+ - Avoid "nargs" integer overflow which could be used to bypass FORTIFY_SOURCE (#794797)

.gitignore

@@ -1,3 +1,3 @@
-/glibc-ports-2.14.tar.xz
-/glibc-2.14-15-g9614794-fedora.tar.xz
-/glibc-2.14-15-g9614794.tar.xz
+/glibc-2.14.1-fedora.tar.xz
+/glibc-2.14.1.tar.xz
+/glibc-ports-2.14.1-1-g3eb1dbf.tar.xz

glibc-rh767696.patch

@@ -0,0 +1,82 @@
+commit 97ac2654b2d831acaa18a2b018b0736245903fd2
+Author: Ulrich Drepper <drepper@gmail.com>
+Date:   Sat Dec 17 20:18:42 2011 -0500
+
+    Check values from TZ file header
+
+
+	[BZ #13506]
+	* time/tzfile.c (__tzfile_read): Check values from file header.
+
+diff --git a/time/tzfile.c b/time/tzfile.c
+index 144e20b..402389c 100644
+--- a/time/tzfile.c
++++ b/time/tzfile.c
+@@ -234,23 +234,58 @@ __tzfile_read (const char *file, size_t extra, char **extrap)
+       goto read_again;
+     }
+ 
++  if (__builtin_expect (num_transitions
++			> ((SIZE_MAX - (__alignof__ (struct ttinfo) - 1))
++			   / (sizeof (time_t) + 1)), 0))
++    goto lose;
+   total_size = num_transitions * (sizeof (time_t) + 1);
+   total_size = ((total_size + __alignof__ (struct ttinfo) - 1)
+ 		& ~(__alignof__ (struct ttinfo) - 1));
+   types_idx = total_size;
+-  total_size += num_types * sizeof (struct ttinfo) + chars;
++  if (__builtin_expect (num_types
++			> (SIZE_MAX - total_size) / sizeof (struct ttinfo), 0))
++    goto lose;
++  total_size += num_types * sizeof (struct ttinfo);
++  if (__builtin_expect (chars > SIZE_MAX - total_size, 0))
++    goto lose;
++  total_size += chars;
++  if (__builtin_expect (__alignof__ (struct leap) - 1
++			> SIZE_MAX - total_size, 0))
++    goto lose;
+   total_size = ((total_size + __alignof__ (struct leap) - 1)
+ 		& ~(__alignof__ (struct leap) - 1));
+   leaps_idx = total_size;
++  if (__builtin_expect (num_leaps
++			> (SIZE_MAX - total_size) / sizeof (struct leap), 0))
++    goto lose;
+   total_size += num_leaps * sizeof (struct leap);
+-  tzspec_len = (sizeof (time_t) == 8 && trans_width == 8
+-		? st.st_size - (ftello (f)
+-				+ num_transitions * (8 + 1)
+-				+ num_types * 6
+-				+ chars
+-				+ num_leaps * 12
+-				+ num_isstd
+-				+ num_isgmt) - 1 : 0);
++  tzspec_len = 0;
++  if (sizeof (time_t) == 8 && trans_width == 8)
++    {
++      off_t rem = st.st_size - ftello (f);
++      if (__builtin_expect (rem < 0
++			    || (size_t) rem < (num_transitions * (8 + 1)
++					       + num_types * 6
++					       + chars), 0))
++	goto lose;
++      tzspec_len = (size_t) rem - (num_transitions * (8 + 1)
++				   + num_types * 6
++				   + chars);
++      if (__builtin_expect (num_leaps > SIZE_MAX / 12
++			    || tzspec_len < num_leaps * 12, 0))
++	goto lose;
++      tzspec_len -= num_leaps * 12;
++      if (__builtin_expect (tzspec_len < num_isstd, 0))
++	goto lose;
++      tzspec_len -= num_isstd;
++      if (__builtin_expect (tzspec_len == 0 || tzspec_len - 1 < num_isgmt, 0))
++	goto lose;
++      tzspec_len -= num_isgmt + 1;
++      if (__builtin_expect (SIZE_MAX - total_size < tzspec_len, 0))
++	goto lose;
++    }
++  if (__builtin_expect (SIZE_MAX - total_size - tzspec_len < extra, 0))
++    goto lose;
+ 
+   /* Allocate enough memory including the extra block requested by the
+      caller.  */

glibc-rh794797.patch

@@ -0,0 +1,240 @@
+From libc-alpha-return-25252-listarch-libc-alpha=sources dot redhat dot com at sourceware dot org Thu Feb 16 16:21:17 2012
+Return-Path: <libc-alpha-return-25252-listarch-libc-alpha=sources dot redhat dot com at sourceware dot org>
+Delivered-To: listarch-libc-alpha at sources dot redhat dot com
+Received: (qmail 5187 invoked by alias); 16 Feb 2012 16:21:14 -0000
+Delivered-To: moderator for libc-alpha at sourceware dot org
+Received: (qmail 2174 invoked by uid 22791); 16 Feb 2012 16:17:18 -0000
+X-SWARE-Spam-Status: No, hits=-2.0 required=5.0
+	tests=AWL,BAYES_00,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS,TW_TV,TW_VB,TW_VF,T_RP_MATCHES_RCVD
+X-Spam-Check-By: sourceware.org
+Date: Thu, 16 Feb 2012 08:16:13 -0800
+From: Kees Cook <kees at outflux dot net>
+To: "Ryan S dot  Arnold" <ryan dot arnold at gmail dot com>
+Cc: libc-alpha at sourceware dot org, Paul Eggert <eggert at cs dot ucla dot edu>,
+        Roland McGrath <roland at hack dot frob dot com>,
+        Andreas Schwab <schwab at linux-m68k dot org>
+Subject: Re: [PATCH] vfprintf: validate nargs and maybe allocate from heap
+Message-ID: <20120216161613.GZ20420@outflux.net>
+References: <20120206062537.GM4979@outflux.net>
+ <20120207000509 dot GP4989 at outflux dot net>
+ <20120210192457 dot GF20420 at outflux dot net>
+ <CAAKybw8AgkGsKAx=kvX4Tsi74f+HtuVnatTCB0VfsHi7vVFi1Q at mail dot gmail dot com>
+ <20120214223048 dot GM20420 at outflux dot net>
+ <CAAKybw_HS+cav+YcDw3ns7UXu6_xA7EHPrkiB87P+OGwEB0PVQ at mail dot gmail dot com>
+ <20120214224543 dot GN20420 at outflux dot net>
+MIME-Version: 1.0
+Content-Type: text/plain; charset=us-ascii
+Content-Disposition: inline
+In-Reply-To: <20120214224543 dot GN20420 at outflux dot net>
+X-MIMEDefang-Filter: outflux$Revision: 1.316 $
+X-HELO: www.outflux.net
+Mailing-List: contact libc-alpha-help at sourceware dot org; run by ezmlm
+Precedence: bulk
+List-Id: <libc-alpha.sourceware.org>
+List-Subscribe: <mailto:libc-alpha-subscribe at sourceware dot org>
+List-Archive: <http://sourceware.org/ml/libc-alpha/>
+List-Post: <mailto:libc-alpha at sourceware dot org>
+List-Help: <mailto:libc-alpha-help at sourceware dot org>, <http://sourceware dot org/ml/#faqs>
+Sender: libc-alpha-owner at sourceware dot org
+Delivered-To: mailing list libc-alpha at sourceware dot org
+
+The nargs value can overflow when doing allocations, allowing arbitrary
+memory writes via format strings, bypassing _FORTIFY_SOURCE:
+http://www.phrack.org/issues.html?issue=67&id=9
+
+This checks for nargs overflow and possibly allocates from heap instead of
+stack, and adds a regression test for the situation.
+
+I have FSF assignment via Google. (Sent from @outflux since that's how I'm
+subscribed here, but CL shows @chromium.org as part of my Google work.)
+
+This version disables the useless test on non-32-bit platforms.
+
+2012-02-16  Kees Cook  <keescook@chromium.org>
+
+ 	[BZ #13656]
+ 	* stdio-common/vfprintf.c (vfprintf): Check for nargs overflow and
+ 	possibly allocate from heap instead of stack.
+ 	* stdio-common/bug-vfprintf-nargs.c: New file.
+ 	* stdio-common/Makefile (tests): Add nargs overflow test.
+
+diff --git a/stdio-common/Makefile b/stdio-common/Makefile
+index a847b28..080badc 100644
+--- a/stdio-common/Makefile
++++ b/stdio-common/Makefile
+@@ -59,7 +59,8 @@ tests := tstscanf test_rdwr test-popen tstgetln test-fseek \
+ 	 tst-popen tst-unlockedio tst-fmemopen2 tst-put-error tst-fgets \
+ 	 tst-fwrite bug16 bug17 tst-swscanf tst-sprintf2 bug18 bug18a \
+ 	 bug19 bug19a tst-popen2 scanf13 scanf14 scanf15 bug20 bug21 bug22 \
+-	 scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24
++	 scanf16 scanf17 tst-setvbuf1 tst-grouping bug23 bug24 \
++	 bug-vfprintf-nargs
+ 
+ test-srcs = tst-unbputc tst-printf
+ 
+diff --git a/stdio-common/bug-vfprintf-nargs.c b/stdio-common/bug-vfprintf-nargs.c
+new file mode 100644
+index 0000000..13c66c0
+--- /dev/null
++++ b/stdio-common/bug-vfprintf-nargs.c
+@@ -0,0 +1,78 @@
++/* Test for vfprintf nargs allocation overflow (BZ #13656).
++   Copyright (C) 2012 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++   Contributed by Kees Cook <keescook@chromium.org>, 2012.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, write to the Free
++   Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
++   02111-1307 USA.  */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <stdint.h>
++#include <unistd.h>
++#include <inttypes.h>
++#include <string.h>
++#include <signal.h>
++
++static int
++format_failed (const char *fmt, const char *expected)
++{
++  char output[80];
++
++  printf ("%s : ", fmt);
++
++  memset (output, 0, sizeof output);
++  /* Having sprintf itself detect a failure is good.  */
++  if (sprintf (output, fmt, 1, 2, 3, "test") > 0
++      && strcmp (output, expected) != 0)
++    {
++      printf ("FAIL (output '%s' != expected '%s')\n", output, expected);
++      return 1;
++    }
++  puts ("ok");
++  return 0;
++}
++
++static int
++do_test (void)
++{
++  int rc = 0;
++  char buf[64];
++
++  /* Regular positionals work.  */
++  if (format_failed ("%1$d", "1") != 0)
++    rc = 1;
++
++  /* Regular width positionals work.  */
++  if (format_failed ("%1$*2$d", " 1") != 0)
++    rc = 1;
++
++  /* Positional arguments are constructed via read_int, so nargs can only
++     overflow on 32-bit systems.  On 64-bit systems, it will attempt to
++     allocate a giant amount of memory and possibly crash, which is the
++     expected situation.  Since the 64-bit behavior is arch-specific, only
++     test this on 32-bit systems.  */
++  if (sizeof (long int) == 4)
++    {
++      sprintf (buf, "%%1$d %%%" PRIdPTR "$d", UINT32_MAX / sizeof (int));
++      if (format_failed (buf, "1 %$d") != 0)
++        rc = 1;
++    }
++
++  return rc;
++}
++
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
+diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
+index 863cd5d..022e72b 100644
+--- a/stdio-common/vfprintf.c
++++ b/stdio-common/vfprintf.c
+@@ -235,6 +235,9 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
+      0 if unknown.  */
+   int readonly_format = 0;
+ 
++  /* For the argument descriptions, which may be allocated on the heap.  */
++  void *args_malloced = NULL;
++
+   /* This table maps a character into a number representing a
+      class.  In each step there is a destination label for each
+      class.  */
+@@ -1647,9 +1650,10 @@ do_positional:
+        determine the size of the array needed to store the argument
+        attributes.  */
+     size_t nargs = 0;
+-    int *args_type;
+-    union printf_arg *args_value = NULL;
++    size_t bytes_per_arg;
++    union printf_arg *args_value;
+     int *args_size;
++    int *args_type;
+ 
+     /* Positional parameters refer to arguments directly.  This could
+        also determine the maximum number of arguments.  Track the
+@@ -1698,13 +1702,33 @@ do_positional:
+ 
+     /* Determine the number of arguments the format string consumes.  */
+     nargs = MAX (nargs, max_ref_arg);
++    bytes_per_arg = sizeof (*args_value) + sizeof (*args_size)
++                    + sizeof (*args_type);
++
++    /* Check for potential integer overflow.  */
++    if (nargs > SIZE_MAX / bytes_per_arg)
++      {
++         done = -1;
++         goto all_done;
++      }
+ 
+     /* Allocate memory for the argument descriptions.  */
+-    args_type = alloca (nargs * sizeof (int));
++    if (__libc_use_alloca (nargs * bytes_per_arg))
++        args_value = alloca (nargs * bytes_per_arg);
++    else
++      {
++        args_value = args_malloced = malloc (nargs * bytes_per_arg);
++        if (args_value == NULL)
++          {
++            done = -1;
++            goto all_done;
++          }
++      }
++
++    args_size = &args_value[nargs].pa_int;
++    args_type = &args_size[nargs];
+     memset (args_type, s->_flags2 & _IO_FLAGS2_FORTIFY ? '\xff' : '\0',
+-	    nargs * sizeof (int));
+-    args_value = alloca (nargs * sizeof (union printf_arg));
+-    args_size = alloca (nargs * sizeof (int));
++	    nargs * sizeof (*args_type));
+ 
+     /* XXX Could do sanity check here: If any element in ARGS_TYPE is
+        still zero after this loop, format is invalid.  For now we
+@@ -1973,8 +1997,8 @@ do_positional:
+   }
+ 
+ all_done:
+-  if (__builtin_expect (workstart != NULL, 0))
+-    free (workstart);
++  free (args_malloced);
++  free (workstart);
+   /* Unlock the stream.  */
+   _IO_funlockfile (s);
+   _IO_cleanup_region_end (0);
+-- 
+1.7.5.4
+
+-- 
+Kees Cook                                            @outflux.net
+

glibc.spec

@@ -1,6 +1,6 @@
-%define glibcsrcdir glibc-2.14-15-g9614794
-%define glibcversion 2.14
-%define glibcportsdir glibc-ports-2.14
+%define glibcsrcdir glibc-2.14.1
+%define glibcversion 2.14.1
+%define glibcportsdir glibc-ports-2.14.1-1-g3eb1dbf
 ### glibc.spec.in follows:
 %define run_glibc_tests 1
 %define auxarches athlon alphaev6
@@ -27,7 +27,7 @@
 Summary: The GNU libc libraries
 Name: glibc
 Version: %{glibcversion}
-Release: 4
+Release: 6
 # GPLv2+ is used in a bunch of programs, LGPLv2+ is used for libraries.
 # Things that are linked directly into dynamically linked programs
 # and shared libraries (e.g. crt files, lib*_nonshared.a) have an additional
@@ -41,6 +41,10 @@ Source1: %{?glibc_release_url}%{glibcportsdir}.tar.xz
 Source2: %{glibcsrcdir}-fedora.tar.xz
 Patch0: %{name}-fedora.patch
 Patch1: %{name}-ia64-lib64.patch
+Patch2: %{name}-rh767696.patch
+Patch3: %{name}-rh794797.patch
+
+
 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Obsoletes: glibc-profile < 2.4
 Provides: ldconfig
@@ -62,10 +66,9 @@ BuildRequires: systemtap-sdt-devel
 BuildRequires: gcc >= 3.2
 %define enablekernel 2.6.32
 Conflicts: kernel < %{enablekernel}
-%ifarch i386
-%define nptl_target_cpu i486
-%else
-%define nptl_target_cpu %{_target_cpu}
+%define target %{_target_cpu}-redhat-linux
+%ifarch %{arm}
+%define target %{_target_cpu}-redhat-linuxeabi
 %endif
 %ifarch %{multiarcharches}
 # Need STT_IFUNC support
@@ -257,6 +260,8 @@ rm -rf %{glibcportsdir}
 %patch1 -p1
 %endif
 %endif
+%patch2 -p1
+%patch3 -p1
 
 # A lot of programs still misuse memcpy when they have to use
 # memmove. The memcpy implementation below is not tolerant at
@@ -275,7 +280,6 @@ cat > find_provides.sh <<EOF
 /usr/lib/rpm/find-provides | grep -v GLIBC_PRIVATE
 exit 0
 EOF
-chmod +x find_provides.sh
 touch `find . -name configure`
 touch locale/programs/*-kw.h
 
@@ -283,7 +287,7 @@ touch locale/programs/*-kw.h
 GCC=gcc
 GXX=g++
 %ifarch %{ix86}
-BuildFlags="-march=%{nptl_target_cpu} -mtune=generic"
+BuildFlags="-march=%{_target_cpu} -mtune=generic"
 %endif
 %ifarch i686
 BuildFlags="-march=i686 -mtune=generic"
@@ -343,10 +347,10 @@ AddOns=`echo */configure | sed -e 's!/configure!!g;s!\(linuxthreads\|nptl\|rtkai
 AddOns=,rtkaio$AddOns
 %endif
 
-build_nptl()
+build()
 {
-builddir=build-%{nptl_target_cpu}-$1
-shift
+builddir=build-%{target}${1:+-$1}
+${1+shift}
 rm -rf $builddir
 mkdir $builddir ; cd $builddir
 build_CFLAGS="$BuildFlags -g -O3 $*"
@@ -357,8 +361,7 @@ configure_CFLAGS="$build_CFLAGS -fno-asynchronous-unwind-tables"
 	--prefix=%{_prefix} \
 	--enable-add-ons=../%{glibcportsdir},nptl$AddOns \
 	--with-headers=%{_prefix}/include $EnableKernel --enable-bind-now \
-	--with-tls --with-__thread --build %{nptl_target_cpu}-redhat-linux \
-	--host %{nptl_target_cpu}-redhat-linux \
+	--with-tls --with-__thread --build=%{target} \
 %ifarch %{multiarcharches}
 	--enable-multi-arch \
 %endif
@@ -373,10 +376,10 @@ make %{?_smp_mflags} -r CFLAGS="$build_CFLAGS" %{silentrules}
 cd ..
 }
 
-build_nptl linuxnptl
+build
 
 %if %{buildxen}
-build_nptl linuxnptl-nosegneg -mno-tls-direct-seg-refs
+build nosegneg -mno-tls-direct-seg-refs
 %endif
 
 %if %{buildpower6}
@@ -396,11 +399,11 @@ fi
 AddOns="$AddOns --with-cpu=power6"
 GCC="$GCC -mcpu=power6"
 GXX="$GXX -mcpu=power6"
-build_nptl linuxnptl-power6
+build power6
 )
 %endif
 
-cd build-%{nptl_target_cpu}-linuxnptl
+cd build-%{target}
 $GCC -static -L. -Os -g ../fedora/glibc_post_upgrade.c -o glibc_post_upgrade.%{_target_cpu} \
   -DNO_SIZE_OPTIMIZATION \
   '-DLIBTLS="/%{_lib}/tls/"' \
@@ -414,9 +417,9 @@ GCC=`cat Gcc`
 
 rm -rf $RPM_BUILD_ROOT
 mkdir -p $RPM_BUILD_ROOT
-make -j1 install_root=$RPM_BUILD_ROOT install -C build-%{nptl_target_cpu}-linuxnptl %{silentrules}
+make -j1 install_root=$RPM_BUILD_ROOT install -C build-%{target} %{silentrules}
 %ifnarch %{auxarches}
-cd build-%{nptl_target_cpu}-linuxnptl && \
+cd build-%{target} && \
   make %{?_smp_mflags} install_root=$RPM_BUILD_ROOT install-locales -C ../localedata objdir=`pwd` && \
   cd ..
 %endif
@@ -437,7 +440,7 @@ ln -sf `basename $RPM_BUILD_ROOT/%{_lib}/rtkaio/librtkaio-*.so` $RPM_BUILD_ROOT/
 %define nosegneg_subdir_base i686
 %define nosegneg_subdir i686/nosegneg
 %define nosegneg_subdir_up ../..
-cd build-%{nptl_target_cpu}-linuxnptl-nosegneg
+cd build-%{target}-nosegneg
 destdir=$RPM_BUILD_ROOT/%{_lib}/%{nosegneg_subdir}
 mkdir -p $destdir
 for lib in libc math/libm nptl/libpthread rt/librt nptl_db/libthread_db
@@ -445,7 +448,7 @@ do
   libbase=${lib#*/}
   libbaseso=$(basename $RPM_BUILD_ROOT/%{_lib}/${libbase}-*.so)
   # Only install if different from base lib
-  if cmp -s ${lib}.so ../build-%{nptl_target_cpu}-linuxnptl/${lib}.so; then
+  if cmp -s ${lib}.so ../build-%{target}/${lib}.so; then
     ln -sf %{nosegneg_subdir_up}/$libbaseso $destdir/$libbaseso
   else
     cp -a ${lib}.so $destdir/$libbaseso
@@ -456,7 +459,7 @@ done
 destdir=$RPM_BUILD_ROOT/%{_lib}/rtkaio/%{nosegneg_subdir}
 mkdir -p $destdir
 librtkaioso=$(basename $RPM_BUILD_ROOT/%{_lib}/librt-*.so | sed s/librt-/librtkaio-/)
-if cmp -s rtkaio/librtkaio.so ../build-%{nptl_target_cpu}-linuxnptl/rtkaio/librtkaio.so; then
+if cmp -s rtkaio/librtkaio.so ../build-%{target}/rtkaio/librtkaio.so; then
   ln -s %{nosegneg_subdir_up}/$librtkaioso $destdir/$librtkaioso
 else
   cp -a rtkaio/librtkaio.so $destdir/$librtkaioso
@@ -467,7 +470,7 @@ cd ..
 %endif
 
 %if %{buildpower6}
-cd build-%{nptl_target_cpu}-linuxnptl-power6
+cd build-%{target}-power6
 destdir=$RPM_BUILD_ROOT/%{_lib}/power6
 mkdir -p ${destdir}
 for lib in libc math/libm nptl/libpthread rt/librt nptl_db/libthread_db
@@ -545,7 +548,7 @@ mkdir -p $RPM_BUILD_ROOT/etc/sysconfig
 chmod 644 $RPM_BUILD_ROOT%{_prefix}/%{_lib}/gconv/gconv-modules.cache
 
 # Install the upgrade program
-install -m 700 build-%{nptl_target_cpu}-linuxnptl/glibc_post_upgrade.%{_target_cpu} \
+install -m 700 build-%{target}/glibc_post_upgrade.%{_target_cpu} \
   $RPM_BUILD_ROOT/usr/sbin/glibc_post_upgrade.%{_target_cpu}
 
 strip -g $RPM_BUILD_ROOT%{_prefix}/%{_lib}/*.o
@@ -567,9 +570,9 @@ pushd ${RPM_BUILD_ROOT}%{_prefix}/lib/locale
 rm locale-archive || :
 # Intentionally we do not pass --alias-file=, aliases will be added
 # by build-locale-archive.
-$olddir/build-%{nptl_target_cpu}-linuxnptl/elf/ld.so \
-  --library-path $olddir/build-%{nptl_target_cpu}-linuxnptl/ \
-  $olddir/build-%{nptl_target_cpu}-linuxnptl/locale/localedef \
+$olddir/build-%{target}/elf/ld.so \
+  --library-path $olddir/build-%{target}/ \
+  $olddir/build-%{target}/locale/localedef \
     --prefix ${RPM_BUILD_ROOT} --add-to-archive \
     *_*
 rm -rf *_*
@@ -670,7 +673,6 @@ sed -i -e '\|/%{_lib}/%{nosegneg_subdir}|d' rpm.filelist
 %endif
 
 echo '%{_prefix}/sbin/build-locale-archive' >> common.filelist
-echo '%{_prefix}/sbin/tzdata-update' >> common.filelist
 echo '%{_prefix}/sbin/nscd' > nscd.filelist
 
 cat > utils.filelist <<EOF
@@ -697,14 +699,11 @@ touch -r sunrpc/etc.rpc $RPM_BUILD_ROOT/etc/rpc
 
 cd fedora
 $GCC -Os -g -static -o build-locale-archive build-locale-archive.c \
-  ../build-%{nptl_target_cpu}-linuxnptl/locale/locarchive.o \
-  ../build-%{nptl_target_cpu}-linuxnptl/locale/md5.o \
+  ../build-%{target}/locale/locarchive.o \
+  ../build-%{target}/locale/md5.o \
   -DDATADIR=\"%{_datadir}\" -DPREFIX=\"%{_prefix}\" \
-  -L../build-%{nptl_target_cpu}-linuxnptl
+  -L../build-%{target}
 install -m 700 build-locale-archive $RPM_BUILD_ROOT/usr/sbin/build-locale-archive
-$GCC -Os -g -static -o tzdata-update tzdata-update.c \
-  -L../build-%{nptl_target_cpu}-linuxnptl
-install -m 700 tzdata-update $RPM_BUILD_ROOT/usr/sbin/tzdata-update
 cd ..
 
 # the last bit: more documentation
@@ -735,7 +734,7 @@ ln -sf /%{_lib}/ld-linux-ia64.so.2 $RPM_BUILD_ROOT/lib/ld-linux-ia64.so.2
 export TIMEOUTFACTOR=16
 parent=$$
 echo ====================TESTING=========================
-cd build-%{nptl_target_cpu}-linuxnptl
+cd build-%{target}
 ( make %{?_smp_mflags} -k check %{silentrules} 2>&1
   sleep 10s
   teepid="`ps -eo ppid,pid,command | awk '($1 == '${parent}' && $3 ~ /^tee/) { print $2 }'`"
@@ -744,7 +743,7 @@ cd build-%{nptl_target_cpu}-linuxnptl
 cd ..
 %if %{buildxen}
 echo ====================TESTING -mno-tls-direct-seg-refs=============
-cd build-%{nptl_target_cpu}-linuxnptl-nosegneg
+cd build-%{target}-nosegneg
 ( make %{?_smp_mflags} -k check %{silentrules} 2>&1
   sleep 10s
   teepid="`ps -eo ppid,pid,command | awk '($1 == '${parent}' && $3 ~ /^tee/) { print $2 }'`"
@@ -754,7 +753,7 @@ cd ..
 %endif
 %if %{buildpower6}
 echo ====================TESTING -mcpu=power6=============
-cd build-%{nptl_target_cpu}-linuxnptl-power6
+cd build-%{target}-power6
 ( if [ -d ../power6emul ]; then
     export LD_PRELOAD=`cd ../power6emul; pwd`/\$LIB/power6emul.so
   fi
@@ -895,7 +894,44 @@ end
 
 %post common -p /usr/sbin/build-locale-archive
 
-%triggerin common -p /usr/sbin/tzdata-update -- tzdata
+%triggerin common -p <lua> -- tzdata
+function update (filename, new_data)
+  local fd = io.open(filename)
+  if not fd then return end
+  local data = fd:read("*a")
+  fd:close()
+  if not data then return end
+  -- Don't update the file unnecessarily.
+  if data == new_data then return end
+  local tempfilename = filename .. ".tzupdate"
+  fd = io.open(tempfilename, "w")
+  if not fd then return end
+  fd:write(new_data)
+  fd:close()
+  posix.chmod(tempfilename, 0644)
+  if not os.rename(tempfilename, filename) then
+    os.remove(tempfilename)
+  end
+end
+fd = io.open("/etc/sysconfig/clock")
+if not fd then return end
+zonename = nil
+for l in fd:lines() do
+  zone = string.match(l, "^[ \t]*ZONE[ \t]*=[ \t]*\"?([^ \t\n\"]*)");
+  if zone then
+    zonename = "/usr/share/zoneinfo/" .. zone
+    break
+  end
+end
+fd:close()
+if not zonename then return end
+fd = io.open(zonename)
+if not fd then return end
+data = fd:read("*a")
+fd:close()
+if not data then return end
+update("/etc/localtime", data)
+update("/var/spool/postfix/etc/localtime", data)
 
 %post devel
 /sbin/install-info %{_infodir}/libc.info.gz %{_infodir}/dir > /dev/null 2>&1 || :
@@ -1051,6 +1087,55 @@ rm -f *.filelist*
 %endif
 
 %changelog
+* Mon Feb 20 2012 Jeff Law  <law@redhat.com> - 2.14.1-6
+  - Avoid "nargs" integer overflow which could be used to bypass FORTIFY_SOURCE (#794797)
+
+* Sun Jan 1 2012 Jeff Law  <law@redhat.com> - 2.14.1-5
+- Revert change from -6 which filtered out GLIBC_PRIVATE symbols.
+
+* Sun Dec 19 2011 Jeff Law  <law@redhat.com> - 2.14.1-4
+- Check values from TZ file header (#767696)
+
+* Fri Oct 28 2011 Andreas Schwab <schwab@redhat.com> - 2.14.1-2
+- Convert tzdata-update to lua (#743034)
+- Mark __clone as .cantunwind (#749556)
+
+* Fri Oct  7 2011 Andreas Schwab <schwab@redhat.com> - 2.14.1-1
+- Update to 2.14.1 release
+  - Correctly reparse group line after enlarging the buffer (#739360)
+  - Avoid race between {,__de}allocate_stack and __reclaim_stacks during fork
+
+* Thu Sep  8 2011 Andreas Schwab <schwab@redhat.com> - 2.14-7
+- Update from 2.14 branch
+  - Fix cfi directive in audit trampoline code
+  - Correct cycle detection during dependency sorting (BZ#11724)
+  - Fix fopen (non-existing-file, "re") errno (BZ#13114)
+  - Fix CFI info in x86-64 trampolines
+
+* Mon Aug 15 2011 Andreas Schwab <schwab@redhat.com> - 2.14-6
+- Update from 2.14 branch
+  - Locale-independent parsing in libintl (#726536)
+  - Fix stack alignment on x86_64 (#728762)
+- Filter out GLIBC_PRIVATE symbols again
+
+* Fri Aug  5 2011 Andreas Schwab <schwab@redhat.com> - 2.14-5
+- Update from 2.14 branch
+  - Properly tokenize nameserver line for servers with IPv6 address
+  - Fix encoding name for IDN in getaddrinfo (#725755)
+  - Fix inline strncat/strncmp on x86
+  - Fix check for AVX enablement (BZ#13007)
+  - Check for overflows in expressions (BZ#12852)
+  - Force La_x86_64_ymm to be 16-byte aligned
+  - Fix alloca accounting in strxfm
+  - Avoid possible crashes in anormal nscd exits
+  - Handle Lustre filesystem (BZ#12868)
+  - Handle W; without long options in getopt (BZ#12922)
+  - Change error code for underflows in strtod (BZ#9696)
+  - Fix robust mutex handling after fork
+  - Make sure RES_USE_INET6 is always restored
+  - Fix quoting in some installed shell scripts (#726483)
+- Use eabi for arm
+
 * Tue Jun 28 2011 Andreas Schwab <schwab@redhat.com> - 2.14-4
 - Update from 2.14 branch
   - Fix crash in GB18030 encoder (#712901)

sources

@@ -1,3 +1,3 @@
-af85a1921f8062fed1005a1a000c146f  glibc-2.14-15-g9614794-fedora.tar.xz
-dd6e7ae7a2251c25c2ce1fa81957bf98  glibc-2.14-15-g9614794.tar.xz
-05c85905b43021a81318c3aa81718019  glibc-ports-2.14.tar.xz
+24ae773557f07deaa9ffc4610ef11f03  glibc-2.14.1-fedora.tar.xz
+55501b8d037a4f1d330312b30fd6d4bc  glibc-2.14.1.tar.xz
+efa23a37cfa579a85eaef59550c1922c  glibc-ports-2.14.1-1-g3eb1dbf.tar.xz