summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNaohiro Aota <naota@gentoo.org>2013-03-10 14:01:51 +0000
committerNaohiro Aota <naota@gentoo.org>2013-03-10 14:01:51 +0000
commit1efda02f2ee0f4fb1a30d10a7cf0b3661bd573ea (patch)
tree3f22734240965d714fef3cfe94c2c64884aaee65
parentAdded a system-ffmpeg to =media-video/avidemux-2.6.1, currently it is disable... (diff)
downloadgentoo-2-1efda02f2ee0f4fb1a30d10a7cf0b3661bd573ea.tar.gz
gentoo-2-1efda02f2ee0f4fb1a30d10a7cf0b3661bd573ea.tar.bz2
gentoo-2-1efda02f2ee0f4fb1a30d10a7cf0b3661bd573ea.zip
Apply patch for CVE-2010-2632. #458718
(Portage version: 2.2.0_alpha166/cvs/Linux x86_64, signed Manifest commit with key F8551514)
-rw-r--r--sys-freebsd/freebsd-lib/ChangeLog9
-rw-r--r--sys-freebsd/freebsd-lib/files/freebsd-lib-9.0-cve-2010-2632.patch215
-rw-r--r--sys-freebsd/freebsd-lib/freebsd-lib-9.0-r4.ebuild (renamed from sys-freebsd/freebsd-lib/freebsd-lib-9.0-r3.ebuild)3
3 files changed, 225 insertions, 2 deletions
diff --git a/sys-freebsd/freebsd-lib/ChangeLog b/sys-freebsd/freebsd-lib/ChangeLog
index cac9e1bc84d3..003b3e2d98d0 100644
--- a/sys-freebsd/freebsd-lib/ChangeLog
+++ b/sys-freebsd/freebsd-lib/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for sys-freebsd/freebsd-lib
# Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-lib/ChangeLog,v 1.170 2013/02/12 11:08:17 naota Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-lib/ChangeLog,v 1.171 2013/03/10 14:01:51 naota Exp $
+
+*freebsd-lib-9.0-r4 (10 Mar 2013)
+
+ 10 Mar 2013; Naohiro Aota <naota@gentoo.org>
+ +files/freebsd-lib-9.0-cve-2010-2632.patch, +freebsd-lib-9.0-r4.ebuild,
+ -freebsd-lib-9.0-r3.ebuild:
+ Apply patch for CVE-2010-2632. #458718
12 Feb 2013; Naohiro Aota <naota@gentoo.org>
+files/freebsd-lib-9.0-bluetooth.patch, +files/freebsd-lib-9.0-netware.patch,
diff --git a/sys-freebsd/freebsd-lib/files/freebsd-lib-9.0-cve-2010-2632.patch b/sys-freebsd/freebsd-lib/files/freebsd-lib-9.0-cve-2010-2632.patch
new file mode 100644
index 000000000000..ad9b9608f42c
--- /dev/null
+++ b/sys-freebsd/freebsd-lib/files/freebsd-lib-9.0-cve-2010-2632.patch
@@ -0,0 +1,215 @@
+Index: lib/libc/gen/glob.c
+===================================================================
+--- lib/libc/gen/glob.c (revision 246357)
++++ lib/libc/gen/glob.c (working copy)
+@@ -94,6 +94,25 @@ __FBSDID("$FreeBSD$");
+
+ #include "collate.h"
+
++/*
++ * glob(3) expansion limits. Stop the expansion if any of these limits
++ * is reached. This caps the runtime in the face of DoS attacks. See
++ * also CVE-2010-2632
++ */
++#define GLOB_LIMIT_BRACE 128 /* number of brace calls */
++#define GLOB_LIMIT_PATH 65536 /* number of path elements */
++#define GLOB_LIMIT_READDIR 16384 /* number of readdirs */
++#define GLOB_LIMIT_STAT 1024 /* number of stat system calls */
++#define GLOB_LIMIT_STRING ARG_MAX /* maximum total size for paths */
++
++struct glob_limit {
++ size_t l_brace_cnt;
++ size_t l_path_lim;
++ size_t l_readdir_cnt;
++ size_t l_stat_cnt;
++ size_t l_string_cnt;
++};
++
+ #define DOLLAR '$'
+ #define DOT '.'
+ #define EOS '\0'
+@@ -153,15 +172,18 @@ static const Char *g_strchr(const Char *, wchar_t)
+ static Char *g_strcat(Char *, const Char *);
+ #endif
+ static int g_stat(Char *, struct stat *, glob_t *);
+-static int glob0(const Char *, glob_t *, size_t *);
+-static int glob1(Char *, glob_t *, size_t *);
+-static int glob2(Char *, Char *, Char *, Char *, glob_t *, size_t *);
+-static int glob3(Char *, Char *, Char *, Char *, Char *, glob_t *, size_t *);
+-static int globextend(const Char *, glob_t *, size_t *);
+-static const Char *
++static int glob0(const Char *, glob_t *, struct glob_limit *);
++static int glob1(Char *, glob_t *, struct glob_limit *);
++static int glob2(Char *, Char *, Char *, Char *, glob_t *,
++ struct glob_limit *);
++static int glob3(Char *, Char *, Char *, Char *, Char *, glob_t *,
++ struct glob_limit *);
++static int globextend(const Char *, glob_t *, struct glob_limit *);
++static const Char *
+ globtilde(const Char *, Char *, size_t, glob_t *);
+-static int globexp1(const Char *, glob_t *, size_t *);
+-static int globexp2(const Char *, const Char *, glob_t *, int *, size_t *);
++static int globexp1(const Char *, glob_t *, struct glob_limit *);
++static int globexp2(const Char *, const Char *, glob_t *, int *,
++ struct glob_limit *);
+ static int match(Char *, Char *, Char *);
+ #ifdef DEBUG
+ static void qprintf(const char *, Char *);
+@@ -171,8 +193,8 @@ int
+ glob(const char * __restrict pattern, int flags,
+ int (*errfunc)(const char *, int), glob_t * __restrict pglob)
+ {
++ struct glob_limit limit = { 0, 0, 0, 0, 0 };
+ const char *patnext;
+- size_t limit;
+ Char *bufnext, *bufend, patbuf[MAXPATHLEN], prot;
+ mbstate_t mbs;
+ wchar_t wc;
+@@ -186,11 +208,10 @@ glob(const char * __restrict pattern, int flags,
+ pglob->gl_offs = 0;
+ }
+ if (flags & GLOB_LIMIT) {
+- limit = pglob->gl_matchc;
+- if (limit == 0)
+- limit = ARG_MAX;
+- } else
+- limit = 0;
++ limit.l_path_lim = pglob->gl_matchc;
++ if (limit.l_path_lim == 0)
++ limit.l_path_lim = GLOB_LIMIT_PATH;
++ }
+ pglob->gl_flags = flags & ~GLOB_MAGCHAR;
+ pglob->gl_errfunc = errfunc;
+ pglob->gl_matchc = 0;
+@@ -243,11 +264,17 @@ glob(const char * __restrict pattern, int flags,
+ * characters
+ */
+ static int
+-globexp1(const Char *pattern, glob_t *pglob, size_t *limit)
++globexp1(const Char *pattern, glob_t *pglob, struct glob_limit *limit)
+ {
+ const Char* ptr = pattern;
+ int rv;
+
++ if ((pglob->gl_flags & GLOB_LIMIT) &&
++ limit->l_brace_cnt++ >= GLOB_LIMIT_BRACE) {
++ errno = 0;
++ return (GLOB_NOSPACE);
++ }
++
+ /* Protect a single {}, for find(1), like csh */
+ if (pattern[0] == LBRACE && pattern[1] == RBRACE && pattern[2] == EOS)
+ return glob0(pattern, pglob, limit);
+@@ -266,7 +293,8 @@ static int
+ * If it fails then it tries to glob the rest of the pattern and returns.
+ */
+ static int
+-globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv, size_t *limit)
++globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv,
++ struct glob_limit *limit)
+ {
+ int i;
+ Char *lm, *ls;
+@@ -436,7 +464,7 @@ globtilde(const Char *pattern, Char *patbuf, size_
+ * if things went well, nonzero if errors occurred.
+ */
+ static int
+-glob0(const Char *pattern, glob_t *pglob, size_t *limit)
++glob0(const Char *pattern, glob_t *pglob, struct glob_limit *limit)
+ {
+ const Char *qpatnext;
+ int err;
+@@ -529,7 +557,7 @@ compare(const void *p, const void *q)
+ }
+
+ static int
+-glob1(Char *pattern, glob_t *pglob, size_t *limit)
++glob1(Char *pattern, glob_t *pglob, struct glob_limit *limit)
+ {
+ Char pathbuf[MAXPATHLEN];
+
+@@ -547,7 +575,7 @@ static int
+ */
+ static int
+ glob2(Char *pathbuf, Char *pathend, Char *pathend_last, Char *pattern,
+- glob_t *pglob, size_t *limit)
++ glob_t *pglob, struct glob_limit *limit)
+ {
+ struct stat sb;
+ Char *p, *q;
+@@ -563,6 +591,15 @@ glob2(Char *pathbuf, Char *pathend, Char *pathend_
+ if (g_lstat(pathbuf, &sb, pglob))
+ return(0);
+
++ if ((pglob->gl_flags & GLOB_LIMIT) &&
++ limit->l_stat_cnt++ >= GLOB_LIMIT_STAT) {
++ errno = 0;
++ if (pathend + 1 > pathend_last)
++ return (GLOB_ABORTED);
++ *pathend++ = SEP;
++ *pathend = EOS;
++ return (GLOB_NOSPACE);
++ }
+ if (((pglob->gl_flags & GLOB_MARK) &&
+ pathend[-1] != SEP) && (S_ISDIR(sb.st_mode)
+ || (S_ISLNK(sb.st_mode) &&
+@@ -606,7 +643,7 @@ glob2(Char *pathbuf, Char *pathend, Char *pathend_
+ static int
+ glob3(Char *pathbuf, Char *pathend, Char *pathend_last,
+ Char *pattern, Char *restpattern,
+- glob_t *pglob, size_t *limit)
++ glob_t *pglob, struct glob_limit *limit)
+ {
+ struct dirent *dp;
+ DIR *dirp;
+@@ -652,6 +689,19 @@ glob3(Char *pathbuf, Char *pathend, Char *pathend_
+ size_t clen;
+ mbstate_t mbs;
+
++ if ((pglob->gl_flags & GLOB_LIMIT) &&
++ limit->l_readdir_cnt++ >= GLOB_LIMIT_READDIR) {
++ errno = 0;
++ if (pathend + 1 > pathend_last)
++ err = GLOB_ABORTED;
++ else {
++ *pathend++ = SEP;
++ *pathend = EOS;
++ err = GLOB_NOSPACE;
++ }
++ break;
++ }
++
+ /* Initial DOT must be matched literally. */
+ if (dp->d_name[0] == DOT && *pattern != DOT)
+ continue;
+@@ -702,14 +752,15 @@ glob3(Char *pathbuf, Char *pathend, Char *pathend_
+ * gl_pathv points to (gl_offs + gl_pathc + 1) items.
+ */
+ static int
+-globextend(const Char *path, glob_t *pglob, size_t *limit)
++globextend(const Char *path, glob_t *pglob, struct glob_limit *limit)
+ {
+ char **pathv;
+ size_t i, newsize, len;
+ char *copy;
+ const Char *p;
+
+- if (*limit && pglob->gl_pathc > *limit) {
++ if ((pglob->gl_flags & GLOB_LIMIT) &&
++ pglob->gl_matchc > limit->l_path_lim) {
+ errno = 0;
+ return (GLOB_NOSPACE);
+ }
+@@ -737,6 +788,12 @@ static int
+ for (p = path; *p++;)
+ continue;
+ len = MB_CUR_MAX * (size_t)(p - path); /* XXX overallocation */
++ limit->l_string_cnt += len;
++ if ((pglob->gl_flags & GLOB_LIMIT) &&
++ limit->l_string_cnt >= GLOB_LIMIT_STRING) {
++ errno = 0;
++ return (GLOB_NOSPACE);
++ }
+ if ((copy = malloc(len)) != NULL) {
+ if (g_Ctoc(path, copy, len)) {
+ free(copy);
diff --git a/sys-freebsd/freebsd-lib/freebsd-lib-9.0-r3.ebuild b/sys-freebsd/freebsd-lib/freebsd-lib-9.0-r4.ebuild
index 4295da798ef4..82c6a8ef4869 100644
--- a/sys-freebsd/freebsd-lib/freebsd-lib-9.0-r3.ebuild
+++ b/sys-freebsd/freebsd-lib/freebsd-lib-9.0-r4.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2013 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-lib/freebsd-lib-9.0-r3.ebuild,v 1.9 2013/02/12 11:08:17 naota Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-lib/freebsd-lib-9.0-r4.ebuild,v 1.1 2013/03/10 14:01:51 naota Exp $
EAPI=2
@@ -94,6 +94,7 @@ PATCHES=(
"${FILESDIR}/${PN}-bsdxml2expat.patch"
"${FILESDIR}/${PN}-9.0-trylock-adaptive.patch"
"${FILESDIR}/${PN}-9.0-netware.patch"
+ "${FILESDIR}/${PN}-9.0-cve-2010-2632.patch"
"${FILESDIR}/${PN}-9.0-bluetooth.patch" )
# Here we disable and remove source which we don't need or want