Merge commit '9480bae337095fd24f61380bce3174fdfe926a00'

This is the last nixos-unstable release before 13b2903169f, which I'm a
bit nervous about.  So I want the update including that one to be as
small as possible, hence going to this one first.

2 files changed, 64 insertions, 2 deletions

diff --git a/nixpkgs/pkgs/development/libraries/glibc/2.30-cve-2020-1752.patch b/nixpkgs/pkgs/development/libraries/glibc/2.30-cve-2020-1752.patch
new file mode 100644
index 000000000000..75d874b93d09
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/glibc/2.30-cve-2020-1752.patch
@@ -0,0 +1,62 @@
+From: Andreas Schwab <schwab@suse.de>
+Date: Wed, 19 Feb 2020 16:21:46 +0000 (+0100)
+Subject: Fix use-after-free in glob when expanding ~user (bug 25414)
+X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=da97c6b88eb03fb834e92964b0895c2ac8d61f63;hp=dd34bce38c822b67fcc42e73969bf6699d6874b6
+
+Fix use-after-free in glob when expanding ~user (bug 25414)
+
+The value of `end_name' points into the value of `dirname', thus don't
+deallocate the latter before the last use of the former.
+
+(cherry picked from commit ddc650e9b3dc916eab417ce9f79e67337b05035c)
+---
+
+diff --git a/posix/glob.c b/posix/glob.c
+index e73e35c510..c6cbd0eb43 100644
+--- a/posix/glob.c
++++ b/posix/glob.c
+@@ -827,31 +827,32 @@ __glob (const char *pattern, int flags, int (*errfunc) (const char *, int),
+ 	      {
+ 		size_t home_len = strlen (p->pw_dir);
+ 		size_t rest_len = end_name == NULL ? 0 : strlen (end_name);
+-		char *d;
++		char *d, *newp;
++		bool use_alloca = glob_use_alloca (alloca_used,
++						   home_len + rest_len + 1);
+ 
+-		if (__glibc_unlikely (malloc_dirname))
+-		  free (dirname);
+-		malloc_dirname = 0;
+-
+-		if (glob_use_alloca (alloca_used, home_len + rest_len + 1))
+-		  dirname = alloca_account (home_len + rest_len + 1,
+-					    alloca_used);
++		if (use_alloca)
++		  newp = alloca_account (home_len + rest_len + 1, alloca_used);
+ 		else
+ 		  {
+-		    dirname = malloc (home_len + rest_len + 1);
+-		    if (dirname == NULL)
++		    newp = malloc (home_len + rest_len + 1);
++		    if (newp == NULL)
+ 		      {
+ 			scratch_buffer_free (&pwtmpbuf);
+ 			retval = GLOB_NOSPACE;
+ 			goto out;
+ 		      }
+-		    malloc_dirname = 1;
+ 		  }
+-		d = mempcpy (dirname, p->pw_dir, home_len);
++		d = mempcpy (newp, p->pw_dir, home_len);
+ 		if (end_name != NULL)
+ 		  d = mempcpy (d, end_name, rest_len);
+ 		*d = '\0';
+ 
++		if (__glibc_unlikely (malloc_dirname))
++		  free (dirname);
++		dirname = newp;
++		malloc_dirname = !use_alloca;
++
+ 		dirlen = home_len + rest_len;
+ 		dirname_modified = 1;
+ 	      }
diff --git a/nixpkgs/pkgs/development/libraries/glibc/common.nix b/nixpkgs/pkgs/development/libraries/glibc/common.nix
index 0429c7295fb8..36b6bea61cd4 100644
--- a/nixpkgs/pkgs/development/libraries/glibc/common.nix
+++ b/nixpkgs/pkgs/development/libraries/glibc/common.nix
@@ -106,10 +106,10 @@ stdenv.mkDerivation ({
         url = "https://salsa.debian.org/glibc-team/glibc/raw/49767c9f7de4828220b691b29de0baf60d8a54ec/debian/patches/localedata/locale-C.diff";
         sha256 = "0irj60hs2i91ilwg5w7sqrxb695c93xg0ik7yhhq9irprd7fidn4";
       })
-    ]
-    ++ lib.optionals stdenv.isx86_64 [
+
       ./fix-x64-abi.patch
       ./2.27-CVE-2019-19126.patch
+      ./2.30-cve-2020-1752.patch
     ]
     ++ lib.optional stdenv.hostPlatform.isMusl ./fix-rpc-types-musl-conflicts.patch
     ++ lib.optional stdenv.buildPlatform.isDarwin ./darwin-cross-build.patch;