From a9d032345f78f7a46c455b69f9cf0268944729f7 Mon Sep 17 00:00:00 2001
From: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
Date: Thu, 11 Mar 2021 23:21:28 +0800
Subject: glibc: Fix CVE-2021-27645

CVE:
CVE-2021-27645

(From OE-Core rev: 0d6b266c469a35628a3602590611d05ebbf4d562)

Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-core/glibc/glibc/CVE-2021-27645.patch | 51 ++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2021-27645.patch

(limited to 'meta/recipes-core/glibc/glibc/CVE-2021-27645.patch')

diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch b/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
new file mode 100644
index 0000000000..26c5c0d2a9
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch
@@ -0,0 +1,51 @@
+From dca565886b5e8bd7966e15f0ca42ee5cff686673 Mon Sep 17 00:00:00 2001
+From: DJ Delorie <dj@redhat.com>
+Date: Thu, 25 Feb 2021 16:08:21 -0500
+Subject: [PATCH] nscd: Fix double free in netgroupcache [BZ #27462]
+
+In commit 745664bd798ec8fd50438605948eea594179fba1 a use-after-free
+was fixed, but this led to an occasional double-free.  This patch
+tracks the "live" allocation better.
+
+Tested manually by a third party.
+
+Related: RHBZ 1927877
+
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=dca565886b5e8bd7966e15f0ca42ee5cff686673]
+
+CVE: CVE-2021-27645
+
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+---
+ nscd/netgroupcache.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
+index dba6ceec1b..ad2daddafd 100644
+--- a/nscd/netgroupcache.c
++++ b/nscd/netgroupcache.c
+@@ -248,7 +248,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
+ 					     : NULL);
+ 				    ndomain = (ndomain ? newbuf + ndomaindiff
+ 					       : NULL);
+-				    buffer = newbuf;
++				    *tofreep = buffer = newbuf;
+ 				  }
+ 
+ 				nhost = memcpy (buffer + bufused,
+@@ -319,7 +319,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
+ 		    else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE)
+ 		      {
+ 			buflen *= 2;
+-			buffer = xrealloc (buffer, buflen);
++			*tofreep = buffer = xrealloc (buffer, buflen);
+ 		      }
+ 		    else if (status == NSS_STATUS_RETURN
+ 			     || status == NSS_STATUS_NOTFOUND
+-- 
+2.27.0
+
-- 
cgit v1.2.3-54-g00ecf