diff --git a/backport-CVE-2021-35942-wordexp-handle-overflow-in-positional-parameter-numb.patch b/backport-CVE-2021-35942-wordexp-handle-overflow-in-positional-parameter-numb.patch new file mode 100644 index 0000000000000000000000000000000000000000..1c5cb79ebf77a8164e9a84102df39d11368be7e5 --- /dev/null +++ b/backport-CVE-2021-35942-wordexp-handle-overflow-in-positional-parameter-numb.patch @@ -0,0 +1,43 @@ +From 5adda61f62b77384718b4c0d8336ade8f2b4b35c Mon Sep 17 00:00:00 2001 +From: Andreas Schwab +Date: Fri, 25 Jun 2021 15:02:47 +0200 +Subject: [PATCH] wordexp: handle overflow in positional parameter number (bug + 28011) + +Use strtoul instead of atoi so that overflow can be detected. + +Conflict:NA +Reference:https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c +--- + posix/wordexp-test.c | 1 + + posix/wordexp.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c +index f93a546d7e..9df02dbbb3 100644 +--- a/posix/wordexp-test.c ++++ b/posix/wordexp-test.c +@@ -183,6 +183,7 @@ struct test_case_struct + { 0, NULL, "$var", 0, 0, { NULL, }, IFS }, + { 0, NULL, "\"\\n\"", 0, 1, { "\\n", }, IFS }, + { 0, NULL, "", 0, 0, { NULL, }, IFS }, ++ { 0, NULL, "${1234567890123456789012}", 0, 0, { NULL, }, IFS }, + + /* Flags not already covered (testit() has special handling for these) */ + { 0, NULL, "one two", WRDE_DOOFFS, 2, { "one", "two", }, IFS }, +diff --git a/posix/wordexp.c b/posix/wordexp.c +index bcbe96e48d..1f3b09f721 100644 +--- a/posix/wordexp.c ++++ b/posix/wordexp.c +@@ -1399,7 +1399,7 @@ envsubst: + /* Is it a numeric parameter? */ + else if (isdigit (env[0])) + { +- int n = atoi (env); ++ unsigned long n = strtoul (env, NULL, 10); + + if (n >= __libc_argc) + /* Substitute NULL. */ +-- +2.27.0 + diff --git a/glibc.spec b/glibc.spec index 5d639ff8e8e074361f48a4d974b45b42bc35f7c9..a7b42219b4db4e0bd4a3e7ed4f9d97d8ac220300 100644 --- a/glibc.spec +++ b/glibc.spec @@ -59,7 +59,7 @@ ############################################################################## Name: glibc Version: 2.28 -Release: 71 +Release: 72 Summary: The GNU libc libraries License: %{all_license} URL: http://www.gnu.org/software/glibc/ @@ -129,6 +129,7 @@ Patch45: backport-CVE-2021-33574-0002-Fix-mq_notify-bug-27896.patch Patch46: backport-aarch64-align-stack-in-clone-BZ-27939.patch Patch47: backport-x86-64-Align-child-stack-to-16-bytes-BZ-27902.patch Patch48: backport-ldconfig-handle-.dynstr-located-in-separate-segment-.patch +Patch49: backport-CVE-2021-35942-wordexp-handle-overflow-in-positional-parameter-numb.patch Provides: ldconfig rtld(GNU_HASH) bundled(gnulib) @@ -1153,6 +1154,10 @@ fi %doc hesiod/README.hesiod %changelog +* Thu Jul 1 2021 QingqingLi - 2.28-72 +- wordexp: Use strtoul instead of atoi so that overflow can be detected. (bug 28011) + https://sourceware.org/bugzilla/show_bug.cgi?id=28011 + * Wed Jun 30 2021 lvying - 2.28-71 - ldconfig: handle .dynstr located in separate segment (bug 25087) https://sourceware.org/git/?p=glibc.git;a=commit;h=58e8f5fd2ba47b6dc47fd4d0a35e4175c7c87aaa