glibc: CVE-2015-8776

it was found that out-of-range time values passed to the strftime function may cause it to crash, leading to a denial of service, or potentially disclosure information. (From OE-Core rev: cf747f0bbcd53af41a7f3981ac65c2b6b6e668f8) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-01-22 20:25:19 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-02-18 07:37:49 +0000
commit: c834ebc2acb1135d1b1179ee36858e3033d393e4 (patch)
tree: 7d28f7db74528801633d39cb3d9cc5ba38918644
parent: 842177a1130f10806f55a895bcf342c7332b1458 (diff)
download: poky-c834ebc2acb1135d1b1179ee36858e3033d393e4.tar.gz
2 files changed, 156 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
new file mode 100644
index 0000000000..684f344177
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
@@ -0,0 +1,155 @@
+From d36c75fc0d44deec29635dd239b0fbd206ca49b7 Mon Sep 17 00:00:00 2001
+From: Paul Pluzhnikov <ppluzhnikov@google.com>
+Date: Sat, 26 Sep 2015 13:27:48 -0700
+Subject: [PATCH] Fix BZ #18985 -- out of range data to strftime() causes a
+ segfault
+Upstream-Status: Backport
+CVE: CVE-2015-8776
+[Yocto # 8980]
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d36c75fc0d44deec29635dd239b0fbd206ca49b7
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ChangeLog           |  8 ++++++++
+ NEWS                |  2 +-
+ time/strftime_l.c   | 20 +++++++++++++-------
+ time/tst-strftime.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 4 files changed, 73 insertions(+), 9 deletions(-)
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
+++ git/ChangeLog
+@@ -1,3 +1,11 @@
+2015-09-26  Paul Pluzhnikov  <ppluzhnikov@google.com>
+
+       [BZ #18985]
+       * time/strftime_l.c (a_wkday, f_wkday, a_month, f_month): Range check.
+       (__strftime_internal): Likewise.
+       * time/tst-strftime.c (do_bz18985): New test.
+       (do_test): Call it.
+
+ 2015-12-04  Joseph Myers  <joseph@codesourcery.com>
+ 
+        [BZ #16961]
+Index: git/time/strftime_l.c
+===================================================================
+--- git.orig/time/strftime_l.c
+++ git/time/strftime_l.c
+@@ -514,13 +514,17 @@ __strftime_internal (s, maxsize, format,
+      only a few elements.  Dereference the pointers only if the format
+      requires this.  Then it is ok to fail if the pointers are invalid.  */
+ # define a_wkday \
+-  ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday))
+  ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6                             \
+                    ? "?" : _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday)))
+ # define f_wkday \
+-  ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday))
+  ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6                             \
+                    ? "?" : _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday)))
+ # define a_month \
+-  ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon))
+  ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11                      \
+                    ? "?" : _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon)))
+ # define f_month \
+-  ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon))
+  ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11                      \
+                    ? "?" : _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon)))
+ # define ampm \
+   ((const CHAR_T *) _NL_CURRENT (LC_TIME, tp->tm_hour > 11                   \
+                                 ? NLW(PM_STR) : NLW(AM_STR)))
+@@ -530,8 +534,10 @@ __strftime_internal (s, maxsize, format,
+ # define ap_len STRLEN (ampm)
+ #else
+ # if !HAVE_STRFTIME
+-#  define f_wkday (weekday_name[tp->tm_wday])
+-#  define f_month (month_name[tp->tm_mon])
+#  define f_wkday (tp->tm_wday < 0 || tp->tm_wday > 6  \
+                  ? "?" : weekday_name[tp->tm_wday])
+#  define f_month (tp->tm_mon < 0 || tp->tm_mon > 11   \
+                  ? "?" : month_name[tp->tm_mon])
+ #  define a_wkday f_wkday
+ #  define a_month f_month
+ #  define ampm (L_("AMPM") + 2 * (tp->tm_hour > 11))
+@@ -1325,7 +1331,7 @@ __strftime_internal (s, maxsize, format,
+                  *tzset_called = true;
+                }
+ # endif
+-             zone = tzname[tp->tm_isdst];
+             zone = tp->tm_isdst <= 1 ? tzname[tp->tm_isdst] : "?";
+            }
+ #endif
+          if (! zone)
+Index: git/time/tst-strftime.c
+===================================================================
+--- git.orig/time/tst-strftime.c
+++ git/time/tst-strftime.c
+@@ -4,6 +4,56 @@
+ #include <time.h>
+ 
+ 
+static int
+do_bz18985 (void)
+{
+  char buf[1000];
+  struct tm ttm;
+  int rc, ret = 0;
+
+  memset (&ttm, 1, sizeof (ttm));
+  ttm.tm_zone = NULL;  /* Dereferenced directly if non-NULL.  */
+  rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
+
+  if (rc == 66)
+    {
+      const char expected[]
+       = "? ? ? ? ? ? 16843009 16843009:16843009:16843009 16844909 +467836 ?";
+      if (0 != strcmp (buf, expected))
+       {
+         printf ("expected:\n  %s\ngot:\n  %s\n", expected, buf);
+         ret += 1;
+       }
+    }
+  else
+    {
+      printf ("expected 66, got %d\n", rc);
+      ret += 1;
+    }
+
+  /* Check negative values as well.  */
+  memset (&ttm, 0xFF, sizeof (ttm));
+  ttm.tm_zone = NULL;  /* Dereferenced directly if non-NULL.  */
+  rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
+
+  if (rc == 30)
+    {
+      const char expected[] = "? ? ? ? ? ? -1 -1:-1:-1 1899  ";
+      if (0 != strcmp (buf, expected))
+       {
+         printf ("expected:\n  %s\ngot:\n  %s\n", expected, buf);
+         ret += 1;
+       }
+    }
+  else
+    {
+      printf ("expected 30, got %d\n", rc);
+      ret += 1;
+    }
+
+  return ret;
+}
+
+ static struct
+ {
+   const char *fmt;
+@@ -104,7 +154,7 @@ do_test (void)
+        }
+     }
+ 
+-  return result;
+  return result + do_bz18985 ();
+ }
+ 
+ #define TEST_FUNCTION do_test ()
diff --git a/meta/recipes-core/glibc/glibc_2.22.bb b/meta/recipes-core/glibc/glibc_2.22.bb
index fd8ace69e9..e2134de423 100644
--- a/meta/recipes-core/glibc/glibc_2.22.bb
+++ b/meta/recipes-core/glibc/glibc_2.22.bb
@@ -47,6 +47,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://CVE-2015-8779.patch \
           file://CVE-2015-9761_1.patch \
           file://CVE-2015-9761_2.patch \
+           file://CVE-2015-8776.patch \
 "
 SRC_URI += "\
author	Armin Kuster <akuster@mvista.com>	2016-01-22 20:25:19 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-02-18 07:37:49 +0000
commit	c834ebc2acb1135d1b1179ee36858e3033d393e4 (patch)
tree	7d28f7db74528801633d39cb3d9cc5ba38918644
parent	842177a1130f10806f55a895bcf342c7332b1458 (diff)
download	poky-c834ebc2acb1135d1b1179ee36858e3033d393e4.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch new file mode 100644 index 0000000000..684f344177 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
@@ -0,0 +1,155 @@
		1	From d36c75fc0d44deec29635dd239b0fbd206ca49b7 Mon Sep 17 00:00:00 2001
		2	From: Paul Pluzhnikov <ppluzhnikov@google.com>
		3	Date: Sat, 26 Sep 2015 13:27:48 -0700
		4	Subject: [PATCH] Fix BZ #18985 -- out of range data to strftime() causes a
		5	segfault
		6
		7	Upstream-Status: Backport
		8	CVE: CVE-2015-8776
		9	[Yocto # 8980]
		10
		11	https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d36c75fc0d44deec29635dd239b0fbd206ca49b7
		12
		13	Signed-off-by: Armin Kuster <akuster@mvista.com>
		14
		15	---
		16	ChangeLog \| 8 ++++++++
		17	NEWS \| 2 +-
		18	time/strftime_l.c \| 20 +++++++++++++-------
		19	time/tst-strftime.c \| 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
		20	4 files changed, 73 insertions(+), 9 deletions(-)
		21
		22	Index: git/ChangeLog
		23	===================================================================
		24	--- git.orig/ChangeLog
		25	+++ git/ChangeLog
		26	@@ -1,3 +1,11 @@
		27	+2015-09-26 Paul Pluzhnikov <ppluzhnikov@google.com>
		28	+
		29	+ [BZ #18985]
		30	+ * time/strftime_l.c (a_wkday, f_wkday, a_month, f_month): Range check.
		31	+ (__strftime_internal): Likewise.
		32	+ * time/tst-strftime.c (do_bz18985): New test.
		33	+ (do_test): Call it.
		34	+
		35	2015-12-04 Joseph Myers <joseph@codesourcery.com>
		36
		37	[BZ #16961]
		38	Index: git/time/strftime_l.c
		39	===================================================================
		40	--- git.orig/time/strftime_l.c
		41	+++ git/time/strftime_l.c
		42	@@ -514,13 +514,17 @@ __strftime_internal (s, maxsize, format,
		43	only a few elements. Dereference the pointers only if the format
		44	requires this. Then it is ok to fail if the pointers are invalid. */
		45	# define a_wkday \
		46	- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday))
		47	+ ((const CHAR_T *) (tp->tm_wday < 0 \|\| tp->tm_wday > 6 \
		48	+ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday)))
		49	# define f_wkday \
		50	- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday))
		51	+ ((const CHAR_T *) (tp->tm_wday < 0 \|\| tp->tm_wday > 6 \
		52	+ ? "?" : _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday)))
		53	# define a_month \
		54	- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon))
		55	+ ((const CHAR_T *) (tp->tm_mon < 0 \|\| tp->tm_mon > 11 \
		56	+ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon)))
		57	# define f_month \
		58	- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon))
		59	+ ((const CHAR_T *) (tp->tm_mon < 0 \|\| tp->tm_mon > 11 \
		60	+ ? "?" : _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon)))
		61	# define ampm \
		62	((const CHAR_T *) _NL_CURRENT (LC_TIME, tp->tm_hour > 11 \
		63	? NLW(PM_STR) : NLW(AM_STR)))
		64	@@ -530,8 +534,10 @@ __strftime_internal (s, maxsize, format,
		65	# define ap_len STRLEN (ampm)
		66	#else
		67	# if !HAVE_STRFTIME
		68	-# define f_wkday (weekday_name[tp->tm_wday])
		69	-# define f_month (month_name[tp->tm_mon])
		70	+# define f_wkday (tp->tm_wday < 0 \|\| tp->tm_wday > 6 \
		71	+ ? "?" : weekday_name[tp->tm_wday])
		72	+# define f_month (tp->tm_mon < 0 \|\| tp->tm_mon > 11 \
		73	+ ? "?" : month_name[tp->tm_mon])
		74	# define a_wkday f_wkday
		75	# define a_month f_month
		76	# define ampm (L_("AMPM") + 2 * (tp->tm_hour > 11))
		77	@@ -1325,7 +1331,7 @@ __strftime_internal (s, maxsize, format,
		78	*tzset_called = true;
		79	}
		80	# endif
		81	- zone = tzname[tp->tm_isdst];
		82	+ zone = tp->tm_isdst <= 1 ? tzname[tp->tm_isdst] : "?";
		83	}
		84	#endif
		85	if (! zone)
		86	Index: git/time/tst-strftime.c
		87	===================================================================
		88	--- git.orig/time/tst-strftime.c
		89	+++ git/time/tst-strftime.c
		90	@@ -4,6 +4,56 @@
		91	#include <time.h>
		92
		93
		94	+static int
		95	+do_bz18985 (void)
		96	+{
		97	+ char buf[1000];
		98	+ struct tm ttm;
		99	+ int rc, ret = 0;
		100	+
		101	+ memset (&ttm, 1, sizeof (ttm));
		102	+ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */
		103	+ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
		104	+
		105	+ if (rc == 66)
		106	+ {
		107	+ const char expected[]
		108	+ = "? ? ? ? ? ? 16843009 16843009:16843009:16843009 16844909 +467836 ?";
		109	+ if (0 != strcmp (buf, expected))
		110	+ {
		111	+ printf ("expected:\n %s\ngot:\n %s\n", expected, buf);
		112	+ ret += 1;
		113	+ }
		114	+ }
		115	+ else
		116	+ {
		117	+ printf ("expected 66, got %d\n", rc);
		118	+ ret += 1;
		119	+ }
		120	+
		121	+ /* Check negative values as well. */
		122	+ memset (&ttm, 0xFF, sizeof (ttm));
		123	+ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */
		124	+ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
		125	+
		126	+ if (rc == 30)
		127	+ {
		128	+ const char expected[] = "? ? ? ? ? ? -1 -1:-1:-1 1899 ";
		129	+ if (0 != strcmp (buf, expected))
		130	+ {
		131	+ printf ("expected:\n %s\ngot:\n %s\n", expected, buf);
		132	+ ret += 1;
		133	+ }
		134	+ }
		135	+ else
		136	+ {
		137	+ printf ("expected 30, got %d\n", rc);
		138	+ ret += 1;
		139	+ }
		140	+
		141	+ return ret;
		142	+}
		143	+
		144	static struct
		145	{
		146	const char *fmt;
		147	@@ -104,7 +154,7 @@ do_test (void)
		148	}
		149	}
		150
		151	- return result;
		152	+ return result + do_bz18985 ();
		153	}
		154
		155	#define TEST_FUNCTION do_test ()


diff --git a/meta/recipes-core/glibc/glibc_2.22.bb b/meta/recipes-core/glibc/glibc_2.22.bb index fd8ace69e9..e2134de423 100644 --- a/meta/recipes-core/glibc/glibc_2.22.bb +++ b/meta/recipes-core/glibc/glibc_2.22.bb
@@ -47,6 +47,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
47	file://CVE-2015-8779.patch \	47	file://CVE-2015-8779.patch \
48	file://CVE-2015-9761_1.patch \	48	file://CVE-2015-9761_1.patch \
49	file://CVE-2015-9761_2.patch \	49	file://CVE-2015-9761_2.patch \
		50	file://CVE-2015-8776.patch \
50	"	51	"
51		52
52	SRC_URI += "\	53	SRC_URI += "\