Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Merge branch 'fix-os-6770' into 'master'
[iconv] Fix CVE-2020-27618. Contributes to JB#54165

See merge request mer-core/glibc!41
  • Loading branch information
xfade committed May 5, 2021
2 parents 72133ec + 0c7bfe7 commit ba3978a
Show file tree
Hide file tree
Showing 2 changed files with 58 additions and 0 deletions.
55 changes: 55 additions & 0 deletions glibc-CVE-2020-27618.patch
@@ -0,0 +1,55 @@
From 9a99c682144bdbd40792ebf822fe9264e0376fb5 Mon Sep 17 00:00:00 2001
From: Arjun Shankar <arjun@redhat.com>
Date: Wed, 4 Nov 2020 12:19:38 +0100
Subject: [PATCH] iconv: Accept redundant shift sequences in IBM1364 [BZ
#26224]

The IBM1364, IBM1371, IBM1388, IBM1390 and IBM1399 character sets
share converter logic (iconvdata/ibm1364.c) which would reject
redundant shift sequences when processing input in these character
sets. This led to a hang in the iconv program (CVE-2020-27618).

This commit adjusts the converter to ignore redundant shift sequences
and adds test cases for iconv_prog hangs that would be triggered upon
their rejection. This brings the implementation in line with other
converters that also ignore redundant shift sequences (e.g. IBM930
etc., fixed in commit 692de4b3960d).

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
---
iconvdata/ibm1364.c | 14 ++------------

diff --git a/iconvdata/ibm1364.c b/iconvdata/ibm1364.c
index 49e7267ab4..521f0825b7 100644
--- a/iconvdata/ibm1364.c
+++ b/iconvdata/ibm1364.c
@@ -158,24 +158,14 @@ enum
\
if (__builtin_expect (ch, 0) == SO) \
{ \
- /* Shift OUT, change to DBCS converter. */ \
- if (curcs == db) \
- { \
- result = __GCONV_ILLEGAL_INPUT; \
- break; \
- } \
+ /* Shift OUT, change to DBCS converter (redundant escape okay). */ \
curcs = db; \
++inptr; \
continue; \
} \
if (__builtin_expect (ch, 0) == SI) \
{ \
- /* Shift IN, change to SBCS converter. */ \
- if (curcs == sb) \
- { \
- result = __GCONV_ILLEGAL_INPUT; \
- break; \
- } \
+ /* Shift IN, change to SBCS converter (redundant escape okay). */ \
curcs = sb; \
++inptr; \
continue; \
--
2.27.0

3 changes: 3 additions & 0 deletions glibc.spec
Expand Up @@ -28,6 +28,8 @@ Patch14: 0002-arm-CVE-2020-6096-fix-memcpy-and-memmove-for-negativ.patch
Patch15: 0003-arm-CVE-2020-6096-Fix-multiarch-memcpy-for-negative-.patch
Patch16: 0001-Fix-array-bounds-violation-in-regex-matcher-bug-2514.patch
Patch17: 0001-posix-Sync-regex-with-gnulib.patch
Patch18: glibc-CVE-2020-27618.patch


Provides: ldconfig
# The dynamic linker supports DT_GNU_HASH
Expand Down Expand Up @@ -231,6 +233,7 @@ cd %{glibcsrcdir}
%patch15 -p1
%patch16 -p1
%patch17 -p1
%patch18 -p1

%build
GCC=gcc
Expand Down

0 comments on commit ba3978a

Please sign in to comment.