Merge lp:~logan/ubuntu/raring/swi-prolog/5.10.4-5 into lp:ubuntu/raring/swi-prolog
Proposed by
Logan Rosen
Status: | Merged |
---|---|
Merged at revision: | 25 |
Proposed branch: | lp:~logan/ubuntu/raring/swi-prolog/5.10.4-5 |
Merge into: | lp:ubuntu/raring/swi-prolog |
Diff against target: |
447 lines (+289/-25) 8 files modified
.pc/applied-patches (+2/-0) debian/changelog (+22/-0) debian/patches/CVE-2012-6089.diff (+97/-0) debian/patches/CVE-2012-6090.diff (+126/-0) debian/patches/series (+2/-0) src/os/pl-buffer.h (+2/-0) src/os/pl-glob.c (+27/-17) src/os/pl-os.c (+11/-8) |
To merge this branch: | bzr merge lp:~logan/ubuntu/raring/swi-prolog/5.10.4-5 |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Ubuntu branches | Pending | ||
Review via email: mp+143007@code.launchpad.net |
Commit message
Description of the change
Preview Diff
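--- a/.pc/applied-patches
+++ b/.pc/applied-patches
@@ -1,2 +1,4 @@
 swi-prolog-mipsel-FTBFS.diff
 java-compat.patch
+CVE-2012-6089.diff
+CVE-2012-6090.diff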
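--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,25 @@
+swi-prolog (5.10.4-5ubuntu1) raring; urgency=low
+
+ * Merge from Debian unstable. Remaining changes:
+ - Transition package to use default java implementation:
+ + debian/control: BD on default-jdk instead of openjdk-6-jdk, switch
+ primary runtime dependency to default-jre-headless.
+ + debian/patches/java-compat.patch: Set source/target = 1.5 to ensure
+ that backwards compatible bytecode is built.
+
+ -- Logan Rosen <logatronico@gmail.com> Fri, 11 Jan 2013 02:26:03 -0500
+
+swi-prolog (5.10.4-5) unstable; urgency=medium
+
+ * New patches (taken from RedHat bugzilla, closes: #697416):
+ - CVE-2012-6089.diff - fix for CVE-2012-6089 - possible buffer overrun in
+ path canonisation code
+ - CVE-2012-6090.diff - fix for CVE-2012-6090 - Possible buffer overflows
+ when expanding file-names with long paths
+ * Urgency "medium" because of a fix for a security bug
+
+ -- Євгеній Мещеряков <eugen@debian.org> Sat, 05 Jan 2013 03:43:46 +0100
+
 swi-prolog (5.10.4-4ubuntu1) raring; urgency=low
 
 * Merge from Debian unstable. Remaining changes: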
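--- a/debian/patches/CVE-2012-6089.diff
+++ b/debian/patches/CVE-2012-6089.diff
@@ -0,0 +1,97 @@
+Author: Jan Wielemaker <J.Wielemaker@cs.vu.nl>
+Description: Fix for CVE-2012-6089 - Possible buffer overrun in path canonisation code
+ The patch was taken from RedHat bugzilla, file locations were adjusted.
+Origin: vendor, RedHat
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6089
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697416
+---
+From 6149f39ada50f7ebc6b0cb7756490a0fea967bd1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 4 Jan 2013 13:33:11 +0100
+Subject: [PATCH 1/2] Fix CVE-2012-6089
+
+Upstream fix ported to 5.10.2:
+
+From a9a6fc8a2a9cf3b9154b490a4b1ffaa8be4d723c Mon Sep 17 00:00:00 2001
+From: Jan Wielemaker <J.Wielemaker@cs.vu.nl>
+Date: Sun, 16 Dec 2012 18:13:17 +0100
+Subject: [PATCH] FIXED: Possible buffer overrun in patch canonisation code.
+
+Pushes pointers on an automatic array without checking for overflow.
+Can be used for DoS attacks. Will be extremely hard to make it execute
+arbitrary code.
+---
+ src/pl-buffer.h | 2 ++
+ src/pl-os.c | 19 +++++++++++--------
+ 2 files changed, 13 insertions(+), 8 deletions(-)
+
+--- a/src/os/pl-buffer.h
++++ b/src/os/pl-buffer.h
+@@ -83,6 +83,8 @@
+ sizeof((b)->static_buffer))
+ #define emptyBuffer(b) ((b)->top = (b)->base)
+ #define isEmptyBuffer(b) ((b)->top == (b)->base)
++#define popBuffer(b,type) \
++ ((b)->top -= sizeof(type), *(type*)(b)->top)
+
+ #define discardBuffer(b) \
+ do \
+--- a/src/os/pl-os.c
++++ b/src/os/pl-os.c
+@@ -1081,8 +1081,7 @@
+ char *
+ canoniseFileName(char *path)
+ { char *out = path, *in = path, *start = path;
+- char *osave[100];
+- int osavep = 0;
++ tmp_buffer saveb;
+
+ #ifdef O_HASDRIVES /* C: */
+ if ( in[1] == ':' && isLetter(in[0]) )
+@@ -1110,7 +1109,8 @@
+ in += 2;
+ if ( in[0] == '/' )
+ *out++ = '/';
+- osave[osavep++] = out;
++ initBuffer(&saveb);
++ addBuffer(&saveb, out, char*);
+
+ while(*in)
+ { if (*in == '/')
+@@ -1126,15 +1126,15 @@
+ }
+ if ( in[2] == EOS ) /* delete trailing /. */
+ { *out = EOS;
+- return path;
++ goto out;
+ }
+ if ( in[2] == '.' && (in[3] == '/' || in[3] == EOS) )
+- { if ( osavep > 0 ) /* delete /foo/../ */
+- { out = osave[--osavep];
++ { if ( !isEmptyBuffer(&saveb) ) /* delete /foo/../ */
++ { out = popBuffer(&saveb, char*);
+ in += 3;
+ if ( in[0] == EOS && out > start+1 )
+ { out[-1] = EOS; /* delete trailing / */
+- return path;
++ goto out;
+ }
+ goto again;
+ } else if ( start[0] == '/' && out == start+1 )
+@@ -1148,12 +1148,15 @@
+ in++;
+ if ( out > path && out[-1] != '/' )
+ *out++ = '/';
+- osave[osavep++] = out;
++ addBuffer(&saveb, out, char*);
+ } else
+ *out++ = *in++;
+ }
+ *out++ = *in++;
+
++out:
++ discardBuffer(&saveb);
++
+ return path;
+ }
+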
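--- a/debian/patches/CVE-2012-6090.diff
+++ b/debian/patches/CVE-2012-6090.diff
@@ -0,0 +1,126 @@
+Author: Jan Wielemaker <J.Wielemaker@cs.vu.nl>
+Description: Fix for CVE-2012-6090 - Possible buffer overflows when expanding file-names with long paths
+ The patch was taken from RedHat bugzilla, file locations were adjusted.
+Origin: vendor, RedHat
+Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-6090
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697416
+---
+From 212e2fcac834dec25a4fa0f4fd4652bfd19cdeea Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 4 Jan 2013 13:35:27 +0100
+Subject: [PATCH 2/2] Fix CVE-2012-6090
+
+Upstream fix ported to 5.10.2:
+
+From b2c88972e7515ada025e97e7d3ce3e34f81cf33e Mon Sep 17 00:00:00 2001
+From: Jan Wielemaker <J.Wielemaker@cs.vu.nl>
+Date: Sun, 16 Dec 2012 17:29:37 +0100
+Subject: [PATCH] SECURITY: Possible buffer overflows when expanding
+ file-names with long paths. Affects expand_file_name/2.
+
+Can lead to crashes (DoS attacks) and possibly execution of arbitrary
+code if an attacker can control the names of the files searched for,
+e.g., if expand_file_name/2 is used in a directory to which an attacker
+can upload files for which he can control the name.
+---
+ src/pl-glob.c | 46 ++++++++++++++++++++++++++++------------------
+ 1 file changed, 28 insertions(+), 18 deletions(-)
+
+diff --git a/src/pl-glob.c b/src/pl-glob.c
+index 417a69c..1fad6ca 100644
+--- a/src/os/pl-glob.c
++++ b/src/os/pl-glob.c
+@@ -423,6 +423,7 @@ expand(const char *pattern, GlobInfo info)
+ compiled_pattern cbuf;
+ char prefix[MAXPATHLEN]; /* before first pattern */
+ char patbuf[MAXPATHLEN]; /* pattern buffer */
++ size_t prefix_len;
+ int end, dot;
+
+ initBuffer(&info->files);
+@@ -441,20 +442,25 @@ expand(const char *pattern, GlobInfo info)
+ switch( (c=*s++) )
+ { case EOS:
+ if ( s > pat ) /* something left and expanded */
+- { un_escape(prefix, pat, s);
++ { size_t prefix_len;
++
++ un_escape(prefix, pat, s);
++ prefix_len = strlen(prefix);
+
+ end = info->end;
+ for( ; info->start < end; info->start++ )
+ { char path[MAXPATHLEN];
+- size_t plen;
+-
+- strcpy(path, expand_entry(info, info->start));
+- plen = strlen(path);
+- if ( prefix[0] && plen > 0 && path[plen-1] != '/' )
+- path[plen++] = '/';
+- strcpy(&path[plen], prefix);
+- if ( end == 1 || AccessFile(path, ACCESS_EXIST) )
+- add_path(path, info);
++ const char *entry = expand_entry(info, info->start);
++ size_t plen = strlen(entry);
++
++ if ( plen+prefix_len+2 <= MAXPATHLEN )
++ { strcpy(path, entry);
++ if ( prefix[0] && plen > 0 && path[plen-1] != '/' )
++ path[plen++] = '/';
++ strcpy(&path[plen], prefix);
++ if ( end == 1 || AccessFile(path, ACCESS_EXIST) )
++ add_path(path, info);
++ }
+ }
+ }
+ succeed;
+@@ -489,8 +495,9 @@ expand(const char *pattern, GlobInfo info)
+ */
+ un_escape(prefix, pat, head);
+ un_escape(patbuf, head, tail);
++ prefix_len = strlen(prefix);
+
+- if ( !compilePattern(patbuf, &cbuf) ) /* syntax error */
++ if ( !compilePattern(patbuf, &cbuf) ) /* syntax error */
+ fail;
+ dot = (patbuf[0] == '.'); /* do dots as well */
+
+@@ -502,12 +509,16 @@ expand(const char *pattern, GlobInfo info)
+ char path[MAXPATHLEN];
+ char tmp[MAXPATHLEN];
+ const char *current = expand_entry(info, info->start);
++ size_t clen = strlen(current);
++
++ if ( clen+prefix_len+1 > sizeof(path) )
++ continue;
+
+ strcpy(path, current);
+- strcat(path, prefix);
++ strcpy(&path[clen], prefix);
+
+ if ( (d=opendir(path[0] ? OsPath(path, tmp) : ".")) )
+- { size_t plen = strlen(path);
++ { size_t plen = clen+prefix_len;
+
+ if ( plen > 0 && path[plen-1] != '/' )
+ path[plen++] = '/';
+@@ -521,12 +532,11 @@ expand(const char *pattern, GlobInfo info)
+ matchPattern(e->d_name, &cbuf) )
+ { char newp[MAXPATHLEN];
+
+- strcpy(newp, path);
+- strcpy(&newp[plen], e->d_name);
+-/* if ( !tail[0] || ExistsDirectory(newp) )
+- Saves memory, but involves one more file-access
+-*/
++ if ( plen+strlen(e->d_name)+1 < sizeof(newp) )
++ { strcpy(newp, path);
++ strcpy(&newp[plen], e->d_name);
+ add_path(newp, info);
++ }
+ }
+ }
+ closedir(d);
+--
+1.7.11.7
+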
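--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,4 @@
 swi-prolog-mipsel-FTBFS.diff
 java-compat.patch
+CVE-2012-6089.diff
+CVE-2012-6090.diff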
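--- a/src/os/pl-buffer.h
+++ b/src/os/pl-buffer.h
@@ -83,6 +83,8 @@
 sizeof((b)->static_buffer))
 #define emptyBuffer(b) ((b)->top = (b)->base)
 #define isEmptyBuffer(b) ((b)->top == (b)->base)
+#define popBuffer(b,type) \
+ ((b)->top -= sizeof(type), *(type*)(b)->top)
 
 #define discardBuffer(b) \
 do \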
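Review bot: `popBuffer` has no underflow guard and nothing next to the macro says so: it subtracts `sizeof(type)` from `(b)->top` unconditionally, so popping an empty buffer, or one holding fewer bytes than `sizeof(type)`, moves `top` below `base` and reads outside the buffer. The only caller visible on this page tests `isEmptyBuffer` first, but that contract is implicit. I would state it above the definition, e.g. `/* popBuffer(): caller must check !isEmptyBuffer(b) first; no underflow check, and type must match what addBuffer() pushed */`.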
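--- a/src/os/pl-glob.c
+++ b/src/os/pl-glob.c
@@ -423,6 +423,7 @@
 compiled_pattern cbuf;
 char prefix[MAXPATHLEN]; /* before first pattern */
 char patbuf[MAXPATHLEN]; /* pattern buffer */
+ size_t prefix_len;
 int end, dot;
 
 initBuffer(&info->files);
@@ -441,20 +442,25 @@
 switch( (c=*s++) )
 { case EOS:
 if ( s > pat ) /* something left and expanded */
- { un_escape(prefix, pat, s);
+ { size_t prefix_len;
+
+ un_escape(prefix, pat, s);
+ prefix_len = strlen(prefix);
 
 end = info->end;
 for( ; info->start < end; info->start++ )
 { char path[MAXPATHLEN];
- size_t plen;
+ const char *entry = expand_entry(info, info->start);
+ size_t plen = strlen(entry);
 
- strcpy(path, expand_entry(info, info->start));
- plen = strlen(path);
- if ( prefix[0] && plen > 0 && path[plen-1] != '/' )
- path[plen++] = '/';
- strcpy(&path[plen], prefix);
- if ( end == 1 || AccessFile(path, ACCESS_EXIST) )
- add_path(path, info);
+ if ( plen+prefix_len+2 <= MAXPATHLEN )
+ { strcpy(path, entry);
+ if ( prefix[0] && plen > 0 && path[plen-1] != '/' )
+ path[plen++] = '/';
+ strcpy(&path[plen], prefix);
+ if ( end == 1 || AccessFile(path, ACCESS_EXIST) )
+ add_path(path, info);
+ }
 }
 }
 succeed;
@@ -489,8 +495,9 @@
 */
 un_escape(prefix, pat, head);
 un_escape(patbuf, head, tail);
+ prefix_len = strlen(prefix);
 
- if ( !compilePattern(patbuf, &cbuf) ) /* syntax error */
+ if ( !compilePattern(patbuf, &cbuf) ) /* syntax error */
 fail;
 dot = (patbuf[0] == '.'); /* do dots as well */
 
@@ -502,12 +509,16 @@
 char path[MAXPATHLEN];
 char tmp[MAXPATHLEN];
 const char *current = expand_entry(info, info->start);
+ size_t clen = strlen(current);
+
+ if ( clen+prefix_len+1 > sizeof(path) )
+ continue;
 
 strcpy(path, current);
- strcat(path, prefix);
+ strcpy(&path[clen], prefix);
 
 if ( (d=opendir(path[0] ? OsPath(path, tmp) : ".")) )
- { size_t plen = strlen(path);
+ { size_t plen = clen+prefix_len;
 
 if ( plen > 0 && path[plen-1] != '/' )
 path[plen++] = '/';
@@ -521,12 +532,11 @@
 matchPattern(e->d_name, &cbuf) )
 { char newp[MAXPATHLEN];
 
- strcpy(newp, path);
- strcpy(&newp[plen], e->d_name);
-/* if ( !tail[0] || ExistsDirectory(newp) )
- Saves memory, but involves one more file-access
-*/
+ if ( plen+strlen(e->d_name)+1 < sizeof(newp) )
+ { strcpy(newp, path);
+ strcpy(&newp[plen], e->d_name);
 add_path(newp, info);
+ }
 }
 }
 closedir(d);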
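Review bot: In the last hunk, `strcpy(newp, path)` still depends on `path` being NUL-terminated at `plen`, but the hunk before it keeps `path[plen++] = '/'`, which overwrites the terminator written by `strcpy(&path[clen], prefix)`, and no visible line writes a new one into the uninitialised `char path[MAXPATHLEN]`. Unless the lines between those two hunks re-terminate `path`, the copy can run past `plen`, and the new `plen+strlen(e->d_name)+1 < sizeof(newp)` check does not bound it. `memcpy(newp, path, plen);` would copy exactly the bytes that check accounts for. Separately, the `size_t prefix_len;` declared inside `case EOS:` shadows the function-scope `prefix_len` added in the first hunk, so the inner declaration can simply be dropped. Over-long entries are now skipped silently at all three checks, which deserves a short comment at each, e.g. `/* too long for MAXPATHLEN: skip entry */`.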
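--- a/src/os/pl-os.c
+++ b/src/os/pl-os.c
@@ -1081,8 +1081,7 @@
 char *
 canoniseFileName(char *path)
 { char *out = path, *in = path, *start = path;
- char *osave[100];
- int osavep = 0;
+ tmp_buffer saveb;
 
 #ifdef O_HASDRIVES /* C: */
 if ( in[1] == ':' && isLetter(in[0]) )
@@ -1110,7 +1109,8 @@
 in += 2;
 if ( in[0] == '/' )
 *out++ = '/';
- osave[osavep++] = out;
+ initBuffer(&saveb);
+ addBuffer(&saveb, out, char*);
 
 while(*in)
 { if (*in == '/')
@@ -1126,15 +1126,15 @@
 }
 if ( in[2] == EOS ) /* delete trailing /. */
 { *out = EOS;
- return path;
+ goto out;
 }
 if ( in[2] == '.' && (in[3] == '/' || in[3] == EOS) )
- { if ( osavep > 0 ) /* delete /foo/../ */
- { out = osave[--osavep];
+ { if ( !isEmptyBuffer(&saveb) ) /* delete /foo/../ */
+ { out = popBuffer(&saveb, char*);
 in += 3;
 if ( in[0] == EOS && out > start+1 )
 { out[-1] = EOS; /* delete trailing / */
- return path;
+ goto out;
 }
 goto again;
 } else if ( start[0] == '/' && out == start+1 )
@@ -1148,12 +1148,15 @@
 in++;
 if ( out > path && out[-1] != '/' )
 *out++ = '/';
- osave[osavep++] = out;
+ addBuffer(&saveb, out, char*);
 } else
 *out++ = *in++;
 }
 *out++ = *in++;
 
+out:
+ discardBuffer(&saveb);
+
 return path;
 }
 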
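Review bot: The new exit label `out:` is spelled the same as the local pointer `out` that the function writes through (`*out++ = '/'`, `out[-1] = EOS`). Labels have their own namespace, so it compiles, but `goto out;` a few lines below `out = popBuffer(&saveb, char*);` is easy to misread; `done:` would avoid that. `initBuffer(&saveb)` sits well below the declaration, after code that lies between the hunks and is not shown. A comment such as `/* every exit after initBuffer() must pass through done: so discardBuffer() runs */` would stop a later early return from skipping the cleanup. Whether `addBuffer` can fail once the save stack outgrows its static part is not visible here; `canoniseFileName` has no error return, so that behaviour deserves a line in the function comment.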