mirror of
git://slackware.nl/current.git
synced 2024-12-31 10:28:29 +01:00
4dd4f47b2c
a/aaa_glibc-solibs-2.33-x86_64-4.txz: Rebuilt.
a/util-linux-2.37.2-x86_64-1.txz: Upgraded.
d/git-2.33.0-x86_64-1.txz: Upgraded.
d/vala-0.52.5-x86_64-1.txz: Upgraded.
l/gexiv2-0.12.3-x86_64-1.txz: Upgraded.
l/glibc-2.33-x86_64-4.txz: Rebuilt.
In librt, sysdeps/unix/sysv/linux/mq_notify.c mishandles certain
NOTIFY_REMOVED data, leading to a NULL pointer dereference.
NOTE: this vulnerability was introduced as a side effect of the
CVE-2021-33574 fix.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38604
(* Security fix *)
l/glibc-i18n-2.33-x86_64-4.txz: Rebuilt.
l/glibc-profile-2.33-x86_64-4.txz: Rebuilt.
l/libcap-2.53-x86_64-1.txz: Upgraded.
l/python2-module-collection-2.7.18-x86_64-5.txz: Rebuilt.
Added dbus-python-1.2.16.
n/ModemManager-1.16.10-x86_64-1.txz: Upgraded.
n/NetworkManager-1.32.8-x86_64-1.txz: Upgraded.
n/stunnel-5.60-x86_64-1.txz: Upgraded.
xap/mozilla-firefox-91.0.1-x86_64-1.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/firefox/91.0.1/releasenotes/
https://www.mozilla.org/security/advisories/mfsa2021-37/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29991
(* Security fix *)
xap/mozilla-thunderbird-91.0.1-x86_64-1.txz: Upgraded.
This release contains security fixes and improvements.
For more information, see:
https://www.mozilla.org/en-US/thunderbird/91.0.1/releasenotes/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-37/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29991
(* Security fix *)
40 lines
1.6 KiB
Diff
40 lines
1.6 KiB
Diff
From b805aebd42364fe696e417808a700fdb9800c9e8 Mon Sep 17 00:00:00 2001
|
|
From: Nikita Popov <npv1310@gmail.com>
|
|
Date: Mon, 9 Aug 2021 20:17:34 +0530
|
|
Subject: [PATCH] librt: fix NULL pointer dereference (bug 28213)
|
|
|
|
Helper thread frees copied attribute on NOTIFY_REMOVED message
|
|
received from the OS kernel. Unfortunately, it fails to check whether
|
|
copied attribute actually exists (data.attr != NULL). This worked
|
|
earlier because free() checks passed pointer before actually
|
|
attempting to release corresponding memory. But
|
|
__pthread_attr_destroy assumes pointer is not NULL.
|
|
|
|
So passing NULL pointer to __pthread_attr_destroy will result in
|
|
segmentation fault. This scenario is possible if
|
|
notification->sigev_notify_attributes == NULL (which means default
|
|
thread attributes should be used).
|
|
|
|
Signed-off-by: Nikita Popov <npv1310@gmail.com>
|
|
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
|
|
---
|
|
sysdeps/unix/sysv/linux/mq_notify.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
|
|
index 9799dcdaa4..eccae2e4c6 100644
|
|
--- a/sysdeps/unix/sysv/linux/mq_notify.c
|
|
+++ b/sysdeps/unix/sysv/linux/mq_notify.c
|
|
@@ -131,7 +131,7 @@ helper_thread (void *arg)
|
|
to wait until it is done with it. */
|
|
(void) __pthread_barrier_wait (¬ify_barrier);
|
|
}
|
|
- else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
|
|
+ else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED && data.attr != NULL)
|
|
{
|
|
/* The only state we keep is the copy of the thread attributes. */
|
|
__pthread_attr_destroy (data.attr);
|
|
--
|
|
2.27.0
|
|
|
|
|