← Back to branch summary

~ubuntu-branches/ubuntu/trusty/eglibc/trusty-security

« back to all changes in this revision

Viewing changes to catgets/open_catalog.c

  • Committer: Package Import Robot
  • Author(s): Steve Beattie
  • Date: 2016-04-08 23:26:02 UTC
  • Revision ID: package-import@ubuntu.com-20160408232602-694337pzn1m5xgc3
Tags: 2.19-0ubuntu6.8
https://launchpad.net/bugs/1546457
* SECURITY UPDATE: buffer overflow in gethostbyname_r and related
  functions
  - debian/patches/any/CVE-2015-1781.diff: take alignment padding
    into account when computing if buffer is too small.
  - CVE-2015-1781
* SECURITY UPDATE: glibc Name Service Switch (NSS) denial of sevice
  - debian/patches/any/CVE-2014-8121-1.diff: do not close NSS files
    database during iteration.
  - debian/patches/any/CVE-2014-8121-2.diff: Separate internal state
    between getXXent and getXXbyYY NSS calls.
  - CVE-2014-8121
* SECURITY UPDATE: glibc unbounded stack usage in NaN strtod
  conversion
  - debian/patches/any/CVE-2014-9761-1.diff: Refactor strtod parsing
    of NaN payloads.
  - debian/patches/any/CVE-2014-9761-1.diff:  Fix nan functions
    handling of payload strings
  - CVE-2014-9761
* SECURITY UPDATE: NSS files long line buffer overflow
  - debian/patches/any/CVE-2015-5277.diff: Don't ignore too long
    lines in nss_files
  - CVE-2015-5277
* SECURITY UPDATE: out of range data to strftime() causes segfault
  (denial of service)
  - debian/patches/any/CVE-2015-8776.diff: add range checks to
    strftime() processing
  - CVE-2015-8776
* SECURITY UPDATE: glibc honors LD_POINTER_GUARD env for setuid
  AT_SECURE programs (e.g. setuid), allowing disabling of pointer
  mangling
  - debian/patches/any/CVE-2015-8777.diff: Always enable pointer
    guard
  - CVE-2015-8777
* SECURITY UPDATE: integer overflow in hcreate and hcreate_r
  - debian/patches/any/CVE-2015-8778.diff: check for large inputs
  - CVE-2015-8778
* SECURITY UPDATE: unbounded stack allocation in catopen()
  - debian/patches/any/CVE-2015-8779.diff: stop using unbounded
    alloca()
  - CVE-2015-8779
* SECURITY UPDATE: Stack overflow in _nss_dns_getnetbyname_r
  - debian/patches/any/CVE-2016-3075.diff: do not make unneeded
    memory copy on the stack.
  - CVE-2016-3075
* SECURITY UPDATE: pt_chown privilege escalation
  - debian/patches/any/CVE-2016-2856.diff: grantpt: trust the kernel
    about pty group and permission mode
  - debian/sysdeps/linux.mk: don't build pt_chown
  - debian/rules.d/debhelper.mk: only install pt_chown when built.
  - CVE-2016-2856, CVE-2013-2207
* debian/debhelper.in/libc.postinst: add reboot notifications for
  security updates (LP: #1546457)
* debian/patches/ubuntu/submitted-no-stack-backtrace.diff: update
  patch to eliminate compiler warning.

Show diffs side-by-side

added added

removed removed

Lines of Context:
catgets/open_catalog.c
47
47
  size_t tab_size;
48
48
  const char *lastp;
49
49
  int result = -1;
 
50
  char *buf = NULL;
50
51
 
51
52
  if (strchr (cat_name, '/') != NULL || nlspath == NULL)
52
53
    fd = open_not_cancel_2 (cat_name, O_RDONLY);
57
58
  if (__builtin_expect (bufact + (n) >= bufmax, 0))                           \
58
59
    {                                                                         \
59
60
      char *old_buf = buf;                                                    \
60
 
      bufmax += 256 + (n);                                                    \
61
 
      buf = (char *) alloca (bufmax);                                         \
62
 
      memcpy (buf, old_buf, bufact);                                          \
 
61
      bufmax += (bufmax < 256 + (n)) ? 256 + (n) : bufmax;                    \
 
62
      buf = realloc (buf, bufmax);                                            \
 
63
      if (__glibc_unlikely (buf == NULL))                                     \
 
64
        {                                                                     \
 
65
          free (old_buf);                                                     \
 
66
          return -1;                                                          \
 
67
        }                                                                     \
63
68
    }
64
69
 
65
70
      /* The RUN_NLSPATH variable contains a colon separated list of
66
71
         descriptions where we expect to find catalogs.  We have to
67
72
         recognize certain % substitutions and stop when we found the
68
73
         first existing file.  */
69
 
      char *buf;
70
74
      size_t bufact;
71
 
      size_t bufmax;
 
75
      size_t bufmax = 0;
72
76
      size_t len;
73
77
 
74
 
      buf = NULL;
75
 
      bufmax = 0;
76
 
 
77
78
      fd = -1;
78
79
      while (*run_nlspath != '\0')
79
80
        {
188
189
 
189
190
  /* Avoid dealing with directories and block devices */
190
191
  if (__builtin_expect (fd, 0) < 0)
191
 
    return -1;
 
192
    {
 
193
      free (buf);
 
194
      return -1;
 
195
    }
192
196
 
193
197
  if (__builtin_expect (__fxstat64 (_STAT_VER, fd, &st), 0) < 0)
194
198
    goto close_unlock_return;
325
329
  /* Release the lock again.  */
326
330
 close_unlock_return:
327
331
  close_not_cancel_no_status (fd);
 
332
  free (buf);
328
333
 
329
334
  return result;
330
335
}