* [PATCH 0/4][fido] Glibc security fixes
@ 2016-01-25 19:34 Armin Kuster
2016-01-25 19:34 ` [PATCH 1/4] glibc: CVE-2015-8777 Armin Kuster
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: Armin Kuster @ 2016-01-25 19:34 UTC (permalink / raw)
To: openembedded-core
noticed this did not hit the patchwork. resending.
Please consider these for the next fido update.
The following changes since commit 9845a542a76156adb5aef6fd33ad5bc5777acf64:
openssh: CVE-2016-077x (2016-01-20 17:08:30 +0000)
are available in the git repository at:
git://git.yoctoproject.org/poky-contrib akuster/fido_glibc_cve_fixes
http://git.yoctoproject.org/cgit.cgi//log/?h=akuster/fido_glibc_cve_fixes
Armin Kuster (4):
glibc: CVE-2015-8777
glibc: CVE-2015-8779
glibc: CVE-2015-9761
glibc: CVE_2015-8776
meta/recipes-core/glibc/glibc/CVE-2015-8776.patch | 176 +++
meta/recipes-core/glibc/glibc/CVE-2015-8777.patch | 143 ++
meta/recipes-core/glibc/glibc/CVE-2015-8779.patch | 282 ++++
meta/recipes-core/glibc/glibc/CVE-2015-9761.patch | 1452 +++++++++++++++++++++
meta/recipes-core/glibc/glibc_2.21.bb | 4 +
5 files changed, 2057 insertions(+)
create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-9761.patch
--
2.3.5
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH 1/4] glibc: CVE-2015-8777
2016-01-25 19:34 [PATCH 0/4][fido] Glibc security fixes Armin Kuster
@ 2016-01-25 19:34 ` Armin Kuster
2016-01-25 19:34 ` [PATCH 2/4] glibc: CVE-2015-8779 Armin Kuster
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Armin Kuster @ 2016-01-25 19:34 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
meta/recipes-core/glibc/glibc/CVE-2015-8777.patch | 143 ++++++++++++++++++++++
meta/recipes-core/glibc/glibc_2.21.bb | 1 +
2 files changed, 144 insertions(+)
create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
new file mode 100644
index 0000000..4041af6
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
@@ -0,0 +1,143 @@
+From fd3a7f229e52be32414d889977fef245da6055d4 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster@mvista.com>
+Date: Fri, 22 Jan 2016 20:13:00 -0800
+Subject: [PATCH 1/4] glibc: CVE-2015-8777.patch
+
+The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or
+libc6) before 2.23 allows local users to bypass a pointer-guarding protection
+mechanism via a zero value of the LD_POINTER_GUARD environment variable.
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ meta/recipes-core/glibc/glibc/CVE-2015-8777.patch | 123 ++++++++++++++++++++++
+ 2 files changed, 124 insertions(+)
+ create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
+
+Index: git/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
+===================================================================
+--- /dev/null
++++ git/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
+@@ -0,0 +1,123 @@
++From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001
++From: Florian Weimer <fweimer@redhat.com>
++Date: Thu, 15 Oct 2015 09:23:07 +0200
++Subject: [PATCH] Always enable pointer guard [BZ #18928]
++
++Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
++has security implications. This commit enables pointer guard
++unconditionally, and the environment variable is now ignored.
++
++ [BZ #18928]
++ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
++ _dl_pointer_guard member.
++ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
++ initializer.
++ (security_init): Always set up pointer guard.
++ (process_envvars): Do not process LD_POINTER_GUARD.
++
++Upstream-Status: Backport
++CVE: CVE-2015-8777
++[Yocto # 8980]
++
++https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7
++
++Signed-off-by: Armin Kuster <akuster@mvista.com>
++
++---
++ ChangeLog | 10 ++++++++++
++ NEWS | 13 ++++++++-----
++ elf/rtld.c | 15 ++++-----------
++ sysdeps/generic/ldsodefs.h | 3 ---
++ 4 files changed, 22 insertions(+), 19 deletions(-)
++
++Index: git/ChangeLog
++===================================================================
++--- git.orig/ChangeLog
+++++ git/ChangeLog
++@@ -1,3 +1,14 @@
+++2015-10-15 Florian Weimer <fweimer@redhat.com>
+++
+++ [BZ #18928]
+++ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+++ _dl_pointer_guard member.
+++ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+++ initializer.
+++ (security_init): Always set up pointer guard.
+++ (process_envvars): Do not process LD_POINTER_GUARD.
+++
+++
++ 2015-08-10 Maxim Ostapenko <m.ostapenko@partner.samsung.com>
++
++ [BZ #18778]
++Index: git/NEWS
++===================================================================
++--- git.orig/NEWS
+++++ git/NEWS
++@@ -34,7 +34,10 @@ Version 2.22
++ 18533, 18534, 18536, 18539, 18540, 18542, 18544, 18545, 18546, 18547,
++ 18549, 18553, 18557, 18558, 18569, 18583, 18585, 18586, 18592, 18593,
++ 18594, 18602, 18612, 18613, 18619, 18633, 18635, 18641, 18643, 18648,
++- 18657, 18676, 18694, 18696.
+++ 18657, 18676, 18694, 18696, 18928.
+++
+++* The LD_POINTER_GUARD environment variable can no longer be used to
+++ disable the pointer guard feature. It is always enabled.
++
++ * Cache information can be queried via sysconf() function on s390 e.g. with
++ _SC_LEVEL1_ICACHE_SIZE as argument.
++Index: git/elf/rtld.c
++===================================================================
++--- git.orig/elf/rtld.c
+++++ git/elf/rtld.c
++@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at
++ ._dl_hwcap_mask = HWCAP_IMPORTANT,
++ ._dl_lazy = 1,
++ ._dl_fpu_control = _FPU_DEFAULT,
++- ._dl_pointer_guard = 1,
++ ._dl_pagesize = EXEC_PAGESIZE,
++ ._dl_inhibit_cache = 0,
++
++@@ -710,15 +709,12 @@ security_init (void)
++ #endif
++
++ /* Set up the pointer guard as well, if necessary. */
++- if (GLRO(dl_pointer_guard))
++- {
++- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
++- stack_chk_guard);
+++ uintptr_t pointer_chk_guard
+++ = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
++ #ifdef THREAD_SET_POINTER_GUARD
++- THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+++ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
++ #endif
++- __pointer_chk_guard_local = pointer_chk_guard;
++- }
+++ __pointer_chk_guard_local = pointer_chk_guard;
++
++ /* We do not need the _dl_random value anymore. The less
++ information we leave behind, the better, so clear the
++@@ -2478,9 +2474,6 @@ process_envvars (enum mode *modep)
++ GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
++ break;
++ }
++-
++- if (memcmp (envline, "POINTER_GUARD", 13) == 0)
++- GLRO(dl_pointer_guard) = envline[14] != '0';
++ break;
++
++ case 14:
++Index: git/sysdeps/generic/ldsodefs.h
++===================================================================
++--- git.orig/sysdeps/generic/ldsodefs.h
+++++ git/sysdeps/generic/ldsodefs.h
++@@ -600,9 +600,6 @@ struct rtld_global_ro
++ /* List of auditing interfaces. */
++ struct audit_ifaces *_dl_audit;
++ unsigned int _dl_naudit;
++-
++- /* 0 if internal pointer values should not be guarded, 1 if they should. */
++- EXTERN int _dl_pointer_guard;
++ };
++ # define __rtld_global_attribute__
++ # if IS_IN (rtld)
diff --git a/meta/recipes-core/glibc/glibc_2.21.bb b/meta/recipes-core/glibc/glibc_2.21.bb
index 3bba734..efbcc9c 100644
--- a/meta/recipes-core/glibc/glibc_2.21.bb
+++ b/meta/recipes-core/glibc/glibc_2.21.bb
@@ -48,6 +48,7 @@ EGLIBCPATCHES = "\
#
CVEPATCHES = "\
file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \
+ file://CVE-2015-8777.patch \
"
LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
--
2.3.5
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 2/4] glibc: CVE-2015-8779
2016-01-25 19:34 [PATCH 0/4][fido] Glibc security fixes Armin Kuster
2016-01-25 19:34 ` [PATCH 1/4] glibc: CVE-2015-8777 Armin Kuster
@ 2016-01-25 19:34 ` Armin Kuster
2016-01-25 19:34 ` [PATCH 3/4] glibc: CVE-2015-9761 Armin Kuster
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Armin Kuster @ 2016-01-25 19:34 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
meta/recipes-core/glibc/glibc/CVE-2015-8779.patch | 282 ++++++++++++++++++++++
meta/recipes-core/glibc/glibc_2.21.bb | 1 +
2 files changed, 283 insertions(+)
create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
new file mode 100644
index 0000000..78268c3
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
@@ -0,0 +1,282 @@
+From fb410c22544dfd6cc82f59523ac9824d88880325 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster@mvista.com>
+Date: Fri, 22 Jan 2016 20:19:24 -0800
+Subject: [PATCH 2/4] glibc: CVE-2015-8779
+
+A stack overflow vulnerability in the catopen function was found, causing
+applications which pass long strings to the catopen function to crash or,
+potentially execute arbitrary code.
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ meta/recipes-core/glibc/glibc/CVE-2015-8779.patch | 262 ++++++++++++++++++++++
+ 2 files changed, 263 insertions(+)
+ create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
+
+Index: git/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
+===================================================================
+--- /dev/null
++++ git/meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
+@@ -0,0 +1,262 @@
++From 0f58539030e436449f79189b6edab17d7479796e Mon Sep 17 00:00:00 2001
++From: Paul Pluzhnikov <ppluzhnikov@google.com>
++Date: Sat, 8 Aug 2015 15:53:03 -0700
++Subject: [PATCH] Fix BZ #17905
++
++Upstream-Status: Backport
++CVE: CVE-2015-8779
++[Yocto # 8980]
++
++https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0f58539030e436449f79189b6edab17d7479796e
++
++Signed-off-by: Armin Kuster <akuster@mvista.com>
++
++---
++ ChangeLog | 8 ++++++++
++ NEWS | 2 +-
++ catgets/Makefile | 9 ++++++++-
++ catgets/catgets.c | 19 ++++++++++++-------
++ catgets/open_catalog.c | 23 ++++++++++++++---------
++ catgets/tst-catgets.c | 31 +++++++++++++++++++++++++++++++
++ 6 files changed, 74 insertions(+), 18 deletions(-)
++
++Index: git/catgets/Makefile
++===================================================================
++--- git.orig/catgets/Makefile
+++++ git/catgets/Makefile
++@@ -37,6 +37,7 @@ ifeq (y,$(OPTION_EGLIBC_CATGETS))
++ ifeq ($(run-built-tests),yes)
++ tests-special += $(objpfx)de/libc.cat $(objpfx)test1.cat $(objpfx)test2.cat \
++ $(objpfx)sample.SJIS.cat $(objpfx)test-gencat.out
+++tests-special += $(objpfx)tst-catgets-mem.out
++ endif
++ endif
++ gencat-modules = xmalloc
++@@ -53,9 +54,11 @@ catgets-CPPFLAGS := -DNLSPATH='"$(msgcat
++
++ generated += de.msg test1.cat test1.h test2.cat test2.h sample.SJIS.cat \
++ test-gencat.h
+++generated += tst-catgets.mtrace tst-catgets-mem.out
+++
++ generated-dirs += de
++
++-tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de
+++tst-catgets-ENV = NLSPATH="$(objpfx)%l/%N.cat" LANG=de MALLOC_TRACE=$(objpfx)tst-catgets.mtrace
++
++ ifeq ($(run-built-tests),yes)
++ # This test just checks whether the program produces any error or not.
++@@ -89,4 +92,8 @@ $(objpfx)test-gencat.out: test-gencat.sh
++ $(objpfx)sample.SJIS.cat: sample.SJIS $(objpfx)gencat
++ $(built-program-cmd) -H $(objpfx)test-gencat.h < $(word 1,$^) > $@; \
++ $(evaluate-test)
+++
+++$(objpfx)tst-catgets-mem.out: $(objpfx)tst-catgets.out
+++ $(common-objpfx)malloc/mtrace $(objpfx)tst-catgets.mtrace > $@; \
+++ $(evaluate-test)
++ endif
++Index: git/catgets/catgets.c
++===================================================================
++--- git.orig/catgets/catgets.c
+++++ git/catgets/catgets.c
++@@ -16,7 +16,6 @@
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++-#include <alloca.h>
++ #include <errno.h>
++ #include <locale.h>
++ #include <nl_types.h>
++@@ -35,6 +34,7 @@ catopen (const char *cat_name, int flag)
++ __nl_catd result;
++ const char *env_var = NULL;
++ const char *nlspath = NULL;
+++ char *tmp = NULL;
++
++ if (strchr (cat_name, '/') == NULL)
++ {
++@@ -54,7 +54,10 @@ catopen (const char *cat_name, int flag)
++ {
++ /* Append the system dependent directory. */
++ size_t len = strlen (nlspath) + 1 + sizeof NLSPATH;
++- char *tmp = alloca (len);
+++ tmp = malloc (len);
+++
+++ if (__glibc_unlikely (tmp == NULL))
+++ return (nl_catd) -1;
++
++ __stpcpy (__stpcpy (__stpcpy (tmp, nlspath), ":"), NLSPATH);
++ nlspath = tmp;
++@@ -65,16 +68,18 @@ catopen (const char *cat_name, int flag)
++
++ result = (__nl_catd) malloc (sizeof (*result));
++ if (result == NULL)
++- /* We cannot get enough memory. */
++- return (nl_catd) -1;
++-
++- if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
+++ {
+++ /* We cannot get enough memory. */
+++ result = (nl_catd) -1;
+++ }
+++ else if (__open_catalog (cat_name, nlspath, env_var, result) != 0)
++ {
++ /* Couldn't open the file. */
++ free ((void *) result);
++- return (nl_catd) -1;
+++ result = (nl_catd) -1;
++ }
++
+++ free (tmp);
++ return (nl_catd) result;
++ }
++
++Index: git/catgets/open_catalog.c
++===================================================================
++--- git.orig/catgets/open_catalog.c
+++++ git/catgets/open_catalog.c
++@@ -47,6 +47,7 @@ __open_catalog (const char *cat_name, co
++ size_t tab_size;
++ const char *lastp;
++ int result = -1;
+++ char *buf = NULL;
++
++ if (strchr (cat_name, '/') != NULL || nlspath == NULL)
++ fd = open_not_cancel_2 (cat_name, O_RDONLY);
++@@ -57,23 +58,23 @@ __open_catalog (const char *cat_name, co
++ if (__glibc_unlikely (bufact + (n) >= bufmax)) \
++ { \
++ char *old_buf = buf; \
++- bufmax += 256 + (n); \
++- buf = (char *) alloca (bufmax); \
++- memcpy (buf, old_buf, bufact); \
+++ bufmax += (bufmax < 256 + (n)) ? 256 + (n) : bufmax; \
+++ buf = realloc (buf, bufmax); \
+++ if (__glibc_unlikely (buf == NULL)) \
+++ { \
+++ free (old_buf); \
+++ return -1; \
+++ } \
++ }
++
++ /* The RUN_NLSPATH variable contains a colon separated list of
++ descriptions where we expect to find catalogs. We have to
++ recognize certain % substitutions and stop when we found the
++ first existing file. */
++- char *buf;
++ size_t bufact;
++- size_t bufmax;
+++ size_t bufmax = 0;
++ size_t len;
++
++- buf = NULL;
++- bufmax = 0;
++-
++ fd = -1;
++ while (*run_nlspath != '\0')
++ {
++@@ -188,7 +189,10 @@ __open_catalog (const char *cat_name, co
++
++ /* Avoid dealing with directories and block devices */
++ if (__builtin_expect (fd, 0) < 0)
++- return -1;
+++ {
+++ free (buf);
+++ return -1;
+++ }
++
++ if (__builtin_expect (__fxstat64 (_STAT_VER, fd, &st), 0) < 0)
++ goto close_unlock_return;
++@@ -325,6 +329,7 @@ __open_catalog (const char *cat_name, co
++ /* Release the lock again. */
++ close_unlock_return:
++ close_not_cancel_no_status (fd);
+++ free (buf);
++
++ return result;
++ }
++Index: git/catgets/tst-catgets.c
++===================================================================
++--- git.orig/catgets/tst-catgets.c
+++++ git/catgets/tst-catgets.c
++@@ -1,7 +1,10 @@
+++#include <assert.h>
++ #include <mcheck.h>
++ #include <nl_types.h>
++ #include <stdio.h>
+++#include <stdlib.h>
++ #include <string.h>
+++#include <sys/resource.h>
++
++
++ static const char *msgs[] =
++@@ -12,6 +15,33 @@ static const char *msgs[] =
++ };
++ #define nmsgs (sizeof (msgs) / sizeof (msgs[0]))
++
+++
+++/* Test for unbounded alloca. */
+++static int
+++do_bz17905 (void)
+++{
+++ char *buf;
+++ struct rlimit rl;
+++ nl_catd result;
+++
+++ const int sz = 1024 * 1024;
+++
+++ getrlimit (RLIMIT_STACK, &rl);
+++ rl.rlim_cur = sz;
+++ setrlimit (RLIMIT_STACK, &rl);
+++
+++ buf = malloc (sz + 1);
+++ memset (buf, 'A', sz);
+++ buf[sz] = '\0';
+++ setenv ("NLSPATH", buf, 1);
+++
+++ result = catopen (buf, NL_CAT_LOCALE);
+++ assert (result == (nl_catd) -1);
+++
+++ free (buf);
+++ return 0;
+++}
+++
++ #define ROUNDS 5
++
++ static int
++@@ -62,6 +92,7 @@ do_test (void)
++ }
++ }
++
+++ result += do_bz17905 ();
++ return result;
++ }
++
++Index: git/ChangeLog
++===================================================================
++--- git.orig/ChangeLog
+++++ git/ChangeLog
++@@ -1,3 +1,11 @@
+++2015-08-08 Paul Pluzhnikov <ppluzhnikov@google.com>
+++
+++ [BZ #17905]
+++ * catgets/Makefile (tst-catgets-mem): New test.
+++ * catgets/catgets.c (catopen): Don't use unbounded alloca.
+++ * catgets/open_catalog.c (__open_catalog): Likewise.
+++ * catgets/tst-catgets.c (do_bz17905): Test unbounded alloca.
+++
++ 2015-10-15 Florian Weimer <fweimer@redhat.com>
++
++ [BZ #18928]
++Index: git/NEWS
++===================================================================
++--- git.orig/NEWS
+++++ git/NEWS
++@@ -9,7 +9,7 @@ Version 2.22.1
++
++ * The following bugs are resolved with this release:
++
++- 18778, 18781, 18787.
+++ 18778, 18781, 18787, 17905.
++ \f
++ Version 2.22
++
diff --git a/meta/recipes-core/glibc/glibc_2.21.bb b/meta/recipes-core/glibc/glibc_2.21.bb
index efbcc9c..afe32d5 100644
--- a/meta/recipes-core/glibc/glibc_2.21.bb
+++ b/meta/recipes-core/glibc/glibc_2.21.bb
@@ -49,6 +49,7 @@ EGLIBCPATCHES = "\
CVEPATCHES = "\
file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \
file://CVE-2015-8777.patch \
+ file://CVE-2015-8779.patch \
"
LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
--
2.3.5
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 3/4] glibc: CVE-2015-9761
2016-01-25 19:34 [PATCH 0/4][fido] Glibc security fixes Armin Kuster
2016-01-25 19:34 ` [PATCH 1/4] glibc: CVE-2015-8777 Armin Kuster
2016-01-25 19:34 ` [PATCH 2/4] glibc: CVE-2015-8779 Armin Kuster
@ 2016-01-25 19:34 ` Armin Kuster
2016-01-25 19:34 ` [PATCH 4/4] glibc: CVE_2015-8776 Armin Kuster
2016-01-25 20:00 ` [PATCH 0/4][fido] Glibc security fixes Khem Raj
4 siblings, 0 replies; 6+ messages in thread
From: Armin Kuster @ 2016-01-25 19:34 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
meta/recipes-core/glibc/glibc/CVE-2015-9761.patch | 1452 +++++++++++++++++++++
meta/recipes-core/glibc/glibc_2.21.bb | 1 +
2 files changed, 1453 insertions(+)
create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-9761.patch
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-9761.patch b/meta/recipes-core/glibc/glibc/CVE-2015-9761.patch
new file mode 100644
index 0000000..262820e
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-9761.patch
@@ -0,0 +1,1452 @@
+From 9b9738e57a358e30ca4d7731f99928715482737c Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster@mvista.com>
+Date: Fri, 22 Jan 2016 20:23:04 -0800
+Subject: [PATCH 3/4] glibc: CVE-2015-9761
+
+A stack overflow vulnerability was found in nan* functions that could cause
+applications which process long strings with the nan function to crash or,
+potentially, execute arbitrary code.
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ .../recipes-core/glibc/glibc/CVE-2015-9761_1.patch | 1039 ++++++++++++++++++++
+ .../recipes-core/glibc/glibc/CVE-2015-9761_2.patch | 385 ++++++++
+ meta/recipes-core/glibc/glibc_2.22.bb | 2 +
+ 3 files changed, 1426 insertions(+)
+ create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch
+ create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-9761_2.patch
+
+Index: git/meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch
+===================================================================
+--- /dev/null
++++ git/meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch
+@@ -0,0 +1,1039 @@
++From e02cabecf0d025ec4f4ddee290bdf7aadb873bb3 Mon Sep 17 00:00:00 2001
++From: Joseph Myers <joseph@codesourcery.com>
++Date: Tue, 24 Nov 2015 22:24:52 +0000
++Subject: [PATCH] Refactor strtod parsing of NaN payloads.
++
++The nan* functions handle their string argument by constructing a
++NAN(...) string on the stack as a VLA and passing it to strtod
++functions.
++
++This approach has problems discussed in bug 16961 and bug 16962: the
++stack usage is unbounded, and it gives incorrect results in certain
++cases where the argument is not a valid n-char-sequence.
++
++The natural fix for both issues is to refactor the NaN payload parsing
++out of strtod into a separate function that the nan* functions can
++call directly, so that no temporary string needs constructing on the
++stack at all. This patch does that refactoring in preparation for
++fixing those bugs (but without actually using the new functions from
++nan* - which will also require exporting them from libc at version
++GLIBC_PRIVATE). This patch is not intended to change any user-visible
++behavior, so no tests are added (fixes for the above bugs will of
++course add tests for them).
++
++This patch builds on my recent fixes for strtol and strtod issues in
++Turkish locales. Given those fixes, the parsing of NaN payloads is
++locale-independent; thus, the new functions do not need to take a
++locale_t argument.
++
++Tested for x86_64, x86, mips64 and powerpc.
++
++ * stdlib/strtod_nan.c: New file.
++ * stdlib/strtod_nan_double.h: Likewise.
++ * stdlib/strtod_nan_float.h: Likewise.
++ * stdlib/strtod_nan_main.c: Likewise.
++ * stdlib/strtod_nan_narrow.h: Likewise.
++ * stdlib/strtod_nan_wide.h: Likewise.
++ * stdlib/strtof_nan.c: Likewise.
++ * stdlib/strtold_nan.c: Likewise.
++ * sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h: Likewise.
++ * sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h: Likewise.
++ * sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h: Likewise.
++ * wcsmbs/wcstod_nan.c: Likewise.
++ * wcsmbs/wcstof_nan.c: Likewise.
++ * wcsmbs/wcstold_nan.c: Likewise.
++ * stdlib/Makefile (routines): Add strtof_nan, strtod_nan and
++ strtold_nan.
++ * wcsmbs/Makefile (routines): Add wcstod_nan, wcstold_nan and
++ wcstof_nan.
++ * include/stdlib.h (__strtof_nan): Declare and use
++ libc_hidden_proto.
++ (__strtod_nan): Likewise.
++ (__strtold_nan): Likewise.
++ (__wcstof_nan): Likewise.
++ (__wcstod_nan): Likewise.
++ (__wcstold_nan): Likewise.
++ * include/wchar.h (____wcstoull_l_internal): Declare.
++ * stdlib/strtod_l.c: Do not include <ieee754.h>.
++ (____strtoull_l_internal): Remove declaration.
++ (STRTOF_NAN): Define macro.
++ (SET_MANTISSA): Remove macro.
++ (STRTOULL): Likewise.
++ (____STRTOF_INTERNAL): Use STRTOF_NAN to parse NaN payload.
++ * stdlib/strtof_l.c (____strtoull_l_internal): Remove declaration.
++ (STRTOF_NAN): Define macro.
++ (SET_MANTISSA): Remove macro.
++ * sysdeps/ieee754/ldbl-128/strtold_l.c (STRTOF_NAN): Define macro.
++ (SET_MANTISSA): Remove macro.
++ * sysdeps/ieee754/ldbl-128ibm/strtold_l.c (STRTOF_NAN): Define
++ macro.
++ (SET_MANTISSA): Remove macro.
++ * sysdeps/ieee754/ldbl-64-128/strtold_l.c (STRTOF_NAN): Define
++ macro.
++ (SET_MANTISSA): Remove macro.
++ * sysdeps/ieee754/ldbl-96/strtold_l.c (STRTOF_NAN): Define macro.
++ (SET_MANTISSA): Remove macro.
++ * wcsmbs/wcstod_l.c (____wcstoull_l_internal): Remove declaration.
++ * wcsmbs/wcstof_l.c (____wcstoull_l_internal): Likewise.
++ * wcsmbs/wcstold_l.c (____wcstoull_l_internal): Likewise.
++
++Upstream-Status: Backport
++CVE: CVE-2015-9761 patch #1
++[Yocto # 8980]
++
++https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e02cabecf0d025ec4f4ddee290bdf7aadb873bb3
++
++Signed-off-by: Armin Kuster <akuster@mvista.com>
++
++---
++ ChangeLog | 49 ++++++++++++++++++
++ include/stdlib.h | 18 +++++++
++ include/wchar.h | 3 ++
++ stdlib/Makefile | 1 +
++ stdlib/strtod_l.c | 48 ++++--------------
++ stdlib/strtod_nan.c | 24 +++++++++
++ stdlib/strtod_nan_double.h | 30 +++++++++++
++ stdlib/strtod_nan_float.h | 29 +++++++++++
++ stdlib/strtod_nan_main.c | 63 ++++++++++++++++++++++++
++ stdlib/strtod_nan_narrow.h | 22 +++++++++
++ stdlib/strtod_nan_wide.h | 22 +++++++++
++ stdlib/strtof_l.c | 11 +----
++ stdlib/strtof_nan.c | 24 +++++++++
++ stdlib/strtold_nan.c | 30 +++++++++++
++ sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h | 33 +++++++++++++
++ sysdeps/ieee754/ldbl-128/strtold_l.c | 13 +----
++ sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h | 30 +++++++++++
++ sysdeps/ieee754/ldbl-128ibm/strtold_l.c | 10 +---
++ sysdeps/ieee754/ldbl-64-128/strtold_l.c | 13 +----
++ sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h | 30 +++++++++++
++ sysdeps/ieee754/ldbl-96/strtold_l.c | 10 +---
++ wcsmbs/Makefile | 1 +
++ wcsmbs/wcstod_l.c | 3 --
++ wcsmbs/wcstod_nan.c | 23 +++++++++
++ wcsmbs/wcstof_l.c | 3 --
++ wcsmbs/wcstof_nan.c | 23 +++++++++
++ wcsmbs/wcstold_l.c | 3 --
++ wcsmbs/wcstold_nan.c | 30 +++++++++++
++ 28 files changed, 504 insertions(+), 95 deletions(-)
++ create mode 100644 stdlib/strtod_nan.c
++ create mode 100644 stdlib/strtod_nan_double.h
++ create mode 100644 stdlib/strtod_nan_float.h
++ create mode 100644 stdlib/strtod_nan_main.c
++ create mode 100644 stdlib/strtod_nan_narrow.h
++ create mode 100644 stdlib/strtod_nan_wide.h
++ create mode 100644 stdlib/strtof_nan.c
++ create mode 100644 stdlib/strtold_nan.c
++ create mode 100644 sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h
++ create mode 100644 sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h
++ create mode 100644 sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h
++ create mode 100644 wcsmbs/wcstod_nan.c
++ create mode 100644 wcsmbs/wcstof_nan.c
++ create mode 100644 wcsmbs/wcstold_nan.c
++
++Index: git/include/stdlib.h
++===================================================================
++--- git.orig/include/stdlib.h
+++++ git/include/stdlib.h
++@@ -203,6 +203,24 @@ libc_hidden_proto (strtoll)
++ libc_hidden_proto (strtoul)
++ libc_hidden_proto (strtoull)
++
+++extern float __strtof_nan (const char *, char **, char) internal_function;
+++extern double __strtod_nan (const char *, char **, char) internal_function;
+++extern long double __strtold_nan (const char *, char **, char)
+++ internal_function;
+++extern float __wcstof_nan (const wchar_t *, wchar_t **, wchar_t)
+++ internal_function;
+++extern double __wcstod_nan (const wchar_t *, wchar_t **, wchar_t)
+++ internal_function;
+++extern long double __wcstold_nan (const wchar_t *, wchar_t **, wchar_t)
+++ internal_function;
+++
+++libc_hidden_proto (__strtof_nan)
+++libc_hidden_proto (__strtod_nan)
+++libc_hidden_proto (__strtold_nan)
+++libc_hidden_proto (__wcstof_nan)
+++libc_hidden_proto (__wcstod_nan)
+++libc_hidden_proto (__wcstold_nan)
+++
++ extern char *__ecvt (double __value, int __ndigit, int *__restrict __decpt,
++ int *__restrict __sign);
++ extern char *__fcvt (double __value, int __ndigit, int *__restrict __decpt,
++Index: git/include/wchar.h
++===================================================================
++--- git.orig/include/wchar.h
+++++ git/include/wchar.h
++@@ -52,6 +52,9 @@ extern unsigned long long int __wcstoull
++ __restrict __endptr,
++ int __base,
++ int __group) __THROW;
+++extern unsigned long long int ____wcstoull_l_internal (const wchar_t *,
+++ wchar_t **, int, int,
+++ __locale_t);
++ libc_hidden_proto (__wcstof_internal)
++ libc_hidden_proto (__wcstod_internal)
++ libc_hidden_proto (__wcstold_internal)
++Index: git/stdlib/Makefile
++===================================================================
++--- git.orig/stdlib/Makefile
+++++ git/stdlib/Makefile
++@@ -51,6 +51,7 @@ routines-y := \
++ strtol_l strtoul_l strtoll_l strtoull_l \
++ strtof strtod strtold \
++ strtof_l strtod_l strtold_l \
+++ strtof_nan strtod_nan strtold_nan \
++ system canonicalize \
++ a64l l64a \
++ getsubopt xpg_basename \
++Index: git/stdlib/strtod_l.c
++===================================================================
++--- git.orig/stdlib/strtod_l.c
+++++ git/stdlib/strtod_l.c
++@@ -21,8 +21,6 @@
++ #include <xlocale.h>
++
++ extern double ____strtod_l_internal (const char *, char **, int, __locale_t);
++-extern unsigned long long int ____strtoull_l_internal (const char *, char **,
++- int, int, __locale_t);
++
++ /* Configuration part. These macros are defined by `strtold.c',
++ `strtof.c', `wcstod.c', `wcstold.c', and `wcstof.c' to produce the
++@@ -34,27 +32,20 @@ extern unsigned long long int ____strtou
++ # ifdef USE_WIDE_CHAR
++ # define STRTOF wcstod_l
++ # define __STRTOF __wcstod_l
+++# define STRTOF_NAN __wcstod_nan
++ # else
++ # define STRTOF strtod_l
++ # define __STRTOF __strtod_l
+++# define STRTOF_NAN __strtod_nan
++ # endif
++ # define MPN2FLOAT __mpn_construct_double
++ # define FLOAT_HUGE_VAL HUGE_VAL
++-# define SET_MANTISSA(flt, mant) \
++- do { union ieee754_double u; \
++- u.d = (flt); \
++- u.ieee_nan.mantissa0 = (mant) >> 32; \
++- u.ieee_nan.mantissa1 = (mant); \
++- if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \
++- (flt) = u.d; \
++- } while (0)
++ #endif
++ /* End of configuration part. */
++ \f
++ #include <ctype.h>
++ #include <errno.h>
++ #include <float.h>
++-#include <ieee754.h>
++ #include "../locale/localeinfo.h"
++ #include <locale.h>
++ #include <math.h>
++@@ -105,7 +96,6 @@ extern unsigned long long int ____strtou
++ # define TOLOWER_C(Ch) __towlower_l ((Ch), _nl_C_locobj_ptr)
++ # define STRNCASECMP(S1, S2, N) \
++ __wcsncasecmp_l ((S1), (S2), (N), _nl_C_locobj_ptr)
++-# define STRTOULL(S, E, B) ____wcstoull_l_internal ((S), (E), (B), 0, loc)
++ #else
++ # define STRING_TYPE char
++ # define CHAR_TYPE char
++@@ -117,7 +107,6 @@ extern unsigned long long int ____strtou
++ # define TOLOWER_C(Ch) __tolower_l ((Ch), _nl_C_locobj_ptr)
++ # define STRNCASECMP(S1, S2, N) \
++ __strncasecmp_l ((S1), (S2), (N), _nl_C_locobj_ptr)
++-# define STRTOULL(S, E, B) ____strtoull_l_internal ((S), (E), (B), 0, loc)
++ #endif
++
++
++@@ -668,33 +657,14 @@ ____STRTOF_INTERNAL (nptr, endptr, group
++ if (*cp == L_('('))
++ {
++ const STRING_TYPE *startp = cp;
++- do
++- ++cp;
++- while ((*cp >= L_('0') && *cp <= L_('9'))
++- || ({ CHAR_TYPE lo = TOLOWER (*cp);
++- lo >= L_('a') && lo <= L_('z'); })
++- || *cp == L_('_'));
++-
++- if (*cp != L_(')'))
++- /* The closing brace is missing. Only match the NAN
++- part. */
++- cp = startp;
+++ STRING_TYPE *endp;
+++ retval = STRTOF_NAN (cp + 1, &endp, L_(')'));
+++ if (*endp == L_(')'))
+++ /* Consume the closing parenthesis. */
+++ cp = endp + 1;
++ else
++- {
++- /* This is a system-dependent way to specify the
++- bitmask used for the NaN. We expect it to be
++- a number which is put in the mantissa of the
++- number. */
++- STRING_TYPE *endp;
++- unsigned long long int mant;
++-
++- mant = STRTOULL (startp + 1, &endp, 0);
++- if (endp == cp)
++- SET_MANTISSA (retval, mant);
++-
++- /* Consume the closing brace. */
++- ++cp;
++- }
+++ /* Only match the NAN part. */
+++ cp = startp;
++ }
++
++ if (endptr != NULL)
++Index: git/stdlib/strtod_nan.c
++===================================================================
++--- /dev/null
+++++ git/stdlib/strtod_nan.c
++@@ -0,0 +1,24 @@
+++/* Convert string for NaN payload to corresponding NaN. Narrow
+++ strings, double.
+++ Copyright (C) 2015 Free Software Foundation, Inc.
+++ This file is part of the GNU C Library.
+++
+++ The GNU C Library is free software; you can redistribute it and/or
+++ modify it under the terms of the GNU Lesser General Public
+++ License as published by the Free Software Foundation; either
+++ version 2.1 of the License, or (at your option) any later version.
+++
+++ The GNU C Library is distributed in the hope that it will be useful,
+++ but WITHOUT ANY WARRANTY; without even the implied warranty of
+++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+++ Lesser General Public License for more details.
+++
+++ You should have received a copy of the GNU Lesser General Public
+++ License along with the GNU C Library; if not, see
+++ <http://www.gnu.org/licenses/>. */
+++
+++#include <strtod_nan_narrow.h>
+++#include <strtod_nan_double.h>
+++
+++#define STRTOD_NAN __strtod_nan
+++#include <strtod_nan_main.c>
++Index: git/stdlib/strtod_nan_double.h
++===================================================================
++--- /dev/null
+++++ git/stdlib/strtod_nan_double.h
++@@ -0,0 +1,30 @@
+++/* Convert string for NaN payload to corresponding NaN. For double.
+++ Copyright (C) 1997-2015 Free Software Foundation, Inc.
+++ This file is part of the GNU C Library.
+++
+++ The GNU C Library is free software; you can redistribute it and/or
+++ modify it under the terms of the GNU Lesser General Public
+++ License as published by the Free Software Foundation; either
+++ version 2.1 of the License, or (at your option) any later version.
+++
+++ The GNU C Library is distributed in the hope that it will be useful,
+++ but WITHOUT ANY WARRANTY; without even the implied warranty of
+++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+++ Lesser General Public License for more details.
+++
+++ You should have received a copy of the GNU Lesser General Public
+++ License along with the GNU C Library; if not, see
+++ <http://www.gnu.org/licenses/>. */
+++
+++#define FLOAT double
+++#define SET_MANTISSA(flt, mant) \
+++ do \
+++ { \
+++ union ieee754_double u; \
+++ u.d = (flt); \
+++ u.ieee_nan.mantissa0 = (mant) >> 32; \
+++ u.ieee_nan.mantissa1 = (mant); \
+++ if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \
+++ (flt) = u.d; \
+++ } \
+++ while (0)
++Index: git/stdlib/strtod_nan_float.h
++===================================================================
++--- /dev/null
+++++ git/stdlib/strtod_nan_float.h
++@@ -0,0 +1,29 @@
+++/* Convert string for NaN payload to corresponding NaN. For float.
+++ Copyright (C) 1997-2015 Free Software Foundation, Inc.
+++ This file is part of the GNU C Library.
+++
+++ The GNU C Library is free software; you can redistribute it and/or
+++ modify it under the terms of the GNU Lesser General Public
+++ License as published by the Free Software Foundation; either
+++ version 2.1 of the License, or (at your option) any later version.
+++
+++ The GNU C Library is distributed in the hope that it will be useful,
+++ but WITHOUT ANY WARRANTY; without even the implied warranty of
+++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+++ Lesser General Public License for more details.
+++
+++ You should have received a copy of the GNU Lesser General Public
+++ License along with the GNU C Library; if not, see
+++ <http://www.gnu.org/licenses/>. */
+++
+++#define FLOAT float
+++#define SET_MANTISSA(flt, mant) \
+++ do \
+++ { \
+++ union ieee754_float u; \
+++ u.f = (flt); \
+++ u.ieee_nan.mantissa = (mant); \
+++ if (u.ieee.mantissa != 0) \
+++ (flt) = u.f; \
+++ } \
+++ while (0)
++Index: git/stdlib/strtod_nan_main.c
++===================================================================
++--- /dev/null
+++++ git/stdlib/strtod_nan_main.c
++@@ -0,0 +1,63 @@
+++/* Convert string for NaN payload to corresponding NaN.
+++ Copyright (C) 1997-2015 Free Software Foundation, Inc.
+++ This file is part of the GNU C Library.
+++
+++ The GNU C Library is free software; you can redistribute it and/or
+++ modify it under the terms of the GNU Lesser General Public
+++ License as published by the Free Software Foundation; either
+++ version 2.1 of the License, or (at your option) any later version.
+++
+++ The GNU C Library is distributed in the hope that it will be useful,
+++ but WITHOUT ANY WARRANTY; without even the implied warranty of
+++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+++ Lesser General Public License for more details.
+++
+++ You should have received a copy of the GNU Lesser General Public
+++ License along with the GNU C Library; if not, see
+++ <http://www.gnu.org/licenses/>. */
+++
+++#include <ieee754.h>
+++#include <locale.h>
+++#include <math.h>
+++#include <stdlib.h>
+++#include <wchar.h>
+++
+++
+++/* If STR starts with an optional n-char-sequence as defined by ISO C
+++ (a sequence of ASCII letters, digits and underscores), followed by
+++ ENDC, return a NaN whose payload is set based on STR. Otherwise,
+++ return a default NAN. If ENDPTR is not NULL, set *ENDPTR to point
+++ to the character after the initial n-char-sequence. */
+++
+++internal_function
+++FLOAT
+++STRTOD_NAN (const STRING_TYPE *str, STRING_TYPE **endptr, STRING_TYPE endc)
+++{
+++ const STRING_TYPE *cp = str;
+++
+++ while ((*cp >= L_('0') && *cp <= L_('9'))
+++ || (*cp >= L_('A') && *cp <= L_('Z'))
+++ || (*cp >= L_('a') && *cp <= L_('z'))
+++ || *cp == L_('_'))
+++ ++cp;
+++
+++ FLOAT retval = NAN;
+++ if (*cp != endc)
+++ goto out;
+++
+++ /* This is a system-dependent way to specify the bitmask used for
+++ the NaN. We expect it to be a number which is put in the
+++ mantissa of the number. */
+++ STRING_TYPE *endp;
+++ unsigned long long int mant;
+++
+++ mant = STRTOULL (str, &endp, 0);
+++ if (endp == cp)
+++ SET_MANTISSA (retval, mant);
+++
+++ out:
+++ if (endptr != NULL)
+++ *endptr = (STRING_TYPE *) cp;
+++ return retval;
+++}
+++libc_hidden_def (STRTOD_NAN)
++Index: git/stdlib/strtod_nan_narrow.h
++===================================================================
++--- /dev/null
+++++ git/stdlib/strtod_nan_narrow.h
++@@ -0,0 +1,22 @@
+++/* Convert string for NaN payload to corresponding NaN. Narrow strings.
+++ Copyright (C) 1997-2015 Free Software Foundation, Inc.
+++ This file is part of the GNU C Library.
+++
+++ The GNU C Library is free software; you can redistribute it and/or
+++ modify it under the terms of the GNU Lesser General Public
+++ License as published by the Free Software Foundation; either
+++ version 2.1 of the License, or (at your option) any later version.
+++
+++ The GNU C Library is distributed in the hope that it will be useful,
+++ but WITHOUT ANY WARRANTY; without even the implied warranty of
+++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+++ Lesser General Public License for more details.
+++
+++ You should have received a copy of the GNU Lesser General Public
+++ License along with the GNU C Library; if not, see
+++ <http://www.gnu.org/licenses/>. */
+++
+++#define STRING_TYPE char
+++#define L_(Ch) Ch
+++#define STRTOULL(S, E, B) ____strtoull_l_internal ((S), (E), (B), 0, \
+++ _nl_C_locobj_ptr)
++Index: git/stdlib/strtod_nan_wide.h
++===================================================================
++--- /dev/null
+++++ git/stdlib/strtod_nan_wide.h
++@@ -0,0 +1,22 @@
+++/* Convert string for NaN payload to corresponding NaN. Wide strings.
+++ Copyright (C) 1997-2015 Free Software Foundation, Inc.
+++ This file is part of the GNU C Library.
+++
+++ The GNU C Library is free software; you can redistribute it and/or
+++ modify it under the terms of the GNU Lesser General Public
+++ License as published by the Free Software Foundation; either
+++ version 2.1 of the License, or (at your option) any later version.
+++
+++ The GNU C Library is distributed in the hope that it will be useful,
+++ but WITHOUT ANY WARRANTY; without even the implied warranty of
+++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+++ Lesser General Public License for more details.
+++
+++ You should have received a copy of the GNU Lesser General Public
+++ License along with the GNU C Library; if not, see
+++ <http://www.gnu.org/licenses/>. */
+++
+++#define STRING_TYPE wchar_t
+++#define L_(Ch) L##Ch
+++#define STRTOULL(S, E, B) ____wcstoull_l_internal ((S), (E), (B), 0, \
+++ _nl_C_locobj_ptr)
++Index: git/stdlib/strtof_l.c
++===================================================================
++--- git.orig/stdlib/strtof_l.c
+++++ git/stdlib/strtof_l.c
++@@ -20,26 +20,19 @@
++ #include <xlocale.h>
++
++ extern float ____strtof_l_internal (const char *, char **, int, __locale_t);
++-extern unsigned long long int ____strtoull_l_internal (const char *, char **,
++- int, int, __locale_t);
++
++ #define FLOAT float
++ #define FLT FLT
++ #ifdef USE_WIDE_CHAR
++ # define STRTOF wcstof_l
++ # define __STRTOF __wcstof_l
+++# define STRTOF_NAN __wcstof_nan
++ #else
++ # define STRTOF strtof_l
++ # define __STRTOF __strtof_l
+++# define STRTOF_NAN __strtof_nan
++ #endif
++ #define MPN2FLOAT __mpn_construct_float
++ #define FLOAT_HUGE_VAL HUGE_VALF
++-#define SET_MANTISSA(flt, mant) \
++- do { union ieee754_float u; \
++- u.f = (flt); \
++- u.ieee_nan.mantissa = (mant); \
++- if (u.ieee.mantissa != 0) \
++- (flt) = u.f; \
++- } while (0)
++
++ #include "strtod_l.c"
++Index: git/stdlib/strtof_nan.c
++===================================================================
++--- /dev/null
+++++ git/stdlib/strtof_nan.c
++@@ -0,0 +1,24 @@
+++/* Convert string for NaN payload to corresponding NaN. Narrow
+++ strings, float.
+++ Copyright (C) 2015 Free Software Foundation, Inc.
+++ This file is part of the GNU C Library.
+++
+++ The GNU C Library is free software; you can redistribute it and/or
+++ modify it under the terms of the GNU Lesser General Public
+++ License as published by the Free Software Foundation; either
+++ version 2.1 of the License, or (at your option) any later version.
+++
+++ The GNU C Library is distributed in the hope that it will be useful,
+++ but WITHOUT ANY WARRANTY; without even the implied warranty of
+++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+++ Lesser General Public License for more details.
+++
+++ You should have received a copy of the GNU Lesser General Public
+++ License along with the GNU C Library; if not, see
+++ <http://www.gnu.org/licenses/>. */
+++
+++#include <strtod_nan_narrow.h>
+++#include <strtod_nan_float.h>
+++
+++#define STRTOD_NAN __strtof_nan
+++#include <strtod_nan_main.c>
++Index: git/stdlib/strtold_nan.c
++===================================================================
++--- /dev/null
+++++ git/stdlib/strtold_nan.c
++@@ -0,0 +1,30 @@
+++/* Convert string for NaN payload to corresponding NaN. Narrow
+++ strings, long double.
+++ Copyright (C) 2015 Free Software Foundation, Inc.
+++ This file is part of the GNU C Library.
+++
+++ The GNU C Library is free software; you can redistribute it and/or
+++ modify it under the terms of the GNU Lesser General Public
+++ License as published by the Free Software Foundation; either
+++ version 2.1 of the License, or (at your option) any later version.
+++
+++ The GNU C Library is distributed in the hope that it will be useful,
+++ but WITHOUT ANY WARRANTY; without even the implied warranty of
+++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+++ Lesser General Public License for more details.
+++
+++ You should have received a copy of the GNU Lesser General Public
+++ License along with the GNU C Library; if not, see
+++ <http://www.gnu.org/licenses/>. */
+++
+++#include <math.h>
+++
+++/* This function is unused if long double and double have the same
+++ representation. */
+++#ifndef __NO_LONG_DOUBLE_MATH
+++# include <strtod_nan_narrow.h>
+++# include <strtod_nan_ldouble.h>
+++
+++# define STRTOD_NAN __strtold_nan
+++# include <strtod_nan_main.c>
+++#endif
++Index: git/sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h
++===================================================================
++--- /dev/null
+++++ git/sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h
++@@ -0,0 +1,33 @@
+++/* Convert string for NaN payload to corresponding NaN. For ldbl-128.
+++ Copyright (C) 1997-2015 Free Software Foundation, Inc.
+++ This file is part of the GNU C Library.
+++
+++ The GNU C Library is free software; you can redistribute it and/or
+++ modify it under the terms of the GNU Lesser General Public
+++ License as published by the Free Software Foundation; either
+++ version 2.1 of the License, or (at your option) any later version.
+++
+++ The GNU C Library is distributed in the hope that it will be useful,
+++ but WITHOUT ANY WARRANTY; without even the implied warranty of
+++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+++ Lesser General Public License for more details.
+++
+++ You should have received a copy of the GNU Lesser General Public
+++ License along with the GNU C Library; if not, see
+++ <http://www.gnu.org/licenses/>. */
+++
+++#define FLOAT long double
+++#define SET_MANTISSA(flt, mant) \
+++ do \
+++ { \
+++ union ieee854_long_double u; \
+++ u.d = (flt); \
+++ u.ieee_nan.mantissa0 = 0; \
+++ u.ieee_nan.mantissa1 = 0; \
+++ u.ieee_nan.mantissa2 = (mant) >> 32; \
+++ u.ieee_nan.mantissa3 = (mant); \
+++ if ((u.ieee.mantissa0 | u.ieee.mantissa1 \
+++ | u.ieee.mantissa2 | u.ieee.mantissa3) != 0) \
+++ (flt) = u.d; \
+++ } \
+++ while (0)
++Index: git/sysdeps/ieee754/ldbl-128/strtold_l.c
++===================================================================
++--- git.orig/sysdeps/ieee754/ldbl-128/strtold_l.c
+++++ git/sysdeps/ieee754/ldbl-128/strtold_l.c
++@@ -25,22 +25,13 @@
++ #ifdef USE_WIDE_CHAR
++ # define STRTOF wcstold_l
++ # define __STRTOF __wcstold_l
+++# define STRTOF_NAN __wcstold_nan
++ #else
++ # define STRTOF strtold_l
++ # define __STRTOF __strtold_l
+++# define STRTOF_NAN __strtold_nan
++ #endif
++ #define MPN2FLOAT __mpn_construct_long_double
++ #define FLOAT_HUGE_VAL HUGE_VALL
++-#define SET_MANTISSA(flt, mant) \
++- do { union ieee854_long_double u; \
++- u.d = (flt); \
++- u.ieee_nan.mantissa0 = 0; \
++- u.ieee_nan.mantissa1 = 0; \
++- u.ieee_nan.mantissa2 = (mant) >> 32; \
++- u.ieee_nan.mantissa3 = (mant); \
++- if ((u.ieee.mantissa0 | u.ieee.mantissa1 \
++- | u.ieee.mantissa2 | u.ieee.mantissa3) != 0) \
++- (flt) = u.d; \
++- } while (0)
++
++ #include <strtod_l.c>
++Index: git/sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h
++===================================================================
++--- /dev/null
+++++ git/sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h
++@@ -0,0 +1,30 @@
+++/* Convert string for NaN payload to corresponding NaN. For ldbl-128ibm.
+++ Copyright (C) 1997-2015 Free Software Foundation, Inc.
+++ This file is part of the GNU C Library.
+++
+++ The GNU C Library is free software; you can redistribute it and/or
+++ modify it under the terms of the GNU Lesser General Public
+++ License as published by the Free Software Foundation; either
+++ version 2.1 of the License, or (at your option) any later version.
+++
+++ The GNU C Library is distributed in the hope that it will be useful,
+++ but WITHOUT ANY WARRANTY; without even the implied warranty of
+++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+++ Lesser General Public License for more details.
+++
+++ You should have received a copy of the GNU Lesser General Public
+++ License along with the GNU C Library; if not, see
+++ <http://www.gnu.org/licenses/>. */
+++
+++#define FLOAT long double
+++#define SET_MANTISSA(flt, mant) \
+++ do \
+++ { \
+++ union ibm_extended_long_double u; \
+++ u.ld = (flt); \
+++ u.d[0].ieee_nan.mantissa0 = (mant) >> 32; \
+++ u.d[0].ieee_nan.mantissa1 = (mant); \
+++ if ((u.d[0].ieee.mantissa0 | u.d[0].ieee.mantissa1) != 0) \
+++ (flt) = u.ld; \
+++ } \
+++ while (0)
++Index: git/sysdeps/ieee754/ldbl-128ibm/strtold_l.c
++===================================================================
++--- git.orig/sysdeps/ieee754/ldbl-128ibm/strtold_l.c
+++++ git/sysdeps/ieee754/ldbl-128ibm/strtold_l.c
++@@ -30,25 +30,19 @@ extern long double ____new_wcstold_l (co
++ # define STRTOF __new_wcstold_l
++ # define __STRTOF ____new_wcstold_l
++ # define ____STRTOF_INTERNAL ____wcstold_l_internal
+++# define STRTOF_NAN __wcstold_nan
++ #else
++ extern long double ____new_strtold_l (const char *, char **, __locale_t);
++ # define STRTOF __new_strtold_l
++ # define __STRTOF ____new_strtold_l
++ # define ____STRTOF_INTERNAL ____strtold_l_internal
+++# define STRTOF_NAN __strtold_nan
++ #endif
++ extern __typeof (__STRTOF) STRTOF;
++ libc_hidden_proto (__STRTOF)
++ libc_hidden_proto (STRTOF)
++ #define MPN2FLOAT __mpn_construct_long_double
++ #define FLOAT_HUGE_VAL HUGE_VALL
++-# define SET_MANTISSA(flt, mant) \
++- do { union ibm_extended_long_double u; \
++- u.ld = (flt); \
++- u.d[0].ieee_nan.mantissa0 = (mant) >> 32; \
++- u.d[0].ieee_nan.mantissa1 = (mant); \
++- if ((u.d[0].ieee.mantissa0 | u.d[0].ieee.mantissa1) != 0) \
++- (flt) = u.ld; \
++- } while (0)
++
++ #include <strtod_l.c>
++
++Index: git/sysdeps/ieee754/ldbl-64-128/strtold_l.c
++===================================================================
++--- git.orig/sysdeps/ieee754/ldbl-64-128/strtold_l.c
+++++ git/sysdeps/ieee754/ldbl-64-128/strtold_l.c
++@@ -30,28 +30,19 @@ extern long double ____new_wcstold_l (co
++ # define STRTOF __new_wcstold_l
++ # define __STRTOF ____new_wcstold_l
++ # define ____STRTOF_INTERNAL ____wcstold_l_internal
+++# define STRTOF_NAN __wcstold_nan
++ #else
++ extern long double ____new_strtold_l (const char *, char **, __locale_t);
++ # define STRTOF __new_strtold_l
++ # define __STRTOF ____new_strtold_l
++ # define ____STRTOF_INTERNAL ____strtold_l_internal
+++# define STRTOF_NAN __strtold_nan
++ #endif
++ extern __typeof (__STRTOF) STRTOF;
++ libc_hidden_proto (__STRTOF)
++ libc_hidden_proto (STRTOF)
++ #define MPN2FLOAT __mpn_construct_long_double
++ #define FLOAT_HUGE_VAL HUGE_VALL
++-#define SET_MANTISSA(flt, mant) \
++- do { union ieee854_long_double u; \
++- u.d = (flt); \
++- u.ieee_nan.mantissa0 = 0; \
++- u.ieee_nan.mantissa1 = 0; \
++- u.ieee_nan.mantissa2 = (mant) >> 32; \
++- u.ieee_nan.mantissa3 = (mant); \
++- if ((u.ieee.mantissa0 | u.ieee.mantissa1 \
++- | u.ieee.mantissa2 | u.ieee.mantissa3) != 0) \
++- (flt) = u.d; \
++- } while (0)
++
++ #include <strtod_l.c>
++
++Index: git/sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h
++===================================================================
++--- /dev/null
+++++ git/sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h
++@@ -0,0 +1,30 @@
+++/* Convert string for NaN payload to corresponding NaN. For ldbl-96.
+++ Copyright (C) 1997-2015 Free Software Foundation, Inc.
+++ This file is part of the GNU C Library.
+++
+++ The GNU C Library is free software; you can redistribute it and/or
+++ modify it under the terms of the GNU Lesser General Public
+++ License as published by the Free Software Foundation; either
+++ version 2.1 of the License, or (at your option) any later version.
+++
+++ The GNU C Library is distributed in the hope that it will be useful,
+++ but WITHOUT ANY WARRANTY; without even the implied warranty of
+++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+++ Lesser General Public License for more details.
+++
+++ You should have received a copy of the GNU Lesser General Public
+++ License along with the GNU C Library; if not, see
+++ <http://www.gnu.org/licenses/>. */
+++
+++#define FLOAT long double
+++#define SET_MANTISSA(flt, mant) \
+++ do \
+++ { \
+++ union ieee854_long_double u; \
+++ u.d = (flt); \
+++ u.ieee_nan.mantissa0 = (mant) >> 32; \
+++ u.ieee_nan.mantissa1 = (mant); \
+++ if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \
+++ (flt) = u.d; \
+++ } \
+++ while (0)
++Index: git/sysdeps/ieee754/ldbl-96/strtold_l.c
++===================================================================
++--- git.orig/sysdeps/ieee754/ldbl-96/strtold_l.c
+++++ git/sysdeps/ieee754/ldbl-96/strtold_l.c
++@@ -25,19 +25,13 @@
++ #ifdef USE_WIDE_CHAR
++ # define STRTOF wcstold_l
++ # define __STRTOF __wcstold_l
+++# define STRTOF_NAN __wcstold_nan
++ #else
++ # define STRTOF strtold_l
++ # define __STRTOF __strtold_l
+++# define STRTOF_NAN __strtold_nan
++ #endif
++ #define MPN2FLOAT __mpn_construct_long_double
++ #define FLOAT_HUGE_VAL HUGE_VALL
++-#define SET_MANTISSA(flt, mant) \
++- do { union ieee854_long_double u; \
++- u.d = (flt); \
++- u.ieee_nan.mantissa0 = (mant) >> 32; \
++- u.ieee_nan.mantissa1 = (mant); \
++- if ((u.ieee.mantissa0 | u.ieee.mantissa1) != 0) \
++- (flt) = u.d; \
++- } while (0)
++
++ #include <stdlib/strtod_l.c>
++Index: git/wcsmbs/Makefile
++===================================================================
++--- git.orig/wcsmbs/Makefile
+++++ git/wcsmbs/Makefile
++@@ -39,6 +39,7 @@ routines-$(OPTION_POSIX_C_LANG_WIDE_CHAR
++ wcstol wcstoul wcstoll wcstoull wcstod wcstold wcstof \
++ wcstol_l wcstoul_l wcstoll_l wcstoull_l \
++ wcstod_l wcstold_l wcstof_l \
+++ wcstod_nan wcstold_nan wcstof_nan \
++ wcscoll wcsxfrm \
++ wcwidth wcswidth \
++ wcscoll_l wcsxfrm_l \
++Index: git/wcsmbs/wcstod_l.c
++===================================================================
++--- git.orig/wcsmbs/wcstod_l.c
+++++ git/wcsmbs/wcstod_l.c
++@@ -23,9 +23,6 @@
++
++ extern double ____wcstod_l_internal (const wchar_t *, wchar_t **, int,
++ __locale_t);
++-extern unsigned long long int ____wcstoull_l_internal (const wchar_t *,
++- wchar_t **, int, int,
++- __locale_t);
++
++ #define USE_WIDE_CHAR 1
++
++Index: git/wcsmbs/wcstod_nan.c
++===================================================================
++--- /dev/null
+++++ git/wcsmbs/wcstod_nan.c
++@@ -0,0 +1,23 @@
+++/* Convert string for NaN payload to corresponding NaN. Wide strings, double.
+++ Copyright (C) 2015 Free Software Foundation, Inc.
+++ This file is part of the GNU C Library.
+++
+++ The GNU C Library is free software; you can redistribute it and/or
+++ modify it under the terms of the GNU Lesser General Public
+++ License as published by the Free Software Foundation; either
+++ version 2.1 of the License, or (at your option) any later version.
+++
+++ The GNU C Library is distributed in the hope that it will be useful,
+++ but WITHOUT ANY WARRANTY; without even the implied warranty of
+++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+++ Lesser General Public License for more details.
+++
+++ You should have received a copy of the GNU Lesser General Public
+++ License along with the GNU C Library; if not, see
+++ <http://www.gnu.org/licenses/>. */
+++
+++#include "../stdlib/strtod_nan_wide.h"
+++#include "../stdlib/strtod_nan_double.h"
+++
+++#define STRTOD_NAN __wcstod_nan
+++#include "../stdlib/strtod_nan_main.c"
++Index: git/wcsmbs/wcstof_l.c
++===================================================================
++--- git.orig/wcsmbs/wcstof_l.c
+++++ git/wcsmbs/wcstof_l.c
++@@ -25,8 +25,5 @@
++
++ extern float ____wcstof_l_internal (const wchar_t *, wchar_t **, int,
++ __locale_t);
++-extern unsigned long long int ____wcstoull_l_internal (const wchar_t *,
++- wchar_t **, int, int,
++- __locale_t);
++
++ #include <stdlib/strtof_l.c>
++Index: git/wcsmbs/wcstof_nan.c
++===================================================================
++--- /dev/null
+++++ git/wcsmbs/wcstof_nan.c
++@@ -0,0 +1,23 @@
+++/* Convert string for NaN payload to corresponding NaN. Wide strings, float.
+++ Copyright (C) 2015 Free Software Foundation, Inc.
+++ This file is part of the GNU C Library.
+++
+++ The GNU C Library is free software; you can redistribute it and/or
+++ modify it under the terms of the GNU Lesser General Public
+++ License as published by the Free Software Foundation; either
+++ version 2.1 of the License, or (at your option) any later version.
+++
+++ The GNU C Library is distributed in the hope that it will be useful,
+++ but WITHOUT ANY WARRANTY; without even the implied warranty of
+++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+++ Lesser General Public License for more details.
+++
+++ You should have received a copy of the GNU Lesser General Public
+++ License along with the GNU C Library; if not, see
+++ <http://www.gnu.org/licenses/>. */
+++
+++#include "../stdlib/strtod_nan_wide.h"
+++#include "../stdlib/strtod_nan_float.h"
+++
+++#define STRTOD_NAN __wcstof_nan
+++#include "../stdlib/strtod_nan_main.c"
++Index: git/wcsmbs/wcstold_l.c
++===================================================================
++--- git.orig/wcsmbs/wcstold_l.c
+++++ git/wcsmbs/wcstold_l.c
++@@ -24,8 +24,5 @@
++
++ extern long double ____wcstold_l_internal (const wchar_t *, wchar_t **, int,
++ __locale_t);
++-extern unsigned long long int ____wcstoull_l_internal (const wchar_t *,
++- wchar_t **, int, int,
++- __locale_t);
++
++ #include <strtold_l.c>
++Index: git/wcsmbs/wcstold_nan.c
++===================================================================
++--- /dev/null
+++++ git/wcsmbs/wcstold_nan.c
++@@ -0,0 +1,30 @@
+++/* Convert string for NaN payload to corresponding NaN. Wide strings,
+++ long double.
+++ Copyright (C) 2015 Free Software Foundation, Inc.
+++ This file is part of the GNU C Library.
+++
+++ The GNU C Library is free software; you can redistribute it and/or
+++ modify it under the terms of the GNU Lesser General Public
+++ License as published by the Free Software Foundation; either
+++ version 2.1 of the License, or (at your option) any later version.
+++
+++ The GNU C Library is distributed in the hope that it will be useful,
+++ but WITHOUT ANY WARRANTY; without even the implied warranty of
+++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+++ Lesser General Public License for more details.
+++
+++ You should have received a copy of the GNU Lesser General Public
+++ License along with the GNU C Library; if not, see
+++ <http://www.gnu.org/licenses/>. */
+++
+++#include <math.h>
+++
+++/* This function is unused if long double and double have the same
+++ representation. */
+++#ifndef __NO_LONG_DOUBLE_MATH
+++# include "../stdlib/strtod_nan_wide.h"
+++# include <strtod_nan_ldouble.h>
+++
+++# define STRTOD_NAN __wcstold_nan
+++# include "../stdlib/strtod_nan_main.c"
+++#endif
++Index: git/ChangeLog
++===================================================================
++--- git.orig/ChangeLog
+++++ git/ChangeLog
++@@ -1,3 +1,57 @@
+++2015-11-24 Joseph Myers <joseph@codesourcery.com>
+++
+++ * stdlib/strtod_nan.c: New file.
+++ * stdlib/strtod_nan_double.h: Likewise.
+++ * stdlib/strtod_nan_float.h: Likewise.
+++ * stdlib/strtod_nan_main.c: Likewise.
+++ * stdlib/strtod_nan_narrow.h: Likewise.
+++ * stdlib/strtod_nan_wide.h: Likewise.
+++ * stdlib/strtof_nan.c: Likewise.
+++ * stdlib/strtold_nan.c: Likewise.
+++ * sysdeps/ieee754/ldbl-128/strtod_nan_ldouble.h: Likewise.
+++ * sysdeps/ieee754/ldbl-128ibm/strtod_nan_ldouble.h: Likewise.
+++ * sysdeps/ieee754/ldbl-96/strtod_nan_ldouble.h: Likewise.
+++ * wcsmbs/wcstod_nan.c: Likewise.
+++ * wcsmbs/wcstof_nan.c: Likewise.
+++ * wcsmbs/wcstold_nan.c: Likewise.
+++ * stdlib/Makefile (routines): Add strtof_nan, strtod_nan and
+++ strtold_nan.
+++ * wcsmbs/Makefile (routines): Add wcstod_nan, wcstold_nan and
+++ wcstof_nan.
+++ * include/stdlib.h (__strtof_nan): Declare and use
+++ libc_hidden_proto.
+++ (__strtod_nan): Likewise.
+++ (__strtold_nan): Likewise.
+++ (__wcstof_nan): Likewise.
+++ (__wcstod_nan): Likewise.
+++ (__wcstold_nan): Likewise.
+++ * include/wchar.h (____wcstoull_l_internal): Declare.
+++ * stdlib/strtod_l.c: Do not include <ieee754.h>.
+++ (____strtoull_l_internal): Remove declaration.
+++ (STRTOF_NAN): Define macro.
+++ (SET_MANTISSA): Remove macro.
+++ (STRTOULL): Likewise.
+++ (____STRTOF_INTERNAL): Use STRTOF_NAN to parse NaN payload.
+++ * stdlib/strtof_l.c (____strtoull_l_internal): Remove declaration.
+++ (STRTOF_NAN): Define macro.
+++ (SET_MANTISSA): Remove macro.
+++ * sysdeps/ieee754/ldbl-128/strtold_l.c (STRTOF_NAN): Define macro.
+++ (SET_MANTISSA): Remove macro.
+++ * sysdeps/ieee754/ldbl-128ibm/strtold_l.c (STRTOF_NAN): Define
+++ macro.
+++ (SET_MANTISSA): Remove macro.
+++ * sysdeps/ieee754/ldbl-64-128/strtold_l.c (STRTOF_NAN): Define
+++ macro.
+++ (SET_MANTISSA): Remove macro.
+++ * sysdeps/ieee754/ldbl-96/strtold_l.c (STRTOF_NAN): Define macro.
+++ (SET_MANTISSA): Remove macro.
+++ * wcsmbs/wcstod_l.c (____wcstoull_l_internal): Remove declaration.
+++ * wcsmbs/wcstof_l.c (____wcstoull_l_internal): Likewise.
+++ * wcsmbs/wcstold_l.c (____wcstoull_l_internal): Likewise.
+++
+++ [BZ #19266]
+++ * stdlib/strtod_l.c (____STRTOF_INTERNAL): Check directly for
+++ upper case and lower case letters inside NAN(), not using TOLOWER.
++ 2015-08-08 Paul Pluzhnikov <ppluzhnikov@google.com>
++
++ [BZ #17905]
+Index: git/meta/recipes-core/glibc/glibc/CVE-2015-9761_2.patch
+===================================================================
+--- /dev/null
++++ git/meta/recipes-core/glibc/glibc/CVE-2015-9761_2.patch
+@@ -0,0 +1,385 @@
++From 8f5e8b01a1da2a207228f2072c934fa5918554b8 Mon Sep 17 00:00:00 2001
++From: Joseph Myers <joseph@codesourcery.com>
++Date: Fri, 4 Dec 2015 20:36:28 +0000
++Subject: [PATCH] Fix nan functions handling of payload strings (bug 16961, bug
++ 16962).
++
++The nan, nanf and nanl functions handle payload strings by doing e.g.:
++
++ if (tagp[0] != '\0')
++ {
++ char buf[6 + strlen (tagp)];
++ sprintf (buf, "NAN(%s)", tagp);
++ return strtod (buf, NULL);
++ }
++
++This is an unbounded stack allocation based on the length of the
++argument. Furthermore, if the argument starts with an n-char-sequence
++followed by ')', that n-char-sequence is wrongly treated as
++significant for determining the payload of the resulting NaN, when ISO
++C says the call should be equivalent to strtod ("NAN", NULL), without
++being affected by that initial n-char-sequence. This patch fixes both
++those problems by using the __strtod_nan etc. functions recently
++factored out of strtod etc. for that purpose, with those functions
++being exported from libc at version GLIBC_PRIVATE.
++
++Tested for x86_64, x86, mips64 and powerpc.
++
++ [BZ #16961]
++ [BZ #16962]
++ * math/s_nan.c (__nan): Use __strtod_nan instead of constructing a
++ string on the stack for strtod.
++ * math/s_nanf.c (__nanf): Use __strtof_nan instead of constructing
++ a string on the stack for strtof.
++ * math/s_nanl.c (__nanl): Use __strtold_nan instead of
++ constructing a string on the stack for strtold.
++ * stdlib/Versions (libc): Add __strtof_nan, __strtod_nan and
++ __strtold_nan to GLIBC_PRIVATE.
++ * math/test-nan-overflow.c: New file.
++ * math/test-nan-payload.c: Likewise.
++ * math/Makefile (tests): Add test-nan-overflow and
++ test-nan-payload.
++
++Upstream-Status: Backport
++CVE: CVE-2015-9761 patch #2
++[Yocto # 8980]
++
++https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8f5e8b01a1da2a207228f2072c934fa5918554b8
++
++Signed-off-by: Armin Kuster <akuster@mvista.com>
++
++---
++ ChangeLog | 17 +++++++
++ NEWS | 6 +++
++ math/Makefile | 3 +-
++ math/s_nan.c | 9 +---
++ math/s_nanf.c | 9 +---
++ math/s_nanl.c | 9 +---
++ math/test-nan-overflow.c | 66 +++++++++++++++++++++++++
++ math/test-nan-payload.c | 122 +++++++++++++++++++++++++++++++++++++++++++++++
++ stdlib/Versions | 1 +
++ 9 files changed, 217 insertions(+), 25 deletions(-)
++ create mode 100644 math/test-nan-overflow.c
++ create mode 100644 math/test-nan-payload.c
++
++Index: git/ChangeLog
++===================================================================
++--- git.orig/ChangeLog
+++++ git/ChangeLog
++@@ -1,3 +1,20 @@
+++2015-12-04 Joseph Myers <joseph@codesourcery.com>
+++
+++ [BZ #16961]
+++ [BZ #16962]
+++ * math/s_nan.c (__nan): Use __strtod_nan instead of constructing a
+++ string on the stack for strtod.
+++ * math/s_nanf.c (__nanf): Use __strtof_nan instead of constructing
+++ a string on the stack for strtof.
+++ * math/s_nanl.c (__nanl): Use __strtold_nan instead of
+++ constructing a string on the stack for strtold.
+++ * stdlib/Versions (libc): Add __strtof_nan, __strtod_nan and
+++ __strtold_nan to GLIBC_PRIVATE.
+++ * math/test-nan-overflow.c: New file.
+++ * math/test-nan-payload.c: Likewise.
+++ * math/Makefile (tests): Add test-nan-overflow and
+++ test-nan-payload.
+++
++ 2015-11-24 Joseph Myers <joseph@codesourcery.com>
++
++ * stdlib/strtod_nan.c: New file.
++Index: git/NEWS
++===================================================================
++--- git.orig/NEWS
+++++ git/NEWS
++@@ -99,6 +99,12 @@ Version 2.22
++ \f
++ Version 2.21
++
+++Security related changes:
+++
+++* The nan, nanf and nanl functions no longer have unbounded stack usage
+++ depending on the length of the string passed as an argument to the
+++ functions. Reported by Joseph Myers.
+++
++ * The following bugs are resolved with this release:
++
++ 6652, 10672, 12674, 12847, 12926, 13862, 14132, 14138, 14171, 14498,
++Index: git/math/Makefile
++===================================================================
++--- git.orig/math/Makefile
+++++ git/math/Makefile
++@@ -110,6 +110,7 @@ tests = test-matherr test-fenv atest-exp
++ test-tgmath-ret bug-nextafter bug-nexttoward bug-tgmath1 \
++ test-tgmath-int test-tgmath2 test-powl tst-CMPLX tst-CMPLX2 test-snan \
++ test-fenv-tls test-fenv-preserve test-fenv-return test-fenvinline \
+++ test-nan-overflow test-nan-payload \
++ $(tests-static)
++ tests-static = test-fpucw-static test-fpucw-ieee-static
++ # We do the `long double' tests only if this data type is available and
++Index: git/math/s_nan.c
++===================================================================
++--- git.orig/math/s_nan.c
+++++ git/math/s_nan.c
++@@ -28,14 +28,7 @@
++ double
++ __nan (const char *tagp)
++ {
++- if (tagp[0] != '\0')
++- {
++- char buf[6 + strlen (tagp)];
++- sprintf (buf, "NAN(%s)", tagp);
++- return strtod (buf, NULL);
++- }
++-
++- return NAN;
+++ return __strtod_nan (tagp, NULL, 0);
++ }
++ weak_alias (__nan, nan)
++ #ifdef NO_LONG_DOUBLE
++Index: git/math/s_nanf.c
++===================================================================
++--- git.orig/math/s_nanf.c
+++++ git/math/s_nanf.c
++@@ -28,13 +28,6 @@
++ float
++ __nanf (const char *tagp)
++ {
++- if (tagp[0] != '\0')
++- {
++- char buf[6 + strlen (tagp)];
++- sprintf (buf, "NAN(%s)", tagp);
++- return strtof (buf, NULL);
++- }
++-
++- return NAN;
+++ return __strtof_nan (tagp, NULL, 0);
++ }
++ weak_alias (__nanf, nanf)
++Index: git/math/s_nanl.c
++===================================================================
++--- git.orig/math/s_nanl.c
+++++ git/math/s_nanl.c
++@@ -28,13 +28,6 @@
++ long double
++ __nanl (const char *tagp)
++ {
++- if (tagp[0] != '\0')
++- {
++- char buf[6 + strlen (tagp)];
++- sprintf (buf, "NAN(%s)", tagp);
++- return strtold (buf, NULL);
++- }
++-
++- return NAN;
+++ return __strtold_nan (tagp, NULL, 0);
++ }
++ weak_alias (__nanl, nanl)
++Index: git/math/test-nan-overflow.c
++===================================================================
++--- /dev/null
+++++ git/math/test-nan-overflow.c
++@@ -0,0 +1,66 @@
+++/* Test nan functions stack overflow (bug 16962).
+++ Copyright (C) 2015 Free Software Foundation, Inc.
+++ This file is part of the GNU C Library.
+++
+++ The GNU C Library is free software; you can redistribute it and/or
+++ modify it under the terms of the GNU Lesser General Public
+++ License as published by the Free Software Foundation; either
+++ version 2.1 of the License, or (at your option) any later version.
+++
+++ The GNU C Library is distributed in the hope that it will be useful,
+++ but WITHOUT ANY WARRANTY; without even the implied warranty of
+++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+++ Lesser General Public License for more details.
+++
+++ You should have received a copy of the GNU Lesser General Public
+++ License along with the GNU C Library; if not, see
+++ <http://www.gnu.org/licenses/>. */
+++
+++#include <math.h>
+++#include <stdio.h>
+++#include <string.h>
+++#include <sys/resource.h>
+++
+++#define STACK_LIM 1048576
+++#define STRING_SIZE (2 * STACK_LIM)
+++
+++static int
+++do_test (void)
+++{
+++ int result = 0;
+++ struct rlimit lim;
+++ getrlimit (RLIMIT_STACK, &lim);
+++ lim.rlim_cur = STACK_LIM;
+++ setrlimit (RLIMIT_STACK, &lim);
+++ char *nanstr = malloc (STRING_SIZE);
+++ if (nanstr == NULL)
+++ {
+++ puts ("malloc failed, cannot test");
+++ return 77;
+++ }
+++ memset (nanstr, '0', STRING_SIZE - 1);
+++ nanstr[STRING_SIZE - 1] = 0;
+++#define NAN_TEST(TYPE, FUNC) \
+++ do \
+++ { \
+++ char *volatile p = nanstr; \
+++ volatile TYPE v = FUNC (p); \
+++ if (isnan (v)) \
+++ puts ("PASS: " #FUNC); \
+++ else \
+++ { \
+++ puts ("FAIL: " #FUNC); \
+++ result = 1; \
+++ } \
+++ } \
+++ while (0)
+++ NAN_TEST (float, nanf);
+++ NAN_TEST (double, nan);
+++#ifndef NO_LONG_DOUBLE
+++ NAN_TEST (long double, nanl);
+++#endif
+++ return result;
+++}
+++
+++#define TEST_FUNCTION do_test ()
+++#include "../test-skeleton.c"
++Index: git/math/test-nan-payload.c
++===================================================================
++--- /dev/null
+++++ git/math/test-nan-payload.c
++@@ -0,0 +1,122 @@
+++/* Test nan functions payload handling (bug 16961).
+++ Copyright (C) 2015 Free Software Foundation, Inc.
+++ This file is part of the GNU C Library.
+++
+++ The GNU C Library is free software; you can redistribute it and/or
+++ modify it under the terms of the GNU Lesser General Public
+++ License as published by the Free Software Foundation; either
+++ version 2.1 of the License, or (at your option) any later version.
+++
+++ The GNU C Library is distributed in the hope that it will be useful,
+++ but WITHOUT ANY WARRANTY; without even the implied warranty of
+++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+++ Lesser General Public License for more details.
+++
+++ You should have received a copy of the GNU Lesser General Public
+++ License along with the GNU C Library; if not, see
+++ <http://www.gnu.org/licenses/>. */
+++
+++#include <float.h>
+++#include <math.h>
+++#include <stdio.h>
+++#include <stdlib.h>
+++#include <string.h>
+++
+++/* Avoid built-in functions. */
+++#define WRAP_NAN(FUNC, STR) \
+++ ({ const char *volatile wns = (STR); FUNC (wns); })
+++#define WRAP_STRTO(FUNC, STR) \
+++ ({ const char *volatile wss = (STR); FUNC (wss, NULL); })
+++
+++#define CHECK_IS_NAN(TYPE, A) \
+++ do \
+++ { \
+++ if (isnan (A)) \
+++ puts ("PASS: " #TYPE " " #A); \
+++ else \
+++ { \
+++ puts ("FAIL: " #TYPE " " #A); \
+++ result = 1; \
+++ } \
+++ } \
+++ while (0)
+++
+++#define CHECK_SAME_NAN(TYPE, A, B) \
+++ do \
+++ { \
+++ if (memcmp (&(A), &(B), sizeof (A)) == 0) \
+++ puts ("PASS: " #TYPE " " #A " = " #B); \
+++ else \
+++ { \
+++ puts ("FAIL: " #TYPE " " #A " = " #B); \
+++ result = 1; \
+++ } \
+++ } \
+++ while (0)
+++
+++#define CHECK_DIFF_NAN(TYPE, A, B) \
+++ do \
+++ { \
+++ if (memcmp (&(A), &(B), sizeof (A)) != 0) \
+++ puts ("PASS: " #TYPE " " #A " != " #B); \
+++ else \
+++ { \
+++ puts ("FAIL: " #TYPE " " #A " != " #B); \
+++ result = 1; \
+++ } \
+++ } \
+++ while (0)
+++
+++/* Cannot test payloads by memcmp for formats where NaNs have padding
+++ bits. */
+++#define CAN_TEST_EQ(MANT_DIG) ((MANT_DIG) != 64 && (MANT_DIG) != 106)
+++
+++#define RUN_TESTS(TYPE, SFUNC, FUNC, MANT_DIG) \
+++ do \
+++ { \
+++ TYPE n123 = WRAP_NAN (FUNC, "123"); \
+++ CHECK_IS_NAN (TYPE, n123); \
+++ TYPE s123 = WRAP_STRTO (SFUNC, "NAN(123)"); \
+++ CHECK_IS_NAN (TYPE, s123); \
+++ TYPE n456 = WRAP_NAN (FUNC, "456"); \
+++ CHECK_IS_NAN (TYPE, n456); \
+++ TYPE s456 = WRAP_STRTO (SFUNC, "NAN(456)"); \
+++ CHECK_IS_NAN (TYPE, s456); \
+++ TYPE n123x = WRAP_NAN (FUNC, "123)"); \
+++ CHECK_IS_NAN (TYPE, n123x); \
+++ TYPE nemp = WRAP_NAN (FUNC, ""); \
+++ CHECK_IS_NAN (TYPE, nemp); \
+++ TYPE semp = WRAP_STRTO (SFUNC, "NAN()"); \
+++ CHECK_IS_NAN (TYPE, semp); \
+++ TYPE sx = WRAP_STRTO (SFUNC, "NAN"); \
+++ CHECK_IS_NAN (TYPE, sx); \
+++ if (CAN_TEST_EQ (MANT_DIG)) \
+++ CHECK_SAME_NAN (TYPE, n123, s123); \
+++ if (CAN_TEST_EQ (MANT_DIG)) \
+++ CHECK_SAME_NAN (TYPE, n456, s456); \
+++ if (CAN_TEST_EQ (MANT_DIG)) \
+++ CHECK_SAME_NAN (TYPE, nemp, semp); \
+++ if (CAN_TEST_EQ (MANT_DIG)) \
+++ CHECK_SAME_NAN (TYPE, n123x, sx); \
+++ CHECK_DIFF_NAN (TYPE, n123, n456); \
+++ CHECK_DIFF_NAN (TYPE, n123, nemp); \
+++ CHECK_DIFF_NAN (TYPE, n123, n123x); \
+++ CHECK_DIFF_NAN (TYPE, n456, nemp); \
+++ CHECK_DIFF_NAN (TYPE, n456, n123x); \
+++ } \
+++ while (0)
+++
+++static int
+++do_test (void)
+++{
+++ int result = 0;
+++ RUN_TESTS (float, strtof, nanf, FLT_MANT_DIG);
+++ RUN_TESTS (double, strtod, nan, DBL_MANT_DIG);
+++#ifndef NO_LONG_DOUBLE
+++ RUN_TESTS (long double, strtold, nanl, LDBL_MANT_DIG);
+++#endif
+++ return result;
+++}
+++
+++#define TEST_FUNCTION do_test ()
+++#include "../test-skeleton.c"
++Index: git/stdlib/Versions
++===================================================================
++--- git.orig/stdlib/Versions
+++++ git/stdlib/Versions
++@@ -118,5 +118,6 @@ libc {
++ # Used from other libraries
++ __libc_secure_getenv;
++ __call_tls_dtors;
+++ __strtof_nan; __strtod_nan; __strtold_nan;
++ }
++ }
diff --git a/meta/recipes-core/glibc/glibc_2.21.bb b/meta/recipes-core/glibc/glibc_2.21.bb
index afe32d5..5d05f0c 100644
--- a/meta/recipes-core/glibc/glibc_2.21.bb
+++ b/meta/recipes-core/glibc/glibc_2.21.bb
@@ -50,6 +50,7 @@ CVEPATCHES = "\
file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \
file://CVE-2015-8777.patch \
file://CVE-2015-8779.patch \
+ file://CVE-2015-9761.patch \
"
LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
--
2.3.5
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH 4/4] glibc: CVE_2015-8776
2016-01-25 19:34 [PATCH 0/4][fido] Glibc security fixes Armin Kuster
` (2 preceding siblings ...)
2016-01-25 19:34 ` [PATCH 3/4] glibc: CVE-2015-9761 Armin Kuster
@ 2016-01-25 19:34 ` Armin Kuster
2016-01-25 20:00 ` [PATCH 0/4][fido] Glibc security fixes Khem Raj
4 siblings, 0 replies; 6+ messages in thread
From: Armin Kuster @ 2016-01-25 19:34 UTC (permalink / raw)
To: openembedded-core
From: Armin Kuster <akuster@mvista.com>
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
meta/recipes-core/glibc/glibc/CVE-2015-8776.patch | 176 ++++++++++++++++++++++
meta/recipes-core/glibc/glibc_2.21.bb | 1 +
2 files changed, 177 insertions(+)
create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
new file mode 100644
index 0000000..118958f
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
@@ -0,0 +1,176 @@
+From 08564114d5c0150131ce3b29037f0202f2d4002b Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster@mvista.com>
+Date: Fri, 22 Jan 2016 20:25:19 -0800
+Subject: [PATCH 4/4] glibc: CVE-2015-8776
+
+it was found that out-of-range time values passed to the strftime function may
+cause it to crash, leading to a denial of service, or potentially disclosure
+information.
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ meta/recipes-core/glibc/glibc/CVE-2015-8776.patch | 155 ++++++++++++++++++++++
+ meta/recipes-core/glibc/glibc_2.22.bb | 1 +
+ 2 files changed, 156 insertions(+)
+ create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
+
+Index: git/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
+===================================================================
+--- /dev/null
++++ git/meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
+@@ -0,0 +1,155 @@
++From d36c75fc0d44deec29635dd239b0fbd206ca49b7 Mon Sep 17 00:00:00 2001
++From: Paul Pluzhnikov <ppluzhnikov@google.com>
++Date: Sat, 26 Sep 2015 13:27:48 -0700
++Subject: [PATCH] Fix BZ #18985 -- out of range data to strftime() causes a
++ segfault
++
++Upstream-Status: Backport
++CVE: CVE-2015-8776
++[Yocto # 8980]
++
++https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d36c75fc0d44deec29635dd239b0fbd206ca49b7
++
++Signed-off-by: Armin Kuster <akuster@mvista.com>
++
++---
++ ChangeLog | 8 ++++++++
++ NEWS | 2 +-
++ time/strftime_l.c | 20 +++++++++++++-------
++ time/tst-strftime.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
++ 4 files changed, 73 insertions(+), 9 deletions(-)
++
++Index: git/ChangeLog
++===================================================================
++--- git.orig/ChangeLog
+++++ git/ChangeLog
++@@ -1,3 +1,11 @@
+++2015-09-26 Paul Pluzhnikov <ppluzhnikov@google.com>
+++
+++ [BZ #18985]
+++ * time/strftime_l.c (a_wkday, f_wkday, a_month, f_month): Range check.
+++ (__strftime_internal): Likewise.
+++ * time/tst-strftime.c (do_bz18985): New test.
+++ (do_test): Call it.
+++
++ 2015-12-04 Joseph Myers <joseph@codesourcery.com>
++
++ [BZ #16961]
++Index: git/time/strftime_l.c
++===================================================================
++--- git.orig/time/strftime_l.c
+++++ git/time/strftime_l.c
++@@ -514,13 +514,17 @@ __strftime_internal (s, maxsize, format,
++ only a few elements. Dereference the pointers only if the format
++ requires this. Then it is ok to fail if the pointers are invalid. */
++ # define a_wkday \
++- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday))
+++ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \
+++ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABDAY_1) + tp->tm_wday)))
++ # define f_wkday \
++- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday))
+++ ((const CHAR_T *) (tp->tm_wday < 0 || tp->tm_wday > 6 \
+++ ? "?" : _NL_CURRENT (LC_TIME, NLW(DAY_1) + tp->tm_wday)))
++ # define a_month \
++- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon))
+++ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \
+++ ? "?" : _NL_CURRENT (LC_TIME, NLW(ABMON_1) + tp->tm_mon)))
++ # define f_month \
++- ((const CHAR_T *) _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon))
+++ ((const CHAR_T *) (tp->tm_mon < 0 || tp->tm_mon > 11 \
+++ ? "?" : _NL_CURRENT (LC_TIME, NLW(MON_1) + tp->tm_mon)))
++ # define ampm \
++ ((const CHAR_T *) _NL_CURRENT (LC_TIME, tp->tm_hour > 11 \
++ ? NLW(PM_STR) : NLW(AM_STR)))
++@@ -530,8 +534,10 @@ __strftime_internal (s, maxsize, format,
++ # define ap_len STRLEN (ampm)
++ #else
++ # if !HAVE_STRFTIME
++-# define f_wkday (weekday_name[tp->tm_wday])
++-# define f_month (month_name[tp->tm_mon])
+++# define f_wkday (tp->tm_wday < 0 || tp->tm_wday > 6 \
+++ ? "?" : weekday_name[tp->tm_wday])
+++# define f_month (tp->tm_mon < 0 || tp->tm_mon > 11 \
+++ ? "?" : month_name[tp->tm_mon])
++ # define a_wkday f_wkday
++ # define a_month f_month
++ # define ampm (L_("AMPM") + 2 * (tp->tm_hour > 11))
++@@ -1325,7 +1331,7 @@ __strftime_internal (s, maxsize, format,
++ *tzset_called = true;
++ }
++ # endif
++- zone = tzname[tp->tm_isdst];
+++ zone = tp->tm_isdst <= 1 ? tzname[tp->tm_isdst] : "?";
++ }
++ #endif
++ if (! zone)
++Index: git/time/tst-strftime.c
++===================================================================
++--- git.orig/time/tst-strftime.c
+++++ git/time/tst-strftime.c
++@@ -4,6 +4,56 @@
++ #include <time.h>
++
++
+++static int
+++do_bz18985 (void)
+++{
+++ char buf[1000];
+++ struct tm ttm;
+++ int rc, ret = 0;
+++
+++ memset (&ttm, 1, sizeof (ttm));
+++ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */
+++ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
+++
+++ if (rc == 66)
+++ {
+++ const char expected[]
+++ = "? ? ? ? ? ? 16843009 16843009:16843009:16843009 16844909 +467836 ?";
+++ if (0 != strcmp (buf, expected))
+++ {
+++ printf ("expected:\n %s\ngot:\n %s\n", expected, buf);
+++ ret += 1;
+++ }
+++ }
+++ else
+++ {
+++ printf ("expected 66, got %d\n", rc);
+++ ret += 1;
+++ }
+++
+++ /* Check negative values as well. */
+++ memset (&ttm, 0xFF, sizeof (ttm));
+++ ttm.tm_zone = NULL; /* Dereferenced directly if non-NULL. */
+++ rc = strftime (buf, sizeof (buf), "%a %A %b %B %c %z %Z", &ttm);
+++
+++ if (rc == 30)
+++ {
+++ const char expected[] = "? ? ? ? ? ? -1 -1:-1:-1 1899 ";
+++ if (0 != strcmp (buf, expected))
+++ {
+++ printf ("expected:\n %s\ngot:\n %s\n", expected, buf);
+++ ret += 1;
+++ }
+++ }
+++ else
+++ {
+++ printf ("expected 30, got %d\n", rc);
+++ ret += 1;
+++ }
+++
+++ return ret;
+++}
+++
++ static struct
++ {
++ const char *fmt;
++@@ -104,7 +154,7 @@ do_test (void)
++ }
++ }
++
++- return result;
+++ return result + do_bz18985 ();
++ }
++
++ #define TEST_FUNCTION do_test ()
diff --git a/meta/recipes-core/glibc/glibc_2.21.bb b/meta/recipes-core/glibc/glibc_2.21.bb
index 5d05f0c..1829647 100644
--- a/meta/recipes-core/glibc/glibc_2.21.bb
+++ b/meta/recipes-core/glibc/glibc_2.21.bb
@@ -51,6 +51,7 @@ CVEPATCHES = "\
file://CVE-2015-8777.patch \
file://CVE-2015-8779.patch \
file://CVE-2015-9761.patch \
+ file://CVE-2015-8776.patch \
"
LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
--
2.3.5
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH 0/4][fido] Glibc security fixes
2016-01-25 19:34 [PATCH 0/4][fido] Glibc security fixes Armin Kuster
` (3 preceding siblings ...)
2016-01-25 19:34 ` [PATCH 4/4] glibc: CVE_2015-8776 Armin Kuster
@ 2016-01-25 20:00 ` Khem Raj
4 siblings, 0 replies; 6+ messages in thread
From: Khem Raj @ 2016-01-25 20:00 UTC (permalink / raw)
To: Armin Kuster; +Cc: Patches and discussions about the oe-core layer
[-- Attachment #1: Type: text/plain, Size: 1699 bytes --]
Patches are ok. I was wondering if BACKPORTS variable was good enough for
cve patches too. Anyway the patch name ha cve informations
On Jan 25, 2016 12:35 PM, "Armin Kuster" <akuster808@gmail.com> wrote:
> noticed this did not hit the patchwork. resending.
>
> Please consider these for the next fido update.
>
> The following changes since commit
> 9845a542a76156adb5aef6fd33ad5bc5777acf64:
>
> openssh: CVE-2016-077x (2016-01-20 17:08:30 +0000)
>
> are available in the git repository at:
>
> git://git.yoctoproject.org/poky-contrib akuster/fido_glibc_cve_fixes
>
> http://git.yoctoproject.org/cgit.cgi//log/?h=akuster/fido_glibc_cve_fixes
>
> Armin Kuster (4):
> glibc: CVE-2015-8777
> glibc: CVE-2015-8779
> glibc: CVE-2015-9761
> glibc: CVE_2015-8776
>
> meta/recipes-core/glibc/glibc/CVE-2015-8776.patch | 176 +++
> meta/recipes-core/glibc/glibc/CVE-2015-8777.patch | 143 ++
> meta/recipes-core/glibc/glibc/CVE-2015-8779.patch | 282 ++++
> meta/recipes-core/glibc/glibc/CVE-2015-9761.patch | 1452
> +++++++++++++++++++++
> meta/recipes-core/glibc/glibc_2.21.bb | 4 +
> 5 files changed, 2057 insertions(+)
> create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8776.patch
> create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
> create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8779.patch
> create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-9761.patch
>
> --
> 2.3.5
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
[-- Attachment #2: Type: text/html, Size: 2495 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2016-01-25 20:00 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-01-25 19:34 [PATCH 0/4][fido] Glibc security fixes Armin Kuster
2016-01-25 19:34 ` [PATCH 1/4] glibc: CVE-2015-8777 Armin Kuster
2016-01-25 19:34 ` [PATCH 2/4] glibc: CVE-2015-8779 Armin Kuster
2016-01-25 19:34 ` [PATCH 3/4] glibc: CVE-2015-9761 Armin Kuster
2016-01-25 19:34 ` [PATCH 4/4] glibc: CVE_2015-8776 Armin Kuster
2016-01-25 20:00 ` [PATCH 0/4][fido] Glibc security fixes Khem Raj
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.