Import Debian changes 2.31-13+deb11u3

33c53a93 · Aurelien Jarno · Dylan Aïssi · 7bcb1c21 · 33c53a93 · 33c53a93
Commit 33c53a93 authored 3 years ago by Aurelien Jarno Committed by Dylan Aïssi 2 years ago
--- a/debian/changelog
+++ b/debian/changelog
+glibc (2.31-13+deb11u3) bullseye; urgency=medium
+
+  [ Aurelien Jarno ]
+  * debian/patches/git-updates.diff: update from upstream stable branch:
+    - Fix bad conversion from ISO-2022-JP-3 with iconv (CVE-2021-43396).
+      Closes: #998622.
+    - Remove PIE check on amd64 to fix FTBFS with binutils 2.37.
+    - Fix a buffer overflow in sunrpc svcunix_create (CVE-2022-23218).
+    - Fix a buffer overflow in sunrpc clnt_create (CVE-2022-23219).
+  * debian/debhelper.in/libc-bin.postinst: stop replacing older versions from
+    /etc/nsswitch.conf.  Closes: #998008.
+  * debian/debhelper.in/libc.preinst: simplify the version comparison by only
+    comparing the two first parts, now that kernel 2.X are not supported
+    anymore.  Closes: #1004861.
+  * debian/debhelper.in/libc.preinst: drop the check for kernel release > 255
+    now that glibc and preinstall script are fixed.  Closes: #987266.
+  * debian/patches/local-CVE-2021-33574-mq_notify-use-after-free.diff:
+    fix a possible use-after-free in mq_notify (CVE-2021-33574).  Closes:
+    #989147.
+
+ -- Aurelien Jarno <aurel32@debian.org>  Thu, 17 Mar 2022 22:37:00 +0100
+
 glibc (2.31-13+deb11u2) bullseye; urgency=medium
  
  [ Aurelien Jarno ]

--- a/debian/debhelper.in/libc-bin.postinst
+++ b/debian/debhelper.in/libc-bin.postinst
@@ -12,21 +12,6 @@ update_to_current_default() {
  if [ -f $2 ]; then
    md5=`md5sum $2 | cut -f 1 -d " "`
    case "$md5" in
-      # base-files 3.0.0 to 3.1.15
-      109e33e2c91d1853b5bc56078a96aa18)
-        ;;
-      # base-files 3.1.8 and 3.1.9
-      3114ea9cf2f3bd8d120b4da96e3832d5)
-        ;;
-      # base-files 3.1.16 to 7.2 and libc-bin 2.19-18 to 2.22-11
-      295c15c4bdac80e50b37689ef08f359c)
-        ;;
-      # base-files 6.6
-      30b82cb1ce20d480703da2208a4607b4)
-        ;;
-      # base-files 7.3 and libc-bin 2.22-12
-      f8e97bf611374634c7cb3a6085503ab5)
-        ;;
      # modified file
      *)
        return

--- a/debian/debhelper.in/libc.preinst
+++ b/debian/debhelper.in/libc.preinst
@@ -5,14 +5,7 @@ export LC_ALL=C
 type=$1
 preversion=$2

-linux_compare_versions () {
-    verA=$(($(echo "$1" | sed 's/^\([0-9]*\.[0-9]*\)\([^.0-9]\|$\)/\1.0\2/; s/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*/\1 \* 10000 + \2 \* 100 + \3/')))
-    verB=$(($(echo "$3" | sed 's/^\([0-9]*\.[0-9]*\)\([^.0-9]\|$\)/\1.0\2/; s/\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*/\1 \* 10000 + \2 \* 100 + \3/')))
-
-    test $verA -$2 $verB
-}
-
-kfreebsd_compare_versions () {
+kernel_compare_versions () {
    verA=$(($(echo "$1" | sed 's/\([0-9]*\)\.\([0-9]*\).*/\1 \* 100 + \2/')))
    verB=$(($(echo "$3" | sed 's/\([0-9]*\)\.\([0-9]*\).*/\1 \* 100 + \2/')))

@@ -99,21 +92,6 @@ then
    system=`uname -s`
    if [ "$system" = "Linux" ]
    then
-        # Test to make sure z < 255, in x.y.z-n form of kernel version
-        # Also make sure we don't trip on x.y.zFOO-n form
-        kernel_rev=$(uname -r | sed 's/\([0-9]*\.\)\{1,2\}\([0-9]*\)\(.*\)/\2/')
-        if [ "$kernel_rev" -ge 255 ]
-        then
-            echo "ERROR: Your kernel version indicates a revision number"
-            echo "of 255 or greater.  Glibc has a number of built in"
-            echo "assumptions that this revision number is less than 255."
-            echo "If you\'ve built your own kernel, please make sure that any"
-            echo "custom version numbers are appended to the upstream"
-            echo "kernel number with a dash or some other delimiter."
-            echo
-            exit 1
-        fi
-
        # sanity checking for the appropriate kernel on each architecture.
        kernel_ver=`uname -r`
        case ${DPKG_MAINTSCRIPT_ARCH} in
@@ -124,7 +102,7 @@ then
                ;;
        esac

-        if linux_compare_versions "$kernel_ver" lt $kernel_ver_min
+        if kernel_compare_versions "$kernel_ver" lt $kernel_ver_min
        then
            if [ "$USE_DEBCONF" ]
            then
@@ -144,7 +122,7 @@ then
            exit 1
        fi

-        if linux_compare_versions "$kernel_ver" lt $kernel_ver_rec
+        if kernel_compare_versions "$kernel_ver" lt $kernel_ver_rec
        then
            if [ "$USE_DEBCONF" ]
            then
@@ -167,7 +145,7 @@ then
    then
        kernel_ver=`uname -r`
        kernel_ver_min=8.3
-        if kfreebsd_compare_versions "$kernel_ver" lt $kernel_ver_min
+        if kernel_compare_versions "$kernel_ver" lt $kernel_ver_min
        then
            if [ "$USE_DEBCONF" ]
            then

--- a/debian/patches/any/local-CVE-2021-33574-mq_notify-use-after-free.diff
+++ b/debian/patches/any/local-CVE-2021-33574-mq_notify-use-after-free.diff
+This is basically a backport of the following upstream commits below with
+__pthread_attr_copy implemented as a static function in mq_notify.c Indeed it
+has been added upstream in glibc 2.32 and is exported as a GLIBC_PRIVATE symbol
+from libpthread.so while __mq_notify is exported by librt.so. As Debian
+supports online upgrades, We need to support the case where 1) a process is
+started loading libpthread.so, 2) the glibc libraries are upgraded 3) librt.so
+is dlopened.  This scenario might happens for instance with OpenJDK.
+
+commit 331c6e8a184167dd21a9f0b3fc165aeefea6eeca
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Tue May 19 12:32:39 2020 +0200
+
+    nptl: Add __pthread_attr_copy for copying pthread_attr_t objects
+
+commit 79474303223c5665bec75ffbdb2a86ee04a2514b
+Author: Nikita Popov <npv1310@gmail.com>
+Date:   Mon Aug 9 20:17:34 2021 +0530
+
+    librt: fix NULL pointer dereference (bug 28213)
+
+    Helper thread frees copied attribute on NOTIFY_REMOVED message
+    received from the OS kernel.  Unfortunately, it fails to check whether
+    copied attribute actually exists (data.attr != NULL).  This worked
+    earlier because free() checks passed pointer before actually
+    attempting to release corresponding memory.  But
+    __pthread_attr_destroy assumes pointer is not NULL.
+
+    So passing NULL pointer to __pthread_attr_destroy will result in
+    segmentation fault.  This scenario is possible if
+    notification->sigev_notify_attributes == NULL (which means default
+    thread attributes should be used).
+
+    Signed-off-by: Nikita Popov <npv1310@gmail.com>
+    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+    (cherry picked from commit b805aebd42364fe696e417808a700fdb9800c9e8)
+
+commit 42d359350510506b87101cf77202fefcbfc790cb
+Author: Andreas Schwab <schwab@linux-m68k.org>
+Date:   Thu May 27 12:49:47 2021 +0200
+
+    Use __pthread_attr_copy in mq_notify (bug 27896)
+
+    Make a deep copy of the pthread attribute object to remove a potential
+    use-after-free issue.
+
+commit 217b6dc298156bdb0d6aea9ea93e7e394a5ff091
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Tue Jun 1 17:51:41 2021 +0200
+
+    Fix use of __pthread_attr_copy in mq_notify (bug 27896)
+
+    __pthread_attr_copy can fail and does not initialize the attribute
+    structure in that case.
+
+    If __pthread_attr_copy is never called and there is no allocated
+    attribute, pthread_attr_destroy should not be called, otherwise
+    there is a null pointer dereference in rt/tst-mqueue6.
+
+    Fixes commit 42d359350510506b87101cf77202fefcbfc790cb
+    ("Use __pthread_attr_copy in mq_notify (bug 27896)").
+
+    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
+index f288bac477..e78ae74f0b 100644
+--- a/sysdeps/unix/sysv/linux/mq_notify.c
+++ b/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -134,9 +134,12 @@ helper_thread (void *arg)
+ 	       to wait until it is done with it.  */
+ 	    (void) __pthread_barrier_wait (&notify_barrier);
+ 	}
+-      else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
+-	/* The only state we keep is the copy of the thread attributes.  */
+-	free (data.attr);
+      else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED && data.attr != NULL)
+	{
+	  /* The only state we keep is the copy of the thread attributes.  */
+	  pthread_attr_destroy (data.attr);
+	  free (data.attr);
+	}
+     }
+   return NULL;
+ }
+@@ -214,6 +217,42 @@ init_mq_netlink (void)
+     }
+ }
+ 
+static int
+__pthread_attr_copy (pthread_attr_t *target, const pthread_attr_t *source)
+{
+  /* Avoid overwriting *TARGET until all allocations have
+     succeeded.  */
+  union
+  {
+    pthread_attr_t external;
+    struct pthread_attr internal;
+  } temp;
+
+
+  temp.external = *source;
+
+  /* Force new allocation.  This function has full ownership of temp.  */
+  temp.internal.cpuset = NULL;
+  temp.internal.cpusetsize = 0;
+
+  struct pthread_attr *isource = (struct pthread_attr *) source;
+
+  /* Propagate affinity mask information.  */
+  if (isource->cpuset != NULL && isource->cpusetsize > 0)
+    {
+      temp.internal.cpuset = (cpu_set_t *) malloc (isource->cpusetsize);
+      if (temp.internal.cpuset == NULL)
+        return ENOMEM;
+
+      temp.internal.cpusetsize = isource->cpusetsize;
+      memcpy (temp.internal.cpuset, isource->cpuset, isource->cpusetsize);
+    }
+
+  /* Transfer ownership.  *target is not assumed to have been
+     initialized.  */
+  *target = temp.external;
+  return 0;
+}
+ 
+ /* Register notification upon message arrival to an empty message queue
+    MQDES.  */
+@@ -257,8 +296,14 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+       if (data.attr == NULL)
+ 	return -1;
+ 
+-      memcpy (data.attr, notification->sigev_notify_attributes,
+-	      sizeof (pthread_attr_t));
+      int ret = __pthread_attr_copy (data.attr,
+				     notification->sigev_notify_attributes);
+      if (ret != 0)
+	{
+	  free (data.attr);
+	  __set_errno (ret);
+	  return -1;
+	}
+     }
+ 
+   /* Construct the new request.  */
+@@ -271,8 +316,11 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+   int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se);
+ 
+   /* If it failed, free the allocated memory.  */
+-  if (__glibc_unlikely (retval != 0))
+-    free (data.attr);
+  if (retval != 0 && data.attr != NULL)
+    {
+      pthread_attr_destroy (data.attr);
+      free (data.attr);
+    }
+ 
+   return retval;
+ }
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -168,3 +168,4 @@ any/submitted-ld.so-cache-new-format.diff
 any/local-test-install.diff
 any/git-surplus-tls-accounting.diff
 any/git-ld.so-cache-endianness-markup.diff
+any/local-CVE-2021-33574-mq_notify-use-after-free.diff