Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
[security] Upgrade to eglibc_2.19-0ubuntu6.9 and apply Debian/Ubuntu …
…patches

before Mer specific ones. MER#1633

Fixes CVE-2015-1781, CVE-2014-8121, CVE-2015-5277, CVE-2015-8776,
CVE-2015-8777, CVE-2015-8778, CVE-2015-8779, CVE-2016-3075, CVE-2016-2856,
CVE-2013-2207.

Signed-off-by: Pasi Sjöholm <pasi.sjoholm@siirappi.com>
  • Loading branch information
tigeli committed Aug 28, 2016
1 parent 75de86f commit 90a189d
Show file tree
Hide file tree
Showing 5 changed files with 47 additions and 40 deletions.
Binary file removed eglibc_2.19-0ubuntu6.7.debian.tar.xz
Binary file not shown.
Binary file added eglibc_2.19-0ubuntu6.9.debian.tar.xz
Binary file not shown.
54 changes: 27 additions & 27 deletions glibc-2.19-ldso-rpath-prefix-option.2.diff
@@ -1,7 +1,7 @@
diff --git a/elf/dl-load.c b/elf/dl-load.c
index 1be7a3c..49f070f 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
Index: eglibc-2.19/elf/dl-load.c
===================================================================
--- eglibc-2.19.orig/elf/dl-load.c
+++ eglibc-2.19/elf/dl-load.c
@@ -482,7 +482,7 @@ static size_t max_dirnamelen;
static struct r_search_path_elem **
fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
Expand All @@ -11,7 +11,7 @@ index 1be7a3c..49f070f 100644
{
char *cp;
size_t nelems = 0;
@@ -520,9 +520,23 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
@@ -520,9 +520,23 @@ fillin_rpath (char *rpath, struct r_sear
}

/* See if this directory is already known. */
Expand All @@ -38,7 +38,7 @@ index 1be7a3c..49f070f 100644

if (dirp != NULL)
{
@@ -540,22 +554,43 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
@@ -540,22 +554,43 @@ fillin_rpath (char *rpath, struct r_sear
size_t cnt;
enum r_dir_status init_val;
size_t where_len = where ? strlen (where) + 1 : 0;
Expand Down Expand Up @@ -87,7 +87,7 @@ index 1be7a3c..49f070f 100644

/* We have to make sure all the relative directories are
never ignored. The current directory might change and
@@ -566,7 +601,8 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
@@ -566,7 +601,8 @@ fillin_rpath (char *rpath, struct r_sear

dirp->what = what;
if (__builtin_expect (where != NULL, 1))
Expand All @@ -97,7 +97,7 @@ index 1be7a3c..49f070f 100644
+ (ncapstr * sizeof (enum r_dir_status)),
where, where_len);
else
@@ -668,7 +704,7 @@ decompose_rpath (struct r_search_path_struct *sps,
@@ -668,7 +704,7 @@ decompose_rpath (struct r_search_path_st
_dl_signal_error (ENOMEM, NULL, NULL, errstring);
}

Expand All @@ -115,11 +115,11 @@ index 1be7a3c..49f070f 100644

if (env_path_list.dirs[0] == NULL)
{
diff --git a/elf/dl-support.c b/elf/dl-support.c
index e435436..723814a 100644
--- a/elf/dl-support.c
+++ b/elf/dl-support.c
@@ -58,6 +58,9 @@ const char *_dl_profile_output;
Index: eglibc-2.19/elf/dl-support.c
===================================================================
--- eglibc-2.19.orig/elf/dl-support.c
+++ eglibc-2.19/elf/dl-support.c
@@ -61,6 +61,9 @@ const char *_dl_profile_output;
ignored. */
const char *_dl_inhibit_rpath;

Expand All @@ -129,11 +129,11 @@ index e435436..723814a 100644
/* The map for the object we will profile. */
struct link_map *_dl_profile_map;

diff --git a/elf/rtld.c b/elf/rtld.c
index 6dcbabc..ea3af55 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -994,6 +994,15 @@ dl_main (const ElfW(Phdr) *phdr,
Index: eglibc-2.19/elf/rtld.c
===================================================================
--- eglibc-2.19.orig/elf/rtld.c
+++ eglibc-2.19/elf/rtld.c
@@ -991,6 +991,15 @@ dl_main (const ElfW(Phdr) *phdr,
_dl_argc -= 2;
INTUSE(_dl_argv) += 2;
}
Expand All @@ -149,22 +149,22 @@ index 6dcbabc..ea3af55 100644
else if (! strcmp (INTUSE(_dl_argv)[1], "--audit") && _dl_argc > 2)
{
process_dl_audit (INTUSE(_dl_argv)[2]);
@@ -1028,6 +1037,7 @@ of this helper program; chances are you did not intend to run this program.\n\
@@ -1025,6 +1034,7 @@ of this helper program; chances are you
--inhibit-cache Do not use " LD_SO_CACHE "\n\
--library-path PATH use given PATH instead of content of the environment\n\
variable LD_LIBRARY_PATH\n\
+ --rpath-prefix PREFIX add PREFIX to every RUNPATH and RPATH component\n\
--inhibit-rpath LIST ignore RUNPATH and RPATH information in object names\n\
in LIST\n\
--audit LIST use objects named in LIST as auditors\n");
diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h
index ffeb093..3116188 100644
--- a/sysdeps/generic/ldsodefs.h
+++ b/sysdeps/generic/ldsodefs.h
@@ -593,6 +593,12 @@ struct rtld_global_ro

/* 0 if internal pointer values should not be guarded, 1 if they should. */
EXTERN int _dl_pointer_guard;
Index: eglibc-2.19/sysdeps/generic/ldsodefs.h
===================================================================
--- eglibc-2.19.orig/sysdeps/generic/ldsodefs.h
+++ eglibc-2.19/sysdeps/generic/ldsodefs.h
@@ -600,6 +600,12 @@ struct rtld_global_ro
/* List of auditing interfaces. */
struct audit_ifaces *_dl_audit;
unsigned int _dl_naudit;
+#endif
+
+ /* prefix for RPATH + RUNPATH components. */
Expand Down
7 changes: 7 additions & 0 deletions glibc.changes
@@ -1,3 +1,10 @@
* Sun Aug 28 2016 Pasi Sjöholm <pasi.sjoholm@siirappi.com> - 2.19+6.9
- Upgrade to eglibc_2.19-0ubuntu6.9 and apply Debian/Ubuntu patches
before Mer specific ones.
- Fixes CVE-2015-1781, CVE-2014-8121, CVE-2015-5277, CVE-2015-8776,
CVE-2015-8777, CVE-2015-8778, CVE-2015-8779, CVE-2016-3075, CVE-2016-2856,
CVE-2013-2207. MER#1633

* Fri Feb 26 2016 Niels Breet <niels.breet@jolla.com> - 2.19+6.7
- Packaging fix. Contributes MER#1515

Expand Down
26 changes: 13 additions & 13 deletions glibc.spec
Expand Up @@ -8,7 +8,7 @@

Summary: Embedded GLIBC (EGLIBC) is a variant of the GNU C Library (GLIBC)
Name: glibc
Version: 2.19+6.7
Version: 2.19+6.9
Release: 1

# GPLv2+ is used in a bunch of programs, LGPLv2+ is used for libraries.
Expand All @@ -20,7 +20,7 @@ License: LGPLv2+ and LGPLv2+ with exceptions and GPLv2+
Group: System/Libraries
URL: http://www.eglibc.org/
Source0: https://launchpad.net/ubuntu/+archive/primary/+files/eglibc_2.19.orig.tar.xz
Source1: http://archive.ubuntu.com/ubuntu/pool/main/e/eglibc/eglibc_2.19-0ubuntu6.7.debian.tar.xz
Source1: http://archive.ubuntu.com/ubuntu/pool/main/e/eglibc/eglibc_2.19-0ubuntu6.9.debian.tar.xz
Source11: build-locale-archive.c

# glibc-arm-alignment-fix.patch: safe but probably not needed anymore
Expand Down Expand Up @@ -198,6 +198,17 @@ If unsure if you need this, don't install this package.
%setup -q -n %{glibcsrcdir} %{?glibc_release_unpack}
xz -dc %SOURCE1 | tar xf -

# Not well formatted locales --cvm
sed -i "s|^localedata/locale-eo_EO.diff$||g" debian/patches/series
sed -i "s|^localedata/locale-ia.diff$||g" debian/patches/series
# This screws up armv6, as it doesn't have ARMv7 instructions/Thumb2
%ifarch armv6l
sed -i "s|^arm/local-linaro-cortex-strings.diff$||g" debian/patches/series
%endif
sed -i "s|^kfreebsd.*$||g" debian/patches/series

QUILT_PATCHES=debian/patches quilt push -a

# glibc-arm-alignment-fix.patch
%patch1 -p1
%ifarch %{arm}
Expand Down Expand Up @@ -229,17 +240,6 @@ xz -dc %SOURCE1 | tar xf -
# eglibc-2.19-sb2-workaround.patch
%patch13 -p1

# Not well formatted locales --cvm
sed -i "s|^localedata/locale-eo_EO.diff$||g" debian/patches/series
sed -i "s|^localedata/locale-ia.diff$||g" debian/patches/series
# This screws up armv6, as it doesn't have ARMv7 instructions/Thumb2
%ifarch armv6l
sed -i "s|^arm/local-linaro-cortex-strings.diff$||g" debian/patches/series
%endif
sed -i "s|^kfreebsd.*$||g" debian/patches/series

QUILT_PATCHES=debian/patches quilt push -a

cat > find_provides.sh <<EOF
#!/bin/sh
/usr/lib/rpm/find-provides | grep -v GLIBC_PRIVATE
Expand Down

0 comments on commit 90a189d

Please sign in to comment.