glibc: patch CVE-2020-1752

/cc roundup #88306; the issue seems quite serious to me. I also made two other patches non-conditional, as we rebuild all platforms anyway.
4 years ago · 3f08d642fe
parent c2039e1901
commit 3f08d642fe
2 changed files with 64 additions and 2 deletions
--- a/pkgs/development/libraries/glibc/2.30-cve-2020-1752.patch
+++ b/pkgs/development/libraries/glibc/2.30-cve-2020-1752.patch
@ -0,0 +1,62 @@
+From: Andreas Schwab <schwab@suse.de>
+Date: Wed, 19 Feb 2020 16:21:46 +0000 (+0100)
+Subject: Fix use-after-free in glob when expanding ~user (bug 25414)
+X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=da97c6b88eb03fb834e92964b0895c2ac8d61f63;hp=dd34bce38c822b67fcc42e73969bf6699d6874b6
+
+Fix use-after-free in glob when expanding ~user (bug 25414)
+
+The value of `end_name' points into the value of `dirname', thus don't
+deallocate the latter before the last use of the former.
+
+(cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c)
+---
+
+diff --git a/posix/glob.c b/posix/glob.c
+index e73e35c510..c6cbd0eb43 100644
+--- a/posix/glob.c
+++ b/posix/glob.c
+@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
+ 	      {
+ 		size_t home_len = strlen (p->pw_dir);
+ 		size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
+-		char *d;
+		char *d, *newp;
+		bool use_alloca = glob_use_alloca (alloca_used,
+						   home_len + rest_len + 1);
+ 
+-		if (__glibc_unlikely (malloc_dirname))
+-		  free (dirname);
+-		malloc_dirname = 0;
+-
+-		if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
+-		  dirname = alloca_account (home_len + rest_len + 1,
+-					    alloca_used);
+		if (use_alloca)
+		  newp = alloca_account (home_len + rest_len + 1, alloca_used);
+ 		else
+ 		  {
+-		    dirname = malloc (home_len + rest_len + 1);
+-		    if (dirname == NULL)
+		    newp = malloc (home_len + rest_len + 1);
+		    if (newp == NULL)
+ 		      {
+ 			scratch_buffer_free (&pwtmpbuf);
+ 			retval = GLOB_NOSPACE;
+ 			goto out;
+ 		      }
+-		    malloc_dirname = 1;
+ 		  }
+-		d = mempcpy (dirname, p->pw_dir, home_len);
+		d = mempcpy (newp, p->pw_dir, home_len);
+ 		if (end_name != NULL)
+ 		  d = mempcpy (d, end_name, rest_len);
+ 		*d = '\0';
+ 
+		if (__glibc_unlikely (malloc_dirname))
+		  free (dirname);
+		dirname = newp;
+		malloc_dirname = !use_alloca;
+
+ 		dirlen = home_len + rest_len;
+ 		dirname_modified = 1;
+ 	      }
--- a/pkgs/development/libraries/glibc/common.nix
+++ b/pkgs/development/libraries/glibc/common.nix
@ -106,10 +106,10 @@ stdenv.mkDerivation ({
        url = "https://salsa.debian.org/glibc-team/glibc/raw/49767c9f7de4828220b691b29de0baf60d8a54ec/debian/patches/localedata/locale-C.diff";
        sha256 = "0irj60hs2i91ilwg5w7sqrxb695c93xg0ik7yhhq9irprd7fidn4";
      })
-    ]
-    ++ lib.optionals stdenv.isx86_64 [
+
      ./fix-x64-abi.patch
      ./2.27-CVE-2019-19126.patch
+      ./2.30-cve-2020-1752.patch
    ]
    ++ lib.optional stdenv.hostPlatform.isMusl ./fix-rpc-types-musl-conflicts.patch
    ++ lib.optional stdenv.buildPlatform.isDarwin ./darwin-cross-build.patch;