CVE-2013-0242 in glibc's regex() can cause a DoS in any daemon that runs a regex search on user input while in a multibyte locale. I'm not sure how hard it would be to trigger such a setup for libvirtd, but rather than risk things, we can avoid the issue: gnulib has worked around the problem, and by updating to the latest gnulib, we can avoid the bug even on platforms where glibc has yet to be patched.

* .gnulib: Update to latest, for various fixes, including regex.
* bootstrap: Resync from upstream.
---

* .gnulib 61c7b1e...a0b25da (45):
  > regex: avoid infinite configure test
  > openpty: fix bug where HAVE_OPENPTY wasn't defined
  > sys_time: port to Solaris 2.6
  > regex: test for buffer overrun
  > regex: fix buffer overrun in regexp matcher
  > mountlist: don't consider "devtmpfs" as dummy
  > futimens-tests, utimens-tests: Depend on gettext.
  > test-getpeername: fix typo
  > bootstrap: remove the need for a sorted .gitignore
  > readlinkat: don't depend on gl_FUNC_OPENAT
  > statat: new module, split out from fstatat
  > autoupdate
  > Fix typo in previous change, by including <unistd.h>.
  > tests: don't assume fd 99 is closed
  > Fix ChangeLog typo.
  > stpncpy: port to OS X 10.8
  > In intro, say only latest mingw is tested.
  > unistd: port to recent mingw
  > Fix typo in comment.
  > largefile: port better to Mac OS X 10.5
  > doc: clarify -Werror
  > stdint: fix build with Android's Bionic fox x86
  > net_if-tests: port to Solaris 7 + GCC 3.4.6
  > net_if-tests: port to older Solaris
  > system-quote-tests: port to older Solaris
  > c-xvasprintf etc.: fix link errors on older Solaris
  > locale: port to Solaris 2.6 and 7 + GNU gettext
  > autoupdate
  > stdlib: port to Solaris 2.6
  > Fix misspellings of "occurred".
  > autoupdate
  > autoupdate
  > doc: update main copyright year
  > doc: improve ISO 8601 discussion
  > doc: avoid small caps
  > regex: conform to strict C
  > gnulib-tool: fix incompatibility with autopoint 0.18.2
  > autoupdate
  > fprintftime: bring back and reword fwrite comment
  > autoupdate
  > stdio: remove now-unnecessary stdio.c
  > unicodeio: depend on stdio, not ignore-value
  > fprintftime: depend on stdio, not ignore-value
  > stdint-tests: Fix expanded-before-required-warning. * modules/stdint-tests (Depends-on): Use AC_REQUIRE.
  > fwrite: silence __wur only for older glibc versions

.gnulib | 2 +- bootstrap | 44 ++++++++++++++++++++++---------------------- 2 files changed, 23 insertions(+), 23 deletions(-) diff --git a/.gnulib b/.gnulib index 61c7b1e..a0b25da 160000 --- a/.gnulib +++ b/.gnulib @@ -1 +1 @@ -Subproject commit 61c7b1e32e11e9e40b4d59ab888a807620befcd3 +Subproject commit a0b25daf001cb1a0352f329e2b5e1640acc88541 diff --git a/bootstrap b/bootstrap index 012907a..bee7765 100755 --- a/bootstrap +++ b/bootstrap @@ -1,6 +1,6 @@ #! /bin/sh # Print a version string. -scriptversion=2012-12-28.10; # UTC +scriptversion=2013-01-20.16; # UTC # Bootstrap this package from checked-out sources. 
@@ -306,34 +306,34 @@ if test -n "$checkout_only_file" && test ! -r "$checkout_only_file"; then die "Bootstrapping from a non-checked-out distribution is risky." fi -# Ensure that lines starting with ! sort last, per gitignore conventions -# for whitelisting exceptions after a more generic blacklist pattern. -sort_patterns() { - sort -u "$@" | sed '/^!/ { - H - d - } - $ { - P - x - s/^\n// - }' | sed '/^$/d' +# Strip blank and comment lines to leave significant entries. +gitignore_entries() { + sed '/^#/d; /^$/d' "$@" } -# If $STR is not already on a line by itself in $FILE, insert it, -# sorting the new contents of the file and replacing $FILE with the result. -insert_sorted_if_absent() { +# If $STR is not already on a line by itself in $FILE, insert it at the start. +# Entries are inserted at the start of the ignore list to ensure existing +# entries starting with ! are not overridden. Such entries support +# whitelisting exceptions after a more generic blacklist pattern. +insert_if_absent() { file=$1 str=$2 test -f $file || touch $file - echo "$str" | sort_patterns - $file | cmp -s - $file > /dev/null \ - || { echo "$str" | sort_patterns - $file > $file.bak \ - && mv $file.bak $file; } \ - || die "insert_sorted_if_absent $file $str: failed" + test -r $file || die "Error: failed to read ignore file: $file" + duplicate_entries=$(gitignore_entries $file | sort | uniq -d) + if [ "$duplicate_entries" ] ; then + die "Error: Duplicate entries in $file: " $duplicate_entries + fi + linesold=$(gitignore_entries $file | wc -l) + linesnew=$(echo "$str" | gitignore_entries - $file | sort -u | wc -l) + if [ $linesold != $linesnew ] ; then + { echo "$str" | cat - $file > $file.bak && mv $file.bak $file; } \ + || die "insert_if_absent $file $str: failed" + fi } # Adjust $PATTERN for $VC_IGNORE_FILE and insert it with -# insert_sorted_if_absent. +# insert_if_absent. insert_vc_ignore() { vc_ignore_file="$1" pattern="$2" 
@@ -344,7 +344,7 @@ insert_vc_ignore() { # .gitignore entry. pattern=$(echo "$pattern" | sed s,^,/,);; esac - insert_sorted_if_absent "$vc_ignore_file" "$pattern" + insert_if_absent "$vc_ignore_file" "$pattern" } # Die if there is no AC_CONFIG_AUX_DIR($build_aux) line in configure.ac. -- 1.8.1 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
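Review bot: the .gnulib submodule bump from 61c7b1e to a0b25da only shields libvirtd from CVE-2013-0242 on builds where configure ends up linking gnulib's replacement regex instead of the system glibc one; the shortlog entries "regex: test for buffer overrun" and "regex: avoid infinite configure test" indicate the new gnulib probes for the broken glibc at configure time, so please confirm that probe actually selects the replacement on an unpatched glibc (with --with-included-regex as the manual override) and say so in the commit message, which currently reads as if the submodule update alone closes the hole regardless of how libvirt is configured.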
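Review bot: in the bootstrap hunk at line 306, the new insert_if_absent turns a pre-existing duplicate entry in $VC_IGNORE_FILE into a hard failure (`die "Error: Duplicate entries in $file: " $duplicate_entries`), where the removed sort_patterns path silently collapsed duplicates with `sort -u`; anyone with a hand-edited .gitignore that repeats a line will now have bootstrap abort, so the commit message should call out that behavior change even though it is an upstream resync. Same hunk, smaller point: `$file` is still expanded unquoted in the newly added `test -r $file`, `gitignore_entries $file`, `cat - $file > $file.bak` and `mv $file.bak $file`, so an ignore-file path containing whitespace breaks; quoting as `"$file"` would be worth sending upstream along with the rest.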