glibc: fix CVE-2020-27618

iconv: Accept redundant shift sequences in IBM1364

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=1893708

(From OE-Core rev: 78a381ec75e48283397a7fe9eaad2afbb070c235)

Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

meta/recipes-core/glibc/glibc/CVE-2020-27618.patch

@@ -0,0 +1,91 @@
+From 20e6c868c29f5a6121cbb88f3387bb9b884a4206 Mon Sep 17 00:00:00 2001
+From: Arjun Shankar <arjun@redhat.com>
+Date: Wed, 4 Nov 2020 12:19:38 +0100
+Subject: [PATCH] iconv: Accept redundant shift sequences in IBM1364 [BZ
+ #26224]
+
+The IBM1364, IBM1371, IBM1388, IBM1390 and IBM1399 character sets
+share converter logic (iconvdata/ibm1364.c) which would reject
+redundant shift sequences when processing input in these character
+sets.  This led to a hang in the iconv program (CVE-2020-27618).
+
+This commit adjusts the converter to ignore redundant shift sequences
+and adds test cases for iconv_prog hangs that would be triggered upon
+their rejection.  This brings the implementation in line with other
+converters that also ignore redundant shift sequences (e.g. IBM930
+etc., fixed in commit 692de4b3960d).
+
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+
+Upstream-Status: Backport
+[https://sourceware.org/git/?p=glibc.git;a=commit;
+h=9a99c682144bdbd40792ebf822fe9264e0376fb5]
+
+CVE: CVE-2020-27618
+Signed-off-by: Yi Fan Yu <yifan.yu@windriver.com>
+---
+ iconv/tst-iconv_prog.sh | 16 ++++++++++------
+ iconvdata/ibm1364.c     | 14 ++------------
+ 2 files changed, 12 insertions(+), 18 deletions(-)
+
+diff --git a/iconv/tst-iconv_prog.sh b/iconv/tst-iconv_prog.sh
+index 8298136b7f..d8db7b335c 100644
+--- a/iconv/tst-iconv_prog.sh
++++ b/iconv/tst-iconv_prog.sh
+@@ -102,12 +102,16 @@ hangarray=(
+ "\x00\x80;-c;IBM1161;UTF-8//TRANSLIT//IGNORE"
+ "\x00\xdb;-c;IBM1162;UTF-8//TRANSLIT//IGNORE"
+ "\x00\x70;-c;IBM12712;UTF-8//TRANSLIT//IGNORE"
+-# These are known hangs that are yet to be fixed:
+-# "\x00\x0f;-c;IBM1364;UTF-8"
+-# "\x00\x0f;-c;IBM1371;UTF-8"
+-# "\x00\x0f;-c;IBM1388;UTF-8"
+-# "\x00\x0f;-c;IBM1390;UTF-8"
+-# "\x00\x0f;-c;IBM1399;UTF-8"
++"\x00\x0f;-c;IBM1364;UTF-8"
++"\x0e\x0e;-c;IBM1364;UTF-8"
++"\x00\x0f;-c;IBM1371;UTF-8"
++"\x0e\x0e;-c;IBM1371;UTF-8"
++"\x00\x0f;-c;IBM1388;UTF-8"
++"\x0e\x0e;-c;IBM1388;UTF-8"
++"\x00\x0f;-c;IBM1390;UTF-8"
++"\x0e\x0e;-c;IBM1390;UTF-8"
++"\x00\x0f;-c;IBM1399;UTF-8"
++"\x0e\x0e;-c;IBM1399;UTF-8"
+ "\x00\x53;-c;IBM16804;UTF-8//TRANSLIT//IGNORE"
+ "\x00\x41;-c;IBM274;UTF-8//TRANSLIT//IGNORE"
+ "\x00\x41;-c;IBM275;UTF-8//TRANSLIT//IGNORE"
+diff --git a/iconvdata/ibm1364.c b/iconvdata/ibm1364.c
+index 49e7267ab4..521f0825b7 100644
+--- a/iconvdata/ibm1364.c
++++ b/iconvdata/ibm1364.c
+@@ -158,24 +158,14 @@ enum
+ 									      \
+     if (__builtin_expect (ch, 0) == SO)					      \
+       {									      \
+-	/* Shift OUT, change to DBCS converter.  */			      \
+-	if (curcs == db)						      \
+-	  {								      \
+-	    result = __GCONV_ILLEGAL_INPUT;				      \
+-	    break;							      \
+-	  }								      \
++	/* Shift OUT, change to DBCS converter (redundant escape okay).  */   \
+ 	curcs = db;							      \
+ 	++inptr;							      \
+ 	continue;							      \
+       }									      \
+     if (__builtin_expect (ch, 0) == SI)					      \
+       {									      \
+-	/* Shift IN, change to SBCS converter.  */			      \
+-	if (curcs == sb)						      \
+-	  {								      \
+-	    result = __GCONV_ILLEGAL_INPUT;				      \
+-	    break;							      \
+-	  }								      \
++	/* Shift IN, change to SBCS converter (redundant escape okay).  */    \
+ 	curcs = sb;							      \
+ 	++inptr;							      \
+ 	continue;							      \
+-- 
+2.29.2
+

meta/recipes-core/glibc/glibc_2.32.bb

@@ -47,6 +47,7 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://CVE-2020-29562.patch \
            file://CVE-2020-29573.patch \
            file://CVE-2019-25013.patch \
+           file://CVE-2020-27618.patch \
            "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"