This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/17048] posix_spawn_file_actions_addopen fails to copy the path argument (CVE-2014-4043)


https://sourceware.org/bugzilla/show_bug.cgi?id=17048

--- Comment #8 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.19/master has been updated
       via  daea1a9b2ab9ad1690a2770006f5964e188be11f (commit)
       via  b8d0acdb33866d0f67ee8a019bdbdaa6a00d0c99 (commit)
       via  92b410973f872297e0c1bfda06abead4b0a265d1 (commit)
       via  424f645c513d56a5b8323971197e3afa1ed8f003 (commit)
       via  75f66fe467b280d9fb192d3f32e06e4b20d12dcc (commit)
       via  ac39af9f195138a01b836fb4a30bd971de4aa163 (commit)
       via  2da15d05c54738ed2c53aaf555c7cf51a9057844 (commit)
       via  6ccc1c41f52f93548b5eb64d106219e287052472 (commit)
       via  4e27332819b6151ccb5031d0efd718d802168573 (commit)
       via  9583c3542133be925467c87df7f74882783d867d (commit)
       via  2ce47f454b6f1df5d2374fcac1b72e65e5f55a67 (commit)
       via  1f542fe398a1d02cce53d78f7a33e72078e7d4e9 (commit)
       via  d3b2d64576fcc1281841a48740f5f481d1b46a90 (commit)
       via  40da893a143224b0a41a004eb5e971fc5d94381b (commit)
       via  3a4f226eaf6aff5529711f7fa3885a1cec815c32 (commit)
       via  efbeb31ba5277132b683011714f8e77bc2156aa2 (commit)
       via  968b59ad2aecdbe67ac5016c395a7e38fd682bb7 (commit)
       via  29fd33140d964e0e08207ceecbf479b85658fcb8 (commit)
       via  8ec14bdc9c600cc273b242ebca6566fe15de107d (commit)
       via  e698ea2c03ddfdfa87459c1a0e53e2a4289de0fa (commit)
      from  344e61df0200af758e794b9843ffb37bd89e5259 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=daea1a9b2ab9ad1690a2770006f5964e188be11f

commit daea1a9b2ab9ad1690a2770006f5964e188be11f
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Sep 3 19:45:43 2014 +0200

    CVE-2014-6040: Crashes on invalid input in IBM gconv modules [BZ #17325]

    These changes are based on the fix for BZ #14134 in commit
    6e230d11837f3ae7b375ea69d7905f0d18eb79e5.

    (cherry picked from commit 41488498b6d9440ee66ab033808cce8323bba7ac)

    Conflicts:
        NEWS
        iconvdata/Makefile

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b8d0acdb33866d0f67ee8a019bdbdaa6a00d0c99

commit b8d0acdb33866d0f67ee8a019bdbdaa6a00d0c99
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Aug 26 19:38:59 2014 +0200

    __gconv_translit_find: Disable function [BZ #17187]

    This functionality has never worked correctly, and the implementation
    contained a security vulnerability (CVE-2014-5119).

    (cherry picked from commit a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8)
    (cherry picked from commit f9df71e895d3552d557e783fdb9d133328195645)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=92b410973f872297e0c1bfda06abead4b0a265d1

commit 92b410973f872297e0c1bfda06abead4b0a265d1
Author: Stefan Liebler <stli@linux.vnet.ibm.com>
Date:   Fri Aug 1 09:48:17 2014 +0200

    NEWS: Explain the s390 jmp_buf / ucontext_t ABI change reversal.

    (cherry picked from commit 95ee7fb13ba99ba265b49531c57e1cb8db629bc6)

    Typo fix as in commit 45ef66289acbab17278a73512f9b2a9d8a7ca79d and
    NEWS entry adjusted to reflect revert occurring in 2.19.1 and 2.20.

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=424f645c513d56a5b8323971197e3afa1ed8f003

commit 424f645c513d56a5b8323971197e3afa1ed8f003
Author: Stefan Liebler <stli@linux.vnet.ibm.com>
Date:   Thu Aug 28 16:53:13 2014 +1000

    S/390: Revert the jmp_buf/ucontext_t ABI change

    Backport of commit 2f438e20ab591641760e97458d5d1569942eced5

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=75f66fe467b280d9fb192d3f32e06e4b20d12dcc

commit 75f66fe467b280d9fb192d3f32e06e4b20d12dcc
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed May 28 14:05:03 2014 +0200

    manual: Update the locale documentation

    (cherry picked from commit 585367266923156ac6fb789939a923641ba5aaf4)

    Conflicts:
        manual/locale.texi

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ac39af9f195138a01b836fb4a30bd971de4aa163

commit ac39af9f195138a01b836fb4a30bd971de4aa163
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon May 12 15:24:12 2014 +0200

    _nl_find_locale: Improve handling of crafted locale names [BZ #17137]

    Prevent directory traversal in locale-related environment variables
    (CVE-2014-0475).

    (cherry picked from commit 4e8f95a0df7c2300b830ec12c0ae1e161bc8a8a3)

    Additional backporting fixes:
      Added tst-setlocale3-ENV to localedata/Makefile

    Conflicts:
        NEWS
        localedata/Makefile

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2da15d05c54738ed2c53aaf555c7cf51a9057844

commit 2da15d05c54738ed2c53aaf555c7cf51a9057844
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed May 28 14:41:52 2014 +0200

    setlocale: Use the heap for the copy of the locale argument

    This avoids alloca calls with potentially large arguments.

    (cherry picked from commit d183645616b0533b3acee28f1a95570bffbdf50f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6ccc1c41f52f93548b5eb64d106219e287052472

commit 6ccc1c41f52f93548b5eb64d106219e287052472
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Mon May 26 11:40:08 2014 +0530

    Use NSS_STATUS_TRYAGAIN to indicate insufficient buffer (BZ #16878)

    The netgroups nss modules in the glibc tree use NSS_STATUS_UNAVAIL
    (with errno as ERANGE) when the supplied buffer does not have
    sufficient space for the result.  This is wrong, because the canonical
    way to indicate insufficient buffer is to set the errno to ERANGE and
    the status to NSS_STATUS_TRYAGAIN, as is used by all other modules.

    This fixes nscd behaviour when the nss_ldap module returns
    NSS_STATUS_TRYAGAIN to indicate that a netgroup entry is too long to
    fit into the supplied buffer.

    (cherry picked from commit c3ec475c5dd16499aa040908e11d382c3ded9692)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4e27332819b6151ccb5031d0efd718d802168573

commit 4e27332819b6151ccb5031d0efd718d802168573
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Wed Mar 12 17:27:22 2014 +0530

    Provide correct buffer length to netgroup queries in nscd (BZ #16695)

    The buffer to query netgroup entries is allocated sufficient space for
    the netgroup entries and the key to be appended at the end, but it
    sends in an incorrect available length to the NSS netgroup query
    functions, resulting in overflow of the buffer in some special cases.
    The fix here is to factor in the key length when sending the available
    buffer and buffer length to the query functions.

    (cherry picked from commit c44496df2f090a56d3bf75df930592dac6bba46f)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9583c3542133be925467c87df7f74882783d867d

commit 9583c3542133be925467c87df7f74882783d867d
Author: Maciej W. Rozycki <macro@codesourcery.com>
Date:   Fri Jun 20 21:52:53 2014 +0100

    [BZ #16046] dl_iterate_phdr static executable test

    (cherry picked from commit 257ce7127e2f64a6a959b146786cd43de0e42b5f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2ce47f454b6f1df5d2374fcac1b72e65e5f55a67

commit 2ce47f454b6f1df5d2374fcac1b72e65e5f55a67
Author: Andreas Schwab <schwab@linux-m68k.org>
Date:   Fri Jun 20 12:41:27 2014 +0200

    Fix another memory leak in regexp compiler (BZ #17069)

    (cherry picked from commit aa6ec754f3b4b1df81d186480c534b6486a1e6ee)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1f542fe398a1d02cce53d78f7a33e72078e7d4e9

commit 1f542fe398a1d02cce53d78f7a33e72078e7d4e9
Author: Andreas Schwab <schwab@linux-m68k.org>
Date:   Thu Jun 19 15:38:03 2014 +0200

    Fix memory leak in regexp compiler (BZ #17069)

    (cherry picked from commit 4d43ef1e7434d7d419afbcd754931cb0c794763c)

    Conflicts:
        posix/Makefile

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d3b2d64576fcc1281841a48740f5f481d1b46a90

commit d3b2d64576fcc1281841a48740f5f481d1b46a90
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon May 26 18:01:31 2014 +0200

    Fix invalid file descriptor reuse while sending DNS query (BZ #15946)

    (cherry picked from commit f9d2d03254a58d92635a311a42253eeed5a40a47)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=40da893a143224b0a41a004eb5e971fc5d94381b

commit 40da893a143224b0a41a004eb5e971fc5d94381b
Author: Andreas Schwab <schwab@suse.de>
Date:   Tue Feb 18 10:57:25 2014 +0100

    Properly fix memory leak in _nss_dns_gethostbyname4_r with big DNS answer

    Instead of trying to guess whether the second buffer needs to be freed,
    set a flag at the place it is allocated.

    (cherry picked from commit ab09bf616ad527b249aca5f2a4956fd526f0712f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3a4f226eaf6aff5529711f7fa3885a1cec815c32

commit 3a4f226eaf6aff5529711f7fa3885a1cec815c32
Author: Ondřej Bílka <neleai@seznam.cz>
Date:   Sun Feb 16 12:59:23 2014 +0100

    Deduplicate resolv/nss_dns/dns-host.c

    In resolv/nss_dns/dns-host.c one of the code paths duplicated the code
    that follows it. We merge these paths.

    (cherry picked from commit ab7ac0f2cf8731fe4c3f3aea6088a7c0127b5725)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=efbeb31ba5277132b683011714f8e77bc2156aa2

commit efbeb31ba5277132b683011714f8e77bc2156aa2
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu Feb 13 11:01:57 2014 +0100

    Fix memory leak in _nss_dns_gethostbyname4_r with big DNS answer

    (cherry picked from commit d668061994a7486a3ba9c7d5e7882d85a2883707)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=968b59ad2aecdbe67ac5016c395a7e38fd682bb7

commit 968b59ad2aecdbe67ac5016c395a7e38fd682bb7
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu May 8 16:53:01 2014 +0200

    Fix unbound stack use in NIS NSS module

    (cherry picked from commit 315eb1d86aea489cd6325fd1c2521dcfb4fc0e1c)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=29fd33140d964e0e08207ceecbf479b85658fcb8

commit 29fd33140d964e0e08207ceecbf479b85658fcb8
Author: Allan McRae <allan@archlinux.org>
Date:   Sat Jun 21 17:23:55 2014 +1000

    Mention CVE-2014-4043 in NEWS

    (cherry picked from commit d03efb2f979defd473955a455d66b949961d26b2)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8ec14bdc9c600cc273b242ebca6566fe15de107d

commit 8ec14bdc9c600cc273b242ebca6566fe15de107d
Author: Stefan Liebler <stli@linux.vnet.ibm.com>
Date:   Thu Jun 12 14:15:25 2014 +0200

    posix_spawn_faction_addopen: Add missing string.h include directive

    This is needed to avoid a PLT call on s390.

    (cherry picked from commit 35a5e3e338ae17f3d42c60a708763c5d498fb840)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e698ea2c03ddfdfa87459c1a0e53e2a4289de0fa

commit e698ea2c03ddfdfa87459c1a0e53e2a4289de0fa
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Jun 11 23:12:52 2014 +0200

    posix_spawn_file_actions_addopen needs to copy the path argument (BZ 17048)

    POSIX requires that we make a copy, so we allocate a new string
    and free it in posix_spawn_file_actions_destroy.

    Reported by David Reid, Alex Gaynor, and Glyph Lefkowitz.  This bug
    may have security implications.

    (cherry picked from commit 89e435f3559c53084498e9baad22172b64429362)

    Conflicts:
        NEWS

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                          |  247 ++++++++++++++++++++
 NEWS                                               |   40 +++-
 elf/Makefile                                       |    2 +-
 elf/tst-dl-iter-static.c                           |   47 ++++
 iconv/gconv_trans.c                                |  177 +--------------
 iconvdata/Makefile                                 |    1 +
 iconvdata/ibm1364.c                                |    3 +-
 iconvdata/ibm932.c                                 |    5 +-
 iconvdata/ibm933.c                                 |    2 +-
 iconvdata/ibm935.c                                 |    2 +-
 iconvdata/ibm937.c                                 |    2 +-
 iconvdata/ibm939.c                                 |    2 +-
 iconvdata/ibm943.c                                 |    5 +-
 iconvdata/run-iconv-test.sh                        |   18 ++
 include/resolv.h                                   |    6 +-
 locale/findlocale.c                                |   74 +++++-
 locale/setlocale.c                                 |   14 +-
 localedata/ChangeLog                               |    6 +
 localedata/Makefile                                |    5 +-
 localedata/tst-setlocale3.c                        |  203 ++++++++++++++++
 manual/locale.texi                                 |  146 +++++++++---
 nis/nss_nis/nis-hosts.c                            |   14 ++
 nis/nss_nis/nis-initgroups.c                       |    7 +
 nis/nss_nis/nis-network.c                          |    7 +
 nis/nss_nis/nis-service.c                          |   14 ++
 nptl/sysdeps/unix/sysv/linux/s390/pt-longjmp.c     |   71 ++----
 nscd/netgroupcache.c                               |   16 +-
 nss/nss_files/files-netgrp.c                       |    2 +-
 posix/Makefile                                     |   10 +-
 posix/bug-regex36.c                                |   29 +++
 posix/regcomp.c                                    |   19 ++-
 posix/spawn_faction_addopen.c                      |   14 +-
 posix/spawn_faction_destroy.c                      |   22 ++-
 posix/spawn_int.h                                  |    2 +-
 posix/tst-spawn.c                                  |   10 +-
 resolv/gethnamaddr.c                               |    6 +-
 resolv/nss_dns/dns-canon.c                         |    2 +-
 resolv/nss_dns/dns-host.c                          |   32 ++--
 resolv/nss_dns/dns-network.c                       |    4 +-
 resolv/res_query.c                                 |   45 ++--
 resolv/res_send.c                                  |   22 ++-
 sysdeps/s390/Makefile                              |    9 -
 sysdeps/s390/Versions                              |    6 +-
 sysdeps/s390/__longjmp.c                           |   31 ---
 sysdeps/s390/bits/setjmp.h                         |    4 -
 sysdeps/s390/longjmp.c                             |   68 ++----
 sysdeps/s390/rtld-__longjmp.c                      |   19 --
 sysdeps/s390/rtld-global-offsets.sym               |    7 -
 sysdeps/s390/rtld-setjmp.S                         |   20 --
 sysdeps/s390/s390-32/__longjmp-common.c            |   68 ------
 sysdeps/s390/s390-32/__longjmp.c                   |   68 ++++++
 sysdeps/s390/s390-32/setjmp-common.S               |   84 -------
 sysdeps/s390/s390-32/setjmp.S                      |  111 +++++++++
 sysdeps/s390/s390-64/__longjmp-common.c            |   74 ------
 sysdeps/s390/s390-64/__longjmp.c                   |   74 ++++++
 sysdeps/s390/s390-64/setjmp-common.S               |   79 -------
 sysdeps/s390/s390-64/setjmp.S                      |  106 +++++++++
 sysdeps/s390/setjmp.S                              |   64 -----
 sysdeps/s390/sigjmp.c                              |   34 ---
 sysdeps/s390/v1-longjmp.c                          |   57 -----
 sysdeps/s390/v1-setjmp.h                           |  111 ---------
 sysdeps/s390/v1-sigjmp.c                           |   44 ----
 sysdeps/unix/sysv/linux/s390/Makefile              |    6 -
 sysdeps/unix/sysv/linux/s390/getcontext.S          |   38 ---
 sysdeps/unix/sysv/linux/s390/longjmp_chk.c         |   36 ++--
 sysdeps/unix/sysv/linux/s390/rtld-getcontext.S     |   19 --
 .../unix/sysv/linux/s390/s390-32/____longjmp_chk.c |   24 +--
 .../sysv/linux/s390/s390-32/getcontext-common.S    |  112 ---------
 sysdeps/unix/sysv/linux/s390/s390-32/getcontext.S  |   86 +++++++
 .../unix/sysv/linux/s390/s390-32/nptl/libc.abilist |    1 -
 sysdeps/unix/sysv/linux/s390/s390-32/setcontext.S  |   10 +-
 sysdeps/unix/sysv/linux/s390/s390-32/swapcontext.S |   24 +--
 .../unix/sysv/linux/s390/s390-32/ucontext_i.sym    |   26 --
 .../unix/sysv/linux/s390/s390-64/____longjmp_chk.c |   25 +--
 .../sysv/linux/s390/s390-64/getcontext-common.S    |   79 -------
 sysdeps/unix/sysv/linux/s390/s390-64/getcontext.S  |   86 +++++++
 .../unix/sysv/linux/s390/s390-64/nptl/libc.abilist |    1 -
 sysdeps/unix/sysv/linux/s390/s390-64/swapcontext.S |   14 +-
 sysdeps/unix/sysv/linux/s390/sys/ucontext.h        |   13 -
 .../sysv/linux/s390/{s390-64 => }/ucontext_i.sym   |    0
 sysdeps/unix/sysv/linux/s390/v1-longjmp_chk.c      |   35 ---
 81 files changed, 1598 insertions(+), 1530 deletions(-)
 create mode 100644 elf/tst-dl-iter-static.c
 create mode 100644 localedata/tst-setlocale3.c
 create mode 100644 posix/bug-regex36.c
 delete mode 100644 sysdeps/s390/Makefile
 delete mode 100644 sysdeps/s390/__longjmp.c
 delete mode 100644 sysdeps/s390/rtld-__longjmp.c
 delete mode 100644 sysdeps/s390/rtld-global-offsets.sym
 delete mode 100644 sysdeps/s390/rtld-setjmp.S
 delete mode 100644 sysdeps/s390/s390-32/__longjmp-common.c
 create mode 100644 sysdeps/s390/s390-32/__longjmp.c
 delete mode 100644 sysdeps/s390/s390-32/setjmp-common.S
 create mode 100644 sysdeps/s390/s390-32/setjmp.S
 delete mode 100644 sysdeps/s390/s390-64/__longjmp-common.c
 create mode 100644 sysdeps/s390/s390-64/__longjmp.c
 delete mode 100644 sysdeps/s390/s390-64/setjmp-common.S
 create mode 100644 sysdeps/s390/s390-64/setjmp.S
 delete mode 100644 sysdeps/s390/setjmp.S
 delete mode 100644 sysdeps/s390/sigjmp.c
 delete mode 100644 sysdeps/s390/v1-longjmp.c
 delete mode 100644 sysdeps/s390/v1-setjmp.h
 delete mode 100644 sysdeps/s390/v1-sigjmp.c
 delete mode 100644 sysdeps/unix/sysv/linux/s390/getcontext.S
 delete mode 100644 sysdeps/unix/sysv/linux/s390/rtld-getcontext.S
 delete mode 100644 sysdeps/unix/sysv/linux/s390/s390-32/getcontext-common.S
 create mode 100644 sysdeps/unix/sysv/linux/s390/s390-32/getcontext.S
 delete mode 100644 sysdeps/unix/sysv/linux/s390/s390-32/ucontext_i.sym
 delete mode 100644 sysdeps/unix/sysv/linux/s390/s390-64/getcontext-common.S
 create mode 100644 sysdeps/unix/sysv/linux/s390/s390-64/getcontext.S
 rename sysdeps/unix/sysv/linux/s390/{s390-64 => }/ucontext_i.sym (100%)
 delete mode 100644 sysdeps/unix/sysv/linux/s390/v1-longjmp_chk.c

-- 
You are receiving this mail because:
You are on the CC list for the bug.
