summaryrefslogtreecommitdiff
path: root/gnu
diff options
context:
space:
mode:
authorMarius Bakke <marius@gnu.org>2020-07-26 13:37:12 +0200
committerMarius Bakke <marius@gnu.org>2020-07-26 13:37:12 +0200
commitebd1ba713cbefc9ad5dac609255e1344a328e360 (patch)
tree39a48103b244191090bd43984100935940611f7e /gnu
parentccc1d743a64fd71bee1a27f1f495978989b41126 (diff)
gnu: glibc: Remove old versions.
* gnu/packages/patches/glibc-CVE-2015-5180.patch, gnu/packages/patches/glibc-CVE-2015-7547.patch, gnu/packages/patches/glibc-CVE-2016-3075.patch, gnu/packages/patches/glibc-CVE-2016-3706.patch, gnu/packages/patches/glibc-CVE-2016-4429.patch, gnu/packages/patches/glibc-CVE-2017-1000366-pt1.patch, gnu/packages/patches/glibc-CVE-2017-1000366-pt2.patch, gnu/packages/patches/glibc-CVE-2017-1000366-pt3.patch, gnu/packages/patches/glibc-o-largefile.patch, gnu/packages/patches/glibc-vectorized-strcspn-guards.patch: Delete files. * gnu/local.mk (dist_patch_DATA): Adjust accordingly. * gnu/packages/base.scm (glibc-2.26, glibc-2.25, glibc-2.24, glibc-2.23, glibc-2.22): Remove variables.
Diffstat (limited to 'gnu')
-rw-r--r--gnu/local.mk10
-rw-r--r--gnu/packages/base.scm112
-rw-r--r--gnu/packages/patches/glibc-CVE-2015-5180.patch311
-rw-r--r--gnu/packages/patches/glibc-CVE-2015-7547.patch590
-rw-r--r--gnu/packages/patches/glibc-CVE-2016-3075.patch43
-rw-r--r--gnu/packages/patches/glibc-CVE-2016-3706.patch188
-rw-r--r--gnu/packages/patches/glibc-CVE-2016-4429.patch58
-rw-r--r--gnu/packages/patches/glibc-CVE-2017-1000366-pt1.patch36
-rw-r--r--gnu/packages/patches/glibc-CVE-2017-1000366-pt2.patch124
-rw-r--r--gnu/packages/patches/glibc-CVE-2017-1000366-pt3.patch206
-rw-r--r--gnu/packages/patches/glibc-o-largefile.patch25
-rw-r--r--gnu/packages/patches/glibc-vectorized-strcspn-guards.patch23
12 files changed, 0 insertions, 1726 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index f2a7b6b984..ef6533bd8d 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1016,14 +1016,6 @@ dist_patch_DATA = \
%D%/packages/patches/ghostscript-no-header-uuid.patch \
%D%/packages/patches/ghostscript-no-header-creationdate.patch \
%D%/packages/patches/glib-tests-timer.patch \
- %D%/packages/patches/glibc-CVE-2015-5180.patch \
- %D%/packages/patches/glibc-CVE-2015-7547.patch \
- %D%/packages/patches/glibc-CVE-2016-3075.patch \
- %D%/packages/patches/glibc-CVE-2016-3706.patch \
- %D%/packages/patches/glibc-CVE-2016-4429.patch \
- %D%/packages/patches/glibc-CVE-2017-1000366-pt1.patch \
- %D%/packages/patches/glibc-CVE-2017-1000366-pt2.patch \
- %D%/packages/patches/glibc-CVE-2017-1000366-pt3.patch \
%D%/packages/patches/glibc-CVE-2018-11236.patch \
%D%/packages/patches/glibc-CVE-2018-11237.patch \
%D%/packages/patches/glibc-CVE-2019-7309.patch \
@@ -1045,9 +1037,7 @@ dist_patch_DATA = \
%D%/packages/patches/glibc-ldd-x86_64.patch \
%D%/packages/patches/glibc-locales.patch \
%D%/packages/patches/glibc-locales-2.28.patch \
- %D%/packages/patches/glibc-o-largefile.patch \
%D%/packages/patches/glibc-reinstate-prlimit64-fallback.patch \
- %D%/packages/patches/glibc-vectorized-strcspn-guards.patch \
%D%/packages/patches/glibc-versioned-locpath.patch \
%D%/packages/patches/glibc-2.27-git-fixes.patch \
%D%/packages/patches/glibc-2.28-git-fixes.patch \
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 7116708743..6cd7ed749b 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -1014,118 +1014,6 @@ with the Linux kernel.")
"glibc-CVE-2018-11237.patch"))))
(properties `((lint-hidden-cve . ("CVE-2017-18269")))))) ; glibc-2.27-git-fixes
-(define-public glibc-2.26
- (package
- (inherit glibc)
- ;; This version number corresponds to the output of `git describe` and the
- ;; archive can be generated by checking out the commit ID and running:
- ;; git archive --prefix=$(git describe)/ HEAD | xz > $(git describe).tar.xz
- ;; See <https://bugs.gnu.org/29406> for why this was necessary.
- (version "2.26.105-g0890d5379c")
- (source (origin
- (inherit (package-source glibc))
- (uri (string-append "https://alpha.gnu.org/gnu/guix/mirror/"
- "glibc-" (version-major+minor version) "-"
- (caddr (string-split version #\.)) ".tar.xz"))
- (sha256
- (base32
- "1jck0c1i248sn02rvsfjykk77qncma34bjq89dyy2irwm50d7s3g"))
- (patches (search-patches "glibc-ldd-x86_64.patch"
- "glibc-versioned-locpath.patch"
- "glibc-allow-kernel-2.6.32.patch"))))))
-
-(define-public glibc-2.25
- (package
- (inherit glibc)
- (version "2.25")
- (source (origin
- (inherit (package-source glibc))
- (uri (string-append "mirror://gnu/glibc/glibc-"
- version ".tar.xz"))
- (sha256
- (base32
- "1813dzkgw6v8q8q1m4v96yfis7vjqc9pslqib6j9mrwh6fxxjyq6"))
- (patches (search-patches "glibc-ldd-x86_64.patch"
- "glibc-versioned-locpath.patch"
- "glibc-vectorized-strcspn-guards.patch"
- "glibc-CVE-2017-1000366-pt1.patch"
- "glibc-CVE-2017-1000366-pt2.patch"
- "glibc-CVE-2017-1000366-pt3.patch"))))))
-
-(define-public glibc-2.24
- (package
- (inherit glibc)
- (version "2.24")
- (source (origin
- (inherit (package-source glibc))
- (uri (string-append "mirror://gnu/glibc/glibc-"
- version ".tar.xz"))
- (sha256
- (base32
- "1lxmprg9gm73gvafxd503x70z32phwjzcy74i0adfi6ixzla7m4r"))
- (patches (search-patches "glibc-ldd-x86_64.patch"
- "glibc-versioned-locpath.patch"
- "glibc-vectorized-strcspn-guards.patch"
- "glibc-CVE-2015-5180.patch"
- "glibc-CVE-2017-1000366-pt1.patch"
- "glibc-CVE-2017-1000366-pt2.patch"
- "glibc-CVE-2017-1000366-pt3.patch"))))))
-
-(define-public glibc-2.23
- (package
- (inherit glibc)
- (version "2.23")
- (source (origin
- (inherit (package-source glibc))
- (uri (string-append "mirror://gnu/glibc/glibc-"
- version ".tar.xz"))
- (sha256
- (base32
- "1s8krs3y2n6pzav7ic59dz41alqalphv7vww4138ag30wh0fpvwl"))
- (patches (search-patches "glibc-ldd-x86_64.patch"
- "glibc-versioned-locpath.patch"
- "glibc-vectorized-strcspn-guards.patch"
- "glibc-CVE-2015-5180.patch"
- "glibc-CVE-2016-3075.patch"
- "glibc-CVE-2016-3706.patch"
- "glibc-CVE-2016-4429.patch"
- "glibc-CVE-2017-1000366-pt1.patch"
- "glibc-CVE-2017-1000366-pt2.patch"
- "glibc-CVE-2017-1000366-pt3.patch"))))))
-
-(define-public glibc-2.22
- (package
- (inherit glibc)
- (version "2.22")
- (source (origin
- (inherit (package-source glibc))
- (uri (string-append "mirror://gnu/glibc/glibc-"
- version ".tar.xz"))
- (sha256
- (base32
- "0j49682pm2nh4qbdw35bas82p1pgfnz4d2l7iwfyzvrvj0318wzb"))
- (patches (search-patches "glibc-ldd-x86_64.patch"
- "glibc-o-largefile.patch"
- "glibc-vectorized-strcspn-guards.patch"
- "glibc-CVE-2015-5180.patch"
- "glibc-CVE-2015-7547.patch"
- "glibc-CVE-2016-3075.patch"
- "glibc-CVE-2016-3706.patch"
- "glibc-CVE-2016-4429.patch"
- "glibc-CVE-2017-1000366-pt1.patch"
- "glibc-CVE-2017-1000366-pt2.patch"
- "glibc-CVE-2017-1000366-pt3.patch"))))
- (arguments
- (substitute-keyword-arguments (package-arguments glibc)
- ((#:phases phases)
- `(modify-phases ,phases
- (add-before 'configure 'fix-pwd
- (lambda _
- ;; Use `pwd' instead of `/bin/pwd' for glibc-2.22.
- (substitute* "configure"
- (("/bin/pwd") "pwd"))
- #t))))))))
-
(define-public (make-gcc-libc base-gcc libc)
"Return a GCC that targets LIBC."
(package (inherit base-gcc)
diff --git a/gnu/packages/patches/glibc-CVE-2015-5180.patch b/gnu/packages/patches/glibc-CVE-2015-5180.patch
deleted file mode 100644
index 92e3740fc1..0000000000
--- a/gnu/packages/patches/glibc-CVE-2015-5180.patch
+++ /dev/null
@@ -1,311 +0,0 @@
-From b3b37f1a5559a7620e31c8053ed1b44f798f2b6d Mon Sep 17 00:00:00 2001
-From: Florian Weimer <fweimer@redhat.com>
-Date: Sat, 31 Dec 2016 20:22:09 +0100
-Subject: [PATCH] CVE-2015-5180: resolv: Fix crash with internal QTYPE [BZ
- #18784]
-
-Also rename T_UNSPEC because an upcoming public header file
-update will use that name.
-
-(cherry picked from commit fc82b0a2dfe7dbd35671c10510a8da1043d746a5)
----
- ChangeLog | 14 ++++
- NEWS | 6 ++
- include/arpa/nameser_compat.h | 6 +-
- resolv/Makefile | 5 ++
- resolv/nss_dns/dns-host.c | 2 +-
- resolv/res_mkquery.c | 4 +
- resolv/res_query.c | 6 +-
- resolv/tst-resolv-qtypes.c | 185 ++++++++++++++++++++++++++++++++++++++++++
- 8 files changed, 221 insertions(+), 7 deletions(-)
- create mode 100644 resolv/tst-resolv-qtypes.c
-
-diff --git a/include/arpa/nameser_compat.h b/include/arpa/nameser_compat.h
-index 2e735ed..7c0deed 100644
---- a/include/arpa/nameser_compat.h
-+++ b/include/arpa/nameser_compat.h
-@@ -1,8 +1,8 @@
- #ifndef _ARPA_NAMESER_COMPAT_
- #include <resolv/arpa/nameser_compat.h>
-
--/* Picksome unused number to represent lookups of IPv4 and IPv6 (i.e.,
-- T_A and T_AAAA). */
--#define T_UNSPEC 62321
-+/* The number is outside the 16-bit RR type range and is used
-+ internally by the implementation. */
-+#define T_QUERY_A_AND_AAAA 439963904
-
- #endif
-diff --git a/resolv/Makefile b/resolv/Makefile
-index 8be41d3..a4c86b9 100644
---- a/resolv/Makefile
-+++ b/resolv/Makefile
-@@ -40,6 +40,9 @@ ifeq ($(have-thread-library),yes)
- extra-libs += libanl
- routines += gai_sigqueue
- tests += tst-res_hconf_reorder
-+
-+# This test sends millions of packets and is rather slow.
-+xtests += tst-resolv-qtypes
- endif
- extra-libs-others = $(extra-libs)
- libresolv-routines := gethnamaddr res_comp res_debug \
-@@ -117,3 +120,5 @@ tst-leaks2-ENV = MALLOC_TRACE=$(objpfx)tst-leaks2.mtrace
- $(objpfx)mtrace-tst-leaks2.out: $(objpfx)tst-leaks2.out
- $(common-objpfx)malloc/mtrace $(objpfx)tst-leaks2.mtrace > $@; \
- $(evaluate-test)
-+
-+$(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library)
-diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
-index 5f9e357..d16fa4b 100644
---- a/resolv/nss_dns/dns-host.c
-+++ b/resolv/nss_dns/dns-host.c
-@@ -323,7 +323,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
-
- int olderr = errno;
- enum nss_status status;
-- int n = __libc_res_nsearch (&_res, name, C_IN, T_UNSPEC,
-+ int n = __libc_res_nsearch (&_res, name, C_IN, T_QUERY_A_AND_AAAA,
- host_buffer.buf->buf, 2048, &host_buffer.ptr,
- &ans2p, &nans2p, &resplen2, &ans2p_malloced);
- if (n >= 0)
-diff --git a/resolv/res_mkquery.c b/resolv/res_mkquery.c
-index 12f9730..d80b531 100644
---- a/resolv/res_mkquery.c
-+++ b/resolv/res_mkquery.c
-@@ -103,6 +103,10 @@ res_nmkquery(res_state statp,
- int n;
- u_char *dnptrs[20], **dpp, **lastdnptr;
-
-+ if (class < 0 || class > 65535
-+ || type < 0 || type > 65535)
-+ return -1;
-+
- #ifdef DEBUG
- if (statp->options & RES_DEBUG)
- printf(";; res_nmkquery(%s, %s, %s, %s)\n",
-diff --git a/resolv/res_query.c b/resolv/res_query.c
-index 944d1a9..07dc6f6 100644
---- a/resolv/res_query.c
-+++ b/resolv/res_query.c
-@@ -122,7 +122,7 @@ __libc_res_nquery(res_state statp,
- int n, use_malloc = 0;
- u_int oflags = statp->_flags;
-
-- size_t bufsize = (type == T_UNSPEC ? 2 : 1) * QUERYSIZE;
-+ size_t bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * QUERYSIZE;
- u_char *buf = alloca (bufsize);
- u_char *query1 = buf;
- int nquery1 = -1;
-@@ -137,7 +137,7 @@ __libc_res_nquery(res_state statp,
- printf(";; res_query(%s, %d, %d)\n", name, class, type);
- #endif
-
-- if (type == T_UNSPEC)
-+ if (type == T_QUERY_A_AND_AAAA)
- {
- n = res_nmkquery(statp, QUERY, name, class, T_A, NULL, 0, NULL,
- query1, bufsize);
-@@ -190,7 +190,7 @@ __libc_res_nquery(res_state statp,
- if (__builtin_expect (n <= 0, 0) && !use_malloc) {
- /* Retry just in case res_nmkquery failed because of too
- short buffer. Shouldn't happen. */
-- bufsize = (type == T_UNSPEC ? 2 : 1) * MAXPACKET;
-+ bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * MAXPACKET;
- buf = malloc (bufsize);
- if (buf != NULL) {
- query1 = buf;
-diff --git a/resolv/tst-resolv-qtypes.c b/resolv/tst-resolv-qtypes.c
-new file mode 100644
-index 0000000..b3e60c6
---- /dev/null
-+++ b/resolv/tst-resolv-qtypes.c
-@@ -0,0 +1,185 @@
-+/* Exercise low-level query functions with different QTYPEs.
-+ Copyright (C) 2016 Free Software Foundation, Inc.
-+ This file is part of the GNU C Library.
-+
-+ The GNU C Library is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU Lesser General Public
-+ License as published by the Free Software Foundation; either
-+ version 2.1 of the License, or (at your option) any later version.
-+
-+ The GNU C Library is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ Lesser General Public License for more details.
-+
-+ You should have received a copy of the GNU Lesser General Public
-+ License along with the GNU C Library; if not, see
-+ <http://www.gnu.org/licenses/>. */
-+
-+#include <resolv.h>
-+#include <string.h>
-+#include <support/check.h>
-+#include <support/check_nss.h>
-+#include <support/resolv_test.h>
-+#include <support/support.h>
-+#include <support/test-driver.h>
-+#include <support/xmemstream.h>
-+
-+/* If ture, the response function will send the actual response packet
-+ over TCP instead of UDP. */
-+static volatile bool force_tcp;
-+
-+/* Send back a fake resource record matching the QTYPE. */
-+static void
-+response (const struct resolv_response_context *ctx,
-+ struct resolv_response_builder *b,
-+ const char *qname, uint16_t qclass, uint16_t qtype)
-+{
-+ if (force_tcp && ctx->tcp)
-+ {
-+ resolv_response_init (b, (struct resolv_response_flags) { .tc = 1 });
-+ resolv_response_add_question (b, qname, qclass, qtype);
-+ return;
-+ }
-+
-+ resolv_response_init (b, (struct resolv_response_flags) { });
-+ resolv_response_add_question (b, qname, qclass, qtype);
-+ resolv_response_section (b, ns_s_an);
-+ resolv_response_open_record (b, qname, qclass, qtype, 0);
-+ resolv_response_add_data (b, &qtype, sizeof (qtype));
-+ resolv_response_close_record (b);
-+}
-+
-+static const const char *domain = "www.example.com";
-+
-+static int
-+wrap_res_query (int type, unsigned char *answer, int answer_length)
-+{
-+ return res_query (domain, C_IN, type, answer, answer_length);
-+}
-+
-+static int
-+wrap_res_search (int type, unsigned char *answer, int answer_length)
-+{
-+ return res_query (domain, C_IN, type, answer, answer_length);
-+}
-+
-+static int
-+wrap_res_querydomain (int type, unsigned char *answer, int answer_length)
-+{
-+ return res_querydomain ("www", "example.com", C_IN, type,
-+ answer, answer_length);
-+}
-+
-+static int
-+wrap_res_send (int type, unsigned char *answer, int answer_length)
-+{
-+ unsigned char buf[512];
-+ int ret = res_mkquery (QUERY, domain, C_IN, type,
-+ (const unsigned char *) "", 0, NULL,
-+ buf, sizeof (buf));
-+ if (type < 0 || type >= 65536)
-+ {
-+ /* res_mkquery fails for out-of-range record types. */
-+ TEST_VERIFY_EXIT (ret == -1);
-+ return -1;
-+ }
-+ TEST_VERIFY_EXIT (ret > 12); /* DNS header length. */
-+ return res_send (buf, ret, answer, answer_length);
-+}
-+
-+static int
-+wrap_res_nquery (int type, unsigned char *answer, int answer_length)
-+{
-+ return res_nquery (&_res, domain, C_IN, type, answer, answer_length);
-+}
-+
-+static int
-+wrap_res_nsearch (int type, unsigned char *answer, int answer_length)
-+{
-+ return res_nquery (&_res, domain, C_IN, type, answer, answer_length);
-+}
-+
-+static int
-+wrap_res_nquerydomain (int type, unsigned char *answer, int answer_length)
-+{
-+ return res_nquerydomain (&_res, "www", "example.com", C_IN, type,
-+ answer, answer_length);
-+}
-+
-+static int
-+wrap_res_nsend (int type, unsigned char *answer, int answer_length)
-+{
-+ unsigned char buf[512];
-+ int ret = res_nmkquery (&_res, QUERY, domain, C_IN, type,
-+ (const unsigned char *) "", 0, NULL,
-+ buf, sizeof (buf));
-+ if (type < 0 || type >= 65536)
-+ {
-+ /* res_mkquery fails for out-of-range record types. */
-+ TEST_VERIFY_EXIT (ret == -1);
-+ return -1;
-+ }
-+ TEST_VERIFY_EXIT (ret > 12); /* DNS header length. */
-+ return res_nsend (&_res, buf, ret, answer, answer_length);
-+}
-+
-+static void
-+test_function (const char *fname,
-+ int (*func) (int type,
-+ unsigned char *answer, int answer_length))
-+{
-+ unsigned char buf[512];
-+ for (int tcp = 0; tcp < 2; ++tcp)
-+ {
-+ force_tcp = tcp;
-+ for (unsigned int type = 1; type <= 65535; ++type)
-+ {
-+ if (test_verbose)
-+ printf ("info: sending QTYPE %d with %s (tcp=%d)\n",
-+ type, fname, tcp);
-+ int ret = func (type, buf, sizeof (buf));
-+ if (ret != 47)
-+ FAIL_EXIT1 ("%s tcp=%d qtype=%d return value %d",
-+ fname,tcp, type, ret);
-+ /* One question, one answer record. */
-+ TEST_VERIFY (memcmp (buf + 4, "\0\1\0\1\0\0\0\0", 8) == 0);
-+ /* Question section. */
-+ static const char qname[] = "\3www\7example\3com";
-+ size_t qname_length = sizeof (qname);
-+ TEST_VERIFY (memcmp (buf + 12, qname, qname_length) == 0);
-+ /* RDATA part of answer. */
-+ uint16_t type16 = type;
-+ TEST_VERIFY (memcmp (buf + ret - 2, &type16, sizeof (type16)) == 0);
-+ }
-+ }
-+
-+ TEST_VERIFY (func (-1, buf, sizeof (buf) == -1));
-+ TEST_VERIFY (func (65536, buf, sizeof (buf) == -1));
-+}
-+
-+static int
-+do_test (void)
-+{
-+ struct resolv_redirect_config config =
-+ {
-+ .response_callback = response,
-+ };
-+ struct resolv_test *obj = resolv_test_start (config);
-+
-+ test_function ("res_query", &wrap_res_query);
-+ test_function ("res_search", &wrap_res_search);
-+ test_function ("res_querydomain", &wrap_res_querydomain);
-+ test_function ("res_send", &wrap_res_send);
-+
-+ test_function ("res_nquery", &wrap_res_nquery);
-+ test_function ("res_nsearch", &wrap_res_nsearch);
-+ test_function ("res_nquerydomain", &wrap_res_nquerydomain);
-+ test_function ("res_nsend", &wrap_res_nsend);
-+
-+ resolv_test_end (obj);
-+ return 0;
-+}
-+
-+#define TIMEOUT 300
-+#include <support/test-driver.c>
---
-2.9.3
-
diff --git a/gnu/packages/patches/glibc-CVE-2015-7547.patch b/gnu/packages/patches/glibc-CVE-2015-7547.patch
deleted file mode 100644
index 12abeb76d4..0000000000
--- a/gnu/packages/patches/glibc-CVE-2015-7547.patch
+++ /dev/null
@@ -1,590 +0,0 @@
-From b995d95a5943785be3ab862b2d3276f3b4a22481 Mon Sep 17 00:00:00 2001
-From: Carlos O'Donell <carlos@systemhalted.org>
-Date: Tue, 16 Feb 2016 21:26:37 -0500
-Subject: [PATCH] CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug
- 18665).
-
-* A stack-based buffer overflow was found in libresolv when invoked from
- libnss_dns, allowing specially crafted DNS responses to seize control
- of execution flow in the DNS client. The buffer overflow occurs in
- the functions send_dg (send datagram) and send_vc (send TCP) for the
- NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
- family. The use of AF_UNSPEC triggers the low-level resolver code to
- send out two parallel queries for A and AAAA. A mismanagement of the
- buffers used for those queries could result in the response of a query
- writing beyond the alloca allocated buffer created by
- _nss_dns_gethostbyname4_r. Buffer management is simplified to remove
- the overflow. Thanks to the Google Security Team and Red Hat for
- reporting the security impact of this issue, and Robert Holiday of
- Ciena for reporting the related bug 18665. (CVE-2015-7547)
-
-See also:
-https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
-https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html
-
-(cherry picked from commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca)
----
- ChangeLog | 15 +++
- NEWS | 14 +++
- resolv/nss_dns/dns-host.c | 111 ++++++++++++++++++-
- resolv/res_query.c | 3 +
- resolv/res_send.c | 264 ++++++++++++++++++++++++++++++++++------------
- 5 files changed, 338 insertions(+), 69 deletions(-)
-
-diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
-index 357ac04..a0fe9a8 100644
---- a/resolv/nss_dns/dns-host.c
-+++ b/resolv/nss_dns/dns-host.c
-@@ -1031,7 +1031,10 @@ gaih_getanswer_slice (const querybuf *answer, int anslen, const char *qname,
- int h_namelen = 0;
-
- if (ancount == 0)
-- return NSS_STATUS_NOTFOUND;
-+ {
-+ *h_errnop = HOST_NOT_FOUND;
-+ return NSS_STATUS_NOTFOUND;
-+ }
-
- while (ancount-- > 0 && cp < end_of_message && had_error == 0)
- {
-@@ -1208,7 +1211,14 @@ gaih_getanswer_slice (const querybuf *answer, int anslen, const char *qname,
- /* Special case here: if the resolver sent a result but it only
- contains a CNAME while we are looking for a T_A or T_AAAA record,
- we fail with NOTFOUND instead of TRYAGAIN. */
-- return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;
-+ if (canon != NULL)
-+ {
-+ *h_errnop = HOST_NOT_FOUND;
-+ return NSS_STATUS_NOTFOUND;
-+ }
-+
-+ *h_errnop = NETDB_INTERNAL;
-+ return NSS_STATUS_TRYAGAIN;
- }
-
-
-@@ -1222,11 +1232,101 @@ gaih_getanswer (const querybuf *answer1, int anslen1, const querybuf *answer2,
-
- enum nss_status status = NSS_STATUS_NOTFOUND;
-
-+ /* Combining the NSS status of two distinct queries requires some
-+ compromise and attention to symmetry (A or AAAA queries can be
-+ returned in any order). What follows is a breakdown of how this
-+ code is expected to work and why. We discuss only SUCCESS,
-+ TRYAGAIN, NOTFOUND and UNAVAIL, since they are the only returns
-+ that apply (though RETURN and MERGE exist). We make a distinction
-+ between TRYAGAIN (recoverable) and TRYAGAIN' (not-recoverable).
-+ A recoverable TRYAGAIN is almost always due to buffer size issues
-+ and returns ERANGE in errno and the caller is expected to retry
-+ with a larger buffer.
-+
-+ Lastly, you may be tempted to make significant changes to the
-+ conditions in this code to bring about symmetry between responses.
-+ Please don't change anything without due consideration for
-+ expected application behaviour. Some of the synthesized responses
-+ aren't very well thought out and sometimes appear to imply that
-+ IPv4 responses are always answer 1, and IPv6 responses are always
-+ answer 2, but that's not true (see the implementation of send_dg
-+ and send_vc to see response can arrive in any order, particularly
-+ for UDP). However, we expect it holds roughly enough of the time
-+ that this code works, but certainly needs to be fixed to make this
-+ a more robust implementation.
-+
-+ ----------------------------------------------
-+ | Answer 1 Status / | Synthesized | Reason |
-+ | Answer 2 Status | Status | |
-+ |--------------------------------------------|
-+ | SUCCESS/SUCCESS | SUCCESS | [1] |
-+ | SUCCESS/TRYAGAIN | TRYAGAIN | [5] |
-+ | SUCCESS/TRYAGAIN' | SUCCESS | [1] |
-+ | SUCCESS/NOTFOUND | SUCCESS | [1] |
-+ | SUCCESS/UNAVAIL | SUCCESS | [1] |
-+ | TRYAGAIN/SUCCESS | TRYAGAIN | [2] |
-+ | TRYAGAIN/TRYAGAIN | TRYAGAIN | [2] |
-+ | TRYAGAIN/TRYAGAIN' | TRYAGAIN | [2] |
-+ | TRYAGAIN/NOTFOUND | TRYAGAIN | [2] |
-+ | TRYAGAIN/UNAVAIL | TRYAGAIN | [2] |
-+ | TRYAGAIN'/SUCCESS | SUCCESS | [3] |
-+ | TRYAGAIN'/TRYAGAIN | TRYAGAIN | [3] |
-+ | TRYAGAIN'/TRYAGAIN' | TRYAGAIN' | [3] |
-+ | TRYAGAIN'/NOTFOUND | TRYAGAIN' | [3] |
-+ | TRYAGAIN'/UNAVAIL | UNAVAIL | [3] |
-+ | NOTFOUND/SUCCESS | SUCCESS | [3] |
-+ | NOTFOUND/TRYAGAIN | TRYAGAIN | [3] |
-+ | NOTFOUND/TRYAGAIN' | TRYAGAIN' | [3] |
-+ | NOTFOUND/NOTFOUND | NOTFOUND | [3] |
-+ | NOTFOUND/UNAVAIL | UNAVAIL | [3] |
-+ | UNAVAIL/SUCCESS | UNAVAIL | [4] |
-+ | UNAVAIL/TRYAGAIN | UNAVAIL | [4] |
-+ | UNAVAIL/TRYAGAIN' | UNAVAIL | [4] |
-+ | UNAVAIL/NOTFOUND | UNAVAIL | [4] |
-+ | UNAVAIL/UNAVAIL | UNAVAIL | [4] |
-+ ----------------------------------------------
-+
-+ [1] If the first response is a success we return success.
-+ This ignores the state of the second answer and in fact
-+ incorrectly sets errno and h_errno to that of the second
-+ answer. However because the response is a success we ignore
-+ *errnop and *h_errnop (though that means you touched errno on
-+ success). We are being conservative here and returning the
-+ likely IPv4 response in the first answer as a success.
-+
-+ [2] If the first response is a recoverable TRYAGAIN we return
-+ that instead of looking at the second response. The
-+ expectation here is that we have failed to get an IPv4 response
-+ and should retry both queries.
-+
-+ [3] If the first response was not a SUCCESS and the second
-+ response is not NOTFOUND (had a SUCCESS, need to TRYAGAIN,
-+ or failed entirely e.g. TRYAGAIN' and UNAVAIL) then use the
-+ result from the second response, otherwise the first responses
-+ status is used. Again we have some odd side-effects when the
-+ second response is NOTFOUND because we overwrite *errnop and
-+ *h_errnop that means that a first answer of NOTFOUND might see
-+ its *errnop and *h_errnop values altered. Whether it matters
-+ in practice that a first response NOTFOUND has the wrong
-+ *errnop and *h_errnop is undecided.
-+
-+ [4] If the first response is UNAVAIL we return that instead of
-+ looking at the second response. The expectation here is that
-+ it will have failed similarly e.g. configuration failure.
-+
-+ [5] Testing this code is complicated by the fact that truncated
-+ second response buffers might be returned as SUCCESS if the
-+ first answer is a SUCCESS. To fix this we add symmetry to
-+ TRYAGAIN with the second response. If the second response
-+ is a recoverable error we now return TRYAGIN even if the first
-+ response was SUCCESS. */
-+
- if (anslen1 > 0)
- status = gaih_getanswer_slice(answer1, anslen1, qname,
- &pat, &buffer, &buflen,
- errnop, h_errnop, ttlp,
- &first);
-+
- if ((status == NSS_STATUS_SUCCESS || status == NSS_STATUS_NOTFOUND
- || (status == NSS_STATUS_TRYAGAIN
- /* We want to look at the second answer in case of an
-@@ -1242,8 +1342,15 @@ gaih_getanswer (const querybuf *answer1, int anslen1, const querybuf *answer2,
- &pat, &buffer, &buflen,
- errnop, h_errnop, ttlp,
- &first);
-+ /* Use the second response status in some cases. */
- if (status != NSS_STATUS_SUCCESS && status2 != NSS_STATUS_NOTFOUND)
- status = status2;
-+ /* Do not return a truncated second response (unless it was
-+ unavoidable e.g. unrecoverable TRYAGAIN). */
-+ if (status == NSS_STATUS_SUCCESS
-+ && (status2 == NSS_STATUS_TRYAGAIN
-+ && *errnop == ERANGE && *h_errnop != NO_RECOVERY))
-+ status = NSS_STATUS_TRYAGAIN;
- }
-
- return status;
-diff --git a/resolv/res_query.c b/resolv/res_query.c
-index 4a9b3b3..95470a9 100644
---- a/resolv/res_query.c
-+++ b/resolv/res_query.c
-@@ -396,6 +396,7 @@ __libc_res_nsearch(res_state statp,
- {
- free (*answerp2);
- *answerp2 = NULL;
-+ *nanswerp2 = 0;
- *answerp2_malloced = 0;
- }
- }
-@@ -447,6 +448,7 @@ __libc_res_nsearch(res_state statp,
- {
- free (*answerp2);
- *answerp2 = NULL;
-+ *nanswerp2 = 0;
- *answerp2_malloced = 0;
- }
-
-@@ -521,6 +523,7 @@ __libc_res_nsearch(res_state statp,
- {
- free (*answerp2);
- *answerp2 = NULL;
-+ *nanswerp2 = 0;
- *answerp2_malloced = 0;
- }
- if (saved_herrno != -1)
-diff --git a/resolv/res_send.c b/resolv/res_send.c
-index 5e53cc2..6511bb1 100644
---- a/resolv/res_send.c
-+++ b/resolv/res_send.c
-@@ -1,3 +1,20 @@
-+/* Copyright (C) 2016 Free Software Foundation, Inc.
-+ This file is part of the GNU C Library.
-+
-+ The GNU C Library is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU Lesser General Public
-+ License as published by the Free Software Foundation; either
-+ version 2.1 of the License, or (at your option) any later version.
-+
-+ The GNU C Library is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ Lesser General Public License for more details.
-+
-+ You should have received a copy of the GNU Lesser General Public
-+ License along with the GNU C Library; if not, see
-+ <http://www.gnu.org/licenses/>. */
-+
- /*
- * Copyright (c) 1985, 1989, 1993
- * The Regents of the University of California. All rights reserved.
-@@ -363,6 +380,8 @@ __libc_res_nsend(res_state statp, const u_char *buf, int buflen,
- #ifdef USE_HOOKS
- if (__glibc_unlikely (statp->qhook || statp->rhook)) {
- if (anssiz < MAXPACKET && ansp) {
-+ /* Always allocate MAXPACKET, callers expect
-+ this specific size. */
- u_char *buf = malloc (MAXPACKET);
- if (buf == NULL)
- return (-1);
-@@ -638,6 +657,77 @@ get_nsaddr (res_state statp, int n)
- return (struct sockaddr *) (void *) &statp->nsaddr_list[n];
- }
-
-+/* The send_vc function is responsible for sending a DNS query over TCP
-+ to the nameserver numbered NS from the res_state STATP i.e.
-+ EXT(statp).nssocks[ns]. The function supports sending both IPv4 and
-+ IPv6 queries at the same serially on the same socket.
-+
-+ Please note that for TCP there is no way to disable sending both
-+ queries, unlike UDP, which honours RES_SNGLKUP and RES_SNGLKUPREOP
-+ and sends the queries serially and waits for the result after each
-+ sent query. This implemetnation should be corrected to honour these
-+ options.
-+
-+ Please also note that for TCP we send both queries over the same
-+ socket one after another. This technically violates best practice
-+ since the server is allowed to read the first query, respond, and
-+ then close the socket (to service another client). If the server
-+ does this, then the remaining second query in the socket data buffer
-+ will cause the server to send the client an RST which will arrive
-+ asynchronously and the client's OS will likely tear down the socket
-+ receive buffer resulting in a potentially short read and lost
-+ response data. This will force the client to retry the query again,
-+ and this process may repeat until all servers and connection resets
-+ are exhausted and then the query will fail. It's not known if this
-+ happens with any frequency in real DNS server implementations. This
-+ implementation should be corrected to use two sockets by default for
-+ parallel queries.
-+
-+ The query stored in BUF of BUFLEN length is sent first followed by
-+ the query stored in BUF2 of BUFLEN2 length. Queries are sent
-+ serially on the same socket.
-+
-+ Answers to the query are stored firstly in *ANSP up to a max of
-+ *ANSSIZP bytes. If more than *ANSSIZP bytes are needed and ANSCP
-+ is non-NULL (to indicate that modifying the answer buffer is allowed)
-+ then malloc is used to allocate a new response buffer and ANSCP and
-+ ANSP will both point to the new buffer. If more than *ANSSIZP bytes
-+ are needed but ANSCP is NULL, then as much of the response as
-+ possible is read into the buffer, but the results will be truncated.
-+ When truncation happens because of a small answer buffer the DNS
-+ packets header field TC will bet set to 1, indicating a truncated
-+ message and the rest of the socket data will be read and discarded.
-+
-+ Answers to the query are stored secondly in *ANSP2 up to a max of
-+ *ANSSIZP2 bytes, with the actual response length stored in
-+ *RESPLEN2. If more than *ANSSIZP bytes are needed and ANSP2
-+ is non-NULL (required for a second query) then malloc is used to
-+ allocate a new response buffer, *ANSSIZP2 is set to the new buffer
-+ size and *ANSP2_MALLOCED is set to 1.
-+
-+ The ANSP2_MALLOCED argument will eventually be removed as the
-+ change in buffer pointer can be used to detect the buffer has
-+ changed and that the caller should use free on the new buffer.
-+
-+ Note that the answers may arrive in any order from the server and
-+ therefore the first and second answer buffers may not correspond to
-+ the first and second queries.
-+
-+ It is not supported to call this function with a non-NULL ANSP2
-+ but a NULL ANSCP. Put another way, you can call send_vc with a
-+ single unmodifiable buffer or two modifiable buffers, but no other
-+ combination is supported.
-+
-+ It is the caller's responsibility to free the malloc allocated
-+ buffers by detecting that the pointers have changed from their
-+ original values i.e. *ANSCP or *ANSP2 has changed.
-+
-+ If errors are encountered then *TERRNO is set to an appropriate
-+ errno value and a zero result is returned for a recoverable error,
-+ and a less-than zero result is returned for a non-recoverable error.
-+
-+ If no errors are encountered then *TERRNO is left unmodified and
-+ a the length of the first response in bytes is returned. */
- static int
- send_vc(res_state statp,
- const u_char *buf, int buflen, const u_char *buf2, int buflen2,
-@@ -647,11 +737,7 @@ send_vc(res_state statp,
- {
- const HEADER *hp = (HEADER *) buf;
- const HEADER *hp2 = (HEADER *) buf2;
-- u_char *ans = *ansp;
-- int orig_anssizp = *anssizp;
-- // XXX REMOVE
-- // int anssiz = *anssizp;
-- HEADER *anhp = (HEADER *) ans;
-+ HEADER *anhp = (HEADER *) *ansp;
- struct sockaddr *nsap = get_nsaddr (statp, ns);
- int truncating, connreset, n;
- /* On some architectures compiler might emit a warning indicating
-@@ -743,6 +829,8 @@ send_vc(res_state statp,
- * Receive length & response
- */
- int recvresp1 = 0;
-+ /* Skip the second response if there is no second query.
-+ To do that we mark the second response as received. */
- int recvresp2 = buf2 == NULL;
- uint16_t rlen16;
- read_len:
-@@ -779,40 +867,14 @@ send_vc(res_state statp,
- u_char **thisansp;
- int *thisresplenp;
- if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) {
-+ /* We have not received any responses
-+ yet or we only have one response to
-+ receive. */
- thisanssizp = anssizp;
- thisansp = anscp ?: ansp;
- assert (anscp != NULL || ansp2 == NULL);
- thisresplenp = &resplen;
- } else {
-- if (*anssizp != MAXPACKET) {
-- /* No buffer allocated for the first
-- reply. We can try to use the rest
-- of the user-provided buffer. */
--#if __GNUC_PREREQ (4, 7)
-- DIAG_PUSH_NEEDS_COMMENT;
-- DIAG_IGNORE_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
--#endif
--#if _STRING_ARCH_unaligned
-- *anssizp2 = orig_anssizp - resplen;
-- *ansp2 = *ansp + resplen;
--#else
-- int aligned_resplen
-- = ((resplen + __alignof__ (HEADER) - 1)
-- & ~(__alignof__ (HEADER) - 1));
-- *anssizp2 = orig_anssizp - aligned_resplen;
-- *ansp2 = *ansp + aligned_resplen;
--#endif
--#if __GNUC_PREREQ (4, 7)
-- DIAG_POP_NEEDS_COMMENT;
--#endif
-- } else {
-- /* The first reply did not fit into the
-- user-provided buffer. Maybe the second
-- answer will. */
-- *anssizp2 = orig_anssizp;
-- *ansp2 = *ansp;
-- }
--
- thisanssizp = anssizp2;
- thisansp = ansp2;
- thisresplenp = resplen2;
-@@ -820,10 +882,14 @@ send_vc(res_state statp,
- anhp = (HEADER *) *thisansp;
-
- *thisresplenp = rlen;
-- if (rlen > *thisanssizp) {
-- /* Yes, we test ANSCP here. If we have two buffers
-- both will be allocatable. */
-- if (__glibc_likely (anscp != NULL)) {
-+ /* Is the answer buffer too small? */
-+ if (*thisanssizp < rlen) {
-+ /* If the current buffer is not the the static
-+ user-supplied buffer then we can reallocate
-+ it. */
-+ if (thisansp != NULL && thisansp != ansp) {
-+ /* Always allocate MAXPACKET, callers expect
-+ this specific size. */
- u_char *newp = malloc (MAXPACKET);
- if (newp == NULL) {
- *terrno = ENOMEM;
-@@ -835,6 +901,9 @@ send_vc(res_state statp,
- if (thisansp == ansp2)
- *ansp2_malloced = 1;
- anhp = (HEADER *) newp;
-+ /* A uint16_t can't be larger than MAXPACKET
-+ thus it's safe to allocate MAXPACKET but
-+ read RLEN bytes instead. */
- len = rlen;
- } else {
- Dprint(statp->options & RES_DEBUG,
-@@ -997,6 +1066,66 @@ reopen (res_state statp, int *terrno, int ns)
- return 1;
- }
-
-+/* The send_dg function is responsible for sending a DNS query over UDP
-+ to the nameserver numbered NS from the res_state STATP i.e.
-+ EXT(statp).nssocks[ns]. The function supports IPv4 and IPv6 queries
-+ along with the ability to send the query in parallel for both stacks
-+ (default) or serially (RES_SINGLKUP). It also supports serial lookup
-+ with a close and reopen of the socket used to talk to the server
-+ (RES_SNGLKUPREOP) to work around broken name servers.
-+
-+ The query stored in BUF of BUFLEN length is sent first followed by
-+ the query stored in BUF2 of BUFLEN2 length. Queries are sent
-+ in parallel (default) or serially (RES_SINGLKUP or RES_SNGLKUPREOP).
-+
-+ Answers to the query are stored firstly in *ANSP up to a max of
-+ *ANSSIZP bytes. If more than *ANSSIZP bytes are needed and ANSCP
-+ is non-NULL (to indicate that modifying the answer buffer is allowed)
-+ then malloc is used to allocate a new response buffer and ANSCP and
-+ ANSP will both point to the new buffer. If more than *ANSSIZP bytes
-+ are needed but ANSCP is NULL, then as much of the response as
-+ possible is read into the buffer, but the results will be truncated.
-+ When truncation happens because of a small answer buffer the DNS
-+ packets header field TC will bet set to 1, indicating a truncated
-+ message, while the rest of the UDP packet is discarded.
-+
-+ Answers to the query are stored secondly in *ANSP2 up to a max of
-+ *ANSSIZP2 bytes, with the actual response length stored in
-+ *RESPLEN2. If more than *ANSSIZP bytes are needed and ANSP2
-+ is non-NULL (required for a second query) then malloc is used to
-+ allocate a new response buffer, *ANSSIZP2 is set to the new buffer
-+ size and *ANSP2_MALLOCED is set to 1.
-+
-+ The ANSP2_MALLOCED argument will eventually be removed as the
-+ change in buffer pointer can be used to detect the buffer has
-+ changed and that the caller should use free on the new buffer.
-+
-+ Note that the answers may arrive in any order from the server and
-+ therefore the first and second answer buffers may not correspond to
-+ the first and second queries.
-+
-+ It is not supported to call this function with a non-NULL ANSP2
-+ but a NULL ANSCP. Put another way, you can call send_vc with a
-+ single unmodifiable buffer or two modifiable buffers, but no other
-+ combination is supported.
-+
-+ It is the caller's responsibility to free the malloc allocated
-+ buffers by detecting that the pointers have changed from their
-+ original values i.e. *ANSCP or *ANSP2 has changed.
-+
-+ If an answer is truncated because of UDP datagram DNS limits then
-+ *V_CIRCUIT is set to 1 and the return value non-zero to indicate to
-+ the caller to retry with TCP. The value *GOTSOMEWHERE is set to 1
-+ if any progress was made reading a response from the nameserver and
-+ is used by the caller to distinguish between ECONNREFUSED and
-+ ETIMEDOUT (the latter if *GOTSOMEWHERE is 1).
-+
-+ If errors are encountered then *TERRNO is set to an appropriate
-+ errno value and a zero result is returned for a recoverable error,
-+ and a less-than zero result is returned for a non-recoverable error.
-+
-+ If no errors are encountered then *TERRNO is left unmodified and
-+ a the length of the first response in bytes is returned. */
- static int
- send_dg(res_state statp,
- const u_char *buf, int buflen, const u_char *buf2, int buflen2,
-@@ -1006,8 +1135,6 @@ send_dg(res_state statp,
- {
- const HEADER *hp = (HEADER *) buf;
- const HEADER *hp2 = (HEADER *) buf2;
-- u_char *ans = *ansp;
-- int orig_anssizp = *anssizp;
- struct timespec now, timeout, finish;
- struct pollfd pfd[1];
- int ptimeout;
-@@ -1040,6 +1167,8 @@ send_dg(res_state statp,
- int need_recompute = 0;
- int nwritten = 0;
- int recvresp1 = 0;
-+ /* Skip the second response if there is no second query.
-+ To do that we mark the second response as received. */
- int recvresp2 = buf2 == NULL;
- pfd[0].fd = EXT(statp).nssocks[ns];
- pfd[0].events = POLLOUT;
-@@ -1203,55 +1332,56 @@ send_dg(res_state statp,
- int *thisresplenp;
-
- if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) {
-+ /* We have not received any responses
-+ yet or we only have one response to
-+ receive. */
- thisanssizp = anssizp;
- thisansp = anscp ?: ansp;
- assert (anscp != NULL || ansp2 == NULL);
- thisresplenp = &resplen;
- } else {
-- if (*anssizp != MAXPACKET) {
-- /* No buffer allocated for the first
-- reply. We can try to use the rest
-- of the user-provided buffer. */
--#if _STRING_ARCH_unaligned
-- *anssizp2 = orig_anssizp - resplen;
-- *ansp2 = *ansp + resplen;
--#else
-- int aligned_resplen
-- = ((resplen + __alignof__ (HEADER) - 1)
-- & ~(__alignof__ (HEADER) - 1));
-- *anssizp2 = orig_anssizp - aligned_resplen;
-- *ansp2 = *ansp + aligned_resplen;
--#endif
-- } else {
-- /* The first reply did not fit into the
-- user-provided buffer. Maybe the second
-- answer will. */
-- *anssizp2 = orig_anssizp;
-- *ansp2 = *ansp;
-- }
--
- thisanssizp = anssizp2;
- thisansp = ansp2;
- thisresplenp = resplen2;
- }
-
- if (*thisanssizp < MAXPACKET
-- /* Yes, we test ANSCP here. If we have two buffers
-- both will be allocatable. */
-- && anscp
-+ /* If the current buffer is not the the static
-+ user-supplied buffer then we can reallocate
-+ it. */
-+ && (thisansp != NULL && thisansp != ansp)
- #ifdef FIONREAD
-+ /* Is the size too small? */
- && (ioctl (pfd[0].fd, FIONREAD, thisresplenp) < 0
- || *thisanssizp < *thisresplenp)
- #endif
- ) {
-+ /* Always allocate MAXPACKET, callers expect
-+ this specific size. */
- u_char *newp = malloc (MAXPACKET);
- if (newp != NULL) {
-- *anssizp = MAXPACKET;
-- *thisansp = ans = newp;
-+ *thisanssizp = MAXPACKET;
-+ *thisansp = newp;
- if (thisansp == ansp2)
- *ansp2_malloced = 1;
- }
- }
-+ /* We could end up with truncation if anscp was NULL
-+ (not allowed to change caller's buffer) and the
-+ response buffer size is too small. This isn't a
-+ reliable way to detect truncation because the ioctl
-+ may be an inaccurate report of the UDP message size.
-+ Therefore we use this only to issue debug output.
-+ To do truncation accurately with UDP we need
-+ MSG_TRUNC which is only available on Linux. We
-+ can abstract out the Linux-specific feature in the
-+ future to detect truncation. */
-+ if (__glibc_unlikely (*thisanssizp < *thisresplenp)) {
-+ Dprint(statp->options & RES_DEBUG,
-+ (stdout, ";; response may be truncated (UDP)\n")
-+ );
-+ }
-+
- HEADER *anhp = (HEADER *) *thisansp;
- socklen_t fromlen = sizeof(struct sockaddr_in6);
- assert (sizeof(from) <= fromlen);
---
-2.9.3
-
diff --git a/gnu/packages/patches/glibc-CVE-2016-3075.patch b/gnu/packages/patches/glibc-CVE-2016-3075.patch
deleted file mode 100644
index d16722806e..0000000000
--- a/gnu/packages/patches/glibc-CVE-2016-3075.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 146b58d11fddbef15b888906e3be4f33900c416f Mon Sep 17 00:00:00 2001
-From: Florian Weimer <fweimer@redhat.com>
-Date: Tue, 29 Mar 2016 12:57:56 +0200
-Subject: [PATCH] CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ
- #19879]
-
-The defensive copy is not needed because the name may not alias the
-output buffer.
-
-(cherry picked from commit 317b199b4aff8cfa27f2302ab404d2bb5032b9a4)
-(cherry picked from commit 883dceebc8f11921a9890211a4e202e5be17562f)
----
- ChangeLog | 7 +++++++
- NEWS | 10 ++++++++--
- resolv/nss_dns/dns-network.c | 5 +----
- 3 files changed, 16 insertions(+), 6 deletions(-)
-
-diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c
-index 2eb2f67..8f301a7 100644
---- a/resolv/nss_dns/dns-network.c
-+++ b/resolv/nss_dns/dns-network.c
-@@ -118,17 +118,14 @@ _nss_dns_getnetbyname_r (const char *name, struct netent *result,
- } net_buffer;
- querybuf *orig_net_buffer;
- int anslen;
-- char *qbuf;
- enum nss_status status;
-
- if (__res_maybe_init (&_res, 0) == -1)
- return NSS_STATUS_UNAVAIL;
-
-- qbuf = strdupa (name);
--
- net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024);
-
-- anslen = __libc_res_nsearch (&_res, qbuf, C_IN, T_PTR, net_buffer.buf->buf,
-+ anslen = __libc_res_nsearch (&_res, name, C_IN, T_PTR, net_buffer.buf->buf,
- 1024, &net_buffer.ptr, NULL, NULL, NULL, NULL);
- if (anslen < 0)
- {
---
-2.9.3
-
diff --git a/gnu/packages/patches/glibc-CVE-2016-3706.patch b/gnu/packages/patches/glibc-CVE-2016-3706.patch
deleted file mode 100644
index 617242df24..0000000000
--- a/gnu/packages/patches/glibc-CVE-2016-3706.patch
+++ /dev/null
@@ -1,188 +0,0 @@
-From 1a8a7c12950a0026a3c406a7cb1608f96aa1460e Mon Sep 17 00:00:00 2001
-From: Florian Weimer <fweimer@redhat.com>
-Date: Fri, 29 Apr 2016 10:35:34 +0200
-Subject: [PATCH] CVE-2016-3706: getaddrinfo: stack overflow in hostent
- conversion [BZ #20010]
-
-When converting a struct hostent response to struct gaih_addrtuple, the
-gethosts macro (which is called from gaih_inet) used alloca, without
-malloc fallback for large responses. This commit changes this code to
-use calloc unconditionally.
-
-This commit also consolidated a second hostent-to-gaih_addrtuple
-conversion loop (in gaih_inet) to use the new conversion function.
-
-(cherry picked from commit 4ab2ab03d4351914ee53248dc5aef4a8c88ff8b9)
----
- ChangeLog | 10 ++++
- sysdeps/posix/getaddrinfo.c | 130 +++++++++++++++++++++++---------------------
- 2 files changed, 79 insertions(+), 61 deletions(-)
-
-diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
-index 1ef3f20..fed2d3b 100644
---- a/sysdeps/posix/getaddrinfo.c
-+++ b/sysdeps/posix/getaddrinfo.c
-@@ -168,9 +168,58 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp,
- return 0;
- }
-
-+/* Convert struct hostent to a list of struct gaih_addrtuple objects.
-+ h_name is not copied, and the struct hostent object must not be
-+ deallocated prematurely. *RESULT must be NULL or a pointer to an
-+ object allocated using malloc, which is freed. */
-+static bool
-+convert_hostent_to_gaih_addrtuple (const struct addrinfo *req,
-+ int family,
-+ struct hostent *h,
-+ struct gaih_addrtuple **result)
-+{
-+ free (*result);
-+ *result = NULL;
-+
-+ /* Count the number of addresses in h->h_addr_list. */
-+ size_t count = 0;
-+ for (char **p = h->h_addr_list; *p != NULL; ++p)
-+ ++count;
-+
-+ /* Report no data if no addresses are available, or if the incoming
-+ address size is larger than what we can store. */
-+ if (count == 0 || h->h_length > sizeof (((struct gaih_addrtuple) {}).addr))
-+ return true;
-+
-+ struct gaih_addrtuple *array = calloc (count, sizeof (*array));
-+ if (array == NULL)
-+ return false;
-+
-+ for (size_t i = 0; i < count; ++i)
-+ {
-+ if (family == AF_INET && req->ai_family == AF_INET6)
-+ {
-+ /* Perform address mapping. */
-+ array[i].family = AF_INET6;
-+ memcpy(array[i].addr + 3, h->h_addr_list[i], sizeof (uint32_t));
-+ array[i].addr[2] = htonl (0xffff);
-+ }
-+ else
-+ {
-+ array[i].family = family;
-+ memcpy (array[i].addr, h->h_addr_list[i], h->h_length);
-+ }
-+ array[i].next = array + i + 1;
-+ }
-+ array[0].name = h->h_name;
-+ array[count - 1].next = NULL;
-+
-+ *result = array;
-+ return true;
-+}
-+
- #define gethosts(_family, _type) \
- { \
-- int i; \
- int herrno; \
- struct hostent th; \
- struct hostent *h; \
-@@ -219,36 +268,23 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp,
- } \
- else if (h != NULL) \
- { \
-- for (i = 0; h->h_addr_list[i]; i++) \
-+ /* Make sure that addrmem can be freed. */ \
-+ if (!malloc_addrmem) \
-+ addrmem = NULL; \
-+ if (!convert_hostent_to_gaih_addrtuple (req, _family,h, &addrmem)) \
- { \
-- if (*pat == NULL) \
-- { \
-- *pat = __alloca (sizeof (struct gaih_addrtuple)); \
-- (*pat)->scopeid = 0; \
-- } \
-- uint32_t *addr = (*pat)->addr; \
-- (*pat)->next = NULL; \
-- (*pat)->name = i == 0 ? strdupa (h->h_name) : NULL; \
-- if (_family == AF_INET && req->ai_family == AF_INET6) \
-- { \
-- (*pat)->family = AF_INET6; \
-- addr[3] = *(uint32_t *) h->h_addr_list[i]; \
-- addr[2] = htonl (0xffff); \
-- addr[1] = 0; \
-- addr[0] = 0; \
-- } \
-- else \
-- { \
-- (*pat)->family = _family; \
-- memcpy (addr, h->h_addr_list[i], sizeof(_type)); \
-- } \
-- pat = &((*pat)->next); \
-+ _res.options |= old_res_options & RES_USE_INET6; \
-+ result = -EAI_SYSTEM; \
-+ goto free_and_return; \
- } \
-+ *pat = addrmem; \
-+ /* The conversion uses malloc unconditionally. */ \
-+ malloc_addrmem = true; \
- \
- if (localcanon != NULL && canon == NULL) \
- canon = strdupa (localcanon); \
- \
-- if (_family == AF_INET6 && i > 0) \
-+ if (_family == AF_INET6 && *pat != NULL) \
- got_ipv6 = true; \
- } \
- }
-@@ -612,44 +648,16 @@ gaih_inet (const char *name, const struct gaih_service *service,
- {
- if (h != NULL)
- {
-- int i;
-- /* We found data, count the number of addresses. */
-- for (i = 0; h->h_addr_list[i]; ++i)
-- ;
-- if (i > 0 && *pat != NULL)
-- --i;
--
-- if (__libc_use_alloca (alloca_used
-- + i * sizeof (struct gaih_addrtuple)))
-- addrmem = alloca_account (i * sizeof (struct gaih_addrtuple),
-- alloca_used);
-- else
-- {
-- addrmem = malloc (i
-- * sizeof (struct gaih_addrtuple));
-- if (addrmem == NULL)
-- {
-- result = -EAI_MEMORY;
-- goto free_and_return;
-- }
-- malloc_addrmem = true;
-- }
--
-- /* Now convert it into the list. */
-- struct gaih_addrtuple *addrfree = addrmem;
-- for (i = 0; h->h_addr_list[i]; ++i)
-+ /* We found data, convert it. */
-+ if (!convert_hostent_to_gaih_addrtuple
-+ (req, AF_INET, h, &addrmem))
- {
-- if (*pat == NULL)
-- {
-- *pat = addrfree++;
-- (*pat)->scopeid = 0;
-- }
-- (*pat)->next = NULL;
-- (*pat)->family = AF_INET;
-- memcpy ((*pat)->addr, h->h_addr_list[i],
-- h->h_length);
-- pat = &((*pat)->next);
-+ result = -EAI_MEMORY;
-+ goto free_and_return;
- }
-+ *pat = addrmem;
-+ /* The conversion uses malloc unconditionally. */
-+ malloc_addrmem = true;
- }
- }
- else
---
-2.9.3
-
diff --git a/gnu/packages/patches/glibc-CVE-2016-4429.patch b/gnu/packages/patches/glibc-CVE-2016-4429.patch
deleted file mode 100644
index 5eebd10543..0000000000
--- a/gnu/packages/patches/glibc-CVE-2016-4429.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From bdce95930e1d9a7d013d1ba78740243491262879 Mon Sep 17 00:00:00 2001
-From: Florian Weimer <fweimer@redhat.com>
-Date: Mon, 23 May 2016 20:18:34 +0200
-Subject: [PATCH] CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call [BZ
- #20112]
-
-The call is technically in a loop, and under certain circumstances
-(which are quite difficult to reproduce in a test case), alloca
-can be invoked repeatedly during a single call to clntudp_call.
-As a result, the available stack space can be exhausted (even
-though individual alloca sizes are bounded implicitly by what
-can fit into a UDP packet, as a side effect of the earlier
-successful send operation).
-
-(cherry picked from commit bc779a1a5b3035133024b21e2f339fe4219fb11c)
----
- ChangeLog | 7 +++++++
- NEWS | 4 ++++
- sunrpc/clnt_udp.c | 10 +++++++++-
- 3 files changed, 20 insertions(+), 1 deletion(-)
-
-diff --git a/sunrpc/clnt_udp.c b/sunrpc/clnt_udp.c
-index a6cf5f1..4d9acb1 100644
---- a/sunrpc/clnt_udp.c
-+++ b/sunrpc/clnt_udp.c
-@@ -388,9 +388,15 @@ send_again:
- struct sock_extended_err *e;
- struct sockaddr_in err_addr;
- struct iovec iov;
-- char *cbuf = (char *) alloca (outlen + 256);
-+ char *cbuf = malloc (outlen + 256);
- int ret;
-
-+ if (cbuf == NULL)
-+ {
-+ cu->cu_error.re_errno = errno;
-+ return (cu->cu_error.re_status = RPC_CANTRECV);
-+ }
-+
- iov.iov_base = cbuf + 256;
- iov.iov_len = outlen;
- msg.msg_name = (void *) &err_addr;
-@@ -415,10 +421,12 @@ send_again:
- cmsg = CMSG_NXTHDR (&msg, cmsg))
- if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
- {
-+ free (cbuf);
- e = (struct sock_extended_err *) CMSG_DATA(cmsg);
- cu->cu_error.re_errno = e->ee_errno;
- return (cu->cu_error.re_status = RPC_CANTRECV);
- }
-+ free (cbuf);
- }
- #endif
- do
---
-2.9.3
-
diff --git a/gnu/packages/patches/glibc-CVE-2017-1000366-pt1.patch b/gnu/packages/patches/glibc-CVE-2017-1000366-pt1.patch
deleted file mode 100644
index 71e80968be..0000000000
--- a/gnu/packages/patches/glibc-CVE-2017-1000366-pt1.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d Mon Sep 17 00:00:00 2001
-From: Florian Weimer <fweimer@redhat.com>
-Date: Mon, 19 Jun 2017 17:09:55 +0200
-Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1
- programs [BZ #21624]
-
-LD_LIBRARY_PATH can only be used to reorder system search paths, which
-is not useful functionality.
-
-This makes an exploitable unbounded alloca in _dl_init_paths unreachable
-for AT_SECURE=1 programs.
-
-patch from:
-https://sourceware.org/git/?p=glibc.git;a=commit;h=f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d
----
- ChangeLog | 7 +++++++
- elf/rtld.c | 3 ++-
- 2 files changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/elf/rtld.c b/elf/rtld.c
-index 2446a87..2269dbe 100644
---- a/elf/rtld.c
-+++ b/elf/rtld.c
-@@ -2422,7 +2422,8 @@ process_envvars (enum mode *modep)
-
- case 12:
- /* The library search path. */
-- if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
-+ if (!__libc_enable_secure
-+ && memcmp (envline, "LIBRARY_PATH", 12) == 0)
- {
- library_path = &envline[13];
- break;
---
-2.9.3
-
diff --git a/gnu/packages/patches/glibc-CVE-2017-1000366-pt2.patch b/gnu/packages/patches/glibc-CVE-2017-1000366-pt2.patch
deleted file mode 100644
index 4b859c4bfd..0000000000
--- a/gnu/packages/patches/glibc-CVE-2017-1000366-pt2.patch
+++ /dev/null
@@ -1,124 +0,0 @@
-From 6d0ba622891bed9d8394eef1935add53003b12e8 Mon Sep 17 00:00:00 2001
-From: Florian Weimer <fweimer@redhat.com>
-Date: Mon, 19 Jun 2017 22:31:04 +0200
-Subject: [PATCH] ld.so: Reject overly long LD_PRELOAD path elements
-
-patch from:
-https://sourceware.org/git/?p=glibc.git;a=patch;h=6d0ba622891bed9d8394eef1935add53003b12e8
-
----
- ChangeLog | 7 ++++++
- elf/rtld.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++------------
- 2 files changed, 73 insertions(+), 16 deletions(-)
-
-diff --git a/elf/rtld.c b/elf/rtld.c
-index 2269dbe..86ae20c 100644
---- a/elf/rtld.c
-+++ b/elf/rtld.c
-@@ -99,6 +99,35 @@ uintptr_t __pointer_chk_guard_local
- strong_alias (__pointer_chk_guard_local, __pointer_chk_guard)
- #endif
-
-+/* Length limits for names and paths, to protect the dynamic linker,
-+ particularly when __libc_enable_secure is active. */
-+#ifdef NAME_MAX
-+# define SECURE_NAME_LIMIT NAME_MAX
-+#else
-+# define SECURE_NAME_LIMIT 255
-+#endif
-+#ifdef PATH_MAX
-+# define SECURE_PATH_LIMIT PATH_MAX
-+#else
-+# define SECURE_PATH_LIMIT 1024
-+#endif
-+
-+/* Check that AT_SECURE=0, or that the passed name does not contain
-+ directories and is not overly long. Reject empty names
-+ unconditionally. */
-+static bool
-+dso_name_valid_for_suid (const char *p)
-+{
-+ if (__glibc_unlikely (__libc_enable_secure))
-+ {
-+ /* Ignore pathnames with directories for AT_SECURE=1
-+ programs, and also skip overlong names. */
-+ size_t len = strlen (p);
-+ if (len >= SECURE_NAME_LIMIT || memchr (p, '/', len) != NULL)
-+ return false;
-+ }
-+ return *p != '\0';
-+}
-
- /* List of auditing DSOs. */
- static struct audit_list
-@@ -718,6 +747,42 @@ static const char *preloadlist attribute_relro;
- /* Nonzero if information about versions has to be printed. */
- static int version_info attribute_relro;
-
-+/* The LD_PRELOAD environment variable gives list of libraries
-+ separated by white space or colons that are loaded before the
-+ executable's dependencies and prepended to the global scope list.
-+ (If the binary is running setuid all elements containing a '/' are
-+ ignored since it is insecure.) Return the number of preloads
-+ performed. */
-+unsigned int
-+handle_ld_preload (const char *preloadlist, struct link_map *main_map)
-+{
-+ unsigned int npreloads = 0;
-+ const char *p = preloadlist;
-+ char fname[SECURE_PATH_LIMIT];
-+
-+ while (*p != '\0')
-+ {
-+ /* Split preload list at space/colon. */
-+ size_t len = strcspn (p, " :");
-+ if (len > 0 && len < sizeof (fname))
-+ {
-+ memcpy (fname, p, len);
-+ fname[len] = '\0';
-+ }
-+ else
-+ fname[0] = '\0';
-+
-+ /* Skip over the substring and the following delimiter. */
-+ p += len;
-+ if (*p != '\0')
-+ ++p;
-+
-+ if (dso_name_valid_for_suid (fname))
-+ npreloads += do_preload (fname, main_map, "LD_PRELOAD");
-+ }
-+ return npreloads;
-+}
-+
- static void
- dl_main (const ElfW(Phdr) *phdr,
- ElfW(Word) phnum,
-@@ -1464,23 +1529,8 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
-
- if (__glibc_unlikely (preloadlist != NULL))
- {
-- /* The LD_PRELOAD environment variable gives list of libraries
-- separated by white space or colons that are loaded before the
-- executable's dependencies and prepended to the global scope
-- list. If the binary is running setuid all elements
-- containing a '/' are ignored since it is insecure. */
-- char *list = strdupa (preloadlist);
-- char *p;
--
- HP_TIMING_NOW (start);
--
-- /* Prevent optimizing strsep. Speed is not important here. */
-- while ((p = (strsep) (&list, " :")) != NULL)
-- if (p[0] != '\0'
-- && (__builtin_expect (! __libc_enable_secure, 1)
-- || strchr (p, '/') == NULL))
-- npreloads += do_preload (p, main_map, "LD_PRELOAD");
--
-+ npreloads += handle_ld_preload (preloadlist, main_map);
- HP_TIMING_NOW (stop);
- HP_TIMING_DIFF (diff, start, stop);
- HP_TIMING_ACCUM_NT (load_time, diff);
---
-2.9.3
-
diff --git a/gnu/packages/patches/glibc-CVE-2017-1000366-pt3.patch b/gnu/packages/patches/glibc-CVE-2017-1000366-pt3.patch
deleted file mode 100644
index 3d8f6d2bf8..0000000000
--- a/gnu/packages/patches/glibc-CVE-2017-1000366-pt3.patch
+++ /dev/null
@@ -1,206 +0,0 @@
-From 81b82fb966ffbd94353f793ad17116c6088dedd9 Mon Sep 17 00:00:00 2001
-From: Florian Weimer <fweimer@redhat.com>
-Date: Mon, 19 Jun 2017 22:32:12 +0200
-Subject: [PATCH] ld.so: Reject overly long LD_AUDIT path elements
-
-Also only process the last LD_AUDIT entry.
-
-patch from:
-https://sourceware.org/git/?p=glibc.git;a=commit;h=81b82fb966ffbd94353f793ad17116c6088dedd9
-
----
- ChangeLog | 11 +++++++
- elf/rtld.c | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++---------
- 2 files changed, 106 insertions(+), 15 deletions(-)
-
-diff --git a/elf/rtld.c b/elf/rtld.c
-index 86ae20c..65647fb 100644
---- a/elf/rtld.c
-+++ b/elf/rtld.c
-@@ -129,13 +129,91 @@ dso_name_valid_for_suid (const char *p)
- return *p != '\0';
- }
-
--/* List of auditing DSOs. */
-+/* LD_AUDIT variable contents. Must be processed before the
-+ audit_list below. */
-+const char *audit_list_string;
-+
-+/* Cyclic list of auditing DSOs. audit_list->next is the first
-+ element. */
- static struct audit_list
- {
- const char *name;
- struct audit_list *next;
- } *audit_list;
-
-+/* Iterator for audit_list_string followed by audit_list. */
-+struct audit_list_iter
-+{
-+ /* Tail of audit_list_string still needing processing, or NULL. */
-+ const char *audit_list_tail;
-+
-+ /* The list element returned in the previous iteration. NULL before
-+ the first element. */
-+ struct audit_list *previous;
-+
-+ /* Scratch buffer for returning a name which is part of
-+ audit_list_string. */
-+ char fname[SECURE_NAME_LIMIT];
-+};
-+
-+/* Initialize an audit list iterator. */
-+static void
-+audit_list_iter_init (struct audit_list_iter *iter)
-+{
-+ iter->audit_list_tail = audit_list_string;
-+ iter->previous = NULL;
-+}
-+
-+/* Iterate through both audit_list_string and audit_list. */
-+static const char *
-+audit_list_iter_next (struct audit_list_iter *iter)
-+{
-+ if (iter->audit_list_tail != NULL)
-+ {
-+ /* First iterate over audit_list_string. */
-+ while (*iter->audit_list_tail != '\0')
-+ {
-+ /* Split audit list at colon. */
-+ size_t len = strcspn (iter->audit_list_tail, ":");
-+ if (len > 0 && len < sizeof (iter->fname))
-+ {
-+ memcpy (iter->fname, iter->audit_list_tail, len);
-+ iter->fname[len] = '\0';
-+ }
-+ else
-+ /* Do not return this name to the caller. */
-+ iter->fname[0] = '\0';
-+
-+ /* Skip over the substring and the following delimiter. */
-+ iter->audit_list_tail += len;
-+ if (*iter->audit_list_tail == ':')
-+ ++iter->audit_list_tail;
-+
-+ /* If the name is valid, return it. */
-+ if (dso_name_valid_for_suid (iter->fname))
-+ return iter->fname;
-+ /* Otherwise, wrap around and try the next name. */
-+ }
-+ /* Fall through to the procesing of audit_list. */
-+ }
-+
-+ if (iter->previous == NULL)
-+ {
-+ if (audit_list == NULL)
-+ /* No pre-parsed audit list. */
-+ return NULL;
-+ /* Start of audit list. The first list element is at
-+ audit_list->next (cyclic list). */
-+ iter->previous = audit_list->next;
-+ return iter->previous->name;
-+ }
-+ if (iter->previous == audit_list)
-+ /* Cyclic list wrap-around. */
-+ return NULL;
-+ iter->previous = iter->previous->next;
-+ return iter->previous->name;
-+}
-+
- #ifndef HAVE_INLINED_SYSCALLS
- /* Set nonzero during loading and initialization of executable and
- libraries, cleared before the executable's entry point runs. This
-@@ -1305,11 +1383,13 @@ of this helper program; chances are you did not intend to run this program.\n\
- GL(dl_rtld_map).l_tls_modid = _dl_next_tls_modid ();
-
- /* If we have auditing DSOs to load, do it now. */
-- if (__glibc_unlikely (audit_list != NULL))
-+ bool need_security_init = true;
-+ if (__glibc_unlikely (audit_list != NULL)
-+ || __glibc_unlikely (audit_list_string != NULL))
- {
-- /* Iterate over all entries in the list. The order is important. */
- struct audit_ifaces *last_audit = NULL;
-- struct audit_list *al = audit_list->next;
-+ struct audit_list_iter al_iter;
-+ audit_list_iter_init (&al_iter);
-
- /* Since we start using the auditing DSOs right away we need to
- initialize the data structures now. */
-@@ -1320,9 +1400,14 @@ of this helper program; chances are you did not intend to run this program.\n\
- use different values (especially the pointer guard) and will
- fail later on. */
- security_init ();
-+ need_security_init = false;
-
-- do
-+ while (true)
- {
-+ const char *name = audit_list_iter_next (&al_iter);
-+ if (name == NULL)
-+ break;
-+
- int tls_idx = GL(dl_tls_max_dtv_idx);
-
- /* Now it is time to determine the layout of the static TLS
-@@ -1331,7 +1416,7 @@ of this helper program; chances are you did not intend to run this program.\n\
- no DF_STATIC_TLS bit is set. The reason is that we know
- glibc will use the static model. */
- struct dlmopen_args dlmargs;
-- dlmargs.fname = al->name;
-+ dlmargs.fname = name;
- dlmargs.map = NULL;
-
- const char *objname;
-@@ -1344,7 +1429,7 @@ of this helper program; chances are you did not intend to run this program.\n\
- not_loaded:
- _dl_error_printf ("\
- ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
-- al->name, err_str);
-+ name, err_str);
- if (malloced)
- free ((char *) err_str);
- }
-@@ -1448,10 +1533,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
- goto not_loaded;
- }
- }
--
-- al = al->next;
- }
-- while (al != audit_list->next);
-
- /* If we have any auditing modules, announce that we already
- have two objects loaded. */
-@@ -1715,7 +1797,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
- if (tcbp == NULL)
- tcbp = init_tls ();
-
-- if (__glibc_likely (audit_list == NULL))
-+ if (__glibc_likely (need_security_init))
- /* Initialize security features. But only if we have not done it
- earlier. */
- security_init ();
-@@ -2346,9 +2428,7 @@ process_dl_audit (char *str)
- char *p;
-
- while ((p = (strsep) (&str, ":")) != NULL)
-- if (p[0] != '\0'
-- && (__builtin_expect (! __libc_enable_secure, 1)
-- || strchr (p, '/') == NULL))
-+ if (dso_name_valid_for_suid (p))
- {
- /* This is using the local malloc, not the system malloc. The
- memory can never be freed. */
-@@ -2412,7 +2492,7 @@ process_envvars (enum mode *modep)
- break;
- }
- if (memcmp (envline, "AUDIT", 5) == 0)
-- process_dl_audit (&envline[6]);
-+ audit_list_string = &envline[6];
- break;
-
- case 7:
---
-2.9.3
-
diff --git a/gnu/packages/patches/glibc-o-largefile.patch b/gnu/packages/patches/glibc-o-largefile.patch
deleted file mode 100644
index 2b0ae8c8bb..0000000000
--- a/gnu/packages/patches/glibc-o-largefile.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-This fixes <https://sourceware.org/bugzilla/show_bug.cgi?id=18781>
-whereby, on 32-bit platforms, libc 2.22 would fail to pass O_LARGEFILE
-to 'openat'. This was caught by 'tests/sparse03.at' in the tar
-test suite.
-
-commit eb32b0d40308166c4d8f6330cc2958cb1e545075
-Author: Andreas Schwab <schwab@suse.de>
-Date: Mon Aug 10 14:12:47 2015 +0200
-
- Readd O_LARGEFILE flag for openat64 (bug 18781)
-
---- a/sysdeps/unix/sysv/linux/openat.c
-+++ b/sysdeps/unix/sysv/linux/openat.c
-@@ -68,6 +68,11 @@ __OPENAT (int fd, const char *file, int oflag, ...)
- va_end (arg);
- }
-
-+ /* We have to add the O_LARGEFILE flag for openat64. */
-+#ifdef MORE_OFLAGS
-+ oflag |= MORE_OFLAGS;
-+#endif
-+
- return SYSCALL_CANCEL (openat, fd, file, oflag, mode);
- }
- libc_hidden_def (__OPENAT)
diff --git a/gnu/packages/patches/glibc-vectorized-strcspn-guards.patch b/gnu/packages/patches/glibc-vectorized-strcspn-guards.patch
deleted file mode 100644
index 3d6c7749d4..0000000000
--- a/gnu/packages/patches/glibc-vectorized-strcspn-guards.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-Copied from Debian.
-
-2017-06-14 Florian Weimer <fweimer@redhat.com>
-
- * sysdeps/i386/i686/multiarch/strcspn-c.c: Add IS_IN (libc) guard.
- * sysdeps/i386/i686/multiarch/varshift.c: Likewise.
-
---- a/sysdeps/i386/i686/multiarch/strcspn-c.c
-+++ b/sysdeps/i386/i686/multiarch/strcspn-c.c
-@@ -1,2 +1,4 @@
--#define __strcspn_sse2 __strcspn_ia32
--#include <sysdeps/x86_64/multiarch/strcspn-c.c>
-+#if IS_IN (libc)
-+# define __strcspn_sse2 __strcspn_ia32
-+# include <sysdeps/x86_64/multiarch/strcspn-c.c>
-+#endif
---- a/sysdeps/i386/i686/multiarch/varshift.c
-+++ b/sysdeps/i386/i686/multiarch/varshift.c
-@@ -1 +1,3 @@
--#include <sysdeps/x86_64/multiarch/varshift.c>
-+#if IS_IN (libc)
-+# include <sysdeps/x86_64/multiarch/varshift.c>
-+#endif