1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
|
CVE-2014-5119
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Upstream commit:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8
From a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Tue, 26 Aug 2014 19:38:59 +0200
Subject: [PATCH] __gconv_translit_find: Disable function [BZ #17187]
This functionality has never worked correctly, and the implementation
contained a security vulnerability (CVE-2014-5119).
---
ChangeLog | 7 ++
NEWS | 9 ++-
iconv/gconv_trans.c | 177 +-------------------------------------------------
3 files changed, 19 insertions(+), 174 deletions(-)
Index: libc/NEWS
===================================================================
--- libc.orig/NEWS
+++ libc/NEWS
@@ -26,7 +26,7 @@ Version 2.19
16271, 16274, 16283, 16289, 16293, 16314, 16316, 16330, 16337, 16338,
16356, 16365, 16366, 16369, 16372, 16375, 16379, 16384, 16385, 16386,
16387, 16390, 16394, 16398, 16400, 16407, 16408, 16414, 16430, 16431,
- 16453, 16474, 16506, 16510, 16529
+ 16453, 16474, 16506, 16510, 16529, 17187
* Slovenian translations for glibc messages have been contributed by the
Translation Project's Slovenian team of translators.
Index: libc/iconv/gconv_trans.c
===================================================================
--- libc.orig/iconv/gconv_trans.c
+++ libc/iconv/gconv_trans.c
@@ -241,181 +241,12 @@ __gconv_transliterate (struct __gconv_st
return __GCONV_ILLEGAL_INPUT;
}
-
-/* Structure to represent results of found (or not) transliteration
- modules. */
-struct known_trans
-{
- /* This structure must remain the first member. */
- struct trans_struct info;
-
- char *fname;
- void *handle;
- int open_count;
-};
-
-
-/* Tree with results of previous calls to __gconv_translit_find. */
-static void *search_tree;
-
-/* We modify global data. */
-__libc_lock_define_initialized (static, lock);
-
-
-/* Compare two transliteration entries. */
-static int
-trans_compare (const void *p1, const void *p2)
-{
- const struct known_trans *s1 = (const struct known_trans *) p1;
- const struct known_trans *s2 = (const struct known_trans *) p2;
-
- return strcmp (s1->info.name, s2->info.name);
-}
-
-
-/* Open (maybe reopen) the module named in the struct. Get the function
- and data structure pointers we need. */
-static int
-open_translit (struct known_trans *trans)
-{
- __gconv_trans_query_fct queryfct;
-
- trans->handle = __libc_dlopen (trans->fname);
- if (trans->handle == NULL)
- /* Not available. */
- return 1;
-
- /* Find the required symbol. */
- queryfct = __libc_dlsym (trans->handle, "gconv_trans_context");
- if (queryfct == NULL)
- {
- /* We cannot live with that. */
- close_and_out:
- __libc_dlclose (trans->handle);
- trans->handle = NULL;
- return 1;
- }
-
- /* Get the context. */
- if (queryfct (trans->info.name, &trans->info.csnames, &trans->info.ncsnames)
- != 0)
- goto close_and_out;
-
- /* Of course we also have to have the actual function. */
- trans->info.trans_fct = __libc_dlsym (trans->handle, "gconv_trans");
- if (trans->info.trans_fct == NULL)
- goto close_and_out;
-
- /* Now the optional functions. */
- trans->info.trans_init_fct =
- __libc_dlsym (trans->handle, "gconv_trans_init");
- trans->info.trans_context_fct =
- __libc_dlsym (trans->handle, "gconv_trans_context");
- trans->info.trans_end_fct =
- __libc_dlsym (trans->handle, "gconv_trans_end");
-
- trans->open_count = 1;
-
- return 0;
-}
-
-
int
internal_function
__gconv_translit_find (struct trans_struct *trans)
{
- struct known_trans **found;
- const struct path_elem *runp;
- int res = 1;
-
- /* We have to have a name. */
- assert (trans->name != NULL);
-
- /* Acquire the lock. */
- __libc_lock_lock (lock);
-
- /* See whether we know this module already. */
- found = __tfind (trans, &search_tree, trans_compare);
- if (found != NULL)
- {
- /* Is this module available? */
- if ((*found)->handle != NULL)
- {
- /* Maybe we have to reopen the file. */
- if ((*found)->handle != (void *) -1)
- /* The object is not unloaded. */
- res = 0;
- else if (open_translit (*found) == 0)
- {
- /* Copy the data. */
- *trans = (*found)->info;
- (*found)->open_count++;
- res = 0;
- }
- }
- }
- else
- {
- size_t name_len = strlen (trans->name) + 1;
- int need_so = 0;
- struct known_trans *newp;
-
- /* We have to continue looking for the module. */
- if (__gconv_path_elem == NULL)
- __gconv_get_path ();
-
- /* See whether we have to append .so. */
- if (name_len <= 4 || memcmp (&trans->name[name_len - 4], ".so", 3) != 0)
- need_so = 1;
-
- /* Create a new entry. */
- newp = (struct known_trans *) malloc (sizeof (struct known_trans)
- + (__gconv_max_path_elem_len
- + name_len + 3)
- + name_len);
- if (newp != NULL)
- {
- char *cp;
-
- /* Clear the struct. */
- memset (newp, '\0', sizeof (struct known_trans));
-
- /* Store a copy of the module name. */
- newp->info.name = cp = (char *) (newp + 1);
- cp = __mempcpy (cp, trans->name, name_len);
-
- newp->fname = cp;
-
- /* Search in all the directories. */
- for (runp = __gconv_path_elem; runp->name != NULL; ++runp)
- {
- cp = __mempcpy (__stpcpy ((char *) newp->fname, runp->name),
- trans->name, name_len);
- if (need_so)
- memcpy (cp, ".so", sizeof (".so"));
-
- if (open_translit (newp) == 0)
- {
- /* We found a module. */
- res = 0;
- break;
- }
- }
-
- if (res)
- newp->fname = NULL;
-
- /* In any case we'll add the entry to our search tree. */
- if (__tsearch (newp, &search_tree, trans_compare) == NULL)
- {
- /* Yickes, this should not happen. Unload the object. */
- res = 1;
- /* XXX unload here. */
- }
- }
- }
-
- __libc_lock_unlock (lock);
-
- return res;
+ /* Transliteration module loading has been removed because it never
+ worked as intended and suffered from a security vulnerability.
+ Consequently, this function always fails. */
+ return 1;
}
Index: libc/ChangeLog
===================================================================
--- libc.orig/ChangeLog
+++ libc/ChangeLog
@@ -1,3 +1,10 @@
+2014-08-26 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #17187]
+ * iconv/gconv_trans.c (struct known_trans, search_tree, lock,
+ trans_compare, open_translit, __gconv_translit_find):
+ Remove module loading code.
+
2014-02-06 Carlos O'Donell <carlos@redhat.com>
[BZ #16529]
|
