diff --git a/SOURCES/glibc-rh1979127.patch b/SOURCES/glibc-rh1979127.patch new file mode 100644 index 0000000..4a21d5a --- /dev/null +++ b/SOURCES/glibc-rh1979127.patch @@ -0,0 +1,33 @@ +commit 5adda61f62b77384718b4c0d8336ade8f2b4b35c +Author: Andreas Schwab +Date: Fri Jun 25 15:02:47 2021 +0200 + + wordexp: handle overflow in positional parameter number (bug 28011) + + Use strtoul instead of atoi so that overflow can be detected. + +diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c +index cc29840355e047cc..30c1dd65efcc0b49 100644 +--- a/posix/wordexp-test.c ++++ b/posix/wordexp-test.c +@@ -200,6 +200,7 @@ struct test_case_struct + { 0, NULL, "$var", 0, 0, { NULL, }, IFS }, + { 0, NULL, "\"\\n\"", 0, 1, { "\\n", }, IFS }, + { 0, NULL, "", 0, 0, { NULL, }, IFS }, ++ { 0, NULL, "${1234567890123456789012}", 0, 0, { NULL, }, IFS }, + + /* Flags not already covered (testit() has special handling for these) */ + { 0, NULL, "one two", WRDE_DOOFFS, 2, { "one", "two", }, IFS }, +diff --git a/posix/wordexp.c b/posix/wordexp.c +index 048a8068544c81fa..4061969c720f1f34 100644 +--- a/posix/wordexp.c ++++ b/posix/wordexp.c +@@ -1420,7 +1420,7 @@ envsubst: + /* Is it a numeric parameter? */ + else if (isdigit (env[0])) + { +- int n = atoi (env); ++ unsigned long n = strtoul (env, NULL, 10); + + if (n >= __libc_argc) + /* Substitute NULL. */ diff --git a/SPECS/glibc.spec b/SPECS/glibc.spec index 6794e06..2aa98e9 100644 --- a/SPECS/glibc.spec +++ b/SPECS/glibc.spec @@ -1,6 +1,6 @@ %define glibcsrcdir glibc-2.28 %define glibcversion 2.28 -%define glibcrelease 161%{?dist} +%define glibcrelease 162%{?dist} # Pre-release tarballs are pulled in from git using a command that is # effectively: # @@ -714,6 +714,7 @@ Patch577: glibc-rh1956357-5.patch Patch578: glibc-rh1956357-6.patch Patch579: glibc-rh1956357-7.patch Patch580: glibc-rh1956357-8.patch +Patch581: glibc-rh1979127.patch ############################################################################## # Continued list of core "glibc" package information: @@ -2626,6 +2627,10 @@ fi %files -f compat-libpthread-nonshared.filelist -n compat-libpthread-nonshared %changelog +* Thu Jul 8 2021 Siddhesh Poyarekar - 2.28-162 +- CVE-2021-35942: wordexp: handle overflow in positional parameter number + (#1979127) + * Fri Jun 18 2021 Carlos O'Donell - 2.28-161 - Improve POWER10 performance with POWER9 fallbacks (#1956357)