[oe-commits] [openembedded-core] 12/12: glibc: Update to tip of 2.26
git at git.openembedded.org
git at git.openembedded.org
Tue Feb 27 15:51:43 UTC 2018
This is an automated email from the git hooks/post-receive script.
rpurdie pushed a commit to branch rocko
in repository openembedded-core.
commit cb7cf1d12377d3b9a1cc159b68fc1d841004e6dd
Author: Khem Raj <raj.khem at gmail.com>
AuthorDate: Tue Feb 20 19:12:49 2018 -0800
glibc: Update to tip of 2.26
This will make it easy to backport to rocko if needed after 2.27 is landed in master
plus it fixes the aarch64 build issue seen with binutils 2.30
(From OE-Core rev: 774e372d95c9082766477ea6dbfcd10c48ac4658)
Signed-off-by: Khem Raj <raj.khem at gmail.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
[fixup to align with rocko context]
Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
.../glibc/cross-localedef-native_2.26.bb | 2 +-
meta/recipes-core/glibc/glibc/CVE-2017-15671.patch | 66 ---------
meta/recipes-core/glibc/glibc/CVE-2017-16997.patch | 150 ---------------------
meta/recipes-core/glibc/glibc/CVE-2017-17426.patch | 80 -----------
meta/recipes-core/glibc/glibc_2.26.bb | 8 +-
5 files changed, 2 insertions(+), 304 deletions(-)
diff --git a/meta/recipes-core/glibc/cross-localedef-native_2.26.bb b/meta/recipes-core/glibc/cross-localedef-native_2.26.bb
index fc5d70d..af02a0c 100644
--- a/meta/recipes-core/glibc/cross-localedef-native_2.26.bb
+++ b/meta/recipes-core/glibc/cross-localedef-native_2.26.bb
@@ -21,7 +21,7 @@ SRCBRANCH ?= "release/${PV}/master"
GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+(\.\d+)*)"
-SRCREV_glibc ?= "1c9a5c270d8b66f30dcfaf1cb2d6cf39d3e18369"
+SRCREV_glibc ?= "d300041c533a3d837c9f37a099bcc95466860e98"
SRCREV_localedef ?= "dfb4afe551c6c6e94f9cc85417bd1f582168c843"
SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch b/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch
deleted file mode 100644
index 3569282..0000000
--- a/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From f1cf98b583787cfb6278baea46e286a0ee7567fd Mon Sep 17 00:00:00 2001
-From: Paul Eggert <eggert at cs.ucla.edu>
-Date: Sun, 22 Oct 2017 10:00:57 +0200
-Subject: [PATCH] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ
- #22332]
-
-(cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)
-
-Upstream-Status: Backport
-CVE: CVE-2017-15671
-Signed-off-by: Armin Kuster <akuster at mvista.com>
-
----
- ChangeLog | 6 ++++++
- NEWS | 4 ++++
- posix/glob.c | 4 ++--
- 3 files changed, 12 insertions(+), 2 deletions(-)
-
-Index: git/NEWS
-===================================================================
---- git.orig/NEWS
-+++ git/NEWS
-@@ -211,6 +211,10 @@ Security related changes:
- on the stack or the heap, depending on the length of the user name).
- Reported by Tim Rühsen.
-
-+ The glob function, when invoked with GLOB_TILDE and without
-+ GLOB_NOESCAPE, could write past the end of a buffer while
-+ unescaping user names. Reported by Tim Rühsen.
-+
- The following bugs are resolved with this release:
-
- [984] network: Respond to changed resolv.conf in gethostbyname
-Index: git/posix/glob.c
-===================================================================
---- git.orig/posix/glob.c
-+++ git/posix/glob.c
-@@ -823,11 +823,11 @@ glob (const char *pattern, int flags, in
- char *p = mempcpy (newp, dirname + 1,
- unescape - dirname - 1);
- char *q = unescape;
-- while (*q != '\0')
-+ while (q != end_name)
- {
- if (*q == '\\')
- {
-- if (q[1] == '\0')
-+ if (q + 1 == end_name)
- {
- /* "~fo\\o\\" unescape to user_name "foo\\",
- but "~fo\\o\\/" unescape to user_name
-Index: git/ChangeLog
-===================================================================
---- git.orig/ChangeLog
-+++ git/ChangeLog
-@@ -1,5 +1,10 @@
-+
- 2017-10-20 Paul Eggert <eggert at cs.ucla.edu>
-
-+ [BZ #22332]
-+ * posix/glob.c (__glob): Fix buffer overflow during GLOB_TILDE
-+ unescaping.
-+
- [BZ #22320]
- CVE-2017-15670
- * posix/glob.c (__glob): Fix one-byte overflow.
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch b/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch
deleted file mode 100644
index 38731e4..0000000
--- a/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch
+++ /dev/null
@@ -1,150 +0,0 @@
-From 4ebd0c4191c6073cc8a7c5fdcf1d182c4719bcbb Mon Sep 17 00:00:00 2001
-From: Aurelien Jarno <aurelien at aurel32.net>
-Date: Sat, 30 Dec 2017 10:54:23 +0100
-Subject: [PATCH] elf: Check for empty tokens before dynamic string token
- expansion [BZ #22625]
-
-The fillin_rpath function in elf/dl-load.c loops over each RPATH or
-RUNPATH tokens and interprets empty tokens as the current directory
-("./"). In practice the check for empty token is done *after* the
-dynamic string token expansion. The expansion process can return an
-empty string for the $ORIGIN token if __libc_enable_secure is set
-or if the path of the binary can not be determined (/proc not mounted).
-
-Fix that by moving the check for empty tokens before the dynamic string
-token expansion. In addition, check for NULL pointer or empty strings
-return by expand_dynamic_string_token.
-
-The above changes highlighted a bug in decompose_rpath, an empty array
-is represented by the first element being NULL at the fillin_rpath
-level, but by using a -1 pointer in decompose_rpath and other functions.
-
-Changelog:
- [BZ #22625]
- * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
- string token expansion. Check for NULL pointer or empty string possibly
- returned by expand_dynamic_string_token.
- (decompose_rpath): Check for empty path after dynamic string
- token expansion.
-(cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)
-
-Upstream-Status: Backport
-CVE: CVE-2017-16997
-Signed-off-by: Armin Kuster <akuster at mvista.com>
-
----
- ChangeLog | 10 ++++++++++
- NEWS | 4 ++++
- elf/dl-load.c | 49 +++++++++++++++++++++++++++++++++----------------
- 3 files changed, 47 insertions(+), 16 deletions(-)
-
-Index: git/NEWS
-===================================================================
---- git.orig/NEWS
-+++ git/NEWS
-@@ -215,6 +215,10 @@ Security related changes:
- GLOB_NOESCAPE, could write past the end of a buffer while
- unescaping user names. Reported by Tim Rühsen.
-
-+ CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
-+ for AT_SECURE or SUID binaries could be used to load libraries from the
-+ current directory.
-+
- The following bugs are resolved with this release:
-
- [984] network: Respond to changed resolv.conf in gethostbyname
-Index: git/elf/dl-load.c
-===================================================================
---- git.orig/elf/dl-load.c
-+++ git/elf/dl-load.c
-@@ -433,32 +433,41 @@ fillin_rpath (char *rpath, struct r_sear
- {
- char *cp;
- size_t nelems = 0;
-- char *to_free;
-
- while ((cp = __strsep (&rpath, sep)) != NULL)
- {
- struct r_search_path_elem *dirp;
-+ char *to_free = NULL;
-+ size_t len = 0;
-
-- to_free = cp = expand_dynamic_string_token (l, cp, 1);
-+ /* `strsep' can pass an empty string. */
-+ if (*cp != '\0')
-+ {
-+ to_free = cp = expand_dynamic_string_token (l, cp, 1);
-
-- size_t len = strlen (cp);
-+ /* expand_dynamic_string_token can return NULL in case of empty
-+ path or memory allocation failure. */
-+ if (cp == NULL)
-+ continue;
-+
-+ /* Compute the length after dynamic string token expansion and
-+ ignore empty paths. */
-+ len = strlen (cp);
-+ if (len == 0)
-+ {
-+ free (to_free);
-+ continue;
-+ }
-
-- /* `strsep' can pass an empty string. This has to be
-- interpreted as `use the current directory'. */
-- if (len == 0)
-- {
-- static const char curwd[] = "./";
-- cp = (char *) curwd;
-+ /* Remove trailing slashes (except for "/"). */
-+ while (len > 1 && cp[len - 1] == '/')
-+ --len;
-+
-+ /* Now add one if there is none so far. */
-+ if (len > 0 && cp[len - 1] != '/')
-+ cp[len++] = '/';
- }
-
-- /* Remove trailing slashes (except for "/"). */
-- while (len > 1 && cp[len - 1] == '/')
-- --len;
--
-- /* Now add one if there is none so far. */
-- if (len > 0 && cp[len - 1] != '/')
-- cp[len++] = '/';
--
- /* Make sure we don't use untrusted directories if we run SUID. */
- if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))
- {
-@@ -621,6 +630,14 @@ decompose_rpath (struct r_search_path_st
- necessary. */
- free (copy);
-
-+ /* There is no path after expansion. */
-+ if (result[0] == NULL)
-+ {
-+ free (result);
-+ sps->dirs = (struct r_search_path_elem **) -1;
-+ return false;
-+ }
-+
- sps->dirs = result;
- /* The caller will change this value if we haven't used a real malloc. */
- sps->malloced = 1;
-Index: git/ChangeLog
-===================================================================
---- git.orig/ChangeLog
-+++ git/ChangeLog
-@@ -1,3 +1,12 @@
-+2017-12-30 Aurelien Jarno <aurelien at aurel32.net>
-+ Dmitry V. Levin <ldv at altlinux.org>
-+
-+ [BZ #22625]
-+ * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
-+ string token expansion. Check for NULL pointer or empty string possibly
-+ returned by expand_dynamic_string_token.
-+ (decompose_rpath): Check for empty path after dynamic string
-+ token expansion.
-
- 2017-10-20 Paul Eggert <eggert at cs.ucla.edu>
-
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch b/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch
deleted file mode 100644
index c7d1cb8..0000000
--- a/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From df8c219cb987cfe85c550efa693a1383a11e38aa Mon Sep 17 00:00:00 2001
-From: Arjun Shankar <arjun at redhat.com>
-Date: Thu, 30 Nov 2017 13:31:45 +0100
-Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ
- #22375]
-
-When the per-thread cache is enabled, __libc_malloc uses request2size (which
-does not perform an overflow check) to calculate the chunk size from the
-requested allocation size. This leads to an integer overflow causing malloc
-to incorrectly return the last successfully allocated block when called with
-a very large size argument (close to SIZE_MAX).
-
-This commit uses checked_request2size instead, removing the overflow.
-
-(cherry picked from commit 34697694e8a93b325b18f25f7dcded55d6baeaf6)
-
-Upstream-Status: Backport
-CVE: CVE-2017-17426
-Signed-off-by: Armin Kuster <akuster at mvista.com>
-
----
- ChangeLog | 7 +++++++
- NEWS | 6 ++++++
- malloc/malloc.c | 3 ++-
- 3 files changed, 15 insertions(+), 1 deletion(-)
-
-Index: git/NEWS
-===================================================================
---- git.orig/NEWS
-+++ git/NEWS
-@@ -4,6 +4,8 @@ See the end for copying conditions.
-
- Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
- using `glibc' in the "product" field.
-+
-+[22375] malloc returns pointer from tcache instead of NULL (CVE-2017-17426)
- �
- Version 2.26
-
-@@ -215,6 +217,11 @@ Security related changes:
- for AT_SECURE or SUID binaries could be used to load libraries from the
- current directory.
-
-+ CVE-2017-17426: The malloc function, when called with an object size near
-+ the value SIZE_MAX, would return a pointer to a buffer which is too small,
-+ instead of NULL. This was a regression introduced with the new malloc
-+ thread cache in glibc 2.26. Reported by Iain Buclaw.
-+
- The following bugs are resolved with this release:
-
- [984] network: Respond to changed resolv.conf in gethostbyname
-Index: git/malloc/malloc.c
-===================================================================
---- git.orig/malloc/malloc.c
-+++ git/malloc/malloc.c
-@@ -3050,7 +3050,8 @@ __libc_malloc (size_t bytes)
- return (*hook)(bytes, RETURN_ADDRESS (0));
- #if USE_TCACHE
- /* int_free also calls request2size, be careful to not pad twice. */
-- size_t tbytes = request2size (bytes);
-+ size_t tbytes;
-+ checked_request2size (bytes, tbytes);
- size_t tc_idx = csize2tidx (tbytes);
-
- MAYBE_INIT_TCACHE ();
-Index: git/ChangeLog
-===================================================================
---- git.orig/ChangeLog
-+++ git/ChangeLog
-@@ -1,3 +1,10 @@
-+2017-11-30 Arjun Shankar <arjun at redhat.com>
-+
-+ [BZ #22375]
-+ CVE-2017-17426
-+ * malloc/malloc.c (__libc_malloc): Use checked_request2size
-+ instead of request2size.
-+
- 2017-12-30 Aurelien Jarno <aurelien at aurel32.net>
- Dmitry V. Levin <ldv at altlinux.org>
-
diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb
index 8c0eb98..464b654 100644
--- a/meta/recipes-core/glibc/glibc_2.26.bb
+++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
DEPENDS += "gperf-native bison-native"
-SRCREV ?= "1c9a5c270d8b66f30dcfaf1cb2d6cf39d3e18369"
+SRCREV ?= "d300041c533a3d837c9f37a099bcc95466860e98"
SRCBRANCH ?= "release/${PV}/master"
@@ -40,14 +40,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://0023-Define-DUMMY_LOCALE_T-if-not-defined.patch \
file://0024-elf-dl-deps.c-Make-_dl_build_local_scope-breadth-fir.patch \
file://0025-locale-fix-hard-coded-reference-to-gcc-E.patch \
- file://0026-assert-Suppress-pedantic-warning-caused-by-statement.patch \
file://0027-glibc-reset-dl-load-write-lock-after-forking.patch \
file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \
- file://CVE-2017-15670.patch \
- file://CVE-2017-15671.patch \
- file://0029-assert-Support-types-without-operator-int-BZ-21972.patch \
- file://CVE-2017-16997.patch \
- file://CVE-2017-17426.patch \
"
NATIVESDKFIXES ?= ""
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
More information about the Openembedded-commits
mailing list