glibc.git, branch archlinux/2.18/master Unnamed repository; edit this file 'description' to name the repository. Fix stack overflow due to large AF_INET6 requests 2013-10-25T13:59:00+00:00 Siddhesh Poyarekar siddhesh@redhat.com 2013-10-25T04:52:12+00:00 0b0e50ce9efe2fec10e147eddba4f0802235a042 Resolves #16072 (CVE-2013-4458). This patch fixes another stack overflow in getaddrinfo when it is called with AF_INET6. The AF_UNSPEC case was fixed as CVE-2013-1914, but the AF_INET6 case went undetected back then. (cherry picked from commit 7cbcdb3699584db8913ca90f705d6337633ee10f) Conflicts: NEWS 
Resolves #16072 (CVE-2013-4458).

This patch fixes another stack overflow in getaddrinfo when it is
called with AF_INET6.  The AF_UNSPEC case was fixed as CVE-2013-1914,
but the AF_INET6 case went undetected back then.

(cherry picked from commit 7cbcdb3699584db8913ca90f705d6337633ee10f)

Conflicts:
	NEWS
Fix incorrect getaddrinfo assertion trigger 2013-10-25T13:58:29+00:00 Allan McRae allan@archlinux.org 2013-10-25T04:25:38+00:00 54377921e7092f709c6a5985688769404637055f [BZ #9954] With the following /etc/hosts: 127.0.0.1 www.my-domain.es 127.0.1.1 www.my-domain.es 192.168.0.1 www.my-domain.es Using getaddrinfo() on www.my-domain.es, trigger the following assertion: ../sysdeps/posix/getaddrinfo.c:1473: rfc3484_sort: Assertion `src->results[i].native == -1 || src->results[i].native == a1_native' failed. This is due to two different bugs: - In rfc3484_sort() rule 7, src->results[i].native is assigned even if src->results[i].index is -1, meaning that no interface is associated. - In getaddrinfo() the source IP address used with the lo interface needs a special case, as it can be any IP within 127.X.Y.Z. (cherry picked from commit 894f3f1049135dcbeaab8f18690973663ef3147c) 
[BZ #9954]

With the following /etc/hosts:
127.0.0.1       www.my-domain.es
127.0.1.1       www.my-domain.es
192.168.0.1     www.my-domain.es

Using getaddrinfo() on www.my-domain.es, trigger the following assertion:
../sysdeps/posix/getaddrinfo.c:1473: rfc3484_sort: Assertion
`src->results[i].native == -1 || src->results[i].native == a1_native' failed.

This is due to two different bugs:
- In rfc3484_sort() rule 7, src->results[i].native is assigned even if
src->results[i].index is -1, meaning that no interface is associated.
- In getaddrinfo() the source IP address used with the lo interface needs a
special case, as it can be any IP within 127.X.Y.Z.

(cherry picked from commit 894f3f1049135dcbeaab8f18690973663ef3147c)
BZ #15754: Fix test case for ARM. 2013-10-25T13:56:45+00:00 Carlos O'Donell carlos@redhat.com 2013-09-23T05:44:38+00:00 9a010a5f6328aa7ba353679e9a9e07465917d6a0 Statically built binaries use __pointer_chk_guard_local, while dynamically built binaries use __pointer_chk_guard. Provide the right definition depending on the test case we are building. 
Statically built binaries use __pointer_chk_guard_local,
while dynamically built binaries use __pointer_chk_guard.
Provide the right definition depending on the test case
we are building.
BZ #15754: CVE-2013-4788 2013-10-25T13:56:33+00:00 Carlos O'Donell carlos@redhat.com 2013-09-23T04:52:09+00:00 f03cfdf9bf62f776338171fe2ba6eebbf8948875 The pointer guard used for pointer mangling was not initialized for static applications resulting in the security feature being disabled. The pointer guard is now correctly initialized to a random value for static applications. Existing static applications need to be recompiled to take advantage of the fix. The test tst-ptrguard1-static and tst-ptrguard1 add regression coverage to ensure the pointer guards are sufficiently random and initialized to a default value. Conflicts: NEWS ports/ChangeLog.ia64 ports/ChangeLog.tile 
The pointer guard used for pointer mangling was not initialized for
static applications resulting in the security feature being disabled.
The pointer guard is now correctly initialized to a random value for
static applications. Existing static applications need to be
recompiled to take advantage of the fix.

The test tst-ptrguard1-static and tst-ptrguard1 add regression
coverage to ensure the pointer guards are sufficiently random
and initialized to a default value.

Conflicts:
	NEWS
	ports/ChangeLog.ia64
	ports/ChangeLog.tile
Check for integer overflow in cache size computation in strcoll 2013-10-25T13:55:07+00:00 Siddhesh Poyarekar siddhesh@redhat.com 2013-09-23T05:54:30+00:00 6957bcb15456b5118c44bb49754b199462336639 strcoll is implemented using a cache for indices and weights of collation sequences in the strings so that subsequent passes do not have to search through collation data again. For very large string inputs, the cache size computation could overflow. In such a case, use the fallback function that does not cache indices and weights of collation sequences. Fixes CVE-2012-4412. (cherry picked from commit 303e567a8062200dc06acde7c76fc34679f08d8f) Conflicts: NEWS 
strcoll is implemented using a cache for indices and weights of
collation sequences in the strings so that subsequent passes do not
have to search through collation data again.  For very large string
inputs, the cache size computation could overflow.  In such a case,
use the fallback function that does not cache indices and weights of
collation sequences.

Fixes CVE-2012-4412.

(cherry picked from commit 303e567a8062200dc06acde7c76fc34679f08d8f)

Conflicts:
	NEWS
Fall back to non-cached sequence traversal and comparison on malloc fail 2013-10-25T13:54:29+00:00 Siddhesh Poyarekar siddhesh@redhat.com 2013-09-23T05:50:02+00:00 56532663f2881ce7b7996d75dbb6bbb438187457 strcoll currently falls back to alloca if malloc fails, resulting in a possible stack overflow. This patch implements sequence traversal and comparison without caching indices and rules. Fixes CVE-2012-4424. (cherry picked from commit 141f3a77fe4f1b59b0afa9bf6909cd2000448883) Conflicts: NEWS 
strcoll currently falls back to alloca if malloc fails, resulting in a
possible stack overflow.  This patch implements sequence traversal and
comparison without caching indices and rules.

Fixes CVE-2012-4424.

(cherry picked from commit 141f3a77fe4f1b59b0afa9bf6909cd2000448883)

Conflicts:
	NEWS
Simplify strcoll implementation 2013-10-25T13:53:52+00:00 Siddhesh Poyarekar siddhesh@redhat.com 2013-08-20T03:10:05+00:00 52b8d67f22068991f404c51b38b30e7e35c1bb99 Break up strcoll into simpler functions so that the logic is easier to follow and maintain. (cherry picked from commit 1326ba1af22068db9488c2328bdaf852b8a93dcf) 
Break up strcoll into simpler functions so that the logic is easier to
follow and maintain.

(cherry picked from commit 1326ba1af22068db9488c2328bdaf852b8a93dcf)
malloc: Check for integer overflow in memalign. 2013-10-25T13:53:32+00:00 Will Newton will.newton@linaro.org 2013-08-16T11:54:29+00:00 dc7ba1835ba16cb49d6c38d50e153b70beb2a091 A large bytes parameter to memalign could cause an integer overflow and corrupt allocator internals. Check the overflow does not occur before continuing with the allocation. ChangeLog: 2013-09-11 Will Newton <will.newton@linaro.org> [BZ #15857] * malloc/malloc.c (__libc_memalign): Check the value of bytes does not overflow. (cherry picked from commit b73ed247781d533628b681f57257dc85882645d3) 
A large bytes parameter to memalign could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.

ChangeLog:

2013-09-11  Will Newton  <will.newton@linaro.org>

	[BZ #15857]
	* malloc/malloc.c (__libc_memalign): Check the value of bytes
	does not overflow.

(cherry picked from commit b73ed247781d533628b681f57257dc85882645d3)
malloc: Check for integer overflow in valloc. 2013-10-25T13:53:24+00:00 Will Newton will.newton@linaro.org 2013-08-16T10:59:37+00:00 8f29d3b5ae201ae4af368d2221381c5a856913d5 A large bytes parameter to valloc could cause an integer overflow and corrupt allocator internals. Check the overflow does not occur before continuing with the allocation. ChangeLog: 2013-09-11 Will Newton <will.newton@linaro.org> [BZ #15856] * malloc/malloc.c (__libc_valloc): Check the value of bytes does not overflow. (cherry picked from commit 55e17aadc1ef17a1df9626fb0e9fba290ece3331) 
A large bytes parameter to valloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.

ChangeLog:

2013-09-11  Will Newton  <will.newton@linaro.org>

	[BZ #15856]
	* malloc/malloc.c (__libc_valloc): Check the value of bytes
	does not overflow.

(cherry picked from commit 55e17aadc1ef17a1df9626fb0e9fba290ece3331)
malloc: Check for integer overflow in pvalloc. 2013-10-25T13:53:17+00:00 Will Newton will.newton@linaro.org 2013-08-12T14:08:02+00:00 63e9a36056fe53621fa3001fe22b4833a9ea9457 A large bytes parameter to pvalloc could cause an integer overflow and corrupt allocator internals. Check the overflow does not occur before continuing with the allocation. ChangeLog: 2013-09-11 Will Newton <will.newton@linaro.org> [BZ #15855] * malloc/malloc.c (__libc_pvalloc): Check the value of bytes does not overflow. (cherry picked from commit 1159a193696ad48ec86e5895f6dee3e539619c0e) 
A large bytes parameter to pvalloc could cause an integer overflow
and corrupt allocator internals. Check the overflow does not occur
before continuing with the allocation.

ChangeLog:

2013-09-11  Will Newton  <will.newton@linaro.org>

	[BZ #15855]
	* malloc/malloc.c (__libc_pvalloc): Check the value of bytes
	does not overflow.

(cherry picked from commit 1159a193696ad48ec86e5895f6dee3e539619c0e)