From 3f08d642feb52ec08b09cff2ef668f3753a1803a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Sun, 31 May 2020 09:11:45 +0200 Subject: [PATCH] glibc: patch CVE-2020-1752 /cc roundup #88306; the issue seems quite serious to me. I also made two other patches non-conditional, as we rebuild all platforms anyway. --- .../libraries/glibc/2.30-cve-2020-1752.patch | 62 +++++++++++++++++++ pkgs/development/libraries/glibc/common.nix | 4 +- 2 files changed, 64 insertions(+), 2 deletions(-) create mode 100644 pkgs/development/libraries/glibc/2.30-cve-2020-1752.patch diff --git a/pkgs/development/libraries/glibc/2.30-cve-2020-1752.patch b/pkgs/development/libraries/glibc/2.30-cve-2020-1752.patch new file mode 100644 index 000000000000..75d874b93d09 --- /dev/null +++ b/pkgs/development/libraries/glibc/2.30-cve-2020-1752.patch @@ -0,0 +1,62 @@ +From: Andreas Schwab +Date: Wed, 19 Feb 2020 16:21:46 +0000 (+0100) +Subject: Fix use-after-free in glob when expanding ~user (bug 25414) +X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=da97c6b88eb03fb834e92964b0895c2ac8d61f63;hp=dd34bce38c822b67fcc42e73969bf6699d6874b6 + +Fix use-after-free in glob when expanding ~user (bug 25414) + +The value of `end_name' points into the value of `dirname', thus don't +deallocate the latter before the last use of the former. + +(cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c) +--- + +diff --git a/posix/glob.c b/posix/glob.c +index e73e35c510..c6cbd0eb43 100644 +--- a/posix/glob.c ++++ b/posix/glob.c +@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int), + { + size_t home_len = strlen (p->pw_dir); + size_t rest_len = end_name == NULL ? 0 : strlen (end_name); +- char *d; ++ char *d, *newp; ++ bool use_alloca = glob_use_alloca (alloca_used, ++ home_len + rest_len + 1); + +- if (__glibc_unlikely (malloc_dirname)) +- free (dirname); +- malloc_dirname = 0; +- +- if (glob_use_alloca (alloca_used, home_len + rest_len + 1)) +- dirname = alloca_account (home_len + rest_len + 1, +- alloca_used); ++ if (use_alloca) ++ newp = alloca_account (home_len + rest_len + 1, alloca_used); + else + { +- dirname = malloc (home_len + rest_len + 1); +- if (dirname == NULL) ++ newp = malloc (home_len + rest_len + 1); ++ if (newp == NULL) + { + scratch_buffer_free (&pwtmpbuf); + retval = GLOB_NOSPACE; + goto out; + } +- malloc_dirname = 1; + } +- d = mempcpy (dirname, p->pw_dir, home_len); ++ d = mempcpy (newp, p->pw_dir, home_len); + if (end_name != NULL) + d = mempcpy (d, end_name, rest_len); + *d = '\0'; + ++ if (__glibc_unlikely (malloc_dirname)) ++ free (dirname); ++ dirname = newp; ++ malloc_dirname = !use_alloca; ++ + dirlen = home_len + rest_len; + dirname_modified = 1; + } diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix index 0429c7295fb8..36b6bea61cd4 100644 --- a/pkgs/development/libraries/glibc/common.nix +++ b/pkgs/development/libraries/glibc/common.nix @@ -106,10 +106,10 @@ stdenv.mkDerivation ({ url = "https://salsa.debian.org/glibc-team/glibc/raw/49767c9f7de4828220b691b29de0baf60d8a54ec/debian/patches/localedata/locale-C.diff"; sha256 = "0irj60hs2i91ilwg5w7sqrxb695c93xg0ik7yhhq9irprd7fidn4"; }) - ] - ++ lib.optionals stdenv.isx86_64 [ + ./fix-x64-abi.patch ./2.27-CVE-2019-19126.patch + ./2.30-cve-2020-1752.patch ] ++ lib.optional stdenv.hostPlatform.isMusl ./fix-rpc-types-musl-conflicts.patch ++ lib.optional stdenv.buildPlatform.isDarwin ./darwin-cross-build.patch;