author | William Pitcock <nenolod@dereferenced.org> | 2017-10-19 22:56:38 +0000 |
---|---|---|
committer | William Pitcock <nenolod@dereferenced.org> | 2017-10-19 22:56:38 +0000 |
commit | 53993d6b5a3b555579aa202429764996517ed6aa (patch) | |
tree | dd1c86fe59c24ba1b142e0f61890f2740bd4c7bb /main | |
parent | 55c392b0f8dbb2b9639d975bdf2121f863785980 (diff) | |
download | aports-53993d6b5a3b555579aa202429764996517ed6aa.tar.bz2 aports-53993d6b5a3b555579aa202429764996517ed6aa.tar.xz |
main/musl: fix possible buffer overrun in __posix_spawnx().
This can allow programs to crash when $PATH contains elements that are larger than 1024 bytes.
Notably, PATH_MAX is larger than 1024 bytes, so this can cause environments with very long, but
valid path elements in $PATH to have program crashes when they spawn new processes.
No CVE for this one at the time of writing, but this seems like a probable security bug.
Diffstat (limited to 'main')
-rw-r--r-- | main/musl/0001-posix_spawn-use-larger-stack-to-cover-worst-case-in-.patch | 32 | ||||
-rw-r--r-- | main/musl/APKBUILD | 4 |
2 files changed, 35 insertions, 1 deletions
diff --git a/main/musl/0001-posix_spawn-use-larger-stack-to-cover-worst-case-in-.patch b/main/musl/0001-posix_spawn-use-larger-stack-to-cover-worst-case-in-.patch new file mode 100644 index 0000000000..0ff9084861 --- /dev/null +++ b/main/musl/0001-posix_spawn-use-larger-stack-to-cover-worst-case-in-.patch @@ -0,0 +1,32 @@ +From 9b5ca541b2c97850b00a051ad21efc46792b91b2 Mon Sep 17 00:00:00 2001 +From: Will Dietz <w@wdtz.org> +Date: Thu, 14 Sep 2017 16:32:59 -0500 +Subject: [PATCH] posix_spawn: use larger stack to cover worst-case in execvpe + +execvpe stack-allocates a buffer used to hold the full path +(combination of a PATH entry and the program name) +while searching through $PATH, so at least +NAME_MAX+PATH_MAX is needed. + +The stack size can be made conditionally smaller +(the current 1024 appears appropriate) +should this larger size be burdensome in those situations. +--- + src/process/posix_spawn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/process/posix_spawn.c b/src/process/posix_spawn.c +index ea5d2998..0849c71f 100644 +--- a/src/process/posix_spawn.c ++++ b/src/process/posix_spawn.c +@@ -152,7 +152,7 @@ int __posix_spawnx(pid_t *restrict res, const char *restrict path, + char *const argv[restrict], char *const envp[restrict]) + { + pid_t pid; +- char stack[1024]; ++ char stack[1024+PATH_MAX]; + int ec=0, cs; + struct args args; + +-- +2.14.1 diff --git a/main/musl/APKBUILD b/main/musl/APKBUILD index bafdf61646..1938bbb3ca 100644 --- a/main/musl/APKBUILD +++ b/main/musl/APKBUILD @@ -2,7 +2,7 @@ # Maintainer: Timo Teräs <timo.teras@iki.fi> pkgname=musl pkgver=1.1.17 -pkgrel=0 +pkgrel=1 pkgdesc="the musl c library (libc) implementation" url="http://www.musl-libc.org/" arch="all" 
@@ -18,6 +18,7 @@ nolibc) ;; esac source="http://www.musl-libc.org/releases/musl-$pkgver.tar.gz + 0001-posix_spawn-use-larger-stack-to-cover-worst-case-in-.patch 1000-implement-strftime-GNU-extension-padding-specifiers-.patch 2000-pthread-internals-increase-DEFAULT_GUARD_SIZE-to-2-p.patch 3002-stdio-implement-fopencookie-3.patch @@ -144,6 +145,7 @@ compat() { } sha512sums="bc99c7d58d64116c03e68fe77141a1f2938e0c01ba027937587a060d435b4b00b8b1f18c63fb8ed445ef36f377974e02a7b4821c793e4292041e31e66f145428 musl-1.1.17.tar.gz +0ccf3dc82ab5556c001a0cc4209f4263eb3670f188e1ca0e649593f4dca0bd1107f1985f608b30c4eb0ef8b0a76d31434fb9ecc3c82fed2bb5f1860016d5057c 0001-posix_spawn-use-larger-stack-to-cover-worst-case-in-.patch 7e4c703e57a3564cd3ee1d5334b806cbe654355179ba55d4d25361dfc555eb4a7d081d80d64fdaff8476949afd04558d278b124d1fb108080beaa5ba2f8ce2b9 1000-implement-strftime-GNU-extension-padding-specifiers-.patch 2c8e1dde1834238097b2ee8a7bfb53471a0d9cff4a5e38b55f048b567deff1cdd47c170d0578a67b1a039f95a6c5fbb8cff369c75b6a3e4d7ed171e8e86ebb8c 2000-pthread-internals-increase-DEFAULT_GUARD_SIZE-to-2-p.patch 0053e16cbac968b50dee98e3b36d29a497aaca6d9d0e120556273c9d0cd8360310eb7b7ab3c1e416217210fdd071e98268eaca54f3a0e9a22408ed8701dc54c1 3002-stdio-implement-fopencookie-3.patch |
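Review bot: in the src/process/posix_spawn.c hunk, the new size `1024+PATH_MAX` does not match the bound the patch description itself gives (`NAME_MAX+PATH_MAX` for the execvpe path buffer), and the `1024` remains an unexplained constant. Consider writing the size as the stated worst case plus a named margin, with a short comment saying what the margin is for, so the next reader can check the array against the buffer execvpe allocates on it. The hunk is a one-line change and adds no include, so confirm that `PATH_MAX` is already visible in this file through `<limits.h>`.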
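Review bot: in the main/musl/APKBUILD hunk that extends `source=`, the new `0001-posix_spawn-use-larger-stack-to-cover-worst-case-in-.patch` entry has no note on its origin or on when it can be dropped. The patch header names commit 9b5ca541b2c97850b00a051ad21efc46792b91b2 by Will Dietz, but nothing in the visible lines says whether that change is part of a musl release; a comment above `source=` or a line in the commit message would tell whoever bumps `pkgver` past 1.1.17 whether to remove the patch. The `pkgrel` bump and the added `sha512sums` line are consistent with the new source entry.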