diff --git a/Fix-CVE-2020-27618-iconv-Accept-redundant-shift-sequences.patch b/Fix-CVE-2020-27618-iconv-Accept-redundant-shift-sequences.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c26139f12fc95d99bf9bec65bd55ab237449124c
--- /dev/null
+++ b/Fix-CVE-2020-27618-iconv-Accept-redundant-shift-sequences.patch
@@ -0,0 +1,56 @@
+From 9a99c682144bdbd40792ebf822fe9264e0376fb5 Mon Sep 17 00:00:00 2001
+From: Arjun Shankar
+Date: Wed, 4 Nov 2020 12:19:38 +0100
+Subject: [PATCH] iconv: Accept redundant shift sequences in IBM1364 [BZ
+ #26224]
+
+The IBM1364, IBM1371, IBM1388, IBM1390 and IBM1399 character sets
+share converter logic (iconvdata/ibm1364.c) which would reject
+redundant shift sequences when processing input in these character
+sets. This led to a hang in the iconv program (CVE-2020-27618).
+
+This commit adjusts the converter to ignore redundant shift sequences
+and adds test cases for iconv_prog hangs that would be triggered upon
+their rejection. This brings the implementation in line with other
+converters that also ignore redundant shift sequences (e.g. IBM930
+etc., fixed in commit 692de4b3960d).
+
+Reviewed-by: Carlos O'Donell
+---
+ iconvdata/ibm1364.c | 14 ++------------
+ 1 files changed, 2 insertions(+), 12 deletions(-)
+
+diff --git a/iconvdata/ibm1364.c b/iconvdata/ibm1364.c
+index 49e7267ab45..521f0825b7f 100644
+--- a/iconvdata/ibm1364.c
++++ b/iconvdata/ibm1364.c
+@@ -158,24 +158,14 @@ enum
+ \
+ if (__builtin_expect (ch, 0) == SO) \
+ { \
+- /* Shift OUT, change to DBCS converter. */ \
+- if (curcs == db) \
+- { \
+- result = __GCONV_ILLEGAL_INPUT; \
+- break; \
+- } \
++ /* Shift OUT, change to DBCS converter (redundant escape okay). */ \
+ curcs = db; \
+ ++inptr; \
+ continue; \
+ } \
+ if (__builtin_expect (ch, 0) == SI) \
+ { \
+- /* Shift IN, change to SBCS converter. */ \
+- if (curcs == sb) \
+- { \
+- result = __GCONV_ILLEGAL_INPUT; \
+- break; \
+- } \
++ /* Shift IN, change to SBCS converter (redundant escape okay). */ \
+ curcs = sb; \
+ ++inptr; \
+ continue; \
+--
+2.25.1
+
diff --git a/glibc.spec b/glibc.spec
index c430cddfe49decbf0573feb02e68a7de1a77d7bb..048db7ce208371619f46484f37b25d96c1a2b4ec 100644
--- a/glibc.spec
+++ b/glibc.spec
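Review bot: The packaged patch carries only the converter change: its diffstat lists `iconvdata/ibm1364.c | 14` and `1 files changed`, while the retained upstream message still says the commit "adds test cases for iconv_prog hangs". The regression test for CVE-2020-27618 therefore does not appear to be part of this backport. Either carry the upstream test hunk as well, or add a line to the patch header such as `Backport note: upstream test-suite changes omitted; only iconvdata/ibm1364.c is patched`, so that a later audit does not assume the package's test run exercises the hang. The message also leans on the IBM930-family fix in commit 692de4b3960d; the part of the Patch list visible in glibc.spec does not show it, so it is worth confirming that this 2.28 tree already contains that change.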
@@ -59,7 +59,7 @@ ############################################################################## Name: glibc Version: 2.28 -Release: 46 +Release: 47 Summary: The GNU libc libraries License: %{all_license} URL: http://www.gnu.org/software/glibc/ @@ -96,6 +96,7 @@ Patch19: Workaround-deprecation-warnings-introduced-in-libselinux-3.1.patch Patch20: backport-0001-Fix-handling-of-collating-symbols-in-fnmatch-bug-266.patch Patch21: backport-sysvipc-Fix-SEM_STAT_ANY-kernel-argument-pass-BZ-26637.patch Patch22: backport-i686-tst-strftime3-fix-printf-warning.patch +Patch23: Fix-CVE-2020-27618-iconv-Accept-redundant-shift-sequences.patch Provides: ldconfig rtld(GNU_HASH) bundled(gnulib) @@ -1091,6 +1092,10 @@ fi %doc hesiod/README.hesiod %changelog +* Tue Nov 10 2020 liusirui - 2.28-47 +- Fix CVE-2020-27618, iconv accept redundant shift sequences in IBM1364 [BZ #26224] + https://sourceware.org/bugzilla/show_bug.cgi?id=26224 + * Tue Oct 27 2020 Qingqing Li - 2.28-46 - fix handling of collating symbols in fnmatch. upstream link is: https://sourceware.org/bugzilla/show_bug.cgi?id=26620