From c4279fb077d934a92ac6353818f7e207ef1596a1 Mon Sep 17 00:00:00 2001
From: liqingqing_1229
Date: Thu, 1 Jul 2021 14:26:02 +0800
Subject: [PATCH] fix CVE-2021-35942. wordexp: Use strtoul instead of atoi so that overflow can be detected.
---
 ...verflow-in-positional-parameter-numb.patch | 43 +++++++++++++++++++
 glibc.spec | 7 ++-
 2 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2021-35942-wordexp-handle-overflow-in-positional-parameter-numb.patch
diff --git a/backport-CVE-2021-35942-wordexp-handle-overflow-in-positional-parameter-numb.patch b/backport-CVE-2021-35942-wordexp-handle-overflow-in-positional-parameter-numb.patch
new file mode 100644
index 0000000..1c5cb79
--- /dev/null
+++ b/backport-CVE-2021-35942-wordexp-handle-overflow-in-positional-parameter-numb.patch
@@ -0,0 +1,43 @@
+From 5adda61f62b77384718b4c0d8336ade8f2b4b35c Mon Sep 17 00:00:00 2001
+From: Andreas Schwab
+Date: Fri, 25 Jun 2021 15:02:47 +0200
+Subject: [PATCH] wordexp: handle overflow in positional parameter number (bug
+ 28011)
+
+Use strtoul instead of atoi so that overflow can be detected.
+
+Conflict:NA
+Reference:https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c
+---
+ posix/wordexp-test.c | 1 +
+ posix/wordexp.c | 2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
+index f93a546d7e..9df02dbbb3 100644
+--- a/posix/wordexp-test.c
++++ b/posix/wordexp-test.c
+@@ -183,6 +183,7 @@ struct test_case_struct
+ { 0, NULL, "$var", 0, 0, { NULL, }, IFS },
+ { 0, NULL, "\"\\n\"", 0, 1, { "\\n", }, IFS },
+ { 0, NULL, "", 0, 0, { NULL, }, IFS },
++ { 0, NULL, "${1234567890123456789012}", 0, 0, { NULL, }, IFS },
+
+ /* Flags not already covered (testit() has special handling for these) */
+ { 0, NULL, "one two", WRDE_DOOFFS, 2, { "one", "two", }, IFS },
+diff --git a/posix/wordexp.c b/posix/wordexp.c
+index bcbe96e48d..1f3b09f721 100644
+--- a/posix/wordexp.c
++++ b/posix/wordexp.c
+@@ -1399,7 +1399,7 @@ envsubst:
+ /* Is it a numeric parameter? */
+ else if (isdigit (env[0]))
+ {
+- int n = atoi (env);
++ unsigned long n = strtoul (env, NULL, 10);
+
+ if (n >= __libc_argc)
+ /* Substitute NULL. */
+--
+2.27.0
+
diff --git a/glibc.spec b/glibc.spec
index d075be3..aafaf75 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -60,7 +60,7 @@
 ##############################################################################
 Name: glibc
 Version: 2.33
-Release: 4
+Release: 5
 Summary: The GNU libc libraries
 License: %{all_license}
 URL: http://www.gnu.org/software/glibc/
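Review bot: In the posix/wordexp.c hunk of the added backport patch, the fix depends on `strtoul (env, NULL, 10)` saturating to `ULONG_MAX` so that an over-long positional parameter number fails `n >= __libc_argc`, but the code does not say so, and the comparison now mixes `unsigned long` with `__libc_argc` (presumably an `int`). I would add a comment above the declaration, `/* strtoul returns ULONG_MAX on overflow, so an out-of-range number always takes the NULL branch below.  */`, so that a later cleanup does not narrow `n` back to `int`. The added test case only covers a value that overflows `unsigned long`; a second case that exceeds `INT_MAX` but still fits in a 64-bit `unsigned long`, e.g. `{ 0, NULL, "${2147483648}", 0, 0, { NULL, }, IFS },` (constructed value), would also pin the old truncation path. The `envsubst:` block continues outside the hunk, so how `n` is used after the bounds check cannot be confirmed from here; since this is a verbatim backport, the comment and extra test may be better raised upstream.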
@@ -81,6 +81,7 @@ Patch2: Fix-the-inaccuracy-of-j0f-j1f-y0f-y1f-BZ.patch Patch6000: backport-posix-tst-rfc3484-Fix-compile-failure-linking-to-loc.patch Patch6001: backport-Use-__pthread_attr_copy-in-mq_notify-bug-27896.patch Patch6002: backport-Fix-use-of-__pthread_attr_copy-in-mq_notify-bug-27896.patch +Patch6003: backport-CVE-2021-35942-wordexp-handle-overflow-in-positional-parameter-numb.patch Patch9000: turn-REP_STOSB_THRESHOLD-from-2k-to-1M.patch Patch9001: delete-no-hard-link-to-avoid-all_language-package-to.patch @@ -1172,6 +1173,10 @@ fi %doc hesiod/README.hesiod %changelog +* Thu Jul 1 2021 QingqingLi - 2.33-5 +- wordexp: Use strtoul instead of atoi so that overflow can be detected. (bug 28011) + https://sourceware.org/bugzilla/show_bug.cgi?id=28011 + * Fri Jun 18 2021 Qingqing Li - 2.33-4 - fix CVE-2021-33574(bug 27896) https://sourceware.org/bugzilla/show_bug.cgi?id=27896 -- Gitee