glibc: CVE-2015-8776
It was found that out-of-range time values passed to the strftime function may cause it to crash, leading to a denial of service, or potentially to information disclosure. (From OE-Core rev: cf747f0bbcd53af41a7f3981ac65c2b6b6e668f8) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
parent
842177a113
commit
c834ebc2ac
|
@ -0,0 +1,155 @@
|
|||
From d36c75fc0d44deec29635dd239b0fbd206ca49b7 Mon Sep 17 00:00:00 2001
|
||||
From: Paul Pluzhnikov <ppluzhnikov@google.com>
|
||||
Date: Sat, 26 Sep 2015 13:27:48 -0700
|
||||
Subject: [PATCH] Fix BZ #18985 -- out of range data to strftime() causes a
|
||||
segfault
|
||||
|
||||
Upstream-Status: Backport
|
||||
CVE: CVE-2015-8776
|
||||
[Yocto # 8980]
|
||||
|
||||
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d36c75fc0d44deec29635dd239b0fbd206ca49b7
|
||||
|
||||
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
||||
|
||||
---
|
||||
ChangeLog | 8 ++++++++
|
||||
NEWS | 2 +-
|
||||
time/strftime_l.c | 20 +++++++++++++-------
|
||||
time/tst-strftime.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
|
||||
4 files changed, 73 insertions(+), 9 deletions(-)
|
||||
|
||||
Index: git/ChangeLog
|
||||
===================================================================
|
||||
--- git.orig/ChangeLog
|
||||
+++ git/ChangeLog
|
||||
@@ -1,3 +1,11 @@
|
||||
+2015-09-26 Paul Pluzhnikov <ppluzhnikov@google.com>
|
||||
+
|
||||
+ [BZ #18985]
|
||||
+ * time/strftime_l.c (a_wkday, f_wkday, a_month, f_month): Range check.
|
||||
+ (__strftime_internal): Likewise.
|
||||
+ * time/tst-strftime.c (do_bz18985): New test.
|
||||
+ (do_test): Call it.
|
||||
+
|
||||
2015-12-04 Joseph Myers <joseph@codesourcery.com>
|
||||
|
||||
[BZ #16961]
|
||||
Index: git/time/strftime_l.c
|
||||
===================================================================
|
||||
--- git.orig/time/strftime_l.c
|
||||
+++ git/time/strftime_l.c
|
||||
@@ -514,13 +514,17 @@ __strftime_internal (s, maxsize, format,
|
||||
only a few elements. Dereference the pointers only if the format
|
||||
requires this. Then it is ok to fail if the pointers are invalid. */
|
||||
# define a_wkday \
|
||||
- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday))
|
||||
+ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \
|
||||
+ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday)))
|
||||
# define f_wkday \
|
||||
- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday))
|
||||
+ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \
|
||||
+ ? "?" : _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday)))
|
||||
# define a_month \
|
||||
- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon))
|
||||
+ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \
|
||||
+ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon)))
|
||||
# define f_month \
|
||||
- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon))
|
||||
+ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \
|
||||
+ ? "?" : _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon)))
|
||||
# define ampm \
|
||||
((const CHAR_T *) _NL_CURRENT (LC_TIME, tp->tm_hour > 11 \
|
||||
? NLW(PM_STR) : NLW(AM_STR)))
|
||||
@@ -530,8 +534,10 @@ __strftime_internal (s, maxsize, format,
|
||||
# define ap_len STRLEN (ampm)
|
||||
#else
|
||||
# if !HAVE_STRFTIME
|
||||
-# define f_wkday (weekday_name[tp->tm_wday])
|
||||
-# define f_month (month_name[tp->tm_mon])
|
||||
+# define f_wkday (tp->tm_wday < 0 || tp->tm_wday > 6 \
|
||||
+ ? "?" : weekday_name[tp->tm_wday])
|
||||
+# define f_month (tp->tm_mon < 0 || tp->tm_mon > 11 \
|
||||
+ ? "?" : month_name[tp->tm_mon])
|
||||
# define a_wkday f_wkday
|
||||
# define a_month f_month
|
||||
# define ampm (L_("AMPM") + 2 * (tp->tm_hour > 11))
|
||||
@@ -1325,7 +1331,7 @@ __strftime_internal (s, maxsize, format,
|
||||
*tzset_called = true;
|
||||
}
|
||||
# endif
|
||||
- zone = tzname[tp->tm_isdst];
|
||||
+ zone = tp->tm_isdst <= 1 ? tzname[tp->tm_isdst] : "?";
|
||||
}
|
||||
#endif
|
||||
if (! zone)
|
||||
Index: git/time/tst-strftime.c
|
||||
===================================================================
|
||||
--- git.orig/time/tst-strftime.c
|
||||
+++ git/time/tst-strftime.c
|
||||
@@ -4,6 +4,56 @@
|
||||
#include <time.h>
|
||||
|
||||
|
||||
+static int
|
||||
+do_bz18985 (void)
|
||||
+{
|
||||
+ char buf[1000];
|
||||
+ struct tm ttm;
|
||||
+ int rc, ret = 0;
|
||||
+
|
||||
+ memset (&ttm, 1, sizeof (ttm));
|
||||
+ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */
|
||||
+ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
|
||||
+
|
||||
+ if (rc == 66)
|
||||
+ {
|
||||
+ const char expected[]
|
||||
+ = "? ? ? ? ? ? 16843009 16843009:16843009:16843009 16844909 +467836 ?";
|
||||
+ if (0 != strcmp (buf, expected))
|
||||
+ {
|
||||
+ printf ("expected:\n %s\ngot:\n %s\n", expected, buf);
|
||||
+ ret += 1;
|
||||
+ }
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ printf ("expected 66, got %d\n", rc);
|
||||
+ ret += 1;
|
||||
+ }
|
||||
+
|
||||
+ /* Check negative values as well. */
|
||||
+ memset (&ttm, 0xFF, sizeof (ttm));
|
||||
+ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */
|
||||
+ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
|
||||
+
|
||||
+ if (rc == 30)
|
||||
+ {
|
||||
+ const char expected[] = "? ? ? ? ? ? -1 -1:-1:-1 1899 ";
|
||||
+ if (0 != strcmp (buf, expected))
|
||||
+ {
|
||||
+ printf ("expected:\n %s\ngot:\n %s\n", expected, buf);
|
||||
+ ret += 1;
|
||||
+ }
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ printf ("expected 30, got %d\n", rc);
|
||||
+ ret += 1;
|
||||
+ }
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
static struct
|
||||
{
|
||||
const char *fmt;
|
||||
@@ -104,7 +154,7 @@ do_test (void)
|
||||
}
|
||||
}
|
||||
|
||||
- return result;
|
||||
+ return result + do_bz18985 ();
|
||||
}
|
||||
|
||||
#define TEST_FUNCTION do_test ()
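Review bot: In the `_NL_CURRENT` branch of time/strftime_l.c, the new fallback in `a_wkday`, `f_wkday`, `a_month` and `f_month` is the narrow literal `"?"` cast to `const CHAR_T *`, which is only a valid string when `CHAR_T` is `char`. If this file is also built with a wide `CHAR_T` (the `NLW` and `L_` macros suggest it is, but their definitions are outside the hunk), length and copy operations on that pointer would read past the two-byte literal. Using `L_("?")` and moving the cast onto the other arm, e.g. `? L_("?") : (const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday)`, keeps both arms correctly typed. Separately, `tp->tm_isdst <= 1 ? tzname[tp->tm_isdst] : "?"` bounds only the upper side. The enclosing condition is outside the hunk, and the negative case in `do_bz18985` expecting an empty zone suggests negatives are rejected there, so a comment such as `/* tm_isdst < 0 is excluded by the enclosing condition */` would make that dependency visible once confirmed against the full function.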
|
|
@ -47,6 +47,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
|
|||
file://CVE-2015-8779.patch \
|
||||
file://CVE-2015-9761_1.patch \
|
||||
file://CVE-2015-9761_2.patch \
|
||||
file://CVE-2015-8776.patch \
|
||||
"
|
||||
|
||||
SRC_URI += "\
|
||||
|
|