Djam/coreutils
1
0
Fork 0
mirror of https://abf.rosa.ru/djam/coreutils.git synced 2025-02-24 01:32:50 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Added security fix in sort.c for CVE-2015-xxxx: buffer overflow.

Browse source
This commit is contained in:
kuzma kazygashev 2015-05-15 18:11:01 +07:00
parent 01cf42c9a8
commit 84189f7e77
2 changed files with 61 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

60
coreutils-8.9-buffer-overflow-in-sort.patch Normal file
View file

@ -0,0 +1,60 @@
diff -pruN a/src/sort.c b/src/sort.c
--- a/src/sort.c 2015-05-15 14:59:56.054854874 +0700
+++ b/src/sort.c 2015-05-15 15:21:43.994905457 +0700
@@ -3148,8 +3148,10 @@ keycompare_mb (const struct line *a, con
{
if (ignore || translate)
{
- char *copy_a = (char *) alloca (lena + 1 + lenb + 1);
- char *copy_b = copy_a + lena + 1;
+ if (SIZE_MAX - lenb - 2 < lena)
+ xalloc_die ();
+ char *copy_a = (char *) xnmalloc (lena + lenb + 2, MB_CUR_MAX);
+ char *copy_b = copy_a + lena * MB_CUR_MAX + 1;
size_t new_len_a, new_len_b;
size_t i, j;
diff -pruN a/tests/i18n/sort.sh b/tests/i18n/sort.sh
--- a/tests/i18n/sort.sh 1970-01-01 07:00:00.000000000 +0700
+++ b/tests/i18n/sort.sh 2015-05-15 15:08:08.000000000 +0700
@@ -0,0 +1,29 @@
+#!/bin/sh
+# Verify sort's multi-byte support.
+
+. "${srcdir=.}/tests/init.sh"; path_prepend_ ./src
+print_ver_ sort
+
+export LC_ALL=en_US.UTF-8
+locale -k LC_CTYPE | grep -q "charmap.*UTF-8" \
+ || skip_ "No UTF-8 locale available"
+
+# Enable heap consistency checkng on older systems
+export MALLOC_CHECK_=2
+
+
+# check buffer overflow issue due to
+# expanding multi-byte representation due to case conversion
+# https://bugzilla.suse.com/show_bug.cgi?id=928749
+cat <<EOF > exp
+.
+ɑ
+EOF
+cat <<EOF | sort -f > out || fail=1
+.
+ɑ
+EOF
+compare exp out || { fail=1; cat out; }
+
+
+Exit $fail
diff -pruN a/tests/Makefile.am b/tests/Makefile.am
--- a/tests/Makefile.am 2015-05-15 14:59:56.055854875 +0700
+++ b/tests/Makefile.am 2015-05-15 15:20:17.668902118 +0700
@@ -421,6 +421,7 @@ TESTS = \
du/slink \
du/trailing-slash \
du/two-args \
+ i18n/sort.sh \
id/gnu-zero-uids \
id/no-context \
install/basic-1 \

2
coreutils.spec
View file

@ -3,7 +3,7 @@
Summary: The GNU core utilities: a set of tools commonly used in shell scripts Summary: The GNU core utilities: a set of tools commonly used in shell scripts
Name: coreutils Name: coreutils
Version: 8.19 Version: 8.19
Release: 17 Release: 18
License: GPLv3+ License: GPLv3+
Group: System/Base Group: System/Base
Url: http://www.gnu.org/software/coreutils/ Url: http://www.gnu.org/software/coreutils/