Initial import

_attribute

@@ -0,0 +1,5 @@
+<attributes>
+  <attribute namespace="Mer" name="MeeGoUpstreamRev">
+    <value>b5e2e1cba5dc881651114612526e96d6</value>
+  </attribute>
+</attributes>

_meta

@@ -0,0 +1,13 @@
+<package project="Mer:Trunk:Base" name="glibc">
+  <title>The GNU libc libraries</title>
+  <description>The glibc package contains standard libraries which are used by
+multiple programs on the system. In order to save disk space and
+memory, as well as to make upgrading easier, common system code is
+kept in one place and shared between programs. This particular package
+contains the most important sets of shared libraries: the standard C
+library and the standard math library. Without these two libraries, a
+Linux system will not function.
+
+</description>
+  <url>http://sources.redhat.com/glibc/</url>
+</package>

cve-2010-3847.patch

@@ -0,0 +1,82 @@
+2010-10-18  Andreas Schwab  <schwab@redhat.com>
+
+	* elf/dl-load.c (is_dst): Remove last parameter.
+	(_dl_dst_count): Ignore $ORIGIN in privileged programs.
+	(_dl_dst_substitute): Likewise.
+---
+ elf/dl-load.c |   30 +++++++++++++-----------------
+ 1 files changed, 13 insertions(+), 17 deletions(-)
+
+diff --git a/elf/dl-load.c b/elf/dl-load.c
+index a7162eb..776f7e4 100644
+--- a/elf/dl-load.c
++++ b/elf/dl-load.c
+@@ -169,8 +169,7 @@ local_strdup (const char *s)
+
+
+ static size_t
+-is_dst (const char *start, const char *name, const char *str,
+-	int is_path, int secure)
++is_dst (const char *start, const char *name, const char *str, int is_path)
+ {
+   size_t len;
+   bool is_curly = false;
+@@ -199,11 +198,6 @@ is_dst (const char *start, const char *name, const char *str,
+ 	   && (!is_path || name[len] != ':'))
+     return 0;
+
+-  if (__builtin_expect (secure, 0)
+-      && ((name[len] != '\0' && (!is_path || name[len] != ':'))
+-	  || (name != start + 1 && (!is_path || name[-2] != ':'))))
+-    return 0;
+-
+   return len;
+ }
+
+@@ -218,13 +212,12 @@ _dl_dst_count (const char *name, int is_path)
+     {
+       size_t len;
+
+-      /* $ORIGIN is not expanded for SUID/GUID programs (except if it
+-	 is $ORIGIN alone) and it must always appear first in path.  */
++      /* $ORIGIN is not expanded for SUID/GUID programs.  */
+       ++name;
+-      if ((len = is_dst (start, name, "ORIGIN", is_path,
+-			 INTUSE(__libc_enable_secure))) != 0
+-	  || (len = is_dst (start, name, "PLATFORM", is_path, 0)) != 0
+-	  || (len = is_dst (start, name, "LIB", is_path, 0)) != 0)
++      if (((len = is_dst (start, name, "ORIGIN", is_path)) != 0
++	   && !INTUSE(__libc_enable_secure))
++	  || (len = is_dst (start, name, "PLATFORM", is_path)) != 0
++	  || (len = is_dst (start, name, "LIB", is_path)) != 0)
+ 	++cnt;
+
+       name = strchr (name + len, '$');
+@@ -256,9 +249,12 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result,
+ 	  size_t len;
+
+ 	  ++name;
+-	  if ((len = is_dst (start, name, "ORIGIN", is_path,
+-			     INTUSE(__libc_enable_secure))) != 0)
++	  if ((len = is_dst (start, name, "ORIGIN", is_path)) != 0)
+ 	    {
++	      /* Ignore this path element in SUID/SGID programs.  */
++	      if (INTUSE(__libc_enable_secure))
++		repl = (const char *) -1;
++	      else
+ #ifndef SHARED
+ 	      if (l == NULL)
+ 		repl = _dl_get_origin ();
+@@ -266,9 +262,9 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result,
+ #endif
+ 		repl = l->l_origin;
+ 	    }
+-	  else if ((len = is_dst (start, name, "PLATFORM", is_path, 0)) != 0)
++	  else if ((len = is_dst (start, name, "PLATFORM", is_path)) != 0)
+ 	    repl = GLRO(dl_platform);
+-	  else if ((len = is_dst (start, name, "LIB", is_path, 0)) != 0)
++	  else if ((len = is_dst (start, name, "LIB", is_path)) != 0)
+ 	    repl = DL_DST_LIB;
+
+ 	  if (repl != NULL && repl != (const char *) -1)
+

cve-2011-0536.patch

@@ -0,0 +1,186 @@
+From 47c3cd7a74e8c089d60d603afce6d9cf661178d6 Mon Sep 17 00:00:00 2001
+From: Ulrich Drepper <drepper@gmail.com>
+Date: Sat, 7 May 2011 11:44:26 -0400
+Subject: [PATCH] Allow $ORIGIN to reference trusted directoreis in SUID binaries.
+
+2011-05-07  Petr Baudis  <pasky@suse.cz>
+	    Ulrich Drepper  <drepper@gmail.com>
+
+	[BZ #12393]
+	* elf/dl-load.c (fillin_rpath): Move trusted path check...
+	(is_trusted_path): ...to here.
+	(is_norm_trusted_path): Add wrapper for /../ and /./ normalization.
+	(_dl_dst_substitute): Verify expanded $ORIGIN path elements
+	using is_norm_trusted_path() in setuid scripts.
+
+diff --git a/elf/dl-load.c b/elf/dl-load.c
+index 00ea465..f2773d5 100644
+--- a/elf/dl-load.c
++++ b/elf/dl-load.c
+@@ -168,6 +168,71 @@ local_strdup (const char *s)
+ }
+
+
++static bool
++is_trusted_path (const char *path, size_t len)
++{
++  /* All trusted directories must be complete names.  */
++  if (path[0] != '/')
++    return false;
++
++  const char *trun = system_dirs;
++
++  for (size_t idx = 0; idx < nsystem_dirs_len; ++idx)
++    {
++      if (len == system_dirs_len[idx] && memcmp (trun, path, len) == 0)
++	/* Found it.  */
++	return true;
++
++      trun += system_dirs_len[idx] + 1;
++    }
++
++  return false;
++}
++
++
++static bool
++is_trusted_path_normalize (const char *path, size_t len)
++{
++  char *npath = (char *) alloca (len + 2);
++  char *wnp = npath;
++
++  while (*path != '\0')
++    {
++      if (path[0] == '/')
++	{
++	  if (path[1] == '.')
++	    {
++	      if (path[2] == '.' && (path[3] == '/' || path[3] == '\0'))
++		{
++		  while (wnp > npath && *--wnp != '/')
++		    ;
++		  path += 3;
++		  continue;
++		}
++	      else if (path[2] == '/' || path[2] == '\0')
++		{
++		  path += 2;
++		  continue;
++		}
++	    }
++
++	  if (wnp > npath && wnp[-1] == '/')
++	    {
++	      ++path;
++	      continue;
++	    }
++	}
++
++      *wnp++ = *path++;
++    }
++  if (wnp > npath && wnp[-1] != '/')
++    *wnp++ = '/';
++  *wnp = '\0';
++
++  return is_trusted_path (npath, wnp - npath);
++}
++
++
+ static size_t
+ is_dst (const char *start, const char *name, const char *str,
+ 	int is_path, int secure)
+@@ -240,13 +305,14 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result,
+ 		    int is_path)
+ {
+   const char *const start = name;
+-  char *last_elem, *wp;
+
+   /* Now fill the result path.  While copying over the string we keep
+      track of the start of the last path element.  When we come accross
+      a DST we copy over the value or (if the value is not available)
+      leave the entire path element out.  */
+-  last_elem = wp = result;
++  char *wp = result;
++  char *last_elem = result;
++  bool check_for_trusted = false;
+
+   do
+     {
+@@ -265,6 +331,9 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result,
+ 	      else
+ #endif
+ 		repl = l->l_origin;
++
++	      check_for_trusted = (INTUSE(__libc_enable_secure)
++				   && l->l_type == lt_executable);
+ 	    }
+ 	  else if ((len = is_dst (start, name, "PLATFORM", is_path, 0)) != 0)
+ 	    repl = GLRO(dl_platform);
+@@ -297,11 +366,29 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result,
+ 	{
+ 	  *wp++ = *name++;
+ 	  if (is_path && *name == ':')
+-	    last_elem = wp;
++	    {
++	      /* In SUID/SGID programs, after $ORIGIN expansion the
++		 normalized path must be rooted in one of the trusted
++		 directories.  */
++	      if (__builtin_expect (check_for_trusted, false)
++		  && is_trusted_path_normalize (last_elem, wp - last_elem))
++		{
++		  wp = last_elem;
++		  check_for_trusted = false;
++		}
++	      else
++		last_elem = wp;
++	    }
+ 	}
+     }
+   while (*name != '\0');
+
++  /* In SUID/SGID programs, after $ORIGIN expansion the normalized
++     path must be rooted in one of the trusted directories.  */
++  if (__builtin_expect (check_for_trusted, false)
++      && is_trusted_path_normalize (last_elem, wp - last_elem))
++    wp = last_elem;
++
+   *wp = '\0';
+
+   return result;
+@@ -411,33 +498,8 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
+ 	cp[len++] = '/';
+
+       /* Make sure we don't use untrusted directories if we run SUID.  */
+-      if (__builtin_expect (check_trusted, 0))
+-	{
+-	  const char *trun = system_dirs;
+-	  size_t idx;
+-	  int unsecure = 1;
+-
+-	  /* All trusted directories must be complete names.  */
+-	  if (cp[0] == '/')
+-	    {
+-	      for (idx = 0; idx < nsystem_dirs_len; ++idx)
+-		{
+-		  if (len == system_dirs_len[idx]
+-		      && memcmp (trun, cp, len) == 0)
+-		    {
+-		      /* Found it.  */
+-		      unsecure = 0;
+-		      break;
+-		    }
+-
+-		  trun += system_dirs_len[idx] + 1;
+-		}
+-	    }
+-
+-	  if (unsecure)
+-	    /* Simply drop this directory.  */
+-	    continue;
+-	}
++      if (__builtin_expect (check_trusted, 0) && !is_trusted_path (cp, len))
++	continue;
+
+       /* See if this directory is already known.  */
+       for (dirp = GL(dl_all_dirs); dirp != NULL; dirp = dirp->next)
+

cve-2011-1089.patch

@@ -0,0 +1,24 @@
+From e1fb097f447a89aa69a926e45e673a52d86a6c57 Mon Sep 17 00:00:00 2001
+From: Ulrich Drepper <drepper@gmail.com>
+Date: Wed, 11 May 2011 23:37:25 -0400
+Subject: [PATCH] Report write error  in addmnt even for cached streams.
+
+ 2011-05-11  Ulrich Drepper  <drepper@gmail.com>
+
+	[BZ #12625]
+	* misc/mntent_r.c (addmntent): Flush the stream after the output
+
+diff --git a/misc/mntent_r.c b/misc/mntent_r.c
+index 9598528..6959f0e 100644
+--- a/misc/mntent_r.c
++++ b/misc/mntent_r.c
+@@ -263,8 +263,8 @@ __addmntent (FILE *stream, const struct mntent *mnt)
+ 		   mntcopy.mnt_type,
+ 		   mntcopy.mnt_opts,
+ 		   mntcopy.mnt_freq,
+-		   mntcopy.mnt_passno)
+-	  < 0 ? 1 : 0);
++		   mntcopy.mnt_passno) < 0
++	  || fflush (stream) != 0);
+ }
+ weak_alias (__addmntent, addmntent)

cve-2011-1659.patch

@@ -0,0 +1,46 @@
+From 8126d90480fa3e0c5c5cd0d02cb1c93174b45485 Mon Sep 17 00:00:00 2001
+From: Ulrich Drepper <drepper@gmail.com>
+Date: Fri, 18 Mar 2011 05:29:20 -0400
+Subject: [PATCH] Check size of pattern in wide character representation in fnmatch.
+
+2011-03-18  Ulrich Drepper  <drepper@gmail.com>
+
+	* posix/fnmatch.c (fnmatch): Check size of pattern in wide
+	character representation.
+	Partly based on a patch by Tomas Hoger <thoger@redhat.com>.
+diff --git a/posix/fnmatch.c b/posix/fnmatch.c
+index 0af5ee6..819a6a7 100644
+--- a/posix/fnmatch.c
++++ b/posix/fnmatch.c
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 1991,1992,1993,1996,1997,1998,1999,2000,2001,2002,2003,2007,2010
++/* Copyright (C) 1991,1992,1993,1996,1997,1998,1999,2000,2001,2002,2003,2007,2010,2011
+ 	Free Software Foundation, Inc.
+    This file is part of the GNU C Library.
+
+@@ -375,6 +375,11 @@ fnmatch (pattern, string, flags)
+ 	       XXX Do we have to set `errno' to something which mbsrtows hasn't
+ 	       already done?  */
+ 	    return -1;
++	  if (__builtin_expect (n >= (size_t) -1 / sizeof (wchar_t), 0))
++	    {
++	      __set_errno (ENOMEM);
++	      return -2;
++	    }
+ 	  wpattern_malloc = wpattern
+ 	    = (wchar_t *) malloc ((n + 1) * sizeof (wchar_t));
+ 	  assert (mbsinit (&ps));
+@@ -419,6 +424,12 @@ fnmatch (pattern, string, flags)
+ 	       XXX Do we have to set `errno' to something which mbsrtows hasn't
+ 	       already done?  */
+ 	    goto free_return;
++	  if (__builtin_expect (n >= (size_t) -1 / sizeof (wchar_t), 0))
++	    {
++	      free (wpattern_malloc);
++	      __set_errno (ENOMEM);
++	      return -2;
++	    }
+
+ 	  wstring_malloc = wstring
+ 	    = (wchar_t *) malloc ((n + 1) * sizeof (wchar_t));
+