diff -Nru eglibc-2.17/debian/changelog eglibc-2.17/debian/changelog --- eglibc-2.17/debian/changelog 2013-09-23 05:32:58.000000000 +0000 +++ eglibc-2.17/debian/changelog 2013-10-12 03:43:20.000000000 +0000 @@ -1,3 +1,36 @@ +eglibc (2.17-93ubuntu4) saucy; urgency=low + + * patches/arm64/cvs-setjmp-clobber.diff: __sigsetjmp clobbers register + x1 before making the tail call to __sigjmp_save, which causes the + latter to always save the signal mask. Backport git patch to fix. + * patches/series: Revert the CVE-2013-2207 pt_chown fix until we come + up with a sane plan to avoid users shooting themselves in the foot. + * debhelper.in/libc-bin.install: Install pt_chown again for the above. + + -- Adam Conrad Fri, 11 Oct 2013 21:06:21 -0600 + +eglibc (2.17-93ubuntu3) saucy; urgency=low + + * Revert the CVE-2013-4788 fix, as it causes the ARM testsuite to fail. + + -- Adam Conrad Thu, 10 Oct 2013 01:25:14 -0600 + +eglibc (2.17-93ubuntu2) saucy; urgency=low + + * patches/any/cvs-CVE-2012-44xx.diff: backport overflow fixes in strcoll + addressing CVE-2012-4412 and CVE-2012-4424 (Closes: #687530, #689423) + * patches/any/cvs-CVE-2013-4237.diff: backport git fix to respect the + NAME_MAX constraints in readdir_r: CVE-2013-4237 (Closes: #719558) + * debian/patches/any/cvs-CVE-2013-2207-pt_chown.diff: backpot git patch + to disable building and using pt_chown: CVE-2013-2207 (Closes: #717544) + * debhelper.in/libc-bin.install: Adjust packaging for the above change. + * patches/any/cvs-CVE-2013-4788-static-ptrguard*: backport fix from git + for pointer mangling in static builds: CVE-2013-4788 (Closes: #717178) + * patches/ubuntu/unsubmitted-dlopen-static-crash.diff: New patch from + Maciej Rozycki to fix a dlopen segfault in statically linked programs. + + -- Adam Conrad Wed, 09 Oct 2013 22:29:57 -0600 + eglibc (2.17-93ubuntu1) saucy; urgency=low * Merge with Debian unstable, bringing in testsuite and security fixes. diff -Nru eglibc-2.17/debian/patches/any/cvs-CVE-2012-44xx.diff eglibc-2.17/debian/patches/any/cvs-CVE-2012-44xx.diff --- eglibc-2.17/debian/patches/any/cvs-CVE-2012-44xx.diff 1970-01-01 00:00:00.000000000 +0000 +++ eglibc-2.17/debian/patches/any/cvs-CVE-2012-44xx.diff 2013-10-09 21:58:28.000000000 +0000 @@ -0,0 +1,1091 @@ +Description: fix denial of service and possible code execution via strcoll overflows +Origin: backport, https://sourceware.org/git/?p=glibc.git;a=commit;h=1326ba1af22068db9488c2328bdaf852b8a93dcf +Origin: backport, https://sourceware.org/git/?p=glibc.git;a=commit;h=141f3a77fe4f1b59b0afa9bf6909cd2000448883 +Origin: backport, https://sourceware.org/git/?p=glibc.git;a=commit;h=303e567a8062200dc06acde7c76fc34679f08d8f +Bug: http://sourceware.org/bugzilla/show_bug.cgi?id=14547 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=687530 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689423 + +Index: eglibc-2.17/string/Makefile +=================================================================== +--- eglibc-2.17.orig/string/Makefile 2012-10-25 16:09:53.000000000 -0400 ++++ eglibc-2.17/string/Makefile 2013-09-27 08:52:43.931342684 -0400 +@@ -67,6 +67,8 @@ + tests-ifunc := $(strop-tests:%=test-%-ifunc) + tests += $(tests-ifunc) + ++xtests = tst-strcoll-overflow ++ + include ../Rules + + tester-ENV = LANGUAGE=C +Index: eglibc-2.17/string/strcoll_l.c +=================================================================== +--- eglibc-2.17.orig/string/strcoll_l.c 2012-02-17 21:24:59.000000000 -0500 ++++ eglibc-2.17/string/strcoll_l.c 2013-09-27 08:52:43.931342684 -0400 +@@ -42,11 +42,434 @@ + + #include "../locale/localeinfo.h" + ++/* Track status while looking for sequences in a string. */ ++typedef struct ++{ ++ int len; /* Length of the current sequence. */ ++ size_t val; /* Position of the sequence relative to the ++ previous non-ignored sequence. */ ++ size_t idxnow; /* Current index in sequences. */ ++ size_t idxmax; /* Maximum index in sequences. */ ++ size_t idxcnt; /* Current count of indices. */ ++ size_t backw; /* Current Backward sequence index. */ ++ size_t backw_stop; /* Index where the backward sequences stop. */ ++ const USTRING_TYPE *us; /* The string. */ ++ int32_t *idxarr; /* Array to cache weight indices. */ ++ unsigned char *rulearr; /* Array to cache rules. */ ++ unsigned char rule; /* Saved rule for the first sequence. */ ++ int32_t idx; /* Index to weight of the current sequence. */ ++ int32_t save_idx; /* Save looked up index of a forward ++ sequence after the last backward ++ sequence. */ ++ const USTRING_TYPE *back_us; /* Beginning of the backward sequence. */ ++} coll_seq; ++ ++/* Get next sequence. The weight indices are cached, so we don't need to ++ traverse the string. */ ++static void ++get_next_seq_cached (coll_seq *seq, int nrules, int pass, ++ const unsigned char *rulesets, ++ const USTRING_TYPE *weights) ++{ ++ size_t val = seq->val = 0; ++ int len = seq->len; ++ size_t backw_stop = seq->backw_stop; ++ size_t backw = seq->backw; ++ size_t idxcnt = seq->idxcnt; ++ size_t idxmax = seq->idxmax; ++ size_t idxnow = seq->idxnow; ++ unsigned char *rulearr = seq->rulearr; ++ int32_t *idxarr = seq->idxarr; ++ ++ while (len == 0) ++ { ++ ++val; ++ if (backw_stop != ~0ul) ++ { ++ /* There is something pushed. */ ++ if (backw == backw_stop) ++ { ++ /* The last pushed character was handled. Continue ++ with forward characters. */ ++ if (idxcnt < idxmax) ++ { ++ idxnow = idxcnt; ++ backw_stop = ~0ul; ++ } ++ else ++ { ++ /* Nothing any more. The backward sequence ++ ended with the last sequence in the string. */ ++ idxnow = ~0ul; ++ break; ++ } ++ } ++ else ++ idxnow = --backw; ++ } ++ else ++ { ++ backw_stop = idxcnt; ++ ++ while (idxcnt < idxmax) ++ { ++ if ((rulesets[rulearr[idxcnt] * nrules + pass] ++ & sort_backward) == 0) ++ /* No more backward characters to push. */ ++ break; ++ ++idxcnt; ++ } ++ ++ if (backw_stop == idxcnt) ++ { ++ /* No sequence at all or just one. */ ++ if (idxcnt == idxmax) ++ /* Note that LEN is still zero. */ ++ break; ++ ++ backw_stop = ~0ul; ++ idxnow = idxcnt++; ++ } ++ else ++ /* We pushed backward sequences. */ ++ idxnow = backw = idxcnt - 1; ++ } ++ len = weights[idxarr[idxnow]++]; ++ } ++ ++ /* Update the structure. */ ++ seq->val = val; ++ seq->len = len; ++ seq->backw_stop = backw_stop; ++ seq->backw = backw; ++ seq->idxcnt = idxcnt; ++ seq->idxnow = idxnow; ++} ++ ++/* Get next sequence. Traverse the string as required. */ ++static void ++get_next_seq (coll_seq *seq, int nrules, const unsigned char *rulesets, ++ const USTRING_TYPE *weights, const int32_t *table, ++ const USTRING_TYPE *extra, const int32_t *indirect) ++{ ++#include WEIGHT_H ++ size_t val = seq->val = 0; ++ int len = seq->len; ++ size_t backw_stop = seq->backw_stop; ++ size_t backw = seq->backw; ++ size_t idxcnt = seq->idxcnt; ++ size_t idxmax = seq->idxmax; ++ size_t idxnow = seq->idxnow; ++ unsigned char *rulearr = seq->rulearr; ++ int32_t *idxarr = seq->idxarr; ++ const USTRING_TYPE *us = seq->us; ++ ++ while (len == 0) ++ { ++ ++val; ++ if (backw_stop != ~0ul) ++ { ++ /* There is something pushed. */ ++ if (backw == backw_stop) ++ { ++ /* The last pushed character was handled. Continue ++ with forward characters. */ ++ if (idxcnt < idxmax) ++ { ++ idxnow = idxcnt; ++ backw_stop = ~0ul; ++ } ++ else ++ /* Nothing any more. The backward sequence ended with ++ the last sequence in the string. Note that LEN ++ is still zero. */ ++ break; ++ } ++ else ++ idxnow = --backw; ++ } ++ else ++ { ++ backw_stop = idxmax; ++ ++ while (*us != L('\0')) ++ { ++ int32_t tmp = findidx (&us, -1); ++ rulearr[idxmax] = tmp >> 24; ++ idxarr[idxmax] = tmp & 0xffffff; ++ idxcnt = idxmax++; ++ ++ if ((rulesets[rulearr[idxcnt] * nrules] ++ & sort_backward) == 0) ++ /* No more backward characters to push. */ ++ break; ++ ++idxcnt; ++ } ++ ++ if (backw_stop >= idxcnt) ++ { ++ /* No sequence at all or just one. */ ++ if (idxcnt == idxmax || backw_stop > idxcnt) ++ /* Note that LEN is still zero. */ ++ break; ++ ++ backw_stop = ~0ul; ++ idxnow = idxcnt; ++ } ++ else ++ /* We pushed backward sequences. */ ++ idxnow = backw = idxcnt - 1; ++ } ++ len = weights[idxarr[idxnow]++]; ++ } ++ ++ /* Update the structure. */ ++ seq->val = val; ++ seq->len = len; ++ seq->backw_stop = backw_stop; ++ seq->backw = backw; ++ seq->idxcnt = idxcnt; ++ seq->idxmax = idxmax; ++ seq->idxnow = idxnow; ++ seq->us = us; ++} ++ ++/* Get next sequence. Traverse the string as required. This function does not ++ set or use any index or rule cache. */ ++static void ++get_next_seq_nocache (coll_seq *seq, int nrules, const unsigned char *rulesets, ++ const USTRING_TYPE *weights, const int32_t *table, ++ const USTRING_TYPE *extra, const int32_t *indirect, ++ int pass) ++{ ++#include WEIGHT_H ++ size_t val = seq->val = 0; ++ int len = seq->len; ++ size_t backw_stop = seq->backw_stop; ++ size_t backw = seq->backw; ++ size_t idxcnt = seq->idxcnt; ++ size_t idxmax = seq->idxmax; ++ int32_t idx = seq->idx; ++ const USTRING_TYPE *us = seq->us; ++ ++ while (len == 0) ++ { ++ ++val; ++ if (backw_stop != ~0ul) ++ { ++ /* There is something pushed. */ ++ if (backw == backw_stop) ++ { ++ /* The last pushed character was handled. Continue ++ with forward characters. */ ++ if (idxcnt < idxmax) ++ { ++ idx = seq->save_idx; ++ backw_stop = ~0ul; ++ } ++ else ++ { ++ /* Nothing anymore. The backward sequence ended with ++ the last sequence in the string. Note that len is ++ still zero. */ ++ idx = 0; ++ break; ++ } ++ } ++ else ++ { ++ /* XXX Traverse BACKW sequences from the beginning of ++ BACKW_STOP to get the next sequence. Is ther a quicker way ++ to do this? */ ++ size_t i = backw_stop; ++ us = seq->back_us; ++ while (i < backw) ++ { ++ int32_t tmp = findidx (&us, -1); ++ idx = tmp & 0xffffff; ++ i++; ++ } ++ --backw; ++ us = seq->us; ++ } ++ } ++ else ++ { ++ backw_stop = idxmax; ++ int32_t prev_idx = idx; ++ ++ while (*us != L('\0')) ++ { ++ int32_t tmp = findidx (&us, -1); ++ unsigned char rule = tmp >> 24; ++ prev_idx = idx; ++ idx = tmp & 0xffffff; ++ idxcnt = idxmax++; ++ ++ /* Save the rule for the first sequence. */ ++ if (__glibc_unlikely (idxcnt == 0)) ++ seq->rule = rule; ++ ++ if ((rulesets[rule * nrules + pass] ++ & sort_backward) == 0) ++ /* No more backward characters to push. */ ++ break; ++ ++idxcnt; ++ } ++ ++ if (backw_stop >= idxcnt) ++ { ++ /* No sequence at all or just one. */ ++ if (idxcnt == idxmax || backw_stop > idxcnt) ++ /* Note that len is still zero. */ ++ break; ++ ++ backw_stop = ~0ul; ++ } ++ else ++ { ++ /* We pushed backward sequences. If the stream ended with the ++ backward sequence, then we process the last sequence we ++ found. Otherwise we process the sequence before the last ++ one since the last one was a forward sequence. */ ++ seq->back_us = seq->us; ++ seq->us = us; ++ backw = idxcnt; ++ if (idxmax > idxcnt) ++ { ++ backw--; ++ seq->save_idx = idx; ++ idx = prev_idx; ++ } ++ if (backw > backw_stop) ++ backw--; ++ } ++ } ++ ++ len = weights[idx++]; ++ /* Skip over indices of previous levels. */ ++ for (int i = 0; i < pass; i++) ++ { ++ idx += len; ++ len = weights[idx]; ++ idx++; ++ } ++ } ++ ++ /* Update the structure. */ ++ seq->val = val; ++ seq->len = len; ++ seq->backw_stop = backw_stop; ++ seq->backw = backw; ++ seq->idxcnt = idxcnt; ++ seq->idxmax = idxmax; ++ seq->us = us; ++ seq->idx = idx; ++} ++ ++/* Compare two sequences. This version does not use the index and rules ++ cache. */ ++static int ++do_compare_nocache (coll_seq *seq1, coll_seq *seq2, int position, ++ const USTRING_TYPE *weights) ++{ ++ int seq1len = seq1->len; ++ int seq2len = seq2->len; ++ size_t val1 = seq1->val; ++ size_t val2 = seq2->val; ++ int idx1 = seq1->idx; ++ int idx2 = seq2->idx; ++ int result = 0; ++ ++ /* Test for position if necessary. */ ++ if (position && val1 != val2) ++ { ++ result = val1 > val2 ? 1 : -1; ++ goto out; ++ } ++ ++ /* Compare the two sequences. */ ++ do ++ { ++ if (weights[idx1] != weights[idx2]) ++ { ++ /* The sequences differ. */ ++ result = weights[idx1] - weights[idx2]; ++ goto out; ++ } ++ ++ /* Increment the offsets. */ ++ ++idx1; ++ ++idx2; ++ ++ --seq1len; ++ --seq2len; ++ } ++ while (seq1len > 0 && seq2len > 0); ++ ++ if (position && seq1len != seq2len) ++ result = seq1len - seq2len; ++ ++out: ++ seq1->len = seq1len; ++ seq2->len = seq2len; ++ seq1->idx = idx1; ++ seq2->idx = idx2; ++ return result; ++} ++ ++/* Compare two sequences using the index cache. */ ++static int ++do_compare (coll_seq *seq1, coll_seq *seq2, int position, ++ const USTRING_TYPE *weights) ++{ ++ int seq1len = seq1->len; ++ int seq2len = seq2->len; ++ size_t val1 = seq1->val; ++ size_t val2 = seq2->val; ++ int32_t *idx1arr = seq1->idxarr; ++ int32_t *idx2arr = seq2->idxarr; ++ int idx1now = seq1->idxnow; ++ int idx2now = seq2->idxnow; ++ int result = 0; ++ ++ /* Test for position if necessary. */ ++ if (position && val1 != val2) ++ { ++ result = val1 > val2 ? 1 : -1; ++ goto out; ++ } ++ ++ /* Compare the two sequences. */ ++ do ++ { ++ if (weights[idx1arr[idx1now]] != weights[idx2arr[idx2now]]) ++ { ++ /* The sequences differ. */ ++ result = weights[idx1arr[idx1now]] - weights[idx2arr[idx2now]]; ++ goto out; ++ } ++ ++ /* Increment the offsets. */ ++ ++idx1arr[idx1now]; ++ ++idx2arr[idx2now]; ++ ++ --seq1len; ++ --seq2len; ++ } ++ while (seq1len > 0 && seq2len > 0); ++ ++ if (position && seq1len != seq2len) ++ result = seq1len - seq2len; ++ ++out: ++ seq1->len = seq1len; ++ seq2->len = seq2len; ++ return result; ++} ++ + int +-STRCOLL (s1, s2, l) +- const STRING_TYPE *s1; +- const STRING_TYPE *s2; +- __locale_t l; ++STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l) + { + struct __locale_data *current = l->__locales[LC_COLLATE]; + #if __OPTION_EGLIBC_LOCALE_CODE +@@ -61,34 +484,6 @@ + const USTRING_TYPE *weights; + const USTRING_TYPE *extra; + const int32_t *indirect; +- uint_fast32_t pass; +- int result = 0; +- const USTRING_TYPE *us1; +- const USTRING_TYPE *us2; +- size_t s1len; +- size_t s2len; +- int32_t *idx1arr; +- int32_t *idx2arr; +- unsigned char *rule1arr; +- unsigned char *rule2arr; +- size_t idx1max; +- size_t idx2max; +- size_t idx1cnt; +- size_t idx2cnt; +- size_t idx1now; +- size_t idx2now; +- size_t backw1_stop; +- size_t backw2_stop; +- size_t backw1; +- size_t backw2; +- int val1; +- int val2; +- int position; +- int seq1len; +- int seq2len; +- int use_malloc; +- +-#include WEIGHT_H + + if (nrules == 0) + return STRCMP (s1, s2); +@@ -103,7 +498,6 @@ + current->values[_NL_ITEM_INDEX (CONCAT(_NL_COLLATE_EXTRA,SUFFIX))].string; + indirect = (const int32_t *) + current->values[_NL_ITEM_INDEX (CONCAT(_NL_COLLATE_INDIRECT,SUFFIX))].string; +- use_malloc = 0; + + assert (((uintptr_t) table) % __alignof__ (table[0]) == 0); + assert (((uintptr_t) weights) % __alignof__ (weights[0]) == 0); +@@ -111,18 +505,13 @@ + assert (((uintptr_t) indirect) % __alignof__ (indirect[0]) == 0); + + /* We need this a few times. */ +- s1len = STRLEN (s1); +- s2len = STRLEN (s2); ++ size_t s1len = STRLEN (s1); ++ size_t s2len = STRLEN (s2); + + /* Catch empty strings. */ +- if (__builtin_expect (s1len == 0, 0) || __builtin_expect (s2len == 0, 0)) ++ if (__glibc_unlikely (s1len == 0) || __glibc_unlikely (s2len == 0)) + return (s1len != 0) - (s2len != 0); + +- /* We need the elements of the strings as unsigned values since they +- are used as indeces. */ +- us1 = (const USTRING_TYPE *) s1; +- us2 = (const USTRING_TYPE *) s2; +- + /* Perform the first pass over the string and while doing this find + and store the weights for each character. Since we want this to + be as fast as possible we are using `alloca' to store the temporary +@@ -132,411 +521,122 @@ + + Please note that the localedef programs makes sure that `position' + is not used at the first level. */ +- if (! __libc_use_alloca ((s1len + s2len) * (sizeof (int32_t) + 1))) +- { +- idx1arr = (int32_t *) malloc ((s1len + s2len) * (sizeof (int32_t) + 1)); +- idx2arr = &idx1arr[s1len]; +- rule1arr = (unsigned char *) &idx2arr[s2len]; +- rule2arr = &rule1arr[s1len]; +- +- if (idx1arr == NULL) +- /* No memory. Well, go with the stack then. +- +- XXX Once this implementation is stable we will handle this +- differently. Instead of precomputing the indeces we will +- do this in time. This means, though, that this happens for +- every pass again. */ +- goto try_stack; +- use_malloc = 1; +- } +- else +- { +- try_stack: +- idx1arr = (int32_t *) alloca (s1len * sizeof (int32_t)); +- idx2arr = (int32_t *) alloca (s2len * sizeof (int32_t)); +- rule1arr = (unsigned char *) alloca (s1len); +- rule2arr = (unsigned char *) alloca (s2len); +- } +- +- idx1cnt = 0; +- idx2cnt = 0; +- idx1max = 0; +- idx2max = 0; +- idx1now = 0; +- idx2now = 0; +- backw1_stop = ~0ul; +- backw2_stop = ~0ul; +- backw1 = ~0ul; +- backw2 = ~0ul; +- seq1len = 0; +- seq2len = 0; +- position = rulesets[0] & sort_position; +- while (1) +- { +- val1 = 0; +- val2 = 0; +- +- /* Get the next non-IGNOREd element for string `s1'. */ +- if (seq1len == 0) +- do +- { +- ++val1; +- +- if (backw1_stop != ~0ul) +- { +- /* The is something pushed. */ +- if (backw1 == backw1_stop) +- { +- /* The last pushed character was handled. Continue +- with forward characters. */ +- if (idx1cnt < idx1max) +- { +- idx1now = idx1cnt; +- backw1_stop = ~0ul; +- } +- else +- /* Nothing anymore. The backward sequence ended with +- the last sequence in the string. Note that seq1len +- is still zero. */ +- break; +- } +- else +- idx1now = --backw1; +- } +- else +- { +- backw1_stop = idx1max; +- +- while (*us1 != L('\0')) +- { +- int32_t tmp = findidx (&us1, -1); +- rule1arr[idx1max] = tmp >> 24; +- idx1arr[idx1max] = tmp & 0xffffff; +- idx1cnt = idx1max++; +- +- if ((rulesets[rule1arr[idx1cnt] * nrules] +- & sort_backward) == 0) +- /* No more backward characters to push. */ +- break; +- ++idx1cnt; +- } +- +- if (backw1_stop >= idx1cnt) +- { +- /* No sequence at all or just one. */ +- if (idx1cnt == idx1max || backw1_stop > idx1cnt) +- /* Note that seq1len is still zero. */ +- break; +- +- backw1_stop = ~0ul; +- idx1now = idx1cnt; +- } +- else +- /* We pushed backward sequences. */ +- idx1now = backw1 = idx1cnt - 1; +- } +- } +- while ((seq1len = weights[idx1arr[idx1now]++]) == 0); +- +- /* And the same for string `s2'. */ +- if (seq2len == 0) +- do +- { +- ++val2; +- +- if (backw2_stop != ~0ul) +- { +- /* The is something pushed. */ +- if (backw2 == backw2_stop) +- { +- /* The last pushed character was handled. Continue +- with forward characters. */ +- if (idx2cnt < idx2max) +- { +- idx2now = idx2cnt; +- backw2_stop = ~0ul; +- } +- else +- /* Nothing anymore. The backward sequence ended with +- the last sequence in the string. Note that seq2len +- is still zero. */ +- break; +- } +- else +- idx2now = --backw2; +- } +- else +- { +- backw2_stop = idx2max; +- +- while (*us2 != L('\0')) +- { +- int32_t tmp = findidx (&us2, -1); +- rule2arr[idx2max] = tmp >> 24; +- idx2arr[idx2max] = tmp & 0xffffff; +- idx2cnt = idx2max++; +- +- if ((rulesets[rule2arr[idx2cnt] * nrules] +- & sort_backward) == 0) +- /* No more backward characters to push. */ +- break; +- ++idx2cnt; +- } +- +- if (backw2_stop >= idx2cnt) +- { +- /* No sequence at all or just one. */ +- if (idx2cnt == idx2max || backw2_stop > idx2cnt) +- /* Note that seq1len is still zero. */ +- break; +- +- backw2_stop = ~0ul; +- idx2now = idx2cnt; +- } +- else +- /* We pushed backward sequences. */ +- idx2now = backw2 = idx2cnt - 1; +- } +- } +- while ((seq2len = weights[idx2arr[idx2now]++]) == 0); +- +- /* See whether any or both strings are empty. */ +- if (seq1len == 0 || seq2len == 0) +- { +- if (seq1len == seq2len) +- /* Both ended. So far so good, both strings are equal at the +- first level. */ +- break; +- +- /* This means one string is shorter than the other. Find out +- which one and return an appropriate value. */ +- result = seq1len == 0 ? -1 : 1; +- goto free_and_return; +- } +- +- /* Test for position if necessary. */ +- if (position && val1 != val2) +- { +- result = val1 - val2; +- goto free_and_return; +- } + +- /* Compare the two sequences. */ +- do +- { +- if (weights[idx1arr[idx1now]] != weights[idx2arr[idx2now]]) +- { +- /* The sequences differ. */ +- result = weights[idx1arr[idx1now]] - weights[idx2arr[idx2now]]; +- goto free_and_return; +- } ++ coll_seq seq1, seq2; ++ bool use_malloc = false; ++ int result = 0; + +- /* Increment the offsets. */ +- ++idx1arr[idx1now]; +- ++idx2arr[idx2now]; ++ memset (&seq1, 0, sizeof (seq1)); ++ seq2 = seq1; + +- --seq1len; +- --seq2len; +- } +- while (seq1len > 0 && seq2len > 0); ++ size_t size_max = SIZE_MAX / (sizeof (int32_t) + 1); + +- if (position && seq1len != seq2len) ++ if (MIN (s1len, s2len) > size_max ++ || MAX (s1len, s2len) > size_max - MIN (s1len, s2len)) ++ { ++ /* If the strings are long enough to cause overflow in the size request, ++ then skip the allocation and proceed with the non-cached routines. */ ++ } ++ else if (! __libc_use_alloca ((s1len + s2len) * (sizeof (int32_t) + 1))) ++ { ++ seq1.idxarr = (int32_t *) malloc ((s1len + s2len) * (sizeof (int32_t) + 1)); ++ ++ /* If we failed to allocate memory, we leave everything as NULL so that ++ we use the nocache version of traversal and comparison functions. */ ++ if (seq1.idxarr != NULL) + { +- result = seq1len - seq2len; +- goto free_and_return; ++ seq2.idxarr = &seq1.idxarr[s1len]; ++ seq1.rulearr = (unsigned char *) &seq2.idxarr[s2len]; ++ seq2.rulearr = &seq1.rulearr[s1len]; ++ use_malloc = true; + } + } ++ else ++ { ++ seq1.idxarr = (int32_t *) alloca (s1len * sizeof (int32_t)); ++ seq2.idxarr = (int32_t *) alloca (s2len * sizeof (int32_t)); ++ seq1.rulearr = (unsigned char *) alloca (s1len); ++ seq2.rulearr = (unsigned char *) alloca (s2len); ++ } ++ ++ int rule = 0; + +- /* Now the remaining passes over the weights. We now use the +- indeces we found before. */ +- for (pass = 1; pass < nrules; ++pass) ++ /* Cache values in the first pass and if needed, use them in subsequent ++ passes. */ ++ for (int pass = 0; pass < nrules; ++pass) + { ++ seq1.idxcnt = 0; ++ seq1.idx = 0; ++ seq2.idx = 0; ++ seq1.backw_stop = ~0ul; ++ seq1.backw = ~0ul; ++ seq2.idxcnt = 0; ++ seq2.backw_stop = ~0ul; ++ seq2.backw = ~0ul; ++ ++ /* We need the elements of the strings as unsigned values since they ++ are used as indices. */ ++ seq1.us = (const USTRING_TYPE *) s1; ++ seq2.us = (const USTRING_TYPE *) s2; ++ + /* We assume that if a rule has defined `position' in one section + this is true for all of them. */ +- idx1cnt = 0; +- idx2cnt = 0; +- backw1_stop = ~0ul; +- backw2_stop = ~0ul; +- backw1 = ~0ul; +- backw2 = ~0ul; +- position = rulesets[rule1arr[0] * nrules + pass] & sort_position; ++ int position = rulesets[rule * nrules + pass] & sort_position; + + while (1) + { +- val1 = 0; +- val2 = 0; +- +- /* Get the next non-IGNOREd element for string `s1'. */ +- if (seq1len == 0) +- do +- { +- ++val1; +- +- if (backw1_stop != ~0ul) +- { +- /* The is something pushed. */ +- if (backw1 == backw1_stop) +- { +- /* The last pushed character was handled. Continue +- with forward characters. */ +- if (idx1cnt < idx1max) +- { +- idx1now = idx1cnt; +- backw1_stop = ~0ul; +- } +- else +- { +- /* Nothing anymore. The backward sequence +- ended with the last sequence in the string. */ +- idx1now = ~0ul; +- break; +- } +- } +- else +- idx1now = --backw1; +- } +- else +- { +- backw1_stop = idx1cnt; +- +- while (idx1cnt < idx1max) +- { +- if ((rulesets[rule1arr[idx1cnt] * nrules + pass] +- & sort_backward) == 0) +- /* No more backward characters to push. */ +- break; +- ++idx1cnt; +- } +- +- if (backw1_stop == idx1cnt) +- { +- /* No sequence at all or just one. */ +- if (idx1cnt == idx1max) +- /* Note that seq1len is still zero. */ +- break; +- +- backw1_stop = ~0ul; +- idx1now = idx1cnt++; +- } +- else +- /* We pushed backward sequences. */ +- idx1now = backw1 = idx1cnt - 1; +- } +- } +- while ((seq1len = weights[idx1arr[idx1now]++]) == 0); +- +- /* And the same for string `s2'. */ +- if (seq2len == 0) +- do +- { +- ++val2; +- +- if (backw2_stop != ~0ul) +- { +- /* The is something pushed. */ +- if (backw2 == backw2_stop) +- { +- /* The last pushed character was handled. Continue +- with forward characters. */ +- if (idx2cnt < idx2max) +- { +- idx2now = idx2cnt; +- backw2_stop = ~0ul; +- } +- else +- { +- /* Nothing anymore. The backward sequence +- ended with the last sequence in the string. */ +- idx2now = ~0ul; +- break; +- } +- } +- else +- idx2now = --backw2; +- } +- else +- { +- backw2_stop = idx2cnt; +- +- while (idx2cnt < idx2max) +- { +- if ((rulesets[rule2arr[idx2cnt] * nrules + pass] +- & sort_backward) == 0) +- /* No more backward characters to push. */ +- break; +- ++idx2cnt; +- } +- +- if (backw2_stop == idx2cnt) +- { +- /* No sequence at all or just one. */ +- if (idx2cnt == idx2max) +- /* Note that seq2len is still zero. */ +- break; +- +- backw2_stop = ~0ul; +- idx2now = idx2cnt++; +- } +- else +- /* We pushed backward sequences. */ +- idx2now = backw2 = idx2cnt - 1; +- } +- } +- while ((seq2len = weights[idx2arr[idx2now]++]) == 0); ++ if (__glibc_unlikely (seq1.idxarr == NULL)) ++ { ++ get_next_seq_nocache (&seq1, nrules, rulesets, weights, table, ++ extra, indirect, pass); ++ get_next_seq_nocache (&seq2, nrules, rulesets, weights, table, ++ extra, indirect, pass); ++ } ++ else if (pass == 0) ++ { ++ get_next_seq (&seq1, nrules, rulesets, weights, table, extra, ++ indirect); ++ get_next_seq (&seq2, nrules, rulesets, weights, table, extra, ++ indirect); ++ } ++ else ++ { ++ get_next_seq_cached (&seq1, nrules, pass, rulesets, weights); ++ get_next_seq_cached (&seq2, nrules, pass, rulesets, weights); ++ } + + /* See whether any or both strings are empty. */ +- if (seq1len == 0 || seq2len == 0) ++ if (seq1.len == 0 || seq2.len == 0) + { +- if (seq1len == seq2len) ++ if (seq1.len == seq2.len) + /* Both ended. So far so good, both strings are equal + at this level. */ + break; + + /* This means one string is shorter than the other. Find out + which one and return an appropriate value. */ +- result = seq1len == 0 ? -1 : 1; ++ result = seq1.len == 0 ? -1 : 1; + goto free_and_return; + } + +- /* Test for position if necessary. */ +- if (position && val1 != val2) +- { +- result = val1 - val2; +- goto free_and_return; +- } +- +- /* Compare the two sequences. */ +- do +- { +- if (weights[idx1arr[idx1now]] != weights[idx2arr[idx2now]]) +- { +- /* The sequences differ. */ +- result = (weights[idx1arr[idx1now]] +- - weights[idx2arr[idx2now]]); +- goto free_and_return; +- } +- +- /* Increment the offsets. */ +- ++idx1arr[idx1now]; +- ++idx2arr[idx2now]; +- +- --seq1len; +- --seq2len; +- } +- while (seq1len > 0 && seq2len > 0); +- +- if (position && seq1len != seq2len) +- { +- result = seq1len - seq2len; +- goto free_and_return; +- } ++ if (__glibc_unlikely (seq1.idxarr == NULL)) ++ result = do_compare_nocache (&seq1, &seq2, position, weights); ++ else ++ result = do_compare (&seq1, &seq2, position, weights); ++ if (result != 0) ++ goto free_and_return; + } ++ ++ if (__builtin_expect ((seq1.rulearr != NULL), 1)) ++ rule = seq1.rulearr[0]; ++ else ++ rule = seq1.rule; + } + + /* Free the memory if needed. */ + free_and_return: + if (use_malloc) +- free (idx1arr); ++ free (seq1.idxarr); + + return result; + } +Index: eglibc-2.17/string/tst-strcoll-overflow.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ eglibc-2.17/string/tst-strcoll-overflow.c 2013-09-27 08:52:43.931342684 -0400 +@@ -0,0 +1,61 @@ ++/* Copyright (C) 2013 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++ ++/* Verify that strcoll does not crash for large strings for which it cannot ++ cache weight lookup results. The size is large enough to cause integer ++ overflows on 32-bit as well as buffer overflows on 64-bit. The test should ++ work reasonably reliably when overcommit is disabled, but it obviously ++ depends on how much memory the system has. There's a limitation to this ++ test in that it does not run to completion. Actually collating such a ++ large string can take days and we can't have xcheck running that long. For ++ that reason, we run the test for about 5 minutes and then assume that ++ everything is fine if there are no crashes. */ ++#define SIZE 0x40000000ul ++ ++int ++do_test (void) ++{ ++ if (setlocale (LC_COLLATE, "en_GB.UTF-8") == NULL) ++ { ++ puts ("setlocale failed, cannot test for overflow"); ++ return 0; ++ } ++ ++ char *p = malloc (SIZE); ++ ++ if (p == NULL) ++ { ++ puts ("could not allocate memory"); ++ return 1; ++ } ++ ++ memset (p, 'x', SIZE - 1); ++ p[SIZE - 1] = 0; ++ printf ("%d\n", strcoll (p, p)); ++ return 0; ++} ++ ++#define TIMEOUT 300 ++#define EXPECTED_SIGNAL SIGALRM ++#define TEST_FUNCTION do_test () ++#include "../test-skeleton.c" diff -Nru eglibc-2.17/debian/patches/any/cvs-CVE-2013-2207-pt_chown.diff eglibc-2.17/debian/patches/any/cvs-CVE-2013-2207-pt_chown.diff --- eglibc-2.17/debian/patches/any/cvs-CVE-2013-2207-pt_chown.diff 1970-01-01 00:00:00.000000000 +0000 +++ eglibc-2.17/debian/patches/any/cvs-CVE-2013-2207-pt_chown.diff 2013-10-09 22:42:59.000000000 +0000 @@ -0,0 +1,244 @@ +commit e4608715e6e1dd2adc91982fd151d5ba4f761d69 +Author: Carlos O'Donell +Date: Fri Jul 19 02:42:03 2013 -0400 + + CVE-2013-2207, BZ #15755: Disable pt_chown. + + The helper binary pt_chown tricked into granting access to another + user's pseudo-terminal. + + Pre-conditions for the attack: + + * Attacker with local user account + * Kernel with FUSE support + * "user_allow_other" in /etc/fuse.conf + * Victim with allocated slave in /dev/pts + + Using the setuid installed pt_chown and a weak check on whether a file + descriptor is a tty, an attacker could fake a pty check using FUSE and + trick pt_chown to grant ownership of a pty descriptor that the current + user does not own. It cannot access /dev/pts/ptmx however. + + In most modern distributions pt_chown is not needed because devpts + is enabled by default. The fix for this CVE is to disable building + and using pt_chown by default. We still provide a configure option + to enable hte use of pt_chown but distributions do so at their own + risk. + +2013-07-21 Siddhesh Poyarekar + Andreas Schwab + Roland McGrath + Joseph Myers + Carlos O'Donell + + [BZ #15755] + * config.h.in: Define HAVE_PT_CHOWN. + * config.make.in (build-pt-chown): New variable. + * configure.in (--enable-pt_chown): New configure option. + * configure: Regenerate. + * login/Makefile: Include Makeconfig. Build pt_chown only if + build-pt-chown is enabled. + * sysdeps/unix/grantpt.c (grantpt) [HAVE_PT_CHOWN]: Spawn + pt_chown to fix pty ownership. + * sysdeps/unix/sysv/linux/grantpt.c [HAVE_PT_CHOWN]: Define + CLOSE_ALL_FDS. + * manual/install.texi (Configuring and compiling): Mention + --enable-pt_chown. Add @findex for grantpt. + * INSTALL: Regenerate. + +diff --git a/INSTALL b/INSTALL +index 721a7fc..2c61704 100644 +--- a/INSTALL ++++ b/INSTALL +@@ -136,6 +136,18 @@ will be used, and CFLAGS sets optimization options for the compiler. + this can be prevented though there generally is no reason since it + creates compatibility problems. + ++`--enable-pt_chown' ++ The file `pt_chown' is a helper binary for `grantpt' (*note ++ Pseudo-Terminals: Allocation.) that is installed setuid root to ++ fix up pseudo-terminal ownership. It is not built by default ++ because systems using the Linux kernel are commonly built with the ++ `devpts' filesystem enabled and mounted at `/dev/pts', which ++ manages pseudo-terminal ownership automatically. By using ++ `--enable-pt_chown', you may build `pt_chown' and install it ++ setuid and owned by `root'. The use of `pt_chown' introduces ++ additional security risks to the system and you should enable it ++ only if you understand and accept those risks. ++ + `--build=BUILD-SYSTEM' + `--host=HOST-SYSTEM' + These options are for cross-compiling. If you specify both +diff --git a/config.h.in b/config.h.in +index 6284e2a..a85f131 100644 +--- a/config.h.in ++++ b/config.h.in +@@ -238,4 +238,7 @@ + /* The ARM hard-float ABI is being used. */ + #undef HAVE_ARM_PCS_VFP + ++/* The pt_chown binary is being built and used by grantpt. */ ++#undef HAVE_PT_CHOWN ++ + #endif +diff --git a/config.make.in b/config.make.in +index b01b70b..7b04568 100644 +--- a/config.make.in ++++ b/config.make.in +@@ -95,6 +95,7 @@ link-obsolete-rpc = @link_obsolete_rpc@ + link-obsolete-rpc = @link_obsolete_rpc@ + build-nscd = @build_nscd@ + use-nscd = @use_nscd@ ++build-pt-chown = @build_pt_chown@ + + # Build tools. + CC = @CC@ +diff --git a/configure b/configure +index 59a69f6..1ee4c42 100755 +--- a/configure ++++ b/configure +@@ -647,6 +647,7 @@ multi_arch + base_machine + add_on_subdirs + add_ons ++build_pt_chown + build_nscd + link_obsolete_rpc + libc_cv_nss_crypt +@@ -756,6 +757,7 @@ enable_obsolete_rpc + enable_systemtap + enable_build_nscd + enable_nscd ++enable_pt_chown + with_cpu + ' + ac_precious_vars='build_alias +@@ -1421,6 +1423,7 @@ Optional Features: + --enable-systemtap enable systemtap static probe points [default=no] + --disable-build-nscd disable building and installing the nscd daemon + --disable-nscd library functions will not contact the nscd daemon ++ --enable-pt_chown Enable building and installing pt_chown + + Optional Packages: + --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] +@@ -3711,6 +3714,19 @@ else + fi + + ++# Check whether --enable-pt_chown was given. ++if test "${enable_pt_chown+set}" = set; then : ++ enableval=$enable_pt_chown; build_pt_chown=$enableval ++else ++ build_pt_chown=no ++fi ++ ++ ++if test $build_pt_chown = yes; then ++ $as_echo "#define HAVE_PT_CHOWN 1" >>confdefs.h ++ ++fi ++ + # The way shlib-versions is used to generate soversions.mk uses a + # fairly simplistic model for name recognition that can't distinguish + # i486-pc-linux-gnu fully from i486-pc-gnu. So we mutate a $host_os +diff --git a/configure.in b/configure.in +index 4db1acf..769e8ef 100644 +--- a/configure.in ++++ b/configure.in +@@ -353,6 +353,16 @@ AC_ARG_ENABLE([nscd], + [use_nscd=$enableval], + [use_nscd=yes]) + ++AC_ARG_ENABLE([pt_chown], ++ [AS_HELP_STRING([--enable-pt_chown], ++ [Enable building and installing pt_chown])], ++ [build_pt_chown=$enableval], ++ [build_pt_chown=no]) ++AC_SUBST(build_pt_chown) ++if test $build_pt_chown = yes; then ++ AC_DEFINE(HAVE_PT_CHOWN) ++fi ++ + # The way shlib-versions is used to generate soversions.mk uses a + # fairly simplistic model for name recognition that can't distinguish + # i486-pc-linux-gnu fully from i486-pc-gnu. So we mutate a $host_os +diff --git a/login/Makefile b/login/Makefile +index 0bfe643..430c6d9 100644 +--- a/login/Makefile ++++ b/login/Makefile +@@ -30,10 +30,16 @@ routines := getlogin getlogin_r setlogin getlogin_r_chk \ + + CFLAGS-grantpt.c = -DLIBEXECDIR='"$(libexecdir)"' + +-others = pt_chown ++others = + others-$(OPTION_EGLIBC_UTMP) += utmpdump ++ ++include ../Makeconfig ++ ++ifeq (yes,$(build-pt-chown)) ++others += pt_chown + others-pie = pt_chown + install-others-programs = $(inst_libexecdir)/pt_chown ++endif + + subdir-dirs = programs + vpath %.c programs +diff --git a/sysdeps/unix/grantpt.c b/sysdeps/unix/grantpt.c +index d37da13..431be85 100644 +--- a/sysdeps/unix/grantpt.c ++++ b/sysdeps/unix/grantpt.c +@@ -173,9 +173,10 @@ grantpt (int fd) + retval = 0; + goto cleanup; + +- /* We have to use the helper program. */ ++ /* We have to use the helper program if it is available. */ + helper:; + ++#ifdef HAVE_PT_CHOWN + pid_t pid = __fork (); + if (pid == -1) + goto cleanup; +@@ -190,9 +191,9 @@ grantpt (int fd) + if (__dup2 (fd, PTY_FILENO) < 0) + _exit (FAIL_EBADF); + +-#ifdef CLOSE_ALL_FDS ++# ifdef CLOSE_ALL_FDS + CLOSE_ALL_FDS (); +-#endif ++# endif + + execle (_PATH_PT_CHOWN, basename (_PATH_PT_CHOWN), NULL, NULL); + _exit (FAIL_EXEC); +@@ -231,6 +232,7 @@ grantpt (int fd) + assert(! "getpt: internal error: invalid exit code from pt_chown"); + } + } ++#endif + + cleanup: + if (buf != _buf) +diff --git a/sysdeps/unix/sysv/linux/grantpt.c b/sysdeps/unix/sysv/linux/grantpt.c +index 0a3cd47..8cebde3 100644 +--- a/sysdeps/unix/sysv/linux/grantpt.c ++++ b/sysdeps/unix/sysv/linux/grantpt.c +@@ -11,7 +11,7 @@ + + #include "pty-private.h" + +- ++#if HAVE_PT_CHOWN + /* Close all file descriptors except the one specified. */ + static void + close_all_fds (void) +@@ -38,6 +38,7 @@ close_all_fds (void) + __dup2 (STDOUT_FILENO, STDERR_FILENO); + } + } +-#define CLOSE_ALL_FDS() close_all_fds() ++# define CLOSE_ALL_FDS() close_all_fds() ++#endif + + #include diff -Nru eglibc-2.17/debian/patches/any/cvs-CVE-2013-4237.diff eglibc-2.17/debian/patches/any/cvs-CVE-2013-4237.diff --- eglibc-2.17/debian/patches/any/cvs-CVE-2013-4237.diff 1970-01-01 00:00:00.000000000 +0000 +++ eglibc-2.17/debian/patches/any/cvs-CVE-2013-4237.diff 2013-10-09 21:58:28.000000000 +0000 @@ -0,0 +1,146 @@ +Description: fix denial of service and possible code execution via readdir_r +Origin: backport, https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=91ce40854d0b7f865cf5024ef95a8026b76096f3 +Bug: http://sourceware.org/bugzilla/show_bug.cgi?id=14699 +Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=719558 + +Index: eglibc-2.17/sysdeps/posix/dirstream.h +=================================================================== +--- eglibc-2.17.orig/sysdeps/posix/dirstream.h 2013-10-02 08:35:10.479670086 -0400 ++++ eglibc-2.17/sysdeps/posix/dirstream.h 2013-10-02 08:35:10.471670085 -0400 +@@ -39,6 +39,8 @@ + + off_t filepos; /* Position of next entry to read. */ + ++ int errcode; /* Delayed error code. */ ++ + /* Directory block. */ + char data[0] __attribute__ ((aligned (__alignof__ (void*)))); + }; +Index: eglibc-2.17/sysdeps/posix/opendir.c +=================================================================== +--- eglibc-2.17.orig/sysdeps/posix/opendir.c 2013-10-02 08:35:10.479670086 -0400 ++++ eglibc-2.17/sysdeps/posix/opendir.c 2013-10-02 08:35:10.471670085 -0400 +@@ -230,6 +230,7 @@ + dirp->size = 0; + dirp->offset = 0; + dirp->filepos = 0; ++ dirp->errcode = 0; + + return dirp; + } +Index: eglibc-2.17/sysdeps/posix/readdir_r.c +=================================================================== +--- eglibc-2.17.orig/sysdeps/posix/readdir_r.c 2013-10-02 08:35:10.479670086 -0400 ++++ eglibc-2.17/sysdeps/posix/readdir_r.c 2013-10-02 08:35:10.471670085 -0400 +@@ -41,6 +41,7 @@ + DIRENT_TYPE *dp; + size_t reclen; + const int saved_errno = errno; ++ int ret; + + __libc_lock_lock (dirp->lock); + +@@ -71,10 +72,10 @@ + bytes = 0; + __set_errno (saved_errno); + } ++ if (bytes < 0) ++ dirp->errcode = errno; + + dp = NULL; +- /* Reclen != 0 signals that an error occurred. */ +- reclen = bytes != 0; + break; + } + dirp->size = (size_t) bytes; +@@ -107,29 +108,46 @@ + dirp->filepos += reclen; + #endif + +- /* Skip deleted files. */ ++#ifdef NAME_MAX ++ if (reclen > offsetof (DIRENT_TYPE, d_name) + NAME_MAX + 1) ++ { ++ /* The record is very long. It could still fit into the ++ caller-supplied buffer if we can skip padding at the ++ end. */ ++ size_t namelen = _D_EXACT_NAMLEN (dp); ++ if (namelen <= NAME_MAX) ++ reclen = offsetof (DIRENT_TYPE, d_name) + namelen + 1; ++ else ++ { ++ /* The name is too long. Ignore this file. */ ++ dirp->errcode = ENAMETOOLONG; ++ dp->d_ino = 0; ++ continue; ++ } ++ } ++#endif ++ ++ /* Skip deleted and ignored files. */ + } + while (dp->d_ino == 0); + + if (dp != NULL) + { +-#ifdef GETDENTS_64BIT_ALIGNED +- /* The d_reclen value might include padding which is not part of +- the DIRENT_TYPE data structure. */ +- reclen = MIN (reclen, +- offsetof (DIRENT_TYPE, d_name) + sizeof (dp->d_name)); +-#endif + *result = memcpy (entry, dp, reclen); +-#ifdef GETDENTS_64BIT_ALIGNED ++#ifdef _DIRENT_HAVE_D_RECLEN + entry->d_reclen = reclen; + #endif ++ ret = 0; + } + else +- *result = NULL; ++ { ++ *result = NULL; ++ ret = dirp->errcode; ++ } + + __libc_lock_unlock (dirp->lock); + +- return dp != NULL ? 0 : reclen ? errno : 0; ++ return ret; + } + + #ifdef __READDIR_R_ALIAS +Index: eglibc-2.17/sysdeps/posix/rewinddir.c +=================================================================== +--- eglibc-2.17.orig/sysdeps/posix/rewinddir.c 2013-10-02 08:35:10.479670086 -0400 ++++ eglibc-2.17/sysdeps/posix/rewinddir.c 2013-10-02 08:35:10.471670085 -0400 +@@ -33,6 +33,7 @@ + dirp->filepos = 0; + dirp->offset = 0; + dirp->size = 0; ++ dirp->errcode = 0; + #ifndef NOT_IN_libc + __libc_lock_unlock (dirp->lock); + #endif +Index: eglibc-2.17/sysdeps/unix/sysv/linux/i386/readdir64_r.c +=================================================================== +--- eglibc-2.17.orig/sysdeps/unix/sysv/linux/i386/readdir64_r.c 2013-10-02 08:35:10.479670086 -0400 ++++ eglibc-2.17/sysdeps/unix/sysv/linux/i386/readdir64_r.c 2013-10-02 08:35:10.471670085 -0400 +@@ -18,7 +18,6 @@ + #define __READDIR_R __readdir64_r + #define __GETDENTS __getdents64 + #define DIRENT_TYPE struct dirent64 +-#define GETDENTS_64BIT_ALIGNED 1 + + #include + +Index: eglibc-2.17/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c +=================================================================== +--- eglibc-2.17.orig/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c 2013-10-02 08:35:10.479670086 -0400 ++++ eglibc-2.17/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c 2013-10-02 08:35:10.475670086 -0400 +@@ -1,5 +1,4 @@ + #define readdir64_r __no_readdir64_r_decl +-#define GETDENTS_64BIT_ALIGNED 1 + #include + #undef readdir64_r + weak_alias (__readdir_r, readdir64_r) diff -Nru eglibc-2.17/debian/patches/any/cvs-CVE-2013-4788-static-ptrguard-ppc64.diff eglibc-2.17/debian/patches/any/cvs-CVE-2013-4788-static-ptrguard-ppc64.diff --- eglibc-2.17/debian/patches/any/cvs-CVE-2013-4788-static-ptrguard-ppc64.diff 1970-01-01 00:00:00.000000000 +0000 +++ eglibc-2.17/debian/patches/any/cvs-CVE-2013-4788-static-ptrguard-ppc64.diff 2013-10-10 02:34:50.000000000 +0000 @@ -0,0 +1,24 @@ +commit 5ebbff8fd1529aec13ac4d2906c1a36f3e738519 +Author: Adhemerval Zanella +Date: Wed Sep 25 13:43:04 2013 -0500 + + PowerPC: Fix POINTER_CHK_GUARD thread register for PPC64 + +2013-09-25 Adhemerval Zanella + + * sysdeps/powerpc/powerpc64/stackguard-macros.h (POINTER_CHK_GUARD: + Fix thread ID register. + +diff --git a/sysdeps/powerpc/powerpc64/stackguard-macros.h b/sysdeps/powerpc/powerpc64/stackguard-macros.h +index 4620f96..e80a683 100644 +--- a/sysdeps/powerpc/powerpc64/stackguard-macros.h ++++ b/sysdeps/powerpc/powerpc64/stackguard-macros.h +@@ -6,7 +6,7 @@ + #define POINTER_CHK_GUARD \ + ({ \ + uintptr_t x; \ +- asm ("ld %0,%1(2)" \ ++ asm ("ld %0,%1(13)" \ + : "=r" (x) \ + : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \ + ); \ diff -Nru eglibc-2.17/debian/patches/any/cvs-CVE-2013-4788-static-ptrguard.diff eglibc-2.17/debian/patches/any/cvs-CVE-2013-4788-static-ptrguard.diff --- eglibc-2.17/debian/patches/any/cvs-CVE-2013-4788-static-ptrguard.diff 1970-01-01 00:00:00.000000000 +0000 +++ eglibc-2.17/debian/patches/any/cvs-CVE-2013-4788-static-ptrguard.diff 2013-10-10 02:44:41.000000000 +0000 @@ -0,0 +1,501 @@ +commit c61b4d41c9647a54a329aa021341c0eb032b793e +Author: Carlos O'Donell +Date: Mon Sep 23 00:52:09 2013 -0400 + + BZ #15754: CVE-2013-4788 + + The pointer guard used for pointer mangling was not initialized for + static applications resulting in the security feature being disabled. + The pointer guard is now correctly initialized to a random value for + static applications. Existing static applications need to be + recompiled to take advantage of the fix. + + The test tst-ptrguard1-static and tst-ptrguard1 add regression + coverage to ensure the pointer guards are sufficiently random + and initialized to a default value. + +2013-09-23 Carlos O'Donell + + [BZ #15754] + * elf/Makefile (tests): Add tst-ptrguard1. + (tests-static): Add tst-ptrguard1-static. + (tst-ptrguard1-ARGS): Define. + (tst-ptrguard1-static-ARGS): Define. + * elf/tst-ptrguard1.c: New file. + * elf/tst-ptrguard1-static.c: New file. + * sysdeps/x86_64/stackguard-macros.h: Define POINTER_CHK_GUARD. + * sysdeps/i386/stackguard-macros.h: Likewise. + * sysdeps/powerpc/powerpc32/stackguard-macros.h: Likewise. + * sysdeps/powerpc/powerpc64/stackguard-macros.h: Likewise. + * sysdeps/s390/s390-32/stackguard-macros.h: Likewise. + * sysdeps/s390/s390-64/stackguard-macros.h: Likewise. + * sysdeps/sparc/sparc32/stackguard-macros.h: Likewise. + * sysdeps/sparc/sparc64/stackguard-macros.h: Likewise. + +2013-09-23 Hector Marco + Ismael Ripoll + Carlos O'Donell + + [BZ #15754] + * sysdeps/generic/stackguard-macros.h: Define + __pointer_chk_guard_local and POINTER_CHK_GUARD. + * csu/libc-start.c [!SHARED && !THREAD_SET_POINTER_GUARD]: + Define __pointer_chk_guard_local. + (LIBC_START_MAIN) [!SHARED]: Call _dl_setup_pointer_guard. + Use THREAD_SET_POINTER_GUARD or set __pointer_chk_guard_local. + +diff --git a/csu/libc-start.c b/csu/libc-start.c +index e5da3ef..c898d06 100644 +--- a/csu/libc-start.c ++++ b/csu/libc-start.c +@@ -37,6 +37,12 @@ extern void __pthread_initialize_minimal (void); + in thread local area. */ + uintptr_t __stack_chk_guard attribute_relro; + # endif ++# ifndef THREAD_SET_POINTER_GUARD ++/* Only exported for architectures that don't store the pointer guard ++ value in thread local area. */ ++uintptr_t __pointer_chk_guard_local ++ attribute_relro attribute_hidden __attribute__ ((nocommon)); ++# endif + #endif + + #ifdef HAVE_PTR_NTHREADS +@@ -195,6 +201,16 @@ LIBC_START_MAIN (int (*main) (int, char **, char ** MAIN_AUXVEC_DECL), + # else + __stack_chk_guard = stack_chk_guard; + # endif ++ ++ /* Set up the pointer guard value. */ ++ uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random, ++ stack_chk_guard); ++# ifdef THREAD_SET_POINTER_GUARD ++ THREAD_SET_POINTER_GUARD (pointer_chk_guard); ++# else ++ __pointer_chk_guard_local = pointer_chk_guard; ++# endif ++ + #endif + + /* Register the destructor of the dynamic linker if there is any. */ +diff --git a/elf/Makefile b/elf/Makefile +index aaa9534..cb8da93 100644 +--- a/elf/Makefile ++++ b/elf/Makefile +@@ -121,7 +121,8 @@ endif + tests = tst-tls1 tst-tls2 tst-tls9 tst-leaks1 \ + tst-array1 tst-array2 tst-array3 tst-array4 tst-array5 + tests-static = tst-tls1-static tst-tls2-static tst-stackguard1-static \ +- tst-leaks1-static tst-array1-static tst-array5-static ++ tst-leaks1-static tst-array1-static tst-array5-static \ ++ tst-ptrguard1-static + ifeq (yes,$(build-shared)) + tests-static += tst-tls9-static + tst-tls9-static-ENV = \ +@@ -145,7 +146,8 @@ tests += loadtest restest1 preloadtest loadfail multiload origtest resolvfail \ + tst-audit1 tst-audit2 tst-audit8 \ + tst-stackguard1 tst-addr1 tst-thrlock \ + tst-unique1 tst-unique2 tst-unique3 tst-unique4 \ +- tst-initorder tst-initorder2 tst-relsort1 ++ tst-initorder tst-initorder2 tst-relsort1 \ ++ tst-ptrguard1 + # reldep9 + test-srcs = tst-pathopt + selinux-enabled := $(shell cat /selinux/enforce 2> /dev/null) +@@ -1016,6 +1018,9 @@ LDFLAGS-order2mod2.so = $(no-as-needed) + tst-stackguard1-ARGS = --command "$(host-built-program-cmd) --child" + tst-stackguard1-static-ARGS = --command "$(objpfx)tst-stackguard1-static --child" + ++tst-ptrguard1-ARGS = --command "$(host-built-program-cmd) --child" ++tst-ptrguard1-static-ARGS = --command "$(objpfx)tst-ptrguard1-static --child" ++ + $(objpfx)tst-leaks1: $(libdl) + $(objpfx)tst-leaks1-mem: $(objpfx)tst-leaks1.out + $(common-objpfx)malloc/mtrace $(objpfx)tst-leaks1.mtrace > $@ +diff --git a/elf/tst-ptrguard1-static.c b/elf/tst-ptrguard1-static.c +new file mode 100644 +index 0000000..7aff3b7 +--- /dev/null ++++ b/elf/tst-ptrguard1-static.c +@@ -0,0 +1 @@ ++#include "tst-ptrguard1.c" +diff --git a/elf/tst-ptrguard1.c b/elf/tst-ptrguard1.c +new file mode 100644 +index 0000000..c344a04 +--- /dev/null ++++ b/elf/tst-ptrguard1.c +@@ -0,0 +1,202 @@ ++/* Copyright (C) 2013 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#ifndef POINTER_CHK_GUARD ++extern uintptr_t __pointer_chk_guard; ++# define POINTER_CHK_GUARD __pointer_chk_guard ++#endif ++ ++static const char *command; ++static bool child; ++static uintptr_t ptr_chk_guard_copy; ++static bool ptr_chk_guard_copy_set; ++static int fds[2]; ++ ++static void __attribute__ ((constructor)) ++con (void) ++{ ++ ptr_chk_guard_copy = POINTER_CHK_GUARD; ++ ptr_chk_guard_copy_set = true; ++} ++ ++static int ++uintptr_t_cmp (const void *a, const void *b) ++{ ++ if (*(uintptr_t *) a < *(uintptr_t *) b) ++ return 1; ++ if (*(uintptr_t *) a > *(uintptr_t *) b) ++ return -1; ++ return 0; ++} ++ ++static int ++do_test (void) ++{ ++ if (!ptr_chk_guard_copy_set) ++ { ++ puts ("constructor has not been run"); ++ return 1; ++ } ++ ++ if (ptr_chk_guard_copy != POINTER_CHK_GUARD) ++ { ++ puts ("POINTER_CHK_GUARD changed between constructor and do_test"); ++ return 1; ++ } ++ ++ if (child) ++ { ++ write (2, &ptr_chk_guard_copy, sizeof (ptr_chk_guard_copy)); ++ return 0; ++ } ++ ++ if (command == NULL) ++ { ++ puts ("missing --command or --child argument"); ++ return 1; ++ } ++ ++#define N 16 ++ uintptr_t child_ptr_chk_guards[N + 1]; ++ child_ptr_chk_guards[N] = ptr_chk_guard_copy; ++ int i; ++ for (i = 0; i < N; ++i) ++ { ++ if (pipe (fds) < 0) ++ { ++ printf ("couldn't create pipe: %m\n"); ++ return 1; ++ } ++ ++ pid_t pid = fork (); ++ if (pid < 0) ++ { ++ printf ("fork failed: %m\n"); ++ return 1; ++ } ++ ++ if (!pid) ++ { ++ if (ptr_chk_guard_copy != POINTER_CHK_GUARD) ++ { ++ puts ("POINTER_CHK_GUARD changed after fork"); ++ exit (1); ++ } ++ ++ close (fds[0]); ++ close (2); ++ dup2 (fds[1], 2); ++ close (fds[1]); ++ ++ system (command); ++ exit (0); ++ } ++ ++ close (fds[1]); ++ ++ if (TEMP_FAILURE_RETRY (read (fds[0], &child_ptr_chk_guards[i], ++ sizeof (uintptr_t))) != sizeof (uintptr_t)) ++ { ++ puts ("could not read ptr_chk_guard value from child"); ++ return 1; ++ } ++ ++ close (fds[0]); ++ ++ pid_t termpid; ++ int status; ++ termpid = TEMP_FAILURE_RETRY (waitpid (pid, &status, 0)); ++ if (termpid == -1) ++ { ++ printf ("waitpid failed: %m\n"); ++ return 1; ++ } ++ else if (termpid != pid) ++ { ++ printf ("waitpid returned %ld != %ld\n", ++ (long int) termpid, (long int) pid); ++ return 1; ++ } ++ else if (!WIFEXITED (status) || WEXITSTATUS (status)) ++ { ++ puts ("child hasn't exited with exit status 0"); ++ return 1; ++ } ++ } ++ ++ qsort (child_ptr_chk_guards, N + 1, sizeof (uintptr_t), uintptr_t_cmp); ++ ++ /* The default pointer guard is the same as the default stack guard. ++ They are only set to default if dl_random is NULL. */ ++ uintptr_t default_guard = 0; ++ unsigned char *p = (unsigned char *) &default_guard; ++ p[sizeof (uintptr_t) - 1] = 255; ++ p[sizeof (uintptr_t) - 2] = '\n'; ++ p[0] = 0; ++ ++ /* Test if the pointer guard canaries are either randomized, ++ or equal to the default pointer guard value. ++ Even with randomized pointer guards it might happen ++ that the random number generator generates the same ++ values, but if that happens in more than half from ++ the 16 runs, something is very wrong. */ ++ int ndifferences = 0; ++ int ndefaults = 0; ++ for (i = 0; i < N; ++i) ++ { ++ if (child_ptr_chk_guards[i] != child_ptr_chk_guards[i+1]) ++ ndifferences++; ++ else if (child_ptr_chk_guards[i] == default_guard) ++ ndefaults++; ++ } ++ ++ printf ("differences %d defaults %d\n", ndifferences, ndefaults); ++ ++ if (ndifferences < N / 2 && ndefaults < N / 2) ++ { ++ puts ("pointer guard values are not randomized enough"); ++ puts ("nor equal to the default value"); ++ return 1; ++ } ++ ++ return 0; ++} ++ ++#define OPT_COMMAND 10000 ++#define OPT_CHILD 10001 ++#define CMDLINE_OPTIONS \ ++ { "command", required_argument, NULL, OPT_COMMAND }, \ ++ { "child", no_argument, NULL, OPT_CHILD }, ++#define CMDLINE_PROCESS \ ++ case OPT_COMMAND: \ ++ command = optarg; \ ++ break; \ ++ case OPT_CHILD: \ ++ child = true; \ ++ break; ++#define TEST_FUNCTION do_test () ++#include "../test-skeleton.c" +diff --git a/ports/sysdeps/ia64/stackguard-macros.h b/ports/sysdeps/ia64/stackguard-macros.h +index dc683c2..3907293 100644 +--- a/ports/sysdeps/ia64/stackguard-macros.h ++++ b/ports/sysdeps/ia64/stackguard-macros.h +@@ -2,3 +2,6 @@ + + #define STACK_CHK_GUARD \ + ({ uintptr_t x; asm ("adds %0 = -8, r13;; ld8 %0 = [%0]" : "=r" (x)); x; }) ++ ++#define POINTER_CHK_GUARD \ ++ ({ uintptr_t x; asm ("adds %0 = -16, r13;; ld8 %0 = [%0]" : "=r" (x)); x; }) +diff --git a/ports/sysdeps/tile/stackguard-macros.h b/ports/sysdeps/tile/stackguard-macros.h +index 589ea2b..f2e041b 100644 +--- a/ports/sysdeps/tile/stackguard-macros.h ++++ b/ports/sysdeps/tile/stackguard-macros.h +@@ -4,11 +4,17 @@ + # if __WORDSIZE == 64 + # define STACK_CHK_GUARD \ + ({ uintptr_t x; asm ("addi %0, tp, -16; ld %0, %0" : "=r" (x)); x; }) ++# define POINTER_CHK_GUARD \ ++ ({ uintptr_t x; asm ("addi %0, tp, -24; ld %0, %0" : "=r" (x)); x; }) + # else + # define STACK_CHK_GUARD \ + ({ uintptr_t x; asm ("addi %0, tp, -8; ld4s %0, %0" : "=r" (x)); x; }) ++# define POINTER_CHK_GUARD \ ++ ({ uintptr_t x; asm ("addi %0, tp, -12; ld4s %0, %0" : "=r" (x)); x; }) + # endif + #else + # define STACK_CHK_GUARD \ + ({ uintptr_t x; asm ("addi %0, tp, -8; lw %0, %0" : "=r" (x)); x; }) ++# define POINTER_CHK_GUARD \ ++ ({ uintptr_t x; asm ("addi %0, tp, -12; lw %0, %0" : "=r" (x)); x; }) + #endif +diff --git a/sysdeps/generic/stackguard-macros.h b/sysdeps/generic/stackguard-macros.h +index ababf65..4fa3d96 100644 +--- a/sysdeps/generic/stackguard-macros.h ++++ b/sysdeps/generic/stackguard-macros.h +@@ -2,3 +2,6 @@ + + extern uintptr_t __stack_chk_guard; + #define STACK_CHK_GUARD __stack_chk_guard ++ ++extern uintptr_t __pointer_chk_guard_local; ++#define POINTER_CHK_GUARD __pointer_chk_guard_local +diff --git a/sysdeps/i386/stackguard-macros.h b/sysdeps/i386/stackguard-macros.h +index 8c31e19..0397629 100644 +--- a/sysdeps/i386/stackguard-macros.h ++++ b/sysdeps/i386/stackguard-macros.h +@@ -2,3 +2,11 @@ + + #define STACK_CHK_GUARD \ + ({ uintptr_t x; asm ("movl %%gs:0x14, %0" : "=r" (x)); x; }) ++ ++#define POINTER_CHK_GUARD \ ++ ({ \ ++ uintptr_t x; \ ++ asm ("movl %%gs:%c1, %0" : "=r" (x) \ ++ : "i" (offsetof (tcbhead_t, pointer_guard))); \ ++ x; \ ++ }) +diff --git a/sysdeps/powerpc/powerpc32/stackguard-macros.h b/sysdeps/powerpc/powerpc32/stackguard-macros.h +index 839f6a4..b3d0af8 100644 +--- a/sysdeps/powerpc/powerpc32/stackguard-macros.h ++++ b/sysdeps/powerpc/powerpc32/stackguard-macros.h +@@ -2,3 +2,13 @@ + + #define STACK_CHK_GUARD \ + ({ uintptr_t x; asm ("lwz %0,-28680(2)" : "=r" (x)); x; }) ++ ++#define POINTER_CHK_GUARD \ ++ ({ \ ++ uintptr_t x; \ ++ asm ("lwz %0,%1(2)" \ ++ : "=r" (x) \ ++ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \ ++ ); \ ++ x; \ ++ }) +diff --git a/sysdeps/powerpc/powerpc64/stackguard-macros.h b/sysdeps/powerpc/powerpc64/stackguard-macros.h +index 9da879c..4620f96 100644 +--- a/sysdeps/powerpc/powerpc64/stackguard-macros.h ++++ b/sysdeps/powerpc/powerpc64/stackguard-macros.h +@@ -2,3 +2,13 @@ + + #define STACK_CHK_GUARD \ + ({ uintptr_t x; asm ("ld %0,-28688(13)" : "=r" (x)); x; }) ++ ++#define POINTER_CHK_GUARD \ ++ ({ \ ++ uintptr_t x; \ ++ asm ("ld %0,%1(2)" \ ++ : "=r" (x) \ ++ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \ ++ ); \ ++ x; \ ++ }) +diff --git a/sysdeps/s390/s390-32/stackguard-macros.h b/sysdeps/s390/s390-32/stackguard-macros.h +index b74c579..449e8d4 100644 +--- a/sysdeps/s390/s390-32/stackguard-macros.h ++++ b/sysdeps/s390/s390-32/stackguard-macros.h +@@ -2,3 +2,14 @@ + + #define STACK_CHK_GUARD \ + ({ uintptr_t x; asm ("ear %0,%%a0; l %0,0x14(%0)" : "=a" (x)); x; }) ++ ++/* On s390/s390x there is no unique pointer guard, instead we use the ++ same value as the stack guard. */ ++#define POINTER_CHK_GUARD \ ++ ({ \ ++ uintptr_t x; \ ++ asm ("ear %0,%%a0; l %0,%1(%0)" \ ++ : "=a" (x) \ ++ : "i" (offsetof (tcbhead_t, stack_guard))); \ ++ x; \ ++ }) +diff --git a/sysdeps/s390/s390-64/stackguard-macros.h b/sysdeps/s390/s390-64/stackguard-macros.h +index 0cebb5f..c8270fb 100644 +--- a/sysdeps/s390/s390-64/stackguard-macros.h ++++ b/sysdeps/s390/s390-64/stackguard-macros.h +@@ -2,3 +2,17 @@ + + #define STACK_CHK_GUARD \ + ({ uintptr_t x; asm ("ear %0,%%a0; sllg %0,%0,32; ear %0,%%a1; lg %0,0x28(%0)" : "=a" (x)); x; }) ++ ++/* On s390/s390x there is no unique pointer guard, instead we use the ++ same value as the stack guard. */ ++#define POINTER_CHK_GUARD \ ++ ({ \ ++ uintptr_t x; \ ++ asm ("ear %0,%%a0;" \ ++ "sllg %0,%0,32;" \ ++ "ear %0,%%a1;" \ ++ "lg %0,%1(%0)" \ ++ : "=a" (x) \ ++ : "i" (offsetof (tcbhead_t, stack_guard))); \ ++ x; \ ++ }) +diff --git a/sysdeps/sparc/sparc32/stackguard-macros.h b/sysdeps/sparc/sparc32/stackguard-macros.h +index c0b02b0..1eef0f1 100644 +--- a/sysdeps/sparc/sparc32/stackguard-macros.h ++++ b/sysdeps/sparc/sparc32/stackguard-macros.h +@@ -2,3 +2,6 @@ + + #define STACK_CHK_GUARD \ + ({ uintptr_t x; asm ("ld [%%g7+0x14], %0" : "=r" (x)); x; }) ++ ++#define POINTER_CHK_GUARD \ ++ ({ uintptr_t x; asm ("ld [%%g7+0x18], %0" : "=r" (x)); x; }) +diff --git a/sysdeps/sparc/sparc64/stackguard-macros.h b/sysdeps/sparc/sparc64/stackguard-macros.h +index 80f0635..cc0c12c 100644 +--- a/sysdeps/sparc/sparc64/stackguard-macros.h ++++ b/sysdeps/sparc/sparc64/stackguard-macros.h +@@ -2,3 +2,6 @@ + + #define STACK_CHK_GUARD \ + ({ uintptr_t x; asm ("ldx [%%g7+0x28], %0" : "=r" (x)); x; }) ++ ++#define POINTER_CHK_GUARD \ ++ ({ uintptr_t x; asm ("ldx [%%g7+0x30], %0" : "=r" (x)); x; }) +diff --git a/sysdeps/x86_64/stackguard-macros.h b/sysdeps/x86_64/stackguard-macros.h +index d7fedb3..1948800 100644 +--- a/sysdeps/x86_64/stackguard-macros.h ++++ b/sysdeps/x86_64/stackguard-macros.h +@@ -4,3 +4,8 @@ + ({ uintptr_t x; \ + asm ("mov %%fs:%c1, %0" : "=r" (x) \ + : "i" (offsetof (tcbhead_t, stack_guard))); x; }) ++ ++#define POINTER_CHK_GUARD \ ++ ({ uintptr_t x; \ ++ asm ("mov %%fs:%c1, %0" : "=r" (x) \ ++ : "i" (offsetof (tcbhead_t, pointer_guard))); x; }) diff -Nru eglibc-2.17/debian/patches/arm64/cvs-setjmp-clobber.diff eglibc-2.17/debian/patches/arm64/cvs-setjmp-clobber.diff --- eglibc-2.17/debian/patches/arm64/cvs-setjmp-clobber.diff 1970-01-01 00:00:00.000000000 +0000 +++ eglibc-2.17/debian/patches/arm64/cvs-setjmp-clobber.diff 2013-10-12 03:35:36.000000000 +0000 @@ -0,0 +1,97 @@ +commit e39adf43c7d1979884dd304ed1250baf1f78fadc +Author: Andreas Schwab +Date: Mon May 20 10:19:31 2013 +0200 + + AArch64: Don't clobber argument for tail call to __sigjmp_save in sigsetjmp + +2013-05-21 Andreas Schwab + + [BZ #15493] + * setjmp/Makefile (tests): Add tst-sigsetjmp. + * setjmp/tst-sigsetjmp.c: New test. + +diff --git a/ports/sysdeps/aarch64/setjmp.S b/ports/sysdeps/aarch64/setjmp.S +index cff81c7..10e0709 100644 +--- a/ports/sysdeps/aarch64/setjmp.S ++++ b/ports/sysdeps/aarch64/setjmp.S +@@ -44,8 +44,14 @@ ENTRY (__sigsetjmp) + stp d10, d11, [x0, #JB_D10<<3] + stp d12, d13, [x0, #JB_D12<<3] + stp d14, d15, [x0, #JB_D14<<3] +- mov x1, sp +- str x1, [x0, #JB_SP<<3] ++ mov x2, sp ++ str x2, [x0, #JB_SP<<3] ++#if defined NOT_IN_libc && defined IS_IN_rtld ++ /* In ld.so we never save the signal mask */ ++ mov w0, #0 ++ RET ++#else + b C_SYMBOL_NAME(__sigjmp_save) ++#endif + END (__sigsetjmp) + hidden_def (__sigsetjmp) +diff --git a/setjmp/Makefile b/setjmp/Makefile +index 6124333..913359c 100644 +--- a/setjmp/Makefile ++++ b/setjmp/Makefile +@@ -25,7 +25,8 @@ headers := setjmp.h bits/setjmp.h bits/setjmp2.h + routines := setjmp sigjmp bsd-setjmp bsd-_setjmp \ + longjmp __longjmp jmp-unwind + +-tests := tst-setjmp jmpbug bug269-setjmp ++tests := tst-setjmp jmpbug bug269-setjmp \ ++ tst-sigsetjmp + + + include ../Rules +diff --git a/setjmp/tst-sigsetjmp.c b/setjmp/tst-sigsetjmp.c +new file mode 100644 +index 0000000..467c26a +--- /dev/null ++++ b/setjmp/tst-sigsetjmp.c +@@ -0,0 +1,44 @@ ++/* Copyright (C) 2013 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++/* Test case for BZ #15493 */ ++ ++#include ++#include ++#include ++ ++static int ++do_test (void) ++{ ++ sigjmp_buf sj; ++ sigset_t m; ++ ++ sigemptyset (&m); ++ sigprocmask (SIG_SETMASK, &m, NULL); ++ if (sigsetjmp (sj, 0) == 0) ++ { ++ sigaddset (&m, SIGUSR1); ++ sigprocmask (SIG_SETMASK, &m, NULL); ++ siglongjmp (sj, 1); ++ return EXIT_FAILURE; ++ } ++ sigprocmask (SIG_SETMASK, NULL, &m); ++ return sigismember (&m, SIGUSR1) ? EXIT_SUCCESS : EXIT_FAILURE; ++} ++ ++#define TEST_FUNCTION do_test () ++#include "../test-skeleton.c" diff -Nru eglibc-2.17/debian/patches/series eglibc-2.17/debian/patches/series --- eglibc-2.17/debian/patches/series 2013-09-23 05:29:44.000000000 +0000 +++ eglibc-2.17/debian/patches/series 2013-10-12 03:31:00.000000000 +0000 @@ -56,6 +56,8 @@ arm/local-vfp-sysdeps.diff arm/unsubmitted-ldso-multilib.diff +arm64/cvs-setjmp-clobber.diff + hppa/local-inlining.diff hppa/submitted-fadvise64_64.diff hppa/submitted-nptl-carlos.diff @@ -256,6 +258,11 @@ any/cvs-CVE-2013-4332-memalign.diff any/cvs-CVE-2013-4332-pvalloc.diff any/cvs-CVE-2013-4332-valloc.diff +any/cvs-CVE-2012-44xx.diff +any/cvs-CVE-2013-4237.diff +#any/cvs-CVE-2013-2207-pt_chown.diff +#any/cvs-CVE-2013-4788-static-ptrguard.diff +#any/cvs-CVE-2013-4788-static-ptrguard-ppc64.diff # Ubuntu patches live in their own little world, to maintain sanity ubuntu/delete-header-pot.diff @@ -267,3 +274,4 @@ ubuntu/local-linaro-cortex-strings.diff ubuntu/submitted-no-sprintf-pre-truncate.diff ubuntu/submitted-no-stack-backtrace.diff +ubuntu/unsubmitted-dlopen-static-crash.diff diff -Nru eglibc-2.17/debian/patches/ubuntu/unsubmitted-dlopen-static-crash.diff eglibc-2.17/debian/patches/ubuntu/unsubmitted-dlopen-static-crash.diff --- eglibc-2.17/debian/patches/ubuntu/unsubmitted-dlopen-static-crash.diff 1970-01-01 00:00:00.000000000 +0000 +++ eglibc-2.17/debian/patches/ubuntu/unsubmitted-dlopen-static-crash.diff 2013-10-09 22:00:20.000000000 +0000 @@ -0,0 +1,33 @@ +Description: Fix dlopen segfault in statically linked programs +Author: Maciej Rozycki +Origin: http://www.eglibc.org/archives/issues/msg00084.html +Last-Update: 2013-10-09 + +Index: b/elf/dl-open.c +=================================================================== +--- a/elf/dl-open.c ++++ b/elf/dl-open.c +@@ -92,11 +92,22 @@ + anymore. Instead the malloc() implementation of the libc is + used. But this means the block from the main map cannot be used + in an realloc() call. Therefore we allocate a completely new +- array the first time we have to add something to the locale scope. */ ++ array the first time we have to add something to the locale scope. ++ ++ Also the list may be missing altogether if we are called via ++ dlopen() from a statically linked executable as in this case ld.so ++ has not been called and no dynamic symbols have been pulled yet. ++ Start a new list in this case. */ + + struct link_namespaces *ns = &GL(dl_ns)[new->l_ns]; + if (ns->_ns_global_scope_alloc == 0) + { ++ /* See if we've got a list at all. */ ++ if (ns->_ns_main_searchlist == NULL) ++ ns->_ns_main_searchlist = calloc (1, sizeof (struct r_scope_elem)); ++ if (ns->_ns_main_searchlist == NULL) ++ goto nomem; ++ + /* This is the first dynamic object given global scope. */ + ns->_ns_global_scope_alloc + = ns->_ns_main_searchlist->r_nlist + to_add + 8;