 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0003-ld.so-Reject-overly-long-LD_AUDIT-path-elements.patch
@@ -0,0 +1,231 @@
		1	From c0b25407def32718147530da72959a034cd1318d Mon Sep 17 00:00:00 2001
		2	From: Florian Weimer <fweimer@redhat.com>
		3	Date: Mon, 19 Jun 2017 22:32:12 +0200
		4	Subject: [PATCH] ld.so: Reject overly long LD_AUDIT path elements
		5
		6	Also only process the last LD_AUDIT entry.
		7
		8	(cherry picked from commit 81b82fb966ffbd94353f793ad17116c6088dedd9)
		9
		10	Upstream-Status: Backport
		11	https://sourceware.org/git/?p=glibc.git;a=commit;h=2febff860b31df3666bef5ade0d0744c93f76a74
		12	https://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=stretch&id=2755c57269f24e9d59c22c49788f92515346c1bb
		13
		14	CVE: CVE-2017-1000366
		15
		16	Signed-off-by: George McCollister <george.mccollister@gmail.com>
		17	---
		18	ChangeLog \| 11 +++++++
		19	elf/rtld.c \| 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++---------
		20	2 files changed, 106 insertions(+), 15 deletions(-)
		21
		22	diff --git a/ChangeLog b/ChangeLog
		23	index ea5ecd4a1e..638cb632b1 100644
		24	--- a/ChangeLog
		25	+++ b/ChangeLog
		26	@@ -1,3 +1,14 @@
		27	+2017-06-19 Florian Weimer <fweimer@redhat.com>
		28	+
		29	+ * elf/rtld.c (audit_list_string): New variable.
		30	+ (audit_list): Update comment.
		31	+ (struct audit_list_iter): Define.
		32	+ (audit_list_iter_init, audit_list_iter_next): New function.
		33	+ (dl_main): Use struct audit_list_iter to process audit modules.
		34	+ (process_dl_audit): Call dso_name_valid_for_suid.
		35	+ (process_envvars): Set audit_list_string instead of calling
		36	+ process_dl_audit.
		37	+
		38	2017-06-19 Florian Weimer <fweimer@redhat.com>
		39
		40	* elf/rtld.c (SECURE_NAME_LIMIT, SECURE_PATH_LIMIT): Define.
		41	diff --git a/elf/rtld.c b/elf/rtld.c
		42	index 1d8eab9fe2..302bb63620 100644
		43	--- a/elf/rtld.c
		44	+++ b/elf/rtld.c
		45	@@ -129,13 +129,91 @@ dso_name_valid_for_suid (const char *p)
		46	return *p != '\0';
		47	}
		48
		49	-/* List of auditing DSOs. */
		50	+/* LD_AUDIT variable contents. Must be processed before the
		51	+ audit_list below. */
		52	+const char *audit_list_string;
		53	+
		54	+/* Cyclic list of auditing DSOs. audit_list->next is the first
		55	+ element. */
		56	static struct audit_list
		57	{
		58	const char *name;
		59	struct audit_list *next;
		60	} *audit_list;
		61
		62	+/* Iterator for audit_list_string followed by audit_list. */
		63	+struct audit_list_iter
		64	+{
		65	+ /* Tail of audit_list_string still needing processing, or NULL. */
		66	+ const char *audit_list_tail;
		67	+
		68	+ /* The list element returned in the previous iteration. NULL before
		69	+ the first element. */
		70	+ struct audit_list *previous;
		71	+
		72	+ /* Scratch buffer for returning a name which is part of
		73	+ audit_list_string. */
		74	+ char fname[SECURE_NAME_LIMIT];
		75	+};
		76	+
		77	+/* Initialize an audit list iterator. */
		78	+static void
		79	+audit_list_iter_init (struct audit_list_iter *iter)
		80	+{
		81	+ iter->audit_list_tail = audit_list_string;
		82	+ iter->previous = NULL;
		83	+}
		84	+
		85	+/* Iterate through both audit_list_string and audit_list. */
		86	+static const char *
		87	+audit_list_iter_next (struct audit_list_iter *iter)
		88	+{
		89	+ if (iter->audit_list_tail != NULL)
		90	+ {
		91	+ /* First iterate over audit_list_string. */
		92	+ while (*iter->audit_list_tail != '\0')
		93	+ {
		94	+ /* Split audit list at colon. */
		95	+ size_t len = strcspn (iter->audit_list_tail, ":");
		96	+ if (len > 0 && len < sizeof (iter->fname))
		97	+ {
		98	+ memcpy (iter->fname, iter->audit_list_tail, len);
		99	+ iter->fname[len] = '\0';
		100	+ }
		101	+ else
		102	+ /* Do not return this name to the caller. */
		103	+ iter->fname[0] = '\0';
		104	+
		105	+ /* Skip over the substring and the following delimiter. */
		106	+ iter->audit_list_tail += len;
		107	+ if (*iter->audit_list_tail == ':')
		108	+ ++iter->audit_list_tail;
		109	+
		110	+ /* If the name is valid, return it. */
		111	+ if (dso_name_valid_for_suid (iter->fname))
		112	+ return iter->fname;
		113	+ /* Otherwise, wrap around and try the next name. */
		114	+ }
		115	+ /* Fall through to the procesing of audit_list. */
		116	+ }
		117	+
		118	+ if (iter->previous == NULL)
		119	+ {
		120	+ if (audit_list == NULL)
		121	+ /* No pre-parsed audit list. */
		122	+ return NULL;
		123	+ /* Start of audit list. The first list element is at
		124	+ audit_list->next (cyclic list). */
		125	+ iter->previous = audit_list->next;
		126	+ return iter->previous->name;
		127	+ }
		128	+ if (iter->previous == audit_list)
		129	+ /* Cyclic list wrap-around. */
		130	+ return NULL;
		131	+ iter->previous = iter->previous->next;
		132	+ return iter->previous->name;
		133	+}
		134	+
		135	#ifndef HAVE_INLINED_SYSCALLS
		136	/* Set nonzero during loading and initialization of executable and
		137	libraries, cleared before the executable's entry point runs. This
		138	@@ -1322,11 +1400,13 @@ of this helper program; chances are you did not intend to run this program.\n\
		139	GL(dl_rtld_map).l_tls_modid = _dl_next_tls_modid ();
		140
		141	/* If we have auditing DSOs to load, do it now. */
		142	- if (__glibc_unlikely (audit_list != NULL))
		143	+ bool need_security_init = true;
		144	+ if (__glibc_unlikely (audit_list != NULL)
		145	+ \|\| __glibc_unlikely (audit_list_string != NULL))
		146	{
		147	- /* Iterate over all entries in the list. The order is important. */
		148	struct audit_ifaces *last_audit = NULL;
		149	- struct audit_list *al = audit_list->next;
		150	+ struct audit_list_iter al_iter;
		151	+ audit_list_iter_init (&al_iter);
		152
		153	/* Since we start using the auditing DSOs right away we need to
		154	initialize the data structures now. */
		155	@@ -1337,9 +1417,14 @@ of this helper program; chances are you did not intend to run this program.\n\
		156	use different values (especially the pointer guard) and will
		157	fail later on. */
		158	security_init ();
		159	+ need_security_init = false;
		160
		161	- do
		162	+ while (true)
		163	{
		164	+ const char *name = audit_list_iter_next (&al_iter);
		165	+ if (name == NULL)
		166	+ break;
		167	+
		168	int tls_idx = GL(dl_tls_max_dtv_idx);
		169
		170	/* Now it is time to determine the layout of the static TLS
		171	@@ -1348,7 +1433,7 @@ of this helper program; chances are you did not intend to run this program.\n\
		172	no DF_STATIC_TLS bit is set. The reason is that we know
		173	glibc will use the static model. */
		174	struct dlmopen_args dlmargs;
		175	- dlmargs.fname = al->name;
		176	+ dlmargs.fname = name;
		177	dlmargs.map = NULL;
		178
		179	const char *objname;
		180	@@ -1361,7 +1446,7 @@ of this helper program; chances are you did not intend to run this program.\n\
		181	not_loaded:
		182	_dl_error_printf ("\
		183	ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
		184	- al->name, err_str);
		185	+ name, err_str);
		186	if (malloced)
		187	free ((char *) err_str);
		188	}
		189	@@ -1465,10 +1550,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
		190	goto not_loaded;
		191	}
		192	}
		193	-
		194	- al = al->next;
		195	}
		196	- while (al != audit_list->next);
		197
		198	/* If we have any auditing modules, announce that we already
		199	have two objects loaded. */
		200	@@ -1732,7 +1814,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
		201	if (tcbp == NULL)
		202	tcbp = init_tls ();
		203
		204	- if (__glibc_likely (audit_list == NULL))
		205	+ if (__glibc_likely (need_security_init))
		206	/* Initialize security features. But only if we have not done it
		207	earlier. */
		208	security_init ();
		209	@@ -2363,9 +2445,7 @@ process_dl_audit (char *str)
		210	char *p;
		211
		212	while ((p = (strsep) (&str, ":")) != NULL)
		213	- if (p[0] != '\0'
		214	- && (__builtin_expect (! __libc_enable_secure, 1)
		215	- \|\| strchr (p, '/') == NULL))
		216	+ if (dso_name_valid_for_suid (p))
		217	{
		218	/* This is using the local malloc, not the system malloc. The
		219	memory can never be freed. */
		220	@@ -2429,7 +2509,7 @@ process_envvars (enum mode *modep)
		221	break;
		222	}
		223	if (memcmp (envline, "AUDIT", 5) == 0)
		224	- process_dl_audit (&envline[6]);
		225	+ audit_list_string = &envline[6];
		226	break;
		227
		228	case 7:
		229	--
		230	2.15.0
		231


diff --git a/meta/recipes-core/glibc/glibc/0004-i686-Add-missing-IS_IN-libc-guards-to-vectorized-str.patch b/meta/recipes-core/glibc/glibc/0004-i686-Add-missing-IS_IN-libc-guards-to-vectorized-str.patch new file mode 100644 index 0000000000..43c4398fec --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0004-i686-Add-missing-IS_IN-libc-guards-to-vectorized-str.patch
@@ -0,0 +1,62 @@
		1	From 203835b3bf6f1edfe1ebe4a7fa15dc085e6dc8f7 Mon Sep 17 00:00:00 2001
		2	From: Florian Weimer <fweimer@redhat.com>
		3	Date: Wed, 14 Jun 2017 08:11:22 +0200
		4	Subject: [PATCH] i686: Add missing IS_IN (libc) guards to vectorized strcspn
		5
		6	Since commit d957c4d3fa48d685ff2726c605c988127ef99395 (i386: Compile
		7	rtld-*.os with -mno-sse -mno-mmx -mfpmath=387), vector intrinsics can
		8	no longer be used in ld.so, even if the compiled code never makes it
		9	into the final ld.so link. This commit adds the missing IS_IN (libc)
		10	guard to the SSE 4.2 strcspn implementation, so that it can be used from
		11	ld.so in the future.
		12
		13	(cherry picked from commit 69052a3a95da37169a08f9e59b2cc1808312753c)
		14
		15	Upstream-Status: Backport
		16	https://sourceware.org/git/?p=glibc.git;a=commit;h=86ac4a78a9218d1e1dcfbacc6f7d09957c1fe3a4
		17
		18	Required to build fixes for CVE-2017-1000366.
		19
		20	Signed-off-by: George McCollister <george.mccollister@gmail.com>
		21	---
		22	ChangeLog \| 5 +++++
		23	sysdeps/i386/i686/multiarch/strcspn-c.c \| 6 ++++--
		24	sysdeps/i386/i686/multiarch/varshift.c \| 4 +++-
		25	3 files changed, 12 insertions(+), 3 deletions(-)
		26
		27	diff --git a/ChangeLog b/ChangeLog
		28	index 638cb632b1..3f89a2cdb2 100644
		29	--- a/ChangeLog
		30	+++ b/ChangeLog
		31	@@ -1,3 +1,8 @@
		32	+2017-06-14 Florian Weimer <fweimer@redhat.com>
		33	+
		34	+ * sysdeps/i386/i686/multiarch/strcspn-c.c: Add IS_IN (libc) guard.
		35	+ * sysdeps/i386/i686/multiarch/varshift.c: Likewise.
		36	+
		37	2017-06-19 Florian Weimer <fweimer@redhat.com>
		38
		39	* elf/rtld.c (audit_list_string): New variable.
		40	diff --git a/sysdeps/i386/i686/multiarch/strcspn-c.c b/sysdeps/i386/i686/multiarch/strcspn-c.c
		41	index 6d61e190a8..ec230fb383 100644
		42	--- a/sysdeps/i386/i686/multiarch/strcspn-c.c
		43	+++ b/sysdeps/i386/i686/multiarch/strcspn-c.c
		44	@@ -1,2 +1,4 @@
		45	-#define __strcspn_sse2 __strcspn_ia32
		46	-#include <sysdeps/x86_64/multiarch/strcspn-c.c>
		47	+#if IS_IN (libc)
		48	+# define __strcspn_sse2 __strcspn_ia32
		49	+# include <sysdeps/x86_64/multiarch/strcspn-c.c>
		50	+#endif
		51	diff --git a/sysdeps/i386/i686/multiarch/varshift.c b/sysdeps/i386/i686/multiarch/varshift.c
		52	index 7760b966e2..6742a35d41 100644
		53	--- a/sysdeps/i386/i686/multiarch/varshift.c
		54	+++ b/sysdeps/i386/i686/multiarch/varshift.c
		55	@@ -1 +1,3 @@
		56	-#include <sysdeps/x86_64/multiarch/varshift.c>
		57	+#if IS_IN (libc)
		58	+# include <sysdeps/x86_64/multiarch/varshift.c>
		59	+#endif
		60	--
		61	2.15.0
		62


diff --git a/meta/recipes-core/glibc/glibc_2.24.bb b/meta/recipes-core/glibc/glibc_2.24.bb index 4c7d901149..359379bac5 100644 --- a/meta/recipes-core/glibc/glibc_2.24.bb +++ b/meta/recipes-core/glibc/glibc_2.24.bb
@@ -46,6 +46,10 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
46	file://0005-Remove-__ASSUME_REQUEUE_PI.patch \	46	file://0005-Remove-__ASSUME_REQUEUE_PI.patch \
47	file://0006-Fix-atomic_fetch_xor_release.patch \	47	file://0006-Fix-atomic_fetch_xor_release.patch \
48	file://0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch \	48	file://0001-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch \
		49	file://0001-CVE-2017-1000366-Ignore-LD_LIBRARY_PATH-for-AT_SECUR.patch \
		50	file://0002-ld.so-Reject-overly-long-LD_PRELOAD-path-elements.patch \
		51	file://0003-ld.so-Reject-overly-long-LD_AUDIT-path-elements.patch \
		52	file://0004-i686-Add-missing-IS_IN-libc-guards-to-vectorized-str.patch \
49	"	53	"
50		54
51	SRC_URI += "\	55	SRC_URI += "\