fix CVE-2021-27645 CVE-2020-27618

2025-02-23 15:52:52 +00:00 · 2021-04-16 09:16:55 +09:00 · 2021-04-16 09:16:55 +09:00 · 08fbd14fcd
commit 08fbd14fcd
parent 3861d3d668
3 changed files with 67 additions and 1 deletions
--- a/CVE-2020-27618.patch
+++ b/CVE-2020-27618.patch
@ -0,0 +1,44 @@
+diff -ruN a/NEWS b/NEWS
+--- a/NEWS	2020-02-01 20:52:50.000000000 +0900
+++ b/NEWS	2021-04-16 08:56:18.255582011 +0900
+@@ -149,6 +149,10 @@
+   addresses for loaded libraries and thus bypass ASLR for a setuid
+   program.  Reported by Marcin Kościelnicki.
+ 
+  CVE-2020-27618: An infinite loop has been fixed in the iconv program when
+  invoked with input containing redundant shift sequences in the IBM1364,
+  IBM1371, IBM1388, IBM1390, or IBM1399 character sets.
+
+ The following bugs are resolved with this release:
+ 
+   [12031] localedata: iconv -t ascii//translit with Greek characters
+diff -ruN a/iconvdata/ibm1364.c b/iconvdata/ibm1364.c
+--- a/iconvdata/ibm1364.c	2020-02-01 20:52:50.000000000 +0900
+++ b/iconvdata/ibm1364.c	2021-04-16 09:01:27.268590024 +0900
+@@ -158,24 +158,14 @@
+ 									      \
+     if (__builtin_expect (ch, 0) == SO)					      \
+       {									      \
+-	/* Shift OUT, change to DBCS converter.  */			      \
+-	if (curcs == db)						      \
+-	  {								      \
+-	    result = __GCONV_ILLEGAL_INPUT;				      \
+-	    break;							      \
+-	  }								      \
+	/* Shift OUT, change to DBCS converter (redundant escape okay). */    \
+ 	curcs = db;							      \
+ 	++inptr;							      \
+ 	continue;							      \
+       }									      \
+     if (__builtin_expect (ch, 0) == SI)					      \
+       {									      \
+-	/* Shift IN, change to SBCS converter.  */			      \
+-	if (curcs == sb)						      \
+-	  {								      \
+-	    result = __GCONV_ILLEGAL_INPUT;				      \
+-	    break;							      \
+-	  }								      \
+	/* Shift IN, change to SBCS converter (redundant escape okay).  */    \
+ 	curcs = sb;							      \
+ 	++inptr;							      \
+ 	continue;							      \
--- a/CVE-2021-27645.patch
+++ b/CVE-2021-27645.patch
@ -0,0 +1,21 @@
+diff -ruN a/nscd/netgroupcache.c b/nscd/netgroupcache.c
+--- a/nscd/netgroupcache.c	2020-02-01 20:52:50.000000000 +0900
+++ b/nscd/netgroupcache.c	2021-04-16 09:10:09.046603554 +0900
+@@ -248,7 +248,7 @@
+ 					     : NULL);
+ 				    ndomain = (ndomain ? newbuf + ndomaindiff
+ 					       : NULL);
+-				    buffer = newbuf;
+				    *tofreep = buffer = newbuf;
+ 				  }
+ 
+ 				nhost = memcpy (buffer + bufused,
+@@ -319,7 +319,7 @@
+ 		    else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE)
+ 		      {
+ 			buflen *= 2;
+-			buffer = xrealloc (buffer, buflen);
+			*tofreep = buffer = xrealloc (buffer, buflen);
+ 		      }
+ 		    else if (status == NSS_STATUS_RETURN
+ 			     || status == NSS_STATUS_NOTFOUND
--- a/glibc.spec
+++ b/glibc.spec
@ -253,7 +253,8 @@ Patch1043:      iconv-Fix-incorrect-UCS4-inner-loop-bounds-BZ-26923.patch
 Patch1044:      Fix-buffer-overrun-in-EUC-KR-conversion-module-bz-24.patch
 # CVE-2021-3326
 Patch1045:      gconv-Fix-assertion-failure-in-ISO-2022-JP-3-module-.patch
-
+Patch1046:      CVE-2020-27618.patch
+Patch1047:      CVE-2021-27645.patch
 # These generatiors are exeperimentally disabled while
 # bootstrapping aarch64 to try to get rid of them
 %ifnarch aarch64