Miroirs/slackware-current
1
0
Fork 0
mirror of git://slackware.nl/current.git synced 2025-01-03 23:03:22 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
slackware-current/source/l/glibc/patches/CVE-2021-33574_1.patch
Patrick J Volkerding 667b86aaab Sat Aug 7 19:04:04 UTC 2021 
a/aaa_glibc-solibs-2.33-x86_64-3.txz:  Rebuilt.
a/usbutils-014-x86_64-1.txz:  Upgraded.
ap/mariadb-10.6.4-x86_64-1.txz:  Upgraded.
ap/nvme-cli-1.15-x86_64-1.txz:  Upgraded.
l/glibc-2.33-x86_64-3.txz:  Rebuilt.
  Since glibc-2.34 makes a potentially risky change of moving all functions
  into the main library, and another inconvenient (for us) change of renaming
  the library files, we'll stick with glibc-2.33 for Slackware 15.0 and test
  the newer glibc in the next release cycle. But we'll backport the security
  fixes from glibc-2.34 with this update:
  The nameserver caching daemon (nscd), when processing a request for netgroup
  lookup, may crash due to a double-free, potentially resulting in degraded
  service or Denial of Service on the local system. Reported by Chris Schanzle.
  The mq_notify function has a potential use-after-free issue when using a
  notification type of SIGEV_THREAD and a thread attribute with a non-default
  affinity mask.
  The wordexp function may overflow the positional parameter number when
  processing the expansion resulting in a crash. Reported by Philippe Antoine.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27645
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33574
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35942
  (* Security fix *)
l/glibc-i18n-2.33-x86_64-3.txz:  Rebuilt.
l/glibc-profile-2.33-x86_64-3.txz:  Rebuilt.
l/liburing-2.0-x86_64-1.txz:  Added.
  This is needed by mariadb, and provides increased performance on high speed
  devices such as NVMe.
n/dovecot-2.3.16-x86_64-1.txz:  Upgraded.
xap/blueman-2.2.2-x86_64-1.txz:  Upgraded.
2021-08-08 00:01:02 +02:00

71 lines
2.3 KiB
Diff
Raw Blame History

From 42d359350510506b87101cf77202fefcbfc790cb Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@linux-m68k.org>
Date: Thu, 27 May 2021 12:49:47 +0200
Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896)
Make a deep copy of the pthread attribute object to remove a potential
use-after-free issue.
---
NEWS | 4 ++++
sysdeps/unix/sysv/linux/mq_notify.c | 15 ++++++++++-----
2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/NEWS b/NEWS
index 6f4d325d55..1bf3daa502 100644
--- a/NEWS
+++ b/NEWS
@@ -62,6 +62,10 @@ Security related changes:
potentially resulting in degraded service or Denial of Service on the
local system. Reported by Chris Schanzle.
+ CVE-2021-33574: The mq_notify function has a potential use-after-free
+ issue when using a notification type of SIGEV_THREAD and a thread
+ attribute with a non-default affinity mask.
+
The following bugs are resolved with this release:
[The release manager will add the list generated by
diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
index cc575a0cdd..f7ddfe5a6c 100644
--- a/sysdeps/unix/sysv/linux/mq_notify.c
+++ b/sysdeps/unix/sysv/linux/mq_notify.c
@@ -133,8 +133,11 @@ helper_thread (void *arg)
(void) __pthread_barrier_wait (&notify_barrier);
}
else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
- /* The only state we keep is the copy of the thread attributes. */
- free (data.attr);
+ {
+ /* The only state we keep is the copy of the thread attributes. */
+ pthread_attr_destroy (data.attr);
+ free (data.attr);
+ }
}
return NULL;
}
@@ -255,8 +258,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
if (data.attr == NULL)
return -1;
- memcpy (data.attr, notification->sigev_notify_attributes,
- sizeof (pthread_attr_t));
+ __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
}
/* Construct the new request. */
@@ -270,7 +272,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
/* If it failed, free the allocated memory. */
if (__glibc_unlikely (retval != 0))
- free (data.attr);
+ {
+ pthread_attr_destroy (data.attr);
+ free (data.attr);
+ }
return retval;
}
--
2.27.0
Reference in a new issue View git blame Copy permalink