1 files changed, 122 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
new file mode 100644
index 0000000000..780fcb9a53
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
@@ -0,0 +1,122 @@
+From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Thu, 15 Oct 2015 09:23:07 +0200
+Subject: [PATCH] Always enable pointer guard [BZ #18928]
+Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
+has security implications.  This commit enables pointer guard
+unconditionally, and the environment variable is now ignored.
+        [BZ #18928]
+        * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+        _dl_pointer_guard member.
+        * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+        initializer.
+        (security_init): Always set up pointer guard.
+        (process_envvars): Do not process LD_POINTER_GUARD.
+Upstream-Status: Backport
+CVE: CVE-2015-8777
+[Yocto # 8980]
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ChangeLog                  | 10 ++++++++++
+ NEWS                       | 13 ++++++++-----
+ elf/rtld.c                 | 15 ++++-----------
+ sysdeps/generic/ldsodefs.h |  3 ---
+ 4 files changed, 22 insertions(+), 19 deletions(-)
+Index: git/elf/rtld.c
+===================================================================
+--- git.orig/elf/rtld.c
+++ git/elf/rtld.c
+@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at
+     ._dl_hwcap_mask = HWCAP_IMPORTANT,
+     ._dl_lazy = 1,
+     ._dl_fpu_control = _FPU_DEFAULT,
+-    ._dl_pointer_guard = 1,
+     ._dl_pagesize = EXEC_PAGESIZE,
+     ._dl_inhibit_cache = 0,
+ 
+@@ -710,15 +709,12 @@ security_init (void)
+ #endif
+ 
+   /* Set up the pointer guard as well, if necessary.  */
+-  if (GLRO(dl_pointer_guard))
+-    {
+-      uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
+-                                                            stack_chk_guard);
+  uintptr_t pointer_chk_guard
+    = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
+ #ifdef THREAD_SET_POINTER_GUARD
+-      THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+  THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+ #endif
+-      __pointer_chk_guard_local = pointer_chk_guard;
+-    }
+  __pointer_chk_guard_local = pointer_chk_guard;
+ 
+   /* We do not need the _dl_random value anymore.  The less
+      information we leave behind, the better, so clear the
+@@ -2476,9 +2472,6 @@ process_envvars (enum mode *modep)
+              GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
+              break;
+            }
+-
+-         if (memcmp (envline, "POINTER_GUARD", 13) == 0)
+-           GLRO(dl_pointer_guard) = envline[14] != '0';
+          break;
+ 
+        case 14:
+Index: git/sysdeps/generic/ldsodefs.h
+===================================================================
+--- git.orig/sysdeps/generic/ldsodefs.h
+++ git/sysdeps/generic/ldsodefs.h
+@@ -590,9 +590,6 @@ struct rtld_global_ro
+   /* List of auditing interfaces.  */
+   struct audit_ifaces *_dl_audit;
+   unsigned int _dl_naudit;
+-
+-  /* 0 if internal pointer values should not be guarded, 1 if they should.  */
+-  EXTERN int _dl_pointer_guard;
+ };
+ # define __rtld_global_attribute__
+ # ifdef IS_IN_rtld
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
+++ git/ChangeLog
+@@ -1,3 +1,13 @@
+2015-10-15  Florian Weimer  <fweimer@redhat.com>
+
+   [BZ #18928]
+   * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+   _dl_pointer_guard member.
+   * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+   initializer.
+   (security_init): Always set up pointer guard.
+   (process_envvars): Do not process LD_POINTER_GUARD.
+
+ 2015-02-05  Paul Pluzhnikov  <ppluzhnikov@google.com>
+ 
+        [BZ #16618] CVE-2015-1472
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
+++ git/NEWS
+@@ -24,7 +24,10 @@ Version 2.20
+   17031, 17042, 17048, 17050, 17058, 17061, 17062, 17069, 17075, 17078,
+   17079, 17084, 17086, 17088, 17092, 17097, 17125, 17135, 17137, 17150,
+   17153, 17187, 17213, 17259, 17261, 17262, 17263, 17319, 17325, 17354,
+-  17625, 17630.
+  17625, 17630, 18928.
+
+* The LD_POINTER_GUARD environment variable can no longer be used to
+  disable the pointer guard feature.  It is always enabled.
+ 
+ * The nss_dns implementation of getnetbyname could run into an infinite loop
+   if the DNS response contained a PTR record of an unexpected format.

diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch new file mode 100644 index 0000000000..780fcb9a53 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
@@ -0,0 +1,122 @@
	1	From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001
	2	From: Florian Weimer <fweimer@redhat.com>
	3	Date: Thu, 15 Oct 2015 09:23:07 +0200
	4	Subject: [PATCH] Always enable pointer guard [BZ #18928]
	5
	6	Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
	7	has security implications. This commit enables pointer guard
	8	unconditionally, and the environment variable is now ignored.
	9
	10	[BZ #18928]
	11	* sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
	12	_dl_pointer_guard member.
	13	* elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
	14	initializer.
	15	(security_init): Always set up pointer guard.
	16	(process_envvars): Do not process LD_POINTER_GUARD.
	17
	18	Upstream-Status: Backport
	19	CVE: CVE-2015-8777
	20	[Yocto # 8980]
	21
	22	https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7
	23
	24	Signed-off-by: Armin Kuster <akuster@mvista.com>
	25
	26	---
	27	ChangeLog \| 10 ++++++++++
	28	NEWS \| 13 ++++++++-----
	29	elf/rtld.c \| 15 ++++-----------
	30	sysdeps/generic/ldsodefs.h \| 3 ---
	31	4 files changed, 22 insertions(+), 19 deletions(-)
	32
	33	Index: git/elf/rtld.c
	34	===================================================================
	35	--- git.orig/elf/rtld.c
	36	+++ git/elf/rtld.c
	37	@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at
	38	._dl_hwcap_mask = HWCAP_IMPORTANT,
	39	._dl_lazy = 1,
	40	._dl_fpu_control = _FPU_DEFAULT,
	41	- ._dl_pointer_guard = 1,
	42	._dl_pagesize = EXEC_PAGESIZE,
	43	._dl_inhibit_cache = 0,
	44
	45	@@ -710,15 +709,12 @@ security_init (void)
	46	#endif
	47
	48	/* Set up the pointer guard as well, if necessary. */
	49	- if (GLRO(dl_pointer_guard))
	50	- {
	51	- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
	52	- stack_chk_guard);
	53	+ uintptr_t pointer_chk_guard
	54	+ = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
	55	#ifdef THREAD_SET_POINTER_GUARD
	56	- THREAD_SET_POINTER_GUARD (pointer_chk_guard);
	57	+ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
	58	#endif
	59	- __pointer_chk_guard_local = pointer_chk_guard;
	60	- }
	61	+ __pointer_chk_guard_local = pointer_chk_guard;
	62
	63	/* We do not need the _dl_random value anymore. The less
	64	information we leave behind, the better, so clear the
	65	@@ -2476,9 +2472,6 @@ process_envvars (enum mode *modep)
	66	GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
	67	break;
	68	}
	69	-
	70	- if (memcmp (envline, "POINTER_GUARD", 13) == 0)
	71	- GLRO(dl_pointer_guard) = envline[14] != '0';
	72	break;
	73
	74	case 14:
	75	Index: git/sysdeps/generic/ldsodefs.h
	76	===================================================================
	77	--- git.orig/sysdeps/generic/ldsodefs.h
	78	+++ git/sysdeps/generic/ldsodefs.h
	79	@@ -590,9 +590,6 @@ struct rtld_global_ro
	80	/* List of auditing interfaces. */
	81	struct audit_ifaces *_dl_audit;
	82	unsigned int _dl_naudit;
	83	-
	84	- /* 0 if internal pointer values should not be guarded, 1 if they should. */
	85	- EXTERN int _dl_pointer_guard;
	86	};
	87	# define __rtld_global_attribute__
	88	# ifdef IS_IN_rtld
	89	Index: git/ChangeLog
	90	===================================================================
	91	--- git.orig/ChangeLog
	92	+++ git/ChangeLog
	93	@@ -1,3 +1,13 @@
	94	+2015-10-15 Florian Weimer <fweimer@redhat.com>
	95	+
	96	+ [BZ #18928]
	97	+ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
	98	+ _dl_pointer_guard member.
	99	+ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
	100	+ initializer.
	101	+ (security_init): Always set up pointer guard.
	102	+ (process_envvars): Do not process LD_POINTER_GUARD.
	103	+
	104	2015-02-05 Paul Pluzhnikov <ppluzhnikov@google.com>
	105
	106	[BZ #16618] CVE-2015-1472
	107	Index: git/NEWS
	108	===================================================================
	109	--- git.orig/NEWS
	110	+++ git/NEWS
	111	@@ -24,7 +24,10 @@ Version 2.20
	112	17031, 17042, 17048, 17050, 17058, 17061, 17062, 17069, 17075, 17078,
	113	17079, 17084, 17086, 17088, 17092, 17097, 17125, 17135, 17137, 17150,
	114	17153, 17187, 17213, 17259, 17261, 17262, 17263, 17319, 17325, 17354,
	115	- 17625, 17630.
	116	+ 17625, 17630, 18928.
	117	+
	118	+* The LD_POINTER_GUARD environment variable can no longer be used to
	119	+ disable the pointer guard feature. It is always enabled.
	120
	121	* The nss_dns implementation of getnetbyname could run into an infinite loop
	122	if the DNS response contained a PTR record of an unexpected format.