fix double free error in tac, build su with pie again
parent
24132a00a8
commit
626aa7bd2c
|
@ -0,0 +1,11 @@
|
|||
diff -urNp coreutils-8.4-orig/src/Makefile.am coreutils-8.4/src/Makefile.am
|
||||
--- coreutils-8.4-orig/src/Makefile.am 2010-09-03 17:34:43.399747649 +0200
|
||||
+++ coreutils-8.4/src/Makefile.am 2010-09-03 17:36:13.005765125 +0200
|
||||
@@ -367,6 +367,7 @@ factor_LDADD += $(LIB_GMP)
|
||||
|
||||
# for crypt
|
||||
su_LDADD += $(LIB_CRYPT) @LIB_PAM@
|
||||
+su_LDFLAGS = -pie
|
||||
|
||||
# for various ACL functions
|
||||
copy_LDADD += $(LIB_ACL)
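Review bot: `su_LDFLAGS = -pie` is an automake per-target variable, and when a program-specific `_LDFLAGS` is defined automake no longer applies `AM_LDFLAGS` to that program, so su would silently lose any link flags the build sets for every other tool; `su_LDFLAGS = $(AM_LDFLAGS) -pie` keeps them. The hunk only changes the link step, and a PIE link needs the objects compiled with `-fPIE` — whether the packaging's CFLAGS already carry that is not visible here, so please confirm, or add `su_CFLAGS = $(AM_CFLAGS) -fPIE` next to it; otherwise the link can fail with relocation errors or produce a binary that is not really position independent. Since su is the only program singled out here, a one-line comment recording why would help the next reader, e.g. `# link su as a PIE so ASLR also covers the executable itself (su is normally installed setuid)`. The patch is labelled coreutils-8.4 while the spec applies it to 8.5; renaming it avoids the mismatch.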
|
|
@ -0,0 +1,66 @@
|
|||
From b3959fc691e606857a3c6e9b316ec34819972245 Mon Sep 17 00:00:00 2001
|
||||
From: Jim Meyering <meyering@redhat.com>
|
||||
Date: Sat, 28 Aug 2010 17:45:29 +0200
|
||||
Subject: [PATCH] tac: avoid double free
|
||||
|
||||
* src/tac.c (main): Reading a line longer than 16KiB would cause
|
||||
tac to realloc its primary buffer. Then, just before exit, tac
|
||||
would mistakenly free the original (now free'd) buffer.
|
||||
This bug was introduced by commit be6c13e7, "maint: always free a
|
||||
buffer, to avoid even semblance of a leak".
|
||||
* tests/misc/tac (double-free): New test, to exercise this.
|
||||
Reported by Salvo Tomaselli in <http://bugs.debian.org/594666>.
|
||||
---
|
||||
src/tac.c | 6 ++++--
|
||||
tests/misc/tac | 6 ++++++
|
||||
2 files changed, 10 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/tac.c b/src/tac.c
|
||||
index cec9736..859e006 100644
|
||||
--- a/src/tac.c
|
||||
+++ b/src/tac.c
|
||||
@@ -633,7 +633,6 @@ main (int argc, char **argv)
|
||||
if (! (read_size < half_buffer_size && half_buffer_size < G_buffer_size))
|
||||
xalloc_die ();
|
||||
G_buffer = xmalloc (G_buffer_size);
|
||||
- void *buf = G_buffer;
|
||||
if (sentinel_length)
|
||||
{
|
||||
strcpy (G_buffer, separator);
|
||||
@@ -666,6 +665,9 @@ main (int argc, char **argv)
|
||||
error (0, errno, "-");
|
||||
ok = false;
|
||||
}
|
||||
- free (buf);
|
||||
+
|
||||
+ size_t offset = sentinel_length ? sentinel_length : 1;
|
||||
+ free (G_buffer - offset);
|
||||
+
|
||||
exit (ok ? EXIT_SUCCESS : EXIT_FAILURE);
|
||||
}
|
||||
diff --git a/tests/misc/tac b/tests/misc/tac
|
||||
index 7631049..4130c00 100755
|
||||
--- a/tests/misc/tac
|
||||
+++ b/tests/misc/tac
|
||||
@@ -24,6 +24,9 @@ my $prog = 'tac';
|
||||
|
||||
my $bad_dir = 'no/such/dir';
|
||||
|
||||
+# This must be longer than 16KiB to trigger the double free in coreutils-8.5.
|
||||
+my $long_line = 'o' x (16 * 1024 + 1);
|
||||
+
|
||||
my @Tests =
|
||||
(
|
||||
['segfault', '-r', {IN=>"a\n"}, {IN=>"b\n"}, {OUT=>"a\nb\n"}],
|
||||
@@ -67,6 +70,9 @@ my @Tests =
|
||||
{ERR_SUBST => "s,`$bad_dir': .*,...,"},
|
||||
{ERR => "$prog: cannot create temporary file in ...\n"},
|
||||
{EXIT => 1}],
|
||||
+
|
||||
+ # coreutils-8.5's tac would double-free its primary buffer.
|
||||
+ ['double-free', {IN=>$long_line}, {OUT=>$long_line}],
|
||||
);
|
||||
|
||||
@Tests = triple_test \@Tests;
|
||||
--
|
||||
1.7.2.2.510.g7180a
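Review bot: `free (G_buffer - offset)` depends on an invariant the hunk leaves unstated — that G_buffer was advanced exactly `sentinel_length` bytes (or 1 when there is no sentinel) past the start of the block returned by xmalloc, and that every later realloc of the buffer stored its result with the same advance; the removed `void *buf = G_buffer` snapshot taken right after `xmalloc` suggests that advance happens later in main, outside this hunk, and the realloc path the commit message describes is not shown either. Please add a comment above the free such as `/* G_buffer points sentinel_length (or 1) bytes into the block from xmalloc/xrealloc; step back to the real start before freeing.  */` and double-check the buffer-growing code keeps the same offset, because if it does not this turns the double free into an invalid free. The literal `1` in `sentinel_length ? sentinel_length : 1` mirrors whatever the allocation code adds in the no-sentinel case; giving that value one name used in both places would stop them drifting apart. The new `double-free` test feeds a 16 KiB + 1 line without a trailing newline and expects it back unchanged, which is the realloc path; `main` begins and ends outside this hunk.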
|
|
@ -1,7 +1,7 @@
|
|||
Summary: A set of basic GNU tools commonly used in shell scripts
|
||||
Name: coreutils
|
||||
Version: 8.5
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
License: GPLv3+
|
||||
Group: System Environment/Base
|
||||
Url: http://www.gnu.org/software/coreutils/
|
||||
|
@ -18,6 +18,8 @@ Source202: coreutils-su-l.pamd
|
|||
Source203: coreutils-runuser-l.pamd
|
||||
|
||||
# From upstream
|
||||
#fix double free error in tac (reported in debian bug #594666)
|
||||
Patch1: coreutils-8.5-tac-doublefree.patch
|
||||
|
||||
# Our patches
|
||||
#general patch to workaround koji build system issues
|
||||
|
@ -62,6 +64,8 @@ Patch912: coreutils-overflow.patch
|
|||
Patch915: coreutils-split-pam.patch
|
||||
#prevent koji build failure with wrong getfacl exit code
|
||||
Patch916: coreutils-getfacl-exit-code.patch
|
||||
#compile su with pie flag
|
||||
Patch917: coreutils-8.4-su-pie.patch
|
||||
|
||||
#SELINUX Patch - implements Redhat changes
|
||||
#(upstream did some SELinux implementation unlike with RedHat patch)
|
||||
|
@ -121,6 +125,7 @@ Libraries for coreutils package.
|
|||
%setup -q
|
||||
|
||||
# From upstream
|
||||
%patch1 -p1 -b .doublefree
|
||||
|
||||
# Our patches
|
||||
%patch100 -p1 -b .configure
|
||||
|
@ -146,6 +151,7 @@ Libraries for coreutils package.
|
|||
%patch912 -p1 -b .overflow
|
||||
%patch915 -p1 -b .splitl
|
||||
%patch916 -p1 -b .getfacl-exit-code
|
||||
%patch917 -p1 -b .pie
|
||||
|
||||
#SELinux
|
||||
%patch950 -p1 -b .selinux
|
||||
|
@ -176,8 +182,7 @@ automake --copy --add-missing
|
|||
touch man/*.x
|
||||
|
||||
make all %{?_smp_mflags} \
|
||||
%{?!nopam:CPPFLAGS="-DUSE_PAM"} \
|
||||
su_LDFLAGS="-pie %{?!nopam:-lpam -lpam_misc}"
|
||||
%{?!nopam:CPPFLAGS="-DUSE_PAM"}
|
||||
|
||||
# XXX docs should say /var/run/[uw]tmp not /etc/[uw]tmp
|
||||
sed -i -e 's,/etc/utmp,/var/run/utmp,g;s,/etc/wtmp,/var/run/wtmp,g' doc/coreutils.texi
|
||||
|
@ -339,6 +344,10 @@ fi
|
|||
%{_libdir}/coreutils
|
||||
|
||||
%changelog
|
||||
* Tue Sep 07 2010 Ondrej Vasik <ovasik@redhat.com> - 8.5-5
|
||||
- compile su with pie again (#630017)
|
||||
- fix double free abort in tac (#628213)
|
||||
|
||||
* Thu Jul 22 2010 Ondrej Vasik <ovasik@redhat.com> - 8.5-4
|
||||
- Add .ear, .war, .sar , for Java jar-like archives to
|
||||
dircolors (#616497)
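Review bot: the %build hunk drops `su_LDFLAGS="-pie ..."` from the make invocation and relies on Patch917 to put `-pie` into Makefile.am, but nothing in the spec adds `-fPIE` to the compiler flags for su's objects; unless `%{optflags}` already contains it (not visible here), linking a PIE from non-PIC objects can fail or yield a binary that is not position independent, so please verify on the built package (`readelf -h su` should report `Type: DYN`) before closing #630017. The removed make line also passed `-lpam -lpam_misc` under `%{?!nopam}`; PAM linkage now appears to come only from `@LIB_PAM@` in `su_LDADD`, presumably from the split-pam patch, so confirm both the default and the `nopam` builds still link. Patch917 is named `coreutils-8.4-su-pie.patch` in a spec for version 8.5; naming it `coreutils-8.5-su-pie.patch` keeps it consistent with Patch1.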
|
||||
|
|