Fix CVE-2020-27618

Signed-off-by: liusirui <liusirui@huawei.com>
2020-11-10 17:28:03 +08:00 · 2020-11-10 17:28:03 +08:00 · 95f5794214
commit 95f5794214
parent 5ac8495534
2 changed files with 62 additions and 1 deletions
--- a/Fix-CVE-2020-27618-iconv-Accept-redundant-shift-sequences.patch
+++ b/Fix-CVE-2020-27618-iconv-Accept-redundant-shift-sequences.patch
@ -0,0 +1,56 @@
 From 9a99c682144bdbd40792ebf822fe9264e0376fb5 Mon Sep 17 00:00:00 2001
 From: Arjun Shankar <arjun@redhat.com>
 Date: Wed, 4 Nov 2020 12:19:38 +0100
 Subject: [PATCH] iconv: Accept redundant shift sequences in IBM1364 [BZ
 #26224]
 The IBM1364, IBM1371, IBM1388, IBM1390 and IBM1399 character sets
 share converter logic (iconvdata/ibm1364.c) which would reject
 redundant shift sequences when processing input in these character
 sets.  This led to a hang in the iconv program (CVE-2020-27618).
 This commit adjusts the converter to ignore redundant shift sequences
 and adds test cases for iconv_prog hangs that would be triggered upon
 their rejection.  This brings the implementation in line with other
 converters that also ignore redundant shift sequences (e.g. IBM930
 etc., fixed in commit 692de4b3960d).
 Reviewed-by: Carlos O'Donell <carlos@redhat.com>
 ---
 iconvdata/ibm1364.c     | 14 ++------------
 1 files changed, 2 insertions(+), 12 deletions(-)
 diff --git a/iconvdata/ibm1364.c b/iconvdata/ibm1364.c
 index 49e7267ab45..521f0825b7f 100644
 --- a/iconvdata/ibm1364.c
 +++ b/iconvdata/ibm1364.c
@@ -158,24 +158,14 @@ enum
 									      \
     if (__builtin_expect (ch, 0) == SO)					      \
       {									      \
 -	/* Shift OUT, change to DBCS converter.  */			      \
 -	if (curcs == db)						      \
 -	  {								      \
 -	    result = __GCONV_ILLEGAL_INPUT;				      \
 -	    break;							      \
 -	  }								      \
 +	/* Shift OUT, change to DBCS converter (redundant escape okay).  */   \
 	curcs = db;							      \
 	++inptr;							      \
 	continue;							      \
       }									      \
     if (__builtin_expect (ch, 0) == SI)					      \
       {									      \
 -	/* Shift IN, change to SBCS converter.  */			      \
 -	if (curcs == sb)						      \
 -	  {								      \
 -	    result = __GCONV_ILLEGAL_INPUT;				      \
 -	    break;							      \
 -	  }								      \
 +	/* Shift IN, change to SBCS converter (redundant escape okay).  */    \
 	curcs = sb;							      \
 	++inptr;							      \
 	continue;							      \
 -- 
 2.25.1
--- a/glibc.spec
+++ b/glibc.spec
@ -60,7 +60,7 @@
 ##############################################################################
 Name: 	 	glibc
 Version: 	2.31
-Release: 	6
+Release: 	7
 Summary: 	The GNU libc libraries
 License:	%{all_license}
 URL: 		http://www.gnu.org/software/glibc/
@ -92,6 +92,7 @@ Patch6012: Fix-CVE-2020-6096-001.patch
 Patch6013: Fix-CVE-2020-6096-002.patch
 Patch6014: Disable-warnings-due-to-deprecated-libselinux-symbol.patch
 Patch6015: rtld-Avoid-using-up-static-TLS-surplus-for-optimizat.patch 
 Patch6016: Fix-CVE-2020-27618-iconv-Accept-redundant-shift-sequences.patch
 Patch9000: delete-no-hard-link-to-avoid-all_language-package-to.patch 
 Patch9001: build-extra-libpthreadcond-so.patch
@ -1189,6 +1190,10 @@ fi
 %doc hesiod/README.hesiod
 %changelog
 * Tue Nov 10 2020 liusirui <liusirui@huawei.com> - 2.31-7
 - Fix CVE-2020-27618, iconv accept redundant shift sequences in IBM1364 [BZ #26224]
  https://sourceware.org/bugzilla/show_bug.cgi?id=26224
 * Tue Sep 15 2020 shanzhikun<shanzhikun@huawei.com> - 2.31-6
 - rtld: Avoid using up static TLS surplus for optimizations [BZ #25051].
  https://sourceware.org/git/?p=glibc.git;a=commit;h=ffb17e7ba3a5ba9632cee97330b325072fbe41dd