diff options
author | Naohiro Aota <naota@gentoo.org> | 2013-03-10 14:01:51 +0000 |
---|---|---|
committer | Naohiro Aota <naota@gentoo.org> | 2013-03-10 14:01:51 +0000 |
commit | 1efda02f2ee0f4fb1a30d10a7cf0b3661bd573ea (patch) | |
tree | 3f22734240965d714fef3cfe94c2c64884aaee65 | |
parent | Added a system-ffmpeg to =media-video/avidemux-2.6.1, currently it is disable... (diff) | |
download | gentoo-2-1efda02f2ee0f4fb1a30d10a7cf0b3661bd573ea.tar.gz gentoo-2-1efda02f2ee0f4fb1a30d10a7cf0b3661bd573ea.tar.bz2 gentoo-2-1efda02f2ee0f4fb1a30d10a7cf0b3661bd573ea.zip |
Apply patch for CVE-2010-2632. #458718
(Portage version: 2.2.0_alpha166/cvs/Linux x86_64, signed Manifest commit with key F8551514)
-rw-r--r-- | sys-freebsd/freebsd-lib/ChangeLog | 9 | ||||
-rw-r--r-- | sys-freebsd/freebsd-lib/files/freebsd-lib-9.0-cve-2010-2632.patch | 215 | ||||
-rw-r--r-- | sys-freebsd/freebsd-lib/freebsd-lib-9.0-r4.ebuild (renamed from sys-freebsd/freebsd-lib/freebsd-lib-9.0-r3.ebuild) | 3 |
3 files changed, 225 insertions, 2 deletions
diff --git a/sys-freebsd/freebsd-lib/ChangeLog b/sys-freebsd/freebsd-lib/ChangeLog index cac9e1bc84d3..003b3e2d98d0 100644 --- a/sys-freebsd/freebsd-lib/ChangeLog +++ b/sys-freebsd/freebsd-lib/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for sys-freebsd/freebsd-lib # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-lib/ChangeLog,v 1.170 2013/02/12 11:08:17 naota Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-lib/ChangeLog,v 1.171 2013/03/10 14:01:51 naota Exp $ + +*freebsd-lib-9.0-r4 (10 Mar 2013) + + 10 Mar 2013; Naohiro Aota <naota@gentoo.org> + +files/freebsd-lib-9.0-cve-2010-2632.patch, +freebsd-lib-9.0-r4.ebuild, + -freebsd-lib-9.0-r3.ebuild: + Apply patch for CVE-2010-2632. #458718 12 Feb 2013; Naohiro Aota <naota@gentoo.org> +files/freebsd-lib-9.0-bluetooth.patch, +files/freebsd-lib-9.0-netware.patch, diff --git a/sys-freebsd/freebsd-lib/files/freebsd-lib-9.0-cve-2010-2632.patch b/sys-freebsd/freebsd-lib/files/freebsd-lib-9.0-cve-2010-2632.patch new file mode 100644 index 000000000000..ad9b9608f42c --- /dev/null +++ b/sys-freebsd/freebsd-lib/files/freebsd-lib-9.0-cve-2010-2632.patch @@ -0,0 +1,215 @@ +Index: lib/libc/gen/glob.c +=================================================================== +--- lib/libc/gen/glob.c (revision 246357) ++++ lib/libc/gen/glob.c (working copy) +@@ -94,6 +94,25 @@ __FBSDID("$FreeBSD$"); + + #include "collate.h" + ++/* ++ * glob(3) expansion limits. Stop the expansion if any of these limits ++ * is reached. This caps the runtime in the face of DoS attacks. See ++ * also CVE-2010-2632 ++ */ ++#define GLOB_LIMIT_BRACE 128 /* number of brace calls */ ++#define GLOB_LIMIT_PATH 65536 /* number of path elements */ ++#define GLOB_LIMIT_READDIR 16384 /* number of readdirs */ ++#define GLOB_LIMIT_STAT 1024 /* number of stat system calls */ ++#define GLOB_LIMIT_STRING ARG_MAX /* maximum total size for paths */ ++ ++struct glob_limit { ++ size_t l_brace_cnt; ++ size_t l_path_lim; ++ size_t l_readdir_cnt; ++ size_t l_stat_cnt; ++ size_t l_string_cnt; ++}; ++ + #define DOLLAR '$' + #define DOT '.' + #define EOS '\0' +@@ -153,15 +172,18 @@ static const Char *g_strchr(const Char *, wchar_t) + static Char *g_strcat(Char *, const Char *); + #endif + static int g_stat(Char *, struct stat *, glob_t *); +-static int glob0(const Char *, glob_t *, size_t *); +-static int glob1(Char *, glob_t *, size_t *); +-static int glob2(Char *, Char *, Char *, Char *, glob_t *, size_t *); +-static int glob3(Char *, Char *, Char *, Char *, Char *, glob_t *, size_t *); +-static int globextend(const Char *, glob_t *, size_t *); +-static const Char * ++static int glob0(const Char *, glob_t *, struct glob_limit *); ++static int glob1(Char *, glob_t *, struct glob_limit *); ++static int glob2(Char *, Char *, Char *, Char *, glob_t *, ++ struct glob_limit *); ++static int glob3(Char *, Char *, Char *, Char *, Char *, glob_t *, ++ struct glob_limit *); ++static int globextend(const Char *, glob_t *, struct glob_limit *); ++static const Char * + globtilde(const Char *, Char *, size_t, glob_t *); +-static int globexp1(const Char *, glob_t *, size_t *); +-static int globexp2(const Char *, const Char *, glob_t *, int *, size_t *); ++static int globexp1(const Char *, glob_t *, struct glob_limit *); ++static int globexp2(const Char *, const Char *, glob_t *, int *, ++ struct glob_limit *); + static int match(Char *, Char *, Char *); + #ifdef DEBUG + static void qprintf(const char *, Char *); +@@ -171,8 +193,8 @@ int + glob(const char * __restrict pattern, int flags, + int (*errfunc)(const char *, int), glob_t * __restrict pglob) + { ++ struct glob_limit limit = { 0, 0, 0, 0, 0 }; + const char *patnext; +- size_t limit; + Char *bufnext, *bufend, patbuf[MAXPATHLEN], prot; + mbstate_t mbs; + wchar_t wc; +@@ -186,11 +208,10 @@ glob(const char * __restrict pattern, int flags, + pglob->gl_offs = 0; + } + if (flags & GLOB_LIMIT) { +- limit = pglob->gl_matchc; +- if (limit == 0) +- limit = ARG_MAX; +- } else +- limit = 0; ++ limit.l_path_lim = pglob->gl_matchc; ++ if (limit.l_path_lim == 0) ++ limit.l_path_lim = GLOB_LIMIT_PATH; ++ } + pglob->gl_flags = flags & ~GLOB_MAGCHAR; + pglob->gl_errfunc = errfunc; + pglob->gl_matchc = 0; +@@ -243,11 +264,17 @@ glob(const char * __restrict pattern, int flags, + * characters + */ + static int +-globexp1(const Char *pattern, glob_t *pglob, size_t *limit) ++globexp1(const Char *pattern, glob_t *pglob, struct glob_limit *limit) + { + const Char* ptr = pattern; + int rv; + ++ if ((pglob->gl_flags & GLOB_LIMIT) && ++ limit->l_brace_cnt++ >= GLOB_LIMIT_BRACE) { ++ errno = 0; ++ return (GLOB_NOSPACE); ++ } ++ + /* Protect a single {}, for find(1), like csh */ + if (pattern[0] == LBRACE && pattern[1] == RBRACE && pattern[2] == EOS) + return glob0(pattern, pglob, limit); +@@ -266,7 +293,8 @@ static int + * If it fails then it tries to glob the rest of the pattern and returns. + */ + static int +-globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv, size_t *limit) ++globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv, ++ struct glob_limit *limit) + { + int i; + Char *lm, *ls; +@@ -436,7 +464,7 @@ globtilde(const Char *pattern, Char *patbuf, size_ + * if things went well, nonzero if errors occurred. + */ + static int +-glob0(const Char *pattern, glob_t *pglob, size_t *limit) ++glob0(const Char *pattern, glob_t *pglob, struct glob_limit *limit) + { + const Char *qpatnext; + int err; +@@ -529,7 +557,7 @@ compare(const void *p, const void *q) + } + + static int +-glob1(Char *pattern, glob_t *pglob, size_t *limit) ++glob1(Char *pattern, glob_t *pglob, struct glob_limit *limit) + { + Char pathbuf[MAXPATHLEN]; + +@@ -547,7 +575,7 @@ static int + */ + static int + glob2(Char *pathbuf, Char *pathend, Char *pathend_last, Char *pattern, +- glob_t *pglob, size_t *limit) ++ glob_t *pglob, struct glob_limit *limit) + { + struct stat sb; + Char *p, *q; +@@ -563,6 +591,15 @@ glob2(Char *pathbuf, Char *pathend, Char *pathend_ + if (g_lstat(pathbuf, &sb, pglob)) + return(0); + ++ if ((pglob->gl_flags & GLOB_LIMIT) && ++ limit->l_stat_cnt++ >= GLOB_LIMIT_STAT) { ++ errno = 0; ++ if (pathend + 1 > pathend_last) ++ return (GLOB_ABORTED); ++ *pathend++ = SEP; ++ *pathend = EOS; ++ return (GLOB_NOSPACE); ++ } + if (((pglob->gl_flags & GLOB_MARK) && + pathend[-1] != SEP) && (S_ISDIR(sb.st_mode) + || (S_ISLNK(sb.st_mode) && +@@ -606,7 +643,7 @@ glob2(Char *pathbuf, Char *pathend, Char *pathend_ + static int + glob3(Char *pathbuf, Char *pathend, Char *pathend_last, + Char *pattern, Char *restpattern, +- glob_t *pglob, size_t *limit) ++ glob_t *pglob, struct glob_limit *limit) + { + struct dirent *dp; + DIR *dirp; +@@ -652,6 +689,19 @@ glob3(Char *pathbuf, Char *pathend, Char *pathend_ + size_t clen; + mbstate_t mbs; + ++ if ((pglob->gl_flags & GLOB_LIMIT) && ++ limit->l_readdir_cnt++ >= GLOB_LIMIT_READDIR) { ++ errno = 0; ++ if (pathend + 1 > pathend_last) ++ err = GLOB_ABORTED; ++ else { ++ *pathend++ = SEP; ++ *pathend = EOS; ++ err = GLOB_NOSPACE; ++ } ++ break; ++ } ++ + /* Initial DOT must be matched literally. */ + if (dp->d_name[0] == DOT && *pattern != DOT) + continue; +@@ -702,14 +752,15 @@ glob3(Char *pathbuf, Char *pathend, Char *pathend_ + * gl_pathv points to (gl_offs + gl_pathc + 1) items. + */ + static int +-globextend(const Char *path, glob_t *pglob, size_t *limit) ++globextend(const Char *path, glob_t *pglob, struct glob_limit *limit) + { + char **pathv; + size_t i, newsize, len; + char *copy; + const Char *p; + +- if (*limit && pglob->gl_pathc > *limit) { ++ if ((pglob->gl_flags & GLOB_LIMIT) && ++ pglob->gl_matchc > limit->l_path_lim) { + errno = 0; + return (GLOB_NOSPACE); + } +@@ -737,6 +788,12 @@ static int + for (p = path; *p++;) + continue; + len = MB_CUR_MAX * (size_t)(p - path); /* XXX overallocation */ ++ limit->l_string_cnt += len; ++ if ((pglob->gl_flags & GLOB_LIMIT) && ++ limit->l_string_cnt >= GLOB_LIMIT_STRING) { ++ errno = 0; ++ return (GLOB_NOSPACE); ++ } + if ((copy = malloc(len)) != NULL) { + if (g_Ctoc(path, copy, len)) { + free(copy); diff --git a/sys-freebsd/freebsd-lib/freebsd-lib-9.0-r3.ebuild b/sys-freebsd/freebsd-lib/freebsd-lib-9.0-r4.ebuild index 4295da798ef4..82c6a8ef4869 100644 --- a/sys-freebsd/freebsd-lib/freebsd-lib-9.0-r3.ebuild +++ b/sys-freebsd/freebsd-lib/freebsd-lib-9.0-r4.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-lib/freebsd-lib-9.0-r3.ebuild,v 1.9 2013/02/12 11:08:17 naota Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-lib/freebsd-lib-9.0-r4.ebuild,v 1.1 2013/03/10 14:01:51 naota Exp $ EAPI=2 @@ -94,6 +94,7 @@ PATCHES=( "${FILESDIR}/${PN}-bsdxml2expat.patch" "${FILESDIR}/${PN}-9.0-trylock-adaptive.patch" "${FILESDIR}/${PN}-9.0-netware.patch" + "${FILESDIR}/${PN}-9.0-cve-2010-2632.patch" "${FILESDIR}/${PN}-9.0-bluetooth.patch" ) # Here we disable and remove source which we don't need or want |