author | Naohiro Aota <naota@gentoo.org> | 2013-03-10 14:01:51 +0000 |
---|---|---|
committer | Naohiro Aota <naota@gentoo.org> | 2013-03-10 14:01:51 +0000 |
commit | 1efda02f2ee0f4fb1a30d10a7cf0b3661bd573ea (patch) | |
tree | 3f22734240965d714fef3cfe94c2c64884aaee65 /sys-freebsd/freebsd-lib | |
parent | Added a system-ffmpeg to =media-video/avidemux-2.6.1, currently it is disable... (diff) | |
Apply patch for CVE-2010-2632. #458718
(Portage version: 2.2.0_alpha166/cvs/Linux x86_64, signed Manifest commit with key F8551514)
Diffstat (limited to 'sys-freebsd/freebsd-lib')
-rw-r--r-- | sys-freebsd/freebsd-lib/ChangeLog | 9 | ||||
-rw-r--r-- | sys-freebsd/freebsd-lib/files/freebsd-lib-9.0-cve-2010-2632.patch | 215 | ||||
-rw-r--r-- | sys-freebsd/freebsd-lib/freebsd-lib-9.0-r4.ebuild (renamed from sys-freebsd/freebsd-lib/freebsd-lib-9.0-r3.ebuild) | 3 |
3 files changed, 225 insertions, 2 deletions
diff --git a/sys-freebsd/freebsd-lib/ChangeLog b/sys-freebsd/freebsd-lib/ChangeLog index cac9e1bc84d3..003b3e2d98d0 100644 --- a/sys-freebsd/freebsd-lib/ChangeLog +++ b/sys-freebsd/freebsd-lib/ChangeLog @@ -1,6 +1,13 @@ # ChangeLog for sys-freebsd/freebsd-lib # Copyright 1999-2013 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-lib/ChangeLog,v 1.170 2013/02/12 11:08:17 naota Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-lib/ChangeLog,v 1.171 2013/03/10 14:01:51 naota Exp $ + +*freebsd-lib-9.0-r4 (10 Mar 2013) + + 10 Mar 2013; Naohiro Aota <naota@gentoo.org> + +files/freebsd-lib-9.0-cve-2010-2632.patch, +freebsd-lib-9.0-r4.ebuild, + -freebsd-lib-9.0-r3.ebuild: + Apply patch for CVE-2010-2632. #458718 12 Feb 2013; Naohiro Aota <naota@gentoo.org> +files/freebsd-lib-9.0-bluetooth.patch, +files/freebsd-lib-9.0-netware.patch, diff --git a/sys-freebsd/freebsd-lib/files/freebsd-lib-9.0-cve-2010-2632.patch b/sys-freebsd/freebsd-lib/files/freebsd-lib-9.0-cve-2010-2632.patch new file mode 100644 index 000000000000..ad9b9608f42c --- /dev/null +++ b/sys-freebsd/freebsd-lib/files/freebsd-lib-9.0-cve-2010-2632.patch 
@@ -0,0 +1,215 @@ +Index: lib/libc/gen/glob.c +=================================================================== +--- lib/libc/gen/glob.c (revision 246357) ++++ lib/libc/gen/glob.c (working copy) +@@ -94,6 +94,25 @@ __FBSDID("$FreeBSD$"); + + #include "collate.h" + ++/* ++ * glob(3) expansion limits. Stop the expansion if any of these limits ++ * is reached. This caps the runtime in the face of DoS attacks. See ++ * also CVE-2010-2632 ++ */ ++#define GLOB_LIMIT_BRACE 128 /* number of brace calls */ ++#define GLOB_LIMIT_PATH 65536 /* number of path elements */ ++#define GLOB_LIMIT_READDIR 16384 /* number of readdirs */ ++#define GLOB_LIMIT_STAT 1024 /* number of stat system calls */ ++#define GLOB_LIMIT_STRING ARG_MAX /* maximum total size for paths */ ++ ++struct glob_limit { ++ size_t l_brace_cnt; ++ size_t l_path_lim; ++ size_t l_readdir_cnt; ++ size_t l_stat_cnt; ++ size_t l_string_cnt; ++}; ++ + #define DOLLAR '$' + #define DOT '.' + #define EOS '\0' +@@ -153,15 +172,18 @@ static const Char *g_strchr(const Char *, wchar_t) + static Char *g_strcat(Char *, const Char *); + #endif + static int g_stat(Char *, struct stat *, glob_t *); +-static int glob0(const Char *, glob_t *, size_t *); +-static int glob1(Char *, glob_t *, size_t *); +-static int glob2(Char *, Char *, Char *, Char *, glob_t *, size_t *); +-static int glob3(Char *, Char *, Char *, Char *, Char *, glob_t *, size_t *); +-static int globextend(const Char *, glob_t *, size_t *); +-static const Char * ++static int glob0(const Char *, glob_t *, struct glob_limit *); ++static int glob1(Char *, glob_t *, struct glob_limit *); ++static int glob2(Char *, Char *, Char *, Char *, glob_t *, ++ struct glob_limit *); ++static int glob3(Char *, Char *, Char *, Char *, Char *, glob_t *, ++ struct glob_limit *); ++static int globextend(const Char *, glob_t *, struct glob_limit *); ++static const Char * + globtilde(const Char *, Char *, size_t, glob_t *); +-static int globexp1(const Char *, glob_t *, size_t *); 
+-static int globexp2(const Char *, const Char *, glob_t *, int *, size_t *); ++static int globexp1(const Char *, glob_t *, struct glob_limit *); ++static int globexp2(const Char *, const Char *, glob_t *, int *, ++ struct glob_limit *); + static int match(Char *, Char *, Char *); + #ifdef DEBUG + static void qprintf(const char *, Char *); +@@ -171,8 +193,8 @@ int + glob(const char * __restrict pattern, int flags, + int (*errfunc)(const char *, int), glob_t * __restrict pglob) + { ++ struct glob_limit limit = { 0, 0, 0, 0, 0 }; + const char *patnext; +- size_t limit; + Char *bufnext, *bufend, patbuf[MAXPATHLEN], prot; + mbstate_t mbs; + wchar_t wc; +@@ -186,11 +208,10 @@ glob(const char * __restrict pattern, int flags, + pglob->gl_offs = 0; + } + if (flags & GLOB_LIMIT) { +- limit = pglob->gl_matchc; +- if (limit == 0) +- limit = ARG_MAX; +- } else +- limit = 0; ++ limit.l_path_lim = pglob->gl_matchc; ++ if (limit.l_path_lim == 0) ++ limit.l_path_lim = GLOB_LIMIT_PATH; ++ } + pglob->gl_flags = flags & ~GLOB_MAGCHAR; + pglob->gl_errfunc = errfunc; + pglob->gl_matchc = 0; +@@ -243,11 +264,17 @@ glob(const char * __restrict pattern, int flags, + * characters + */ + static int +-globexp1(const Char *pattern, glob_t *pglob, size_t *limit) ++globexp1(const Char *pattern, glob_t *pglob, struct glob_limit *limit) + { + const Char* ptr = pattern; + int rv; + ++ if ((pglob->gl_flags & GLOB_LIMIT) && ++ limit->l_brace_cnt++ >= GLOB_LIMIT_BRACE) { ++ errno = 0; ++ return (GLOB_NOSPACE); ++ } ++ + /* Protect a single {}, for find(1), like csh */ + if (pattern[0] == LBRACE && pattern[1] == RBRACE && pattern[2] == EOS) + return glob0(pattern, pglob, limit); +@@ -266,7 +293,8 @@ static int + * If it fails then it tries to glob the rest of the pattern and returns. 
+ */ + static int +-globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv, size_t *limit) ++globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv, ++ struct glob_limit *limit) + { + int i; + Char *lm, *ls; +@@ -436,7 +464,7 @@ globtilde(const Char *pattern, Char *patbuf, size_ + * if things went well, nonzero if errors occurred. + */ + static int +-glob0(const Char *pattern, glob_t *pglob, size_t *limit) ++glob0(const Char *pattern, glob_t *pglob, struct glob_limit *limit) + { + const Char *qpatnext; + int err; +@@ -529,7 +557,7 @@ compare(const void *p, const void *q) + } + + static int +-glob1(Char *pattern, glob_t *pglob, size_t *limit) ++glob1(Char *pattern, glob_t *pglob, struct glob_limit *limit) + { + Char pathbuf[MAXPATHLEN]; + +@@ -547,7 +575,7 @@ static int + */ + static int + glob2(Char *pathbuf, Char *pathend, Char *pathend_last, Char *pattern, +- glob_t *pglob, size_t *limit) ++ glob_t *pglob, struct glob_limit *limit) + { + struct stat sb; + Char *p, *q; +@@ -563,6 +591,15 @@ glob2(Char *pathbuf, Char *pathend, Char *pathend_ + if (g_lstat(pathbuf, &sb, pglob)) + return(0); + ++ if ((pglob->gl_flags & GLOB_LIMIT) && ++ limit->l_stat_cnt++ >= GLOB_LIMIT_STAT) { ++ errno = 0; ++ if (pathend + 1 > pathend_last) ++ return (GLOB_ABORTED); ++ *pathend++ = SEP; ++ *pathend = EOS; ++ return (GLOB_NOSPACE); ++ } + if (((pglob->gl_flags & GLOB_MARK) && + pathend[-1] != SEP) && (S_ISDIR(sb.st_mode) + || (S_ISLNK(sb.st_mode) && +@@ -606,7 +643,7 @@ glob2(Char *pathbuf, Char *pathend, Char *pathend_ + static int + glob3(Char *pathbuf, Char *pathend, Char *pathend_last, + Char *pattern, Char *restpattern, +- glob_t *pglob, size_t *limit) ++ glob_t *pglob, struct glob_limit *limit) + { + struct dirent *dp; + DIR *dirp; +@@ -652,6 +689,19 @@ glob3(Char *pathbuf, Char *pathend, Char *pathend_ + size_t clen; + mbstate_t mbs; + ++ if ((pglob->gl_flags & GLOB_LIMIT) && ++ limit->l_readdir_cnt++ >= GLOB_LIMIT_READDIR) { ++ errno = 0; ++ if 
(pathend + 1 > pathend_last) ++ err = GLOB_ABORTED; ++ else { ++ *pathend++ = SEP; ++ *pathend = EOS; ++ err = GLOB_NOSPACE; ++ } ++ break; ++ } ++ + /* Initial DOT must be matched literally. */ + if (dp->d_name[0] == DOT && *pattern != DOT) + continue; +@@ -702,14 +752,15 @@ glob3(Char *pathbuf, Char *pathend, Char *pathend_ + * gl_pathv points to (gl_offs + gl_pathc + 1) items. + */ + static int +-globextend(const Char *path, glob_t *pglob, size_t *limit) ++globextend(const Char *path, glob_t *pglob, struct glob_limit *limit) + { + char **pathv; + size_t i, newsize, len; + char *copy; + const Char *p; + +- if (*limit && pglob->gl_pathc > *limit) { ++ if ((pglob->gl_flags & GLOB_LIMIT) && ++ pglob->gl_matchc > limit->l_path_lim) { + errno = 0; + return (GLOB_NOSPACE); + } +@@ -737,6 +788,12 @@ static int + for (p = path; *p++;) + continue; + len = MB_CUR_MAX * (size_t)(p - path); /* XXX overallocation */ ++ limit->l_string_cnt += len; ++ if ((pglob->gl_flags & GLOB_LIMIT) && ++ limit->l_string_cnt >= GLOB_LIMIT_STRING) { ++ errno = 0; ++ return (GLOB_NOSPACE); ++ } + if ((copy = malloc(len)) != NULL) { + if (g_Ctoc(path, copy, len)) { + free(copy); diff --git a/sys-freebsd/freebsd-lib/freebsd-lib-9.0-r3.ebuild b/sys-freebsd/freebsd-lib/freebsd-lib-9.0-r4.ebuild index 4295da798ef4..82c6a8ef4869 100644 --- a/sys-freebsd/freebsd-lib/freebsd-lib-9.0-r3.ebuild +++ b/sys-freebsd/freebsd-lib/freebsd-lib-9.0-r4.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2013 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-lib/freebsd-lib-9.0-r3.ebuild,v 1.9 2013/02/12 11:08:17 naota Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-freebsd/freebsd-lib/freebsd-lib-9.0-r4.ebuild,v 1.1 2013/03/10 14:01:51 naota Exp $ EAPI=2 
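Review bot: Every cap added by the glob.c patch (`l_brace_cnt` in globexp1, `l_stat_cnt` in glob2, `l_readdir_cnt` in glob3, and both checks in globextend) is tested only under `pglob->gl_flags & GLOB_LIMIT`, so a program that expands untrusted patterns without passing that flag gets no bound from this change. This looks intentional, but the comment above the `GLOB_LIMIT_*` defines does not say so; I would add a line such as `Only enforced when GLOB_LIMIT is set in flags; callers that glob untrusted patterns must pass it.` In glob(), `limit.l_path_lim` is still taken from the caller's `pglob->gl_matchc`, so a caller that leaves that field uninitialised ends up with an arbitrary path cap; the four fixed counters presumably still bound the work in that case. The patch header carries only `revision 246357` and `working copy`, so a line naming the upstream change it was taken from would make later audits easier.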
@@ -94,6 +94,7 @@ PATCHES=( "${FILESDIR}/${PN}-bsdxml2expat.patch" "${FILESDIR}/${PN}-9.0-trylock-adaptive.patch" "${FILESDIR}/${PN}-9.0-netware.patch" + "${FILESDIR}/${PN}-9.0-cve-2010-2632.patch" "${FILESDIR}/${PN}-9.0-bluetooth.patch" ) # Here we disable and remove source which we don't need or want |