2 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-35942.patch b/meta/recipes-core/glibc/glibc/CVE-2021-35942.patch
new file mode 100644
index 0000000000..5cae1bc91c
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-35942.patch
@@ -0,0 +1,44 @@
+From 5adda61f62b77384718b4c0d8336ade8f2b4b35c Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@linux-m68k.org>
+Date: Fri, 25 Jun 2021 15:02:47 +0200
+Subject: [PATCH] wordexp: handle overflow in positional parameter number (bug
+ 28011)
+Use strtoul instead of atoi so that overflow can be detected.
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c]
+CVE: CVE-2021-35942
+Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com>
+---
+ posix/wordexp-test.c | 1 +
+ posix/wordexp.c      | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
+index f93a546d7e..9df02dbbb3 100644
+--- a/posix/wordexp-test.c
+++ b/posix/wordexp-test.c
+@@ -183,6 +183,7 @@ struct test_case_struct
+     { 0, NULL, "$var", 0, 0, { NULL, }, IFS },
+     { 0, NULL, "\"\\n\"", 0, 1, { "\\n", }, IFS },
+     { 0, NULL, "", 0, 0, { NULL, }, IFS },
+    { 0, NULL, "${1234567890123456789012}", 0, 0, { NULL, }, IFS },
+ 
+     /* Flags not already covered (testit() has special handling for these) */
+     { 0, NULL, "one two", WRDE_DOOFFS, 2, { "one", "two", }, IFS },
+diff --git a/posix/wordexp.c b/posix/wordexp.c
+index bcbe96e48d..1f3b09f721 100644
+--- a/posix/wordexp.c
+++ b/posix/wordexp.c
+@@ -1399,7 +1399,7 @@ envsubst:
+   /* Is it a numeric parameter? */
+   else if (isdigit (env[0]))
+     {
+-      int n = atoi (env);
+      unsigned long n = strtoul (env, NULL, 10);
+ 
+       if (n >= __libc_argc)
+        /* Substitute NULL. */
+-- 
+2.17.1
diff --git a/meta/recipes-core/glibc/glibc_2.33.bb b/meta/recipes-core/glibc/glibc_2.33.bb
index bb35c50c98..7f516d2bbe 100644
--- a/meta/recipes-core/glibc/glibc_2.33.bb
+++ b/meta/recipes-core/glibc/glibc_2.33.bb
@@ -63,6 +63,7 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0001-nptl-Remove-private-futex-optimization-BZ-27304.patch \
           file://CVE-2021-33574_1.patch \
           file://CVE-2021-33574_2.patch \
+           file://CVE-2021-35942.patch \
           "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"

diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-35942.patch b/meta/recipes-core/glibc/glibc/CVE-2021-35942.patch new file mode 100644 index 0000000000..5cae1bc91c --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2021-35942.patch
@@ -0,0 +1,44 @@
		1	From 5adda61f62b77384718b4c0d8336ade8f2b4b35c Mon Sep 17 00:00:00 2001
		2	From: Andreas Schwab <schwab@linux-m68k.org>
		3	Date: Fri, 25 Jun 2021 15:02:47 +0200
		4	Subject: [PATCH] wordexp: handle overflow in positional parameter number (bug
		5	28011)
		6
		7	Use strtoul instead of atoi so that overflow can be detected.
		8
		9	Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c]
		10	CVE: CVE-2021-35942
		11	Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com>
		12	---
		13	posix/wordexp-test.c \| 1 +
		14	posix/wordexp.c \| 2 +-
		15	2 files changed, 2 insertions(+), 1 deletion(-)
		16
		17	diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
		18	index f93a546d7e..9df02dbbb3 100644
		19	--- a/posix/wordexp-test.c
		20	+++ b/posix/wordexp-test.c
		21	@@ -183,6 +183,7 @@ struct test_case_struct
		22	{ 0, NULL, "$var", 0, 0, { NULL, }, IFS },
		23	{ 0, NULL, "\"\\n\"", 0, 1, { "\\n", }, IFS },
		24	{ 0, NULL, "", 0, 0, { NULL, }, IFS },
		25	+ { 0, NULL, "${1234567890123456789012}", 0, 0, { NULL, }, IFS },
		26
		27	/* Flags not already covered (testit() has special handling for these) */
		28	{ 0, NULL, "one two", WRDE_DOOFFS, 2, { "one", "two", }, IFS },
		29	diff --git a/posix/wordexp.c b/posix/wordexp.c
		30	index bcbe96e48d..1f3b09f721 100644
		31	--- a/posix/wordexp.c
		32	+++ b/posix/wordexp.c
		33	@@ -1399,7 +1399,7 @@ envsubst:
		34	/* Is it a numeric parameter? */
		35	else if (isdigit (env[0]))
		36	{
		37	- int n = atoi (env);
		38	+ unsigned long n = strtoul (env, NULL, 10);
		39
		40	if (n >= __libc_argc)
		41	/* Substitute NULL. */
		42	--
		43	2.17.1
		44


diff --git a/meta/recipes-core/glibc/glibc_2.33.bb b/meta/recipes-core/glibc/glibc_2.33.bb index bb35c50c98..7f516d2bbe 100644 --- a/meta/recipes-core/glibc/glibc_2.33.bb +++ b/meta/recipes-core/glibc/glibc_2.33.bb
@@ -63,6 +63,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
63	file://0001-nptl-Remove-private-futex-optimization-BZ-27304.patch \	63	file://0001-nptl-Remove-private-futex-optimization-BZ-27304.patch \
64	file://CVE-2021-33574_1.patch \	64	file://CVE-2021-33574_1.patch \
65	file://CVE-2021-33574_2.patch \	65	file://CVE-2021-33574_2.patch \
		66	file://CVE-2021-35942.patch \
66	"	67	"
67	S = "${WORKDIR}/git"	68	S = "${WORKDIR}/git"
68	B = "${WORKDIR}/build-${TARGET_SYS}"	69	B = "${WORKDIR}/build-${TARGET_SYS}"