diff options
Diffstat (limited to 'source')
-rwxr-xr-x | source/a/aaa_libraries/aaa_libraries.SlackBuild | 2 | ||||
-rw-r--r-- | source/a/mkinitrd/0004-check-if-BASEDEV-is-a-partition-of-a-RAID-volume.patch | 23 | ||||
-rwxr-xr-x | source/a/mkinitrd/mkinitrd.SlackBuild | 5 | ||||
-rwxr-xr-x | source/a/util-linux/util-linux.SlackBuild | 2 | ||||
-rwxr-xr-x | source/k/build-all-kernels.sh | 2 | ||||
-rw-r--r-- | source/k/kernel-configs/config-huge-5.15.16 | 3 | ||||
-rw-r--r-- | source/k/kernel-configs/config-huge-5.15.16.x64 | 3 | ||||
-rw-r--r-- | source/k/kernel-configs/config-huge-smp-5.15.16-smp | 3 | ||||
-rw-r--r-- | source/l/expat/178d26f50af21ec23d6e43814b9b602590b5865c.patch | 115 | ||||
-rw-r--r-- | source/l/expat/5f100ffa78b74da8020b71d1582a8979193c1359.patch | 45 | ||||
-rwxr-xr-x | source/l/expat/expat.SlackBuild | 6 | ||||
-rwxr-xr-x | source/l/glibc/glibc.SlackBuild | 2 | ||||
-rw-r--r-- | source/l/glibc/patches/glibc.CVE-2021-3998.patch | 123 | ||||
-rw-r--r-- | source/l/glibc/patches/glibc.CVE-2021-3999.patch | 356 | ||||
-rwxr-xr-x | source/l/tdb/tdb.SlackBuild | 2 |
15 files changed, 679 insertions, 13 deletions
diff --git a/source/a/aaa_libraries/aaa_libraries.SlackBuild b/source/a/aaa_libraries/aaa_libraries.SlackBuild index da891fca..16f2505c 100755 --- a/source/a/aaa_libraries/aaa_libraries.SlackBuild +++ b/source/a/aaa_libraries/aaa_libraries.SlackBuild @@ -23,7 +23,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=aaa_libraries VERSION=${VERSION:-15.0} -BUILD=${BUILD:-15} +BUILD=${BUILD:-16} # Automatically determine the architecture we're building on: if [ -z "$ARCH" ]; then diff --git a/source/a/mkinitrd/0004-check-if-BASEDEV-is-a-partition-of-a-RAID-volume.patch b/source/a/mkinitrd/0004-check-if-BASEDEV-is-a-partition-of-a-RAID-volume.patch new file mode 100644 index 00000000..e24b7c7c --- /dev/null +++ b/source/a/mkinitrd/0004-check-if-BASEDEV-is-a-partition-of-a-RAID-volume.patch @@ -0,0 +1,23 @@ +--- ./mkinitrd_command_generator.sh.orig 2021-03-28 13:22:55.628927615 -0500 ++++ ./mkinitrd_command_generator.sh 2022-01-24 21:29:00.382517371 -0600 +@@ -302,12 +302,19 @@ + fi + + # Finally, we should check if base device is +- # a real block device or a RAID volume: ++ # a real block device or a RAID volume: + for MD in $(cat /proc/mdstat | grep -w active | cut -d' ' -f1) ; do + if [ "$BASEDEV" = "/dev/$MD" ]; then + USING_RAID=1 + break + fi ++ done ++ # Additional check in case $BASEDEV is a partition of /dev/$MD: ++ for BLK in $(sfdisk -ld /dev/$MD 2> /dev/null | grep "^/dev" | cut -d " " -f 1); do ++ if [ "$BASEDEV" = "$BLK" ]; then ++ USING_RAID=1 ++ break ++ fi + done + } + diff --git a/source/a/mkinitrd/mkinitrd.SlackBuild b/source/a/mkinitrd/mkinitrd.SlackBuild index 6b507039..500b919a 100755 --- a/source/a/mkinitrd/mkinitrd.SlackBuild +++ b/source/a/mkinitrd/mkinitrd.SlackBuild @@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=mkinitrd VERSION=${VERSION:-1.4.11} BB=1.32.1 -BUILD=${BUILD:-26} +BUILD=${BUILD:-27} # Automatically determine the architecture we're building on: if [ -z "$ARCH" ]; then @@ -125,6 +125,9 @@ chmod 755 $PKG/sbin/mkinitrd # Don't include 40-usb_modeswitch.rules on the initrd: ( cd $PKG/sbin ; zcat $CWD/0003-blacklist.40-usb_modeswitch.rules.patch.gz | patch -p1 --verbose || exit 1) || exit 1 rm -f $PKG/sbin/mkinitrd.orig +# Use -R if we detect the root partition is a partition of a RAID device: +( cd $PKG/usr/share/mkinitrd ; zcat $CWD/0004-check-if-BASEDEV-is-a-partition-of-a-RAID-volume.patch.gz | patch -p1 --verbose || exit 1) || exit 1 +rm -f $PKG/usr/share/mkinitrd/mkinitrd_command_generator.sh.orig mkdir -p $PKG/usr/man/man{5,8} cat $CWD/mkinitrd.conf.5 | gzip -9c > $PKG/usr/man/man5/mkinitrd.conf.5.gz diff --git a/source/a/util-linux/util-linux.SlackBuild b/source/a/util-linux/util-linux.SlackBuild index b99088da..fd08893f 100755 --- a/source/a/util-linux/util-linux.SlackBuild +++ b/source/a/util-linux/util-linux.SlackBuild @@ -26,7 +26,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=util-linux VERSION=${VERSION:-$(echo util-linux*.tar.xz | cut -d - -f 3 | rev | cut -f 3- -d . | rev)} -BUILD=${BUILD:-6} +BUILD=${BUILD:-1} ADJTIMEXVERS=1.29 SETSERIALVERS=2.17 diff --git a/source/k/build-all-kernels.sh b/source/k/build-all-kernels.sh index 09e684b1..1fddd02c 100755 --- a/source/k/build-all-kernels.sh +++ b/source/k/build-all-kernels.sh @@ -27,7 +27,7 @@ cd $(dirname $0) ; CWD=$(pwd) -BUILD=${BUILD:-1} +BUILD=${BUILD:-2} if [ -z "$VERSION" ]; then # Get the filename of the newest kernel tarball: KERNEL_SOURCE_FILE="$(/bin/ls -t linux-*.tar.?z | head -n 1 )" diff --git a/source/k/kernel-configs/config-huge-5.15.16 b/source/k/kernel-configs/config-huge-5.15.16 index bc008e64..531eee49 100644 --- a/source/k/kernel-configs/config-huge-5.15.16 +++ b/source/k/kernel-configs/config-huge-5.15.16 @@ -9340,8 +9340,7 @@ CONFIG_AFS_FS=m # CONFIG_AFS_DEBUG is not set # CONFIG_AFS_FSCACHE is not set # CONFIG_AFS_DEBUG_CURSOR is not set -CONFIG_9P_FS=m -# CONFIG_9P_FSCACHE is not set +CONFIG_9P_FS=y CONFIG_9P_FS_POSIX_ACL=y # CONFIG_9P_FS_SECURITY is not set CONFIG_NLS=y diff --git a/source/k/kernel-configs/config-huge-5.15.16.x64 b/source/k/kernel-configs/config-huge-5.15.16.x64 index 0d5b67fb..f3014b56 100644 --- a/source/k/kernel-configs/config-huge-5.15.16.x64 +++ b/source/k/kernel-configs/config-huge-5.15.16.x64 @@ -9362,8 +9362,7 @@ CONFIG_AFS_FS=m # CONFIG_AFS_DEBUG is not set # CONFIG_AFS_FSCACHE is not set # CONFIG_AFS_DEBUG_CURSOR is not set -CONFIG_9P_FS=m -# CONFIG_9P_FSCACHE is not set +CONFIG_9P_FS=y CONFIG_9P_FS_POSIX_ACL=y # CONFIG_9P_FS_SECURITY is not set CONFIG_NLS=y diff --git a/source/k/kernel-configs/config-huge-smp-5.15.16-smp b/source/k/kernel-configs/config-huge-smp-5.15.16-smp index 489c923a..239c5123 100644 --- a/source/k/kernel-configs/config-huge-smp-5.15.16-smp +++ b/source/k/kernel-configs/config-huge-smp-5.15.16-smp @@ -9407,8 +9407,7 @@ CONFIG_AFS_FS=m # CONFIG_AFS_DEBUG is not set # CONFIG_AFS_FSCACHE is not set # CONFIG_AFS_DEBUG_CURSOR is not set -CONFIG_9P_FS=m -# CONFIG_9P_FSCACHE is not set +CONFIG_9P_FS=y CONFIG_9P_FS_POSIX_ACL=y # CONFIG_9P_FS_SECURITY is not set CONFIG_NLS=y diff --git a/source/l/expat/178d26f50af21ec23d6e43814b9b602590b5865c.patch b/source/l/expat/178d26f50af21ec23d6e43814b9b602590b5865c.patch new file mode 100644 index 00000000..c2b55ca8 --- /dev/null +++ b/source/l/expat/178d26f50af21ec23d6e43814b9b602590b5865c.patch @@ -0,0 +1,115 @@ +From 847a645152f5ebc10ac63b74b604d0c1a79fae40 Mon Sep 17 00:00:00 2001 +From: Samanta Navarro <ferivoz@riseup.net> +Date: Sat, 22 Jan 2022 17:48:00 +0100 +Subject: [PATCH 1/3] lib: Detect and prevent integer overflow in XML_GetBuffer + (CVE-2022-23852) + +--- + expat/lib/xmlparse.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/expat/lib/xmlparse.c b/expat/lib/xmlparse.c +index d54af683..5ce31402 100644 +--- a/expat/lib/xmlparse.c ++++ b/expat/lib/xmlparse.c +@@ -2067,6 +2067,11 @@ XML_GetBuffer(XML_Parser parser, int len) { + keep = (int)EXPAT_SAFE_PTR_DIFF(parser->m_bufferPtr, parser->m_buffer); + if (keep > XML_CONTEXT_BYTES) + keep = XML_CONTEXT_BYTES; ++ /* Detect and prevent integer overflow */ ++ if (keep > INT_MAX - neededSize) { ++ parser->m_errorCode = XML_ERROR_NO_MEMORY; ++ return NULL; ++ } + neededSize += keep; + #endif /* defined XML_CONTEXT_BYTES */ + if (neededSize + +From acf956f14bf79a5e6383a969aaffec98bfbc2e44 Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <sebastian@pipping.org> +Date: Sun, 23 Jan 2022 18:17:04 +0100 +Subject: [PATCH 2/3] tests: Cover integer overflow in XML_GetBuffer + (CVE-2022-23852) + +--- + expat/tests/runtests.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/expat/tests/runtests.c b/expat/tests/runtests.c +index e89e8220..579dad1a 100644 +--- a/expat/tests/runtests.c ++++ b/expat/tests/runtests.c +@@ -3847,6 +3847,30 @@ START_TEST(test_get_buffer_2) { + } + END_TEST + ++/* Test for signed integer overflow CVE-2022-23852 */ ++#if defined(XML_CONTEXT_BYTES) ++START_TEST(test_get_buffer_3_overflow) { ++ XML_Parser parser = XML_ParserCreate(NULL); ++ assert(parser != NULL); ++ ++ const char *const text = "\n"; ++ const int expectedKeepValue = (int)strlen(text); ++ ++ // After this call, variable "keep" in XML_GetBuffer will ++ // have value expectedKeepValue ++ if (XML_Parse(parser, text, (int)strlen(text), XML_FALSE /* isFinal */) ++ == XML_STATUS_ERROR) ++ xml_failure(parser); ++ ++ assert(expectedKeepValue > 0); ++ if (XML_GetBuffer(parser, INT_MAX - expectedKeepValue + 1) != NULL) ++ fail("enlarging buffer not failed"); ++ ++ XML_ParserFree(parser); ++} ++END_TEST ++#endif // defined(XML_CONTEXT_BYTES) ++ + /* Test position information macros */ + START_TEST(test_byte_info_at_end) { + const char *text = "<doc></doc>"; +@@ -11731,6 +11755,9 @@ make_suite(void) { + tcase_add_test(tc_basic, test_empty_parse); + tcase_add_test(tc_basic, test_get_buffer_1); + tcase_add_test(tc_basic, test_get_buffer_2); ++#if defined(XML_CONTEXT_BYTES) ++ tcase_add_test(tc_basic, test_get_buffer_3_overflow); ++#endif + tcase_add_test(tc_basic, test_byte_info_at_end); + tcase_add_test(tc_basic, test_byte_info_at_error); + tcase_add_test(tc_basic, test_byte_info_at_cdata); + +From 99cec436fbd9444f57ee74ca8ae4c0a13e561a4f Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <sebastian@pipping.org> +Date: Sat, 22 Jan 2022 17:49:17 +0100 +Subject: [PATCH 3/3] Changes: Document CVE-2022-23852 + +--- + expat/Changes | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/expat/Changes b/expat/Changes +index 7540d38c..64d75d05 100644 +--- a/expat/Changes ++++ b/expat/Changes +@@ -2,6 +2,18 @@ NOTE: We are looking for help with a few things: + https://github.com/libexpat/libexpat/labels/help%20wanted + If you can help, please get in touch. Thanks! + ++Release x.x.x xxx xxxxxxx xx xxxx ++ Security fixes: ++ #550 CVE-2022-23852 -- Fix signed integer overflow ++ (undefined behavior) in function XML_GetBuffer ++ (that is also called by function XML_Parse internally) ++ for when XML_CONTEXT_BYTES is defined to >0 (which is both ++ common and default). ++ Impact is denial of service or more. ++ ++ Special thanks to: ++ Samanta Navarro ++ + Release 2.4.3 Sun January 16 2022 + Security fixes: + #531 #534 CVE-2021-45960 -- Fix issues with left shifts by >=29 places diff --git a/source/l/expat/5f100ffa78b74da8020b71d1582a8979193c1359.patch b/source/l/expat/5f100ffa78b74da8020b71d1582a8979193c1359.patch new file mode 100644 index 00000000..59404f30 --- /dev/null +++ b/source/l/expat/5f100ffa78b74da8020b71d1582a8979193c1359.patch @@ -0,0 +1,45 @@ +From 85a6f8fcdb2bc1530934f8cf684bdab86f1f2a1c Mon Sep 17 00:00:00 2001 +From: Sebastian Pipping <sebastian@pipping.org> +Date: Thu, 20 Jan 2022 04:41:47 +0100 +Subject: [PATCH] xmlwf: Fix a memory leak on output file opening error + +--- + expat/Changes | 6 ++++++ + expat/xmlwf/xmlwf.c | 4 ++-- + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/expat/Changes b/expat/Changes +index 64d75d05..5ff5da5e 100644 +--- a/expat/Changes ++++ b/expat/Changes +@@ -11,8 +11,14 @@ Release x.x.x xxx xxxxxxx xx xxxx + common and default). + Impact is denial of service or more. + ++ Bug fixes: ++ #544 #545 xmlwf: Fix a memory leak on output file opening error ++ + Special thanks to: ++ hwt0415 + Samanta Navarro ++ and ++ Clang LeakSan and the Clang team + + Release 2.4.3 Sun January 16 2022 + Security fixes: +diff --git a/expat/xmlwf/xmlwf.c b/expat/xmlwf/xmlwf.c +index 29118bb6..b6f300b0 100644 +--- a/expat/xmlwf/xmlwf.c ++++ b/expat/xmlwf/xmlwf.c +@@ -1175,9 +1175,9 @@ tmain(int argc, XML_Char **argv) { + if (! userData.fp) { + tperror(outName); + exitCode = XMLWF_EXIT_OUTPUT_ERROR; ++ free(outName); ++ XML_ParserFree(parser); + if (continueOnError) { +- free(outName); +- cleanupUserData(&userData); + continue; + } else { + break; diff --git a/source/l/expat/expat.SlackBuild b/source/l/expat/expat.SlackBuild index ac9926fa..e0ec9085 100755 --- a/source/l/expat/expat.SlackBuild +++ b/source/l/expat/expat.SlackBuild @@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=expat VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} -BUILD=${BUILD:-1} +BUILD=${BUILD:-2} # Automatically determine the architecture we're building on: if [ -z "$ARCH" ]; then @@ -73,6 +73,10 @@ cd expat-$VERSION || exit 1 chown -R root:root . find . -perm 777 -exec chmod 755 {} \+ find . -perm 664 -exec chmod 644 {} \+ + +zcat $CWD/178d26f50af21ec23d6e43814b9b602590b5865c.patch.gz | patch -p2 --verbose || exit 1 +zcat $CWD/5f100ffa78b74da8020b71d1582a8979193c1359.patch.gz | patch -p2 --verbose || exit 1 + CFLAGS="$SLKCFLAGS" \ ./configure \ --prefix=/usr \ diff --git a/source/l/glibc/glibc.SlackBuild b/source/l/glibc/glibc.SlackBuild index d0f49b5c..7a1a5d5d 100755 --- a/source/l/glibc/glibc.SlackBuild +++ b/source/l/glibc/glibc.SlackBuild @@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=glibc VERSION=${VERSION:-$(echo glibc-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} CHECKOUT=${CHECKOUT:-""} -BUILD=${BUILD:-4} +BUILD=${BUILD:-5} # I was considering disabling NSCD, but MoZes talked me out of it. :) #DISABLE_NSCD=" --disable-nscd " diff --git a/source/l/glibc/patches/glibc.CVE-2021-3998.patch b/source/l/glibc/patches/glibc.CVE-2021-3998.patch new file mode 100644 index 00000000..45602d05 --- /dev/null +++ b/source/l/glibc/patches/glibc.CVE-2021-3998.patch @@ -0,0 +1,123 @@ +From f7a79879c0b2bef0dadd6caaaeeb0d26423e04e5 Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar <siddhesh@sourceware.org> +Date: Thu, 13 Jan 2022 11:28:36 +0530 +Subject: [PATCH] realpath: Set errno to ENAMETOOLONG for result larger than + PATH_MAX [BZ #28770] + +realpath returns an allocated string when the result exceeds PATH_MAX, +which is unexpected when its second argument is not NULL. This results +in the second argument (resolved) being uninitialized and also results +in a memory leak since the caller expects resolved to be the same as the +returned value. + +Return NULL and set errno to ENAMETOOLONG if the result exceeds +PATH_MAX. This fixes [BZ #28770], which is CVE-2021-3998. + +Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> +Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> +(cherry picked from commit ee8d5e33adb284601c00c94687bc907e10aec9bb) +--- + NEWS | 4 +++ + stdlib/Makefile | 1 + + stdlib/canonicalize.c | 12 +++++++-- + stdlib/tst-realpath-toolong.c | 49 +++++++++++++++++++++++++++++++++++ + 4 files changed, 64 insertions(+), 2 deletions(-) + create mode 100644 stdlib/tst-realpath-toolong.c + +--- ./NEWS.orig 2021-02-01 11:15:33.000000000 -0600 ++++ ./NEWS 2022-01-24 13:32:24.268678228 -0600 +@@ -118,6 +118,10 @@ + CVE-2019-25013: A buffer overflow has been fixed in the iconv function when + invoked with EUC-KR input containing invalid multibyte input sequences. + ++ CVE-2021-3998: Passing a path longer than PATH_MAX to the realpath ++ function could result in a memory leak and potential access of ++ uninitialized memory. Reported by Qualys. ++ + The following bugs are resolved with this release: + + [10635] libc: realpath portability patches +--- ./stdlib/canonicalize.c.orig 2021-02-01 11:15:33.000000000 -0600 ++++ ./stdlib/canonicalize.c 2022-01-24 13:32:24.268678228 -0600 +@@ -400,8 +400,16 @@ + + error: + *dest++ = '\0'; +- if (resolved != NULL && dest - rname <= get_path_max ()) +- rname = strcpy (resolved, rname); ++ if (resolved != NULL) ++ { ++ if (dest - rname <= get_path_max ()) ++ rname = strcpy (resolved, rname); ++ else ++ { ++ failed = true; ++ __set_errno (ENAMETOOLONG); ++ } ++ } + + error_nomem: + scratch_buffer_free (&extra_buffer); +--- ./stdlib/Makefile.orig 2022-01-24 13:32:24.268678228 -0600 ++++ ./stdlib/Makefile 2022-01-24 13:32:59.968676254 -0600 +@@ -86,7 +86,7 @@ + tst-makecontext-align test-bz22786 tst-strtod-nan-sign \ + tst-swapcontext1 tst-setcontext4 tst-setcontext5 \ + tst-setcontext6 tst-setcontext7 tst-setcontext8 \ +- tst-setcontext9 tst-bz20544 tst-canon-bz26341 ++ tst-setcontext9 tst-bz20544 tst-canon-bz26341 tst-realpath-toolong + + tests-internal := tst-strtod1i tst-strtod3 tst-strtod4 tst-strtod5i \ + tst-tls-atexit tst-tls-atexit-nodelete +--- ./stdlib/tst-realpath-toolong.c.orig 2022-01-24 13:32:24.268678228 -0600 ++++ ./stdlib/tst-realpath-toolong.c 2022-01-24 13:32:24.268678228 -0600 +@@ -0,0 +1,49 @@ ++/* Verify that realpath returns NULL with ENAMETOOLONG if the result exceeds ++ NAME_MAX. ++ Copyright The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <https://www.gnu.org/licenses/>. */ ++ ++#include <errno.h> ++#include <limits.h> ++#include <stdlib.h> ++#include <string.h> ++#include <unistd.h> ++#include <support/check.h> ++#include <support/temp_file.h> ++#include <sys/types.h> ++#include <sys/stat.h> ++ ++#define BASENAME "tst-realpath-toolong." ++ ++int ++do_test (void) ++{ ++ char *base = support_create_and_chdir_toolong_temp_directory (BASENAME); ++ ++ char buf[PATH_MAX + 1]; ++ const char *res = realpath (".", buf); ++ ++ /* canonicalize.c states that if the real path is >= PATH_MAX, then ++ realpath returns NULL and sets ENAMETOOLONG. */ ++ TEST_VERIFY (res == NULL); ++ TEST_VERIFY (errno == ENAMETOOLONG); ++ ++ free (base); ++ return 0; ++} ++ ++#include <support/test-driver.c> diff --git a/source/l/glibc/patches/glibc.CVE-2021-3999.patch b/source/l/glibc/patches/glibc.CVE-2021-3999.patch new file mode 100644 index 00000000..0644f798 --- /dev/null +++ b/source/l/glibc/patches/glibc.CVE-2021-3999.patch @@ -0,0 +1,356 @@ +From 472e799a5f2102bc0c3206dbd5a801765fceb39c Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar <siddhesh@sourceware.org> +Date: Fri, 21 Jan 2022 23:32:56 +0530 +Subject: [PATCH] getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999) + +No valid path returned by getcwd would fit into 1 byte, so reject the +size early and return NULL with errno set to ERANGE. This change is +prompted by CVE-2021-3999, which describes a single byte buffer +underflow and overflow when all of the following conditions are met: + +- The buffer size (i.e. the second argument of getcwd) is 1 byte +- The current working directory is too long +- '/' is also mounted on the current working directory + +Sequence of events: + +- In sysdeps/unix/sysv/linux/getcwd.c, the syscall returns ENAMETOOLONG + because the linux kernel checks for name length before it checks + buffer size + +- The code falls back to the generic getcwd in sysdeps/posix + +- In the generic func, the buf[0] is set to '\0' on line 250 + +- this while loop on line 262 is bypassed: + + while (!(thisdev == rootdev && thisino == rootino)) + + since the rootfs (/) is bind mounted onto the directory and the flow + goes on to line 449, where it puts a '/' in the byte before the + buffer. + +- Finally on line 458, it moves 2 bytes (the underflowed byte and the + '\0') to the buf[0] and buf[1], resulting in a 1 byte buffer overflow. + +- buf is returned on line 469 and errno is not set. + +This resolves BZ #28769. + +Reviewed-by: Andreas Schwab <schwab@linux-m68k.org> +Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> +Signed-off-by: Qualys Security Advisory <qsa@qualys.com> +Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> +(cherry picked from commit 23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e) +--- + NEWS | 6 + + sysdeps/posix/getcwd.c | 7 + + sysdeps/unix/sysv/linux/Makefile | 7 +- + .../unix/sysv/linux/tst-getcwd-smallbuff.c | 241 ++++++++++++++++++ + 4 files changed, 260 insertions(+), 1 deletion(-) + create mode 100644 sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c + +diff --git a/NEWS b/NEWS +index b4f81c2668..8d7467d2c1 100644 +--- a/NEWS ++++ b/NEWS +@@ -20,6 +20,12 @@ Security related changes: + function could result in a memory leak and potential access of + uninitialized memory. Reported by Qualys. + ++ CVE-2021-3999: Passing a buffer of size exactly 1 byte to the getcwd ++ function may result in an off-by-one buffer underflow and overflow ++ when the current working directory is longer than PATH_MAX and also ++ corresponds to the / directory through an unprivileged mount ++ namespace. Reported by Qualys. ++ + The following bugs are resolved with this release: + + [12889] nptl: Fix race between pthread_kill and thread exit +diff --git a/sysdeps/posix/getcwd.c b/sysdeps/posix/getcwd.c +index 13680026ff..b6984a382c 100644 +--- a/sysdeps/posix/getcwd.c ++++ b/sysdeps/posix/getcwd.c +@@ -187,6 +187,13 @@ __getcwd_generic (char *buf, size_t size) + size_t allocated = size; + size_t used; + ++ /* A size of 1 byte is never useful. */ ++ if (allocated == 1) ++ { ++ __set_errno (ERANGE); ++ return NULL; ++ } ++ + #if HAVE_MINIMALLY_WORKING_GETCWD + /* If AT_FDCWD is not defined, the algorithm below is O(N**2) and + this is much slower than the system getcwd (at least on +diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile +index 76ad06361c..9380d3848d 100644 +--- a/sysdeps/unix/sysv/linux/Makefile ++++ b/sysdeps/unix/sysv/linux/Makefile +@@ -331,7 +331,12 @@ sysdep_routines += xstatconv internal_statvfs \ + + sysdep_headers += bits/fcntl-linux.h + +-tests += tst-fallocate tst-fallocate64 tst-o_path-locks ++tests += \ ++ tst-fallocate \ ++ tst-fallocate64 \ ++ tst-getcwd-smallbuff \ ++ tst-o_path-locks \ ++# tests + endif + + ifeq ($(subdir),elf) +diff --git a/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c +new file mode 100644 +index 0000000000..d460d6e766 +--- /dev/null ++++ b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c +@@ -0,0 +1,241 @@ ++/* Verify that getcwd returns ERANGE for size 1 byte and does not underflow ++ buffer when the CWD is too long and is also a mount target of /. See bug ++ #28769 or CVE-2021-3999 for more context. ++ Copyright The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <https://www.gnu.org/licenses/>. */ ++ ++#include <errno.h> ++#include <fcntl.h> ++#include <intprops.h> ++#include <limits.h> ++#include <stdio.h> ++#include <stdlib.h> ++#include <string.h> ++#include <sys/mount.h> ++#include <sys/stat.h> ++#include <sys/types.h> ++#include <sys/wait.h> ++ ++#include <sys/socket.h> ++#include <sys/un.h> ++#include <support/check.h> ++#include <support/temp_file.h> ++#include <support/xsched.h> ++#include <support/xunistd.h> ++ ++static char *base; ++#define BASENAME "tst-getcwd-smallbuff" ++#define MOUNT_NAME "mpoint" ++static int sockfd[2]; ++ ++static void ++do_cleanup (void) ++{ ++ support_chdir_toolong_temp_directory (base); ++ TEST_VERIFY_EXIT (rmdir (MOUNT_NAME) == 0); ++ free (base); ++} ++ ++static void ++send_fd (const int sock, const int fd) ++{ ++ struct msghdr msg = {0}; ++ union ++ { ++ struct cmsghdr hdr; ++ char buf[CMSG_SPACE (sizeof (int))]; ++ } cmsgbuf = {0}; ++ struct cmsghdr *cmsg; ++ struct iovec vec; ++ char ch = 'A'; ++ ssize_t n; ++ ++ msg.msg_control = &cmsgbuf.buf; ++ msg.msg_controllen = sizeof (cmsgbuf.buf); ++ ++ cmsg = CMSG_FIRSTHDR (&msg); ++ cmsg->cmsg_len = CMSG_LEN (sizeof (int)); ++ cmsg->cmsg_level = SOL_SOCKET; ++ cmsg->cmsg_type = SCM_RIGHTS; ++ memcpy (CMSG_DATA (cmsg), &fd, sizeof (fd)); ++ ++ vec.iov_base = &ch; ++ vec.iov_len = 1; ++ msg.msg_iov = &vec; ++ msg.msg_iovlen = 1; ++ ++ while ((n = sendmsg (sock, &msg, 0)) == -1 && errno == EINTR); ++ ++ TEST_VERIFY_EXIT (n == 1); ++} ++ ++static int ++recv_fd (const int sock) ++{ ++ struct msghdr msg = {0}; ++ union ++ { ++ struct cmsghdr hdr; ++ char buf[CMSG_SPACE(sizeof(int))]; ++ } cmsgbuf = {0}; ++ struct cmsghdr *cmsg; ++ struct iovec vec; ++ ssize_t n; ++ char ch = '\0'; ++ int fd = -1; ++ ++ vec.iov_base = &ch; ++ vec.iov_len = 1; ++ msg.msg_iov = &vec; ++ msg.msg_iovlen = 1; ++ ++ msg.msg_control = &cmsgbuf.buf; ++ msg.msg_controllen = sizeof (cmsgbuf.buf); ++ ++ while ((n = recvmsg (sock, &msg, 0)) == -1 && errno == EINTR); ++ if (n != 1 || ch != 'A') ++ return -1; ++ ++ cmsg = CMSG_FIRSTHDR (&msg); ++ if (cmsg == NULL) ++ return -1; ++ if (cmsg->cmsg_type != SCM_RIGHTS) ++ return -1; ++ memcpy (&fd, CMSG_DATA (cmsg), sizeof (fd)); ++ if (fd < 0) ++ return -1; ++ return fd; ++} ++ ++static int ++child_func (void * const arg) ++{ ++ xclose (sockfd[0]); ++ const int sock = sockfd[1]; ++ char ch; ++ ++ TEST_VERIFY_EXIT (read (sock, &ch, 1) == 1); ++ TEST_VERIFY_EXIT (ch == '1'); ++ ++ if (mount ("/", MOUNT_NAME, NULL, MS_BIND | MS_REC, NULL)) ++ FAIL_EXIT1 ("mount failed: %m\n"); ++ const int fd = xopen ("mpoint", ++ O_RDONLY | O_PATH | O_DIRECTORY | O_NOFOLLOW, 0); ++ ++ send_fd (sock, fd); ++ xclose (fd); ++ ++ TEST_VERIFY_EXIT (read (sock, &ch, 1) == 1); ++ TEST_VERIFY_EXIT (ch == 'a'); ++ ++ xclose (sock); ++ return 0; ++} ++ ++static void ++update_map (char * const mapping, const char * const map_file) ++{ ++ const size_t map_len = strlen (mapping); ++ ++ const int fd = xopen (map_file, O_WRONLY, 0); ++ xwrite (fd, mapping, map_len); ++ xclose (fd); ++} ++ ++static void ++proc_setgroups_write (const long child_pid, const char * const str) ++{ ++ const size_t str_len = strlen(str); ++ ++ char setgroups_path[sizeof ("/proc//setgroups") + INT_STRLEN_BOUND (long)]; ++ ++ snprintf (setgroups_path, sizeof (setgroups_path), ++ "/proc/%ld/setgroups", child_pid); ++ ++ const int fd = open (setgroups_path, O_WRONLY); ++ ++ if (fd < 0) ++ { ++ TEST_VERIFY_EXIT (errno == ENOENT); ++ FAIL_UNSUPPORTED ("/proc/%ld/setgroups not found\n", child_pid); ++ } ++ ++ xwrite (fd, str, str_len); ++ xclose(fd); ++} ++ ++static char child_stack[1024 * 1024]; ++ ++int ++do_test (void) ++{ ++ base = support_create_and_chdir_toolong_temp_directory (BASENAME); ++ ++ xmkdir (MOUNT_NAME, S_IRWXU); ++ atexit (do_cleanup); ++ ++ TEST_VERIFY_EXIT (socketpair (AF_UNIX, SOCK_STREAM, 0, sockfd) == 0); ++ pid_t child_pid = xclone (child_func, NULL, child_stack, ++ sizeof (child_stack), ++ CLONE_NEWUSER | CLONE_NEWNS | SIGCHLD); ++ ++ xclose (sockfd[1]); ++ const int sock = sockfd[0]; ++ ++ char map_path[sizeof ("/proc//uid_map") + INT_STRLEN_BOUND (long)]; ++ char map_buf[sizeof ("0 1") + INT_STRLEN_BOUND (long)]; ++ ++ snprintf (map_path, sizeof (map_path), "/proc/%ld/uid_map", ++ (long) child_pid); ++ snprintf (map_buf, sizeof (map_buf), "0 %ld 1", (long) getuid()); ++ update_map (map_buf, map_path); ++ ++ proc_setgroups_write ((long) child_pid, "deny"); ++ snprintf (map_path, sizeof (map_path), "/proc/%ld/gid_map", ++ (long) child_pid); ++ snprintf (map_buf, sizeof (map_buf), "0 %ld 1", (long) getgid()); ++ update_map (map_buf, map_path); ++ ++ TEST_VERIFY_EXIT (send (sock, "1", 1, MSG_NOSIGNAL) == 1); ++ const int fd = recv_fd (sock); ++ TEST_VERIFY_EXIT (fd >= 0); ++ TEST_VERIFY_EXIT (fchdir (fd) == 0); ++ ++ static char buf[2 * 10 + 1]; ++ memset (buf, 'A', sizeof (buf)); ++ ++ /* Finally, call getcwd and check if it resulted in a buffer underflow. */ ++ char * cwd = getcwd (buf + sizeof (buf) / 2, 1); ++ TEST_VERIFY (cwd == NULL); ++ TEST_VERIFY (errno == ERANGE); ++ ++ for (int i = 0; i < sizeof (buf); i++) ++ if (buf[i] != 'A') ++ { ++ printf ("buf[%d] = %02x\n", i, (unsigned int) buf[i]); ++ support_record_failure (); ++ } ++ ++ TEST_VERIFY_EXIT (send (sock, "a", 1, MSG_NOSIGNAL) == 1); ++ xclose (sock); ++ TEST_VERIFY_EXIT (xwaitpid (child_pid, NULL, 0) == child_pid); ++ ++ return 0; ++} ++ ++#define CLEANUP_HANDLER do_cleanup ++#include <support/test-driver.c> +-- +2.27.0 + + diff --git a/source/l/tdb/tdb.SlackBuild b/source/l/tdb/tdb.SlackBuild index c903a9a5..2a1ec9ac 100755 --- a/source/l/tdb/tdb.SlackBuild +++ b/source/l/tdb/tdb.SlackBuild @@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=tdb VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} -BUILD=${BUILD:-3} +BUILD=${BUILD:-1} # Automatically determine the architecture we're building on: if [ -z "$ARCH" ]; then |