Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: freeze-exception
Please unblock package libgc This upload fixes CVE-2012-2673. It only uses the patches approved upstream to fix this issue (the -malloc.diff one backported to our 7.1 package; the rest apply as is). unblock libgc/7.1-9 -- System Information: Debian Release: wheezy/sid APT prefers testing APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.4-trunk-amd64 (SMP w/6 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -Nru libgc-7.1/debian/changelog libgc-7.1/debian/changelog
--- libgc-7.1/debian/changelog 2011-05-29 18:55:21.000000000 +0200
+++ libgc-7.1/debian/changelog 2012-07-11 00:30:07.000000000 +0200
@@ -1,3 +1,9 @@
+libgc (1:7.1-9) unstable; urgency=medium
+
+ * Import patches to fix CVE-2012-2673 from upstream git (Closes: #677195)
+
+ -- Christoph Egger <christ...@debian.org> Sun, 08 Jul 2012 18:27:48 +0200
+
 libgc (1:7.1-8) unstable; urgency=low
 
 * Import patch by Thorsten Glaser
diff -Nru libgc-7.1/debian/patches/CVE-2012-2673-calloc-1.diff libgc-7.1/debian/patches/CVE-2012-2673-calloc-1.diff
--- libgc-7.1/debian/patches/CVE-2012-2673-calloc-1.diff 1970-01-01 01:00:00.000000000 +0100
+++ libgc-7.1/debian/patches/CVE-2012-2673-calloc-1.diff 2012-07-11 00:26:57.000000000 +0200
@@ -0,0 +1,29 @@
+From e10c1eb9908c2774c16b3148b30d2f3823d66a9a Mon Sep 17 00:00:00 2001
+From: Xi Wang <xi.w...@gmail.com>
+Date: Thu, 15 Mar 2012 04:46:49 +0800
+Subject: [PATCH] Fix calloc() overflow
+
+* malloc.c (calloc): Check multiplication overflow in calloc(),
+assuming REDIRECT_MALLOC.
+---
+ malloc.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Index: libgc/malloc.c
+===================================================================
+--- libgc.orig/malloc.c 2008-03-10 06:33:41.000000000 +0100
++++ libgc/malloc.c 2012-07-08 18:08:40.030368600 +0200
+@@ -344,8 +344,13 @@
+ }
+ #endif
+
++#ifndef SIZE_MAX
++#define SIZE_MAX (~(size_t)0)
++#endif
+ void * calloc(size_t n, size_t lb)
+ {
++ if (lb && n > SIZE_MAX / lb)
++ return NULL;
+ # if defined(GC_LINUX_THREADS) /* && !defined(USE_PROC_FOR_LIBRARIES) */
+ /* libpthread allocated some memory that is only pointed to by */
+ /* mmapped thread stacks. Make sure it's not collectable. */
diff -Nru libgc-7.1/debian/patches/CVE-2012-2673-calloc-2.diff libgc-7.1/debian/patches/CVE-2012-2673-calloc-2.diff
--- libgc-7.1/debian/patches/CVE-2012-2673-calloc-2.diff 1970-01-01 01:00:00.000000000 +0100
+++ libgc-7.1/debian/patches/CVE-2012-2673-calloc-2.diff 2012-07-11 00:26:57.000000000 +0200
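Review bot: The new overflow guard `if (lb && n > SIZE_MAX / lb) return NULL;` leaves errno untouched, whereas the libc calloc this function stands in for under REDIRECT_MALLOC (per the patch description) reports ENOMEM, so a caller that inspects errno after a NULL return sees a stale value. If malloc.c has `<errno.h>` in scope, `if (lb && n > SIZE_MAX / lb) { errno = ENOMEM; return NULL; }` would match the libc contract; I cannot confirm the include from this hunk. The body of calloc continues beyond the end of the hunk.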
@@ -0,0 +1,36 @@
+From 6a93f8e5bcad22137f41b6c60a1c7384baaec2b3 Mon Sep 17 00:00:00 2001
+From: Ivan Maidanski <iv...@mail.ru>
+Date: Thu, 15 Mar 2012 20:30:11 +0400
+Subject: [PATCH] Fix calloc-related code to prevent SIZE_MAX redefinition in
+ sys headers
+
+* malloc.c: Include limits.h for SIZE_MAX.
+* malloc.c (SIZE_MAX, calloc): Define GC_SIZE_MAX instead of SIZE_MAX.
+---
+ malloc.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+Index: libgc/malloc.c
+===================================================================
+--- libgc.orig/malloc.c 2012-07-08 18:08:40.030368600 +0200
++++ libgc/malloc.c 2012-07-08 18:08:45.420373752 +0200
+@@ -344,12 +344,16 @@
+ }
+ #endif
+
+-#ifndef SIZE_MAX
+-#define SIZE_MAX (~(size_t)0)
++#include <limits.h>
++#ifdef SIZE_MAX
++# define GC_SIZE_MAX SIZE_MAX
++#else
++# define GC_SIZE_MAX (~(size_t)0)
+ #endif
++
+ void * calloc(size_t n, size_t lb)
+ {
+- if (lb && n > SIZE_MAX / lb)
++ if (lb && n > GC_SIZE_MAX / lb)
+ return NULL;
+ # if defined(GC_LINUX_THREADS) /* && !defined(USE_PROC_FOR_LIBRARIES) */
+ /* libpthread allocated some memory that is only pointed to by */
diff -Nru libgc-7.1/debian/patches/CVE-2012-2673-calloc-3.diff libgc-7.1/debian/patches/CVE-2012-2673-calloc-3.diff
--- libgc-7.1/debian/patches/CVE-2012-2673-calloc-3.diff 1970-01-01 01:00:00.000000000 +0100
+++ libgc-7.1/debian/patches/CVE-2012-2673-calloc-3.diff 2012-07-11 00:26:57.000000000 +0200
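Review bot: `#include <limits.h>` is not the header that defines SIZE_MAX in C99 — `<stdint.h>` is — so the `#ifdef SIZE_MAX` branch is taken only when some earlier include already pulled in stdint.h, and otherwise the build silently falls through to the `(~(size_t)0)` fallback. On every platform where size_t is unsigned the two values are identical, so the overflow check is unaffected; the point is that the `#ifdef` does not do what the patch description says. `#include <stdint.h>` in place of the limits.h line would make the preferred branch actually reachable. The calloc body continues past the end of the hunk.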
@@ -0,0 +1,31 @@
+From 83231d0ab5ed60015797c3d1ad9056295ac3b2bb Mon Sep 17 00:00:00 2001
+From: Hans Boehm <hans.bo...@hp.com>
+Date: Thu, 15 Mar 2012 21:09:05 +0400
+Subject: [PATCH] Speedup calloc size overflow check by preventing division if
+ small values
+
+* malloc.c (GC_SQRT_SIZE_MAX): New macro.
+* malloc.c (calloc): Add fast initial size overflow check to avoid
+integer division for reasonably small values passed.
+---
+ malloc.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+Index: libgc/malloc.c
+===================================================================
+--- libgc.orig/malloc.c 2012-07-08 17:54:21.530370090 +0200
++++ libgc/malloc.c 2012-07-08 17:54:21.000000000 +0200
+@@ -351,9 +351,12 @@
+ # define GC_SIZE_MAX (~(size_t)0)
+ #endif
+
++#define GC_SQRT_SIZE_MAX ((1U << (WORDSZ / 2)) - 1)
++
+ void * calloc(size_t n, size_t lb)
+ {
+- if (lb && n > GC_SIZE_MAX / lb)
++ if ((lb | n) > GC_SQRT_SIZE_MAX /* fast initial test */
++ && lb && n > GC_SIZE_MAX / lb)
+ return NULL;
+ # if defined(GC_LINUX_THREADS) /* && !defined(USE_PROC_FOR_LIBRARIES) */
+ /* libpthread allocated some memory that is only pointed to by */
diff -Nru libgc-7.1/debian/patches/CVE-2012-2673-malloc.diff libgc-7.1/debian/patches/CVE-2012-2673-malloc.diff
--- libgc-7.1/debian/patches/CVE-2012-2673-malloc.diff 1970-01-01 01:00:00.000000000 +0100
+++ libgc-7.1/debian/patches/CVE-2012-2673-malloc.diff 2012-07-11 00:26:57.000000000 +0200
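Review bot: `#define GC_SQRT_SIZE_MAX ((1U << (WORDSZ / 2)) - 1)` shifts an `unsigned int` by `WORDSZ / 2`; if WORDSZ is the word width in bits, as its use here suggests, that is a shift by 32 on a 64-bit target, which is the full width of `unsigned int` and therefore undefined behaviour (GCC warns "left shift count >= width of type"). The guard stays sound for the values a compiler is likely to fold — a folded 0 gives a threshold of 2^32-1, which is exactly right, and a folded 1 gives 0, which merely forces the division on every call — but undefined behaviour carries no such guarantee and the fast path is the only purpose of this patch. Widening the constant, `#define GC_SQRT_SIZE_MAX ((((size_t)1) << (WORDSZ / 2)) - 1)`, makes the shift well-defined and keeps the property that the square of the threshold fits in size_t, which is what lets `(lb | n) <= GC_SQRT_SIZE_MAX` skip the division. The calloc body continues past the end of the hunk.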
@@ -0,0 +1,41 @@
+From be9df82919960214ee4b9d3313523bff44fd99e1 Mon Sep 17 00:00:00 2001
+From: Xi Wang <xi.w...@gmail.com>
+Date: Thu, 15 Mar 2012 04:55:08 +0800
+Subject: [PATCH] Fix allocation size overflows due to rounding.
+
+* malloc.c (GC_generic_malloc): Check if the allocation size is
+rounded to a smaller value.
+* mallocx.c (GC_generic_malloc_ignore_off_page): Likewise.
+---
+ malloc.c | 2 ++
+ mallocx.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+Index: libgc/malloc.c
+===================================================================
+--- libgc.orig/malloc.c 2012-07-08 18:23:03.980370526 +0200
++++ libgc/malloc.c 2012-07-08 18:24:58.640366221 +0200
+@@ -165,6 +165,9 @@
+ GC_bool init;
+ lw = ROUNDED_UP_WORDS(lb);
+ lb_rounded = WORDS_TO_BYTES(lw);
++ if (lb_rounded < lb)
++ return((*GC_oom_fn)(lb));
++
+ n_blocks = OBJ_SZ_TO_BLOCKS(lb_rounded);
+ init = GC_obj_kinds[k].ok_init;
+ LOCK();
+Index: libgc/mallocx.c
+===================================================================
+--- libgc.orig/mallocx.c 2012-07-08 18:21:54.800368132 +0200
++++ libgc/mallocx.c 2012-07-08 18:25:13.620365430 +0200
+@@ -179,6 +179,9 @@
+ return(GC_generic_malloc((word)lb, k));
+ lw = ROUNDED_UP_WORDS(lb);
+ lb_rounded = WORDS_TO_BYTES(lw);
++ if (lb_rounded < lb)
++ return((*GC_oom_fn)(lb));
++
+ n_blocks = OBJ_SZ_TO_BLOCKS(lb_rounded);
+ init = GC_obj_kinds[k].ok_init;
+ if (GC_have_errors) GC_print_all_errors();
diff -Nru libgc-7.1/debian/patches/series libgc-7.1/debian/patches/series
--- libgc-7.1/debian/patches/series 2011-05-29 15:19:45.000000000 +0200
+++ libgc-7.1/debian/patches/series 2012-07-11 00:26:57.000000000 +0200
@@ -5,3 +5,7 @@
 #05-s390-includes.diff
 enable-threads.diff
 06-m68k-no-getcontext.diff
+CVE-2012-2673-calloc-1.diff
+CVE-2012-2673-calloc-2.diff
+CVE-2012-2673-calloc-3.diff
+CVE-2012-2673-malloc.diff
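Review bot: `if (lb_rounded < lb) return((*GC_oom_fn)(lb));` catches the wrap inside `ROUNDED_UP_WORDS`, but the very next line, `n_blocks = OBJ_SZ_TO_BLOCKS(lb_rounded);`, performs a second rounding that this guard does not cover: if OBJ_SZ_TO_BLOCKS is the usual `divHBLKSZ((sz) + HBLKSIZE-1)` (I cannot see the macro from this hunk), a request within HBLKSIZE bytes of the largest size_t passes the new check and still wraps to a tiny n_blocks for a huge lb, the same size-confusion the patch is meant to close. The same pattern is repeated verbatim in the mallocx.c hunk below it, so the fix belongs in both places, e.g. `if (lb_rounded < lb || lb_rounded > ~(size_t)0 - HBLKSIZE) return((*GC_oom_fn)(lb));`. Both enclosing functions (GC_generic_malloc and GC_generic_malloc_ignore_off_page, per the patch description) start and end outside their hunks, so whether a later size check already exists there should be confirmed in the full file.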