summarylogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--.SRCINFO35
-rw-r--r--PKGBUILD120
-rw-r--r--glibc-2.17-getaddrinfo-stack-overflow.patch47
-rw-r--r--glibc-2.17-regexp-matcher-overrun.patch137
-rw-r--r--glibc-2.17-sync-with-linux37.patch130
-rw-r--r--glibc-2.18-getaddrinfo-CVE-2013-4458.patch41
-rw-r--r--glibc-2.18-getaddrinfo-assertion.patch39
-rw-r--r--glibc-2.18-make-4.patch45
-rw-r--r--glibc-2.18-malloc-corrupt-CVE-2013-4332.patch54
-rw-r--r--glibc-2.18-ptr-mangle-CVE-2013-4788.patch485
-rw-r--r--glibc-2.18-readdir_r-CVE-2013-4237.patch281
-rw-r--r--glibc-2.18-scanf-parse-0e-0.patch67
-rw-r--r--glibc-2.18-strcoll-CVE-2012-4412+4424.patch1004
-rw-r--r--glibc-2.18-strstr-hackfix.patch13
-rw-r--r--glibc-2.18-xattr-compat-hack.patch19
15 files changed, 2158 insertions, 359 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 70cda4b47f26..b43afb677cc2 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,6 +1,6 @@
pkgbase = libx32-glibc
pkgdesc = GNU C Library for x32 ABI
- pkgver = 2.17_5
+ pkgver = 2.18_12
pkgrel = 1
url = http://www.gnu.org/software/libc
arch = x86_64
@@ -11,17 +11,32 @@ pkgbase = libx32-glibc
conflicts = glibc-x32-seed
options = !strip
options = !emptydirs
- source = http://ftp.gnu.org/gnu/libc/glibc-2.17.tar.xz
- source = http://ftp.gnu.org/gnu/libc/glibc-2.17.tar.xz.sig
- source = glibc-2.17-sync-with-linux37.patch
- source = glibc-2.17-getaddrinfo-stack-overflow.patch
- source = glibc-2.17-regexp-matcher-overrun.patch
+ options = staticlibs
+ source = http://ftp.gnu.org/gnu/libc/glibc-2.18.tar.xz
+ source = http://ftp.gnu.org/gnu/libc/glibc-2.18.tar.xz.sig
+ source = glibc-2.18-make-4.patch
+ source = glibc-2.18-readdir_r-CVE-2013-4237.patch
+ source = glibc-2.18-malloc-corrupt-CVE-2013-4332.patch
+ source = glibc-2.18-strcoll-CVE-2012-4412+4424.patch
+ source = glibc-2.18-ptr-mangle-CVE-2013-4788.patch
+ source = glibc-2.18-getaddrinfo-CVE-2013-4458.patch
+ source = glibc-2.18-getaddrinfo-assertion.patch
+ source = glibc-2.18-scanf-parse-0e-0.patch
+ source = glibc-2.18-strstr-hackfix.patch
+ source = glibc-2.18-xattr-compat-hack.patch
source = libx32-glibc.conf
- md5sums = 87bf675c8ee523ebda4803e8e1cec638
+ md5sums = 88fbbceafee809e82efd52efa1e3c58f
md5sums = SKIP
- md5sums = fb99380d94598cc76d793deebf630022
- md5sums = 56d5f2c09503a348281a20ae404b7de3
- md5sums = 200acc05961b084ee00dde919e64f82d
+ md5sums = e1883c2d1b01ff73650db5f5bb5a5a52
+ md5sums = 154da6bf5a5248f42a7bf5bf08e01a47
+ md5sums = b79561ab9dce900e9bbeaf0d49927c2b
+ md5sums = c7264b99d0f7e51922a4d3126182c40a
+ md5sums = 9749ba386b08a8fe53e7ecede9bf2dfb
+ md5sums = 71329fccb8eb583fb0d67b55f1e8df68
+ md5sums = d4d86add33f22125777e0ecff06bc9bb
+ md5sums = 01d19fe9b2aea489cf5651530e0369f2
+ md5sums = 4441f6dfe7d75ced1fa75e54dd21d36e
+ md5sums = 7ca96c68a37f2a4ab91792bfa0160a24
md5sums = 34a4169d2bdc5a3eb83676a0831aae57
pkgname = libx32-glibc
diff --git a/PKGBUILD b/PKGBUILD
index 31cd162e9c80..b921b068484e 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,4 +1,4 @@
-# $Id$
+# $Id: PKGBUILD 103537 2014-01-07 13:27:35Z heftig $
# Maintainer: Fantix King <fantix.king@gmail.com>
# Upstream Maintainer: Jan Alexander Steffens (heftig) <jan.steffens@gmail.com>
# Contributor: Jan de Groot <jgc@archlinux.org>
@@ -9,7 +9,7 @@
_pkgbasename=glibc
pkgname=libx32-$_pkgbasename
-pkgver=2.17_5
+pkgver=2.18_12
pkgrel=1
pkgdesc="GNU C Library for x32 ABI"
arch=('x86_64')
@@ -18,34 +18,71 @@ license=('GPL' 'LGPL')
makedepends=('gcc-multilib-x32>=4.7')
conflicts=('glibc-x32-seed')
provides=('glibc-x32-seed')
-options=('!strip' '!emptydirs')
+options=('!strip' '!emptydirs' 'staticlibs')
source=(http://ftp.gnu.org/gnu/libc/${_pkgbasename}-${pkgver%_*}.tar.xz{,.sig}
- glibc-2.17-sync-with-linux37.patch
- glibc-2.17-getaddrinfo-stack-overflow.patch
- glibc-2.17-regexp-matcher-overrun.patch
+ glibc-2.18-make-4.patch
+ glibc-2.18-readdir_r-CVE-2013-4237.patch
+ glibc-2.18-malloc-corrupt-CVE-2013-4332.patch
+ glibc-2.18-strcoll-CVE-2012-4412+4424.patch
+ glibc-2.18-ptr-mangle-CVE-2013-4788.patch
+ glibc-2.18-getaddrinfo-CVE-2013-4458.patch
+ glibc-2.18-getaddrinfo-assertion.patch
+ glibc-2.18-scanf-parse-0e-0.patch
+ glibc-2.18-strstr-hackfix.patch
+ glibc-2.18-xattr-compat-hack.patch
libx32-glibc.conf)
-md5sums=('87bf675c8ee523ebda4803e8e1cec638'
+md5sums=('88fbbceafee809e82efd52efa1e3c58f'
'SKIP'
- 'fb99380d94598cc76d793deebf630022'
- '56d5f2c09503a348281a20ae404b7de3'
- '200acc05961b084ee00dde919e64f82d'
+ 'e1883c2d1b01ff73650db5f5bb5a5a52'
+ '154da6bf5a5248f42a7bf5bf08e01a47'
+ 'b79561ab9dce900e9bbeaf0d49927c2b'
+ 'c7264b99d0f7e51922a4d3126182c40a'
+ '9749ba386b08a8fe53e7ecede9bf2dfb'
+ '71329fccb8eb583fb0d67b55f1e8df68'
+ 'd4d86add33f22125777e0ecff06bc9bb'
+ '01d19fe9b2aea489cf5651530e0369f2'
+ '4441f6dfe7d75ced1fa75e54dd21d36e'
+ '7ca96c68a37f2a4ab91792bfa0160a24'
'34a4169d2bdc5a3eb83676a0831aae57')
-build() {
+prepare() {
cd ${srcdir}/${_pkgbasename}-${pkgver%_*}
- # combination of upstream commits 318cd0b, b540704 and fc1abbe
- patch -p1 -i ${srcdir}/glibc-2.17-sync-with-linux37.patch
+ # compatibility with make-4.0 (submitted upstream)
+ patch -p1 -i $srcdir/glibc-2.18-make-4.patch
+
+ # upstream commit 91ce4085
+ patch -p1 -i $srcdir/glibc-2.18-readdir_r-CVE-2013-4237.patch
+
+ # upstream commits 1159a193, 55e17aad and b73ed247
+ patch -p1 -i $srcdir/glibc-2.18-malloc-corrupt-CVE-2013-4332.patch
+
+ # upstream commits 1326ba1a, 141f3a77 and 303e567a
+ patch -p1 -i $srcdir/glibc-2.18-strcoll-CVE-2012-4412+4424.patch
+
+ # upstream commits c61b4d41 and 0b1f8e35
+ patch -p1 -i $srcdir/glibc-2.18-ptr-mangle-CVE-2013-4788.patch
- # CVE-2013-1914 - upstream commit 1cef1b19
- patch -p1 -i ${srcdir}/glibc-2.17-getaddrinfo-stack-overflow.patch
+ # upstream commit 7cbcdb36
+ patch -p1 -i $srcdir/glibc-2.18-getaddrinfo-CVE-2013-4458.patch
- # CVE-2013-0242 - upstream commit a445af0b
- patch -p1 -i ${srcdir}/glibc-2.17-regexp-matcher-overrun.patch
+ # upstream commit 894f3f10
+ patch -p1 -i $srcdir/glibc-2.18-getaddrinfo-assertion.patch
- cd ${srcdir}
- mkdir glibc-build
- cd glibc-build
+ # upstream commit a4966c61
+ patch -p1 -i $srcdir/glibc-2.18-scanf-parse-0e-0.patch
+
+ # hack fix for strstr issues on x86
+ patch -p1 -i $srcdir/glibc-2.18-strstr-hackfix.patch
+
+ # hack fix for {linux,sys}/xattr.h incompatibility
+ patch -p1 -i $srcdir/glibc-2.18-xattr-compat-hack.patch
+
+ mkdir ${srcdir}/glibc-build
+}
+
+build() {
+ cd ${srcdir}/glibc-build
#if [[ ${CARCH} = "i686" ]]; then
# Hack to fix NPTL issues with Xen, only required on 32bit platforms
@@ -64,6 +101,8 @@ build() {
export CXX="g++ -mx32"
fi
echo "slibdir=/usr/libx32" >> configparms
+ echo "sbindir=/usr/bin" >> configparms
+ echo "rootsbindir=/usr/bin" >> configparms
# remove hardening options for building libraries
CFLAGS=${CFLAGS/-fstack-protector/}
@@ -78,13 +117,14 @@ build() {
--enable-kernel=2.6.32 \
--enable-bind-now --disable-profile \
--enable-stackguard-randomization \
+ --enable-lock-elision \
--target=x86_64-x32-linux --build=x86_64-linux --host=x86_64-x32-linux \
--enable-multi-arch x86_64-x32-linux
# build libraries with hardening disabled
echo "build-programs=no" >> configparms
make
-
+
# re-enable hardening for programs
sed -i "/build-programs=/s#no#yes#" configparms
echo "CC += -fstack-protector -D_FORTIFY_SOURCE=2" >> configparms
@@ -92,11 +132,11 @@ build() {
make
# remove harding in preparation to run test-suite
- sed -i '2,4d' configparms
+ sed -i '4,6d' configparms
}
check() {
- # bug to file - the linker commands need to be reordered
+ # the linker commands need to be reordered - fixed in 2.19
LDFLAGS=${LDFLAGS/--as-needed,/}
cd ${srcdir}/glibc-build
@@ -116,6 +156,22 @@ package() {
# We need one x32 ABI specific header file
find ${pkgdir}/usr/include -type f -not -name stubs-x32.h -delete
+
+ # Dynamic linker
+ mkdir ${pkgdir}/usr/lib
+ ln -s ../libx32/ld-linux-x32.so.2 ${pkgdir}/usr/lib/
+
+ # Add libx32 paths to the default library search path
+ install -Dm644 "$srcdir/libx32-glibc.conf" "$pkgdir/etc/ld.so.conf.d/libx32-glibc.conf"
+
+ # Symlink /usr/libx32/locale to /usr/lib/locale
+ ln -s ../lib/locale "$pkgdir/usr/libx32/locale"
+
+ # remove the static libraries that have a shared counterpart
+ # libc, libdl, libm and libpthread are required for toolchain testsuites
+ # in addition libcrypt appears widely required
+ rm $pkgdir/usr/libx32/lib{anl,BrokenLocale,nsl,resolv,rt,util}.a
+
# Do not strip the following files for improved debugging support
# ("improved" as in not breaking gdb and valgrind...):
# ld-${pkgver}.so
@@ -124,7 +180,11 @@ package() {
# libthread_db-1.0.so
cd $pkgdir
- strip $STRIP_BINARIES usr/libx32/getconf/*
+ strip $STRIP_BINARIES \
+ \
+ \
+ usr/libx32/getconf/*
+
strip $STRIP_STATIC usr/libx32/*.a
@@ -132,17 +192,7 @@ package() {
usr/libx32/libnss_{compat,db,dns,files,hesiod,nis,nisplus}-*.so \
usr/libx32/{libdl,libm,libnsl,libresolv,librt,libutil}-*.so \
usr/libx32/{libmemusage,libpcprofile,libSegFault}.so \
- usr/libx32/{pt_chown,{audit,gconv}/*.so}
-
- # Dynamic linker
- mkdir ${pkgdir}/usr/lib
- ln -s ../libx32/ld-linux-x32.so.2 ${pkgdir}/usr/lib/
-
- # Add libx32 paths to the default library search path
- install -Dm644 "$srcdir/libx32-glibc.conf" "$pkgdir/etc/ld.so.conf.d/libx32-glibc.conf"
-
- # Symlink /usr/libx32/locale to /usr/lib/locale
- ln -s ../lib/locale "$pkgdir/usr/libx32/locale"
+ usr/libx32/{audit,gconv}/*.so
# Fix issue that core/glibc didn't fix the path to /lib/ld-linux-x32.so.2
ln -s /usr/lib ${pkgdir}/libx32
diff --git a/glibc-2.17-getaddrinfo-stack-overflow.patch b/glibc-2.17-getaddrinfo-stack-overflow.patch
deleted file mode 100644
index aa916ac2c2e1..000000000000
--- a/glibc-2.17-getaddrinfo-stack-overflow.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
-index d95c2d1..2309281 100644
---- a/sysdeps/posix/getaddrinfo.c
-+++ b/sysdeps/posix/getaddrinfo.c
-@@ -2489,11 +2489,27 @@ getaddrinfo (const char *name, const char *service,
- __typeof (once) old_once = once;
- __libc_once (once, gaiconf_init);
- /* Sort results according to RFC 3484. */
-- struct sort_result results[nresults];
-- size_t order[nresults];
-+ struct sort_result *results;
-+ size_t *order;
- struct addrinfo *q;
- struct addrinfo *last = NULL;
- char *canonname = NULL;
-+ bool malloc_results;
-+
-+ malloc_results
-+ = !__libc_use_alloca (nresults * (sizeof (*results) + sizeof (size_t)));
-+ if (malloc_results)
-+ {
-+ results = malloc (nresults * (sizeof (*results) + sizeof (size_t)));
-+ if (results == NULL)
-+ {
-+ __free_in6ai (in6ai);
-+ return EAI_MEMORY;
-+ }
-+ }
-+ else
-+ results = alloca (nresults * (sizeof (*results) + sizeof (size_t)));
-+ order = (size_t *) (results + nresults);
-
- /* Now we definitely need the interface information. */
- if (! check_pf_called)
-@@ -2664,6 +2680,9 @@ getaddrinfo (const char *name, const char *service,
-
- /* Fill in the canonical name into the new first entry. */
- p->ai_canonname = canonname;
-+
-+ if (malloc_results)
-+ free (results);
- }
-
- __free_in6ai (in6ai);
---
-1.7.1
-
diff --git a/glibc-2.17-regexp-matcher-overrun.patch b/glibc-2.17-regexp-matcher-overrun.patch
deleted file mode 100644
index b108f9d425f7..000000000000
--- a/glibc-2.17-regexp-matcher-overrun.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-diff --git a/posix/Makefile b/posix/Makefile
-index 88d409f..2cacd21 100644
---- a/posix/Makefile
-+++ b/posix/Makefile
-@@ -86,7 +86,7 @@ tests := tstgetopt testfnm runtests runptests \
- tst-rfc3484-3 \
- tst-getaddrinfo3 tst-fnmatch2 tst-cpucount tst-cpuset \
- bug-getopt1 bug-getopt2 bug-getopt3 bug-getopt4 \
-- bug-getopt5 tst-getopt_long1
-+ bug-getopt5 tst-getopt_long1 bug-regex34
- xtests := bug-ga2
- ifeq (yes,$(build-shared))
- test-srcs := globtest
-@@ -199,5 +199,6 @@ bug-regex26-ENV = LOCPATH=$(common-objpfx)localedata
- bug-regex30-ENV = LOCPATH=$(common-objpfx)localedata
- bug-regex32-ENV = LOCPATH=$(common-objpfx)localedata
- bug-regex33-ENV = LOCPATH=$(common-objpfx)localedata
-+bug-regex34-ENV = LOCPATH=$(common-objpfx)localedata
- tst-rxspencer-ARGS = --utf8 rxspencer/tests
- tst-rxspencer-ENV = LOCPATH=$(common-objpfx)localedata
-diff --git a/posix/bug-regex34.c b/posix/bug-regex34.c
-new file mode 100644
-index 0000000..bb3b613
---- /dev/null
-+++ b/posix/bug-regex34.c
-@@ -0,0 +1,46 @@
-+/* Test re_search with multi-byte characters in UTF-8.
-+ Copyright (C) 2013 Free Software Foundation, Inc.
-+ This file is part of the GNU C Library.
-+
-+ The GNU C Library is free software; you can redistribute it and/or
-+ modify it under the terms of the GNU Lesser General Public
-+ License as published by the Free Software Foundation; either
-+ version 2.1 of the License, or (at your option) any later version.
-+
-+ The GNU C Library is distributed in the hope that it will be useful,
-+ but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ Lesser General Public License for more details.
-+
-+ You should have received a copy of the GNU Lesser General Public
-+ License along with the GNU C Library; if not, see
-+ <http://www.gnu.org/licenses/>. */
-+
-+#define _GNU_SOURCE 1
-+#include <stdio.h>
-+#include <string.h>
-+#include <locale.h>
-+#include <regex.h>
-+
-+static int
-+do_test (void)
-+{
-+ struct re_pattern_buffer r;
-+ /* ကျွန်ုပ်x */
-+ const char *s = "\xe1\x80\x80\xe1\x80\xbb\xe1\x80\xbd\xe1\x80\x94\xe1\x80\xba\xe1\x80\xaf\xe1\x80\x95\xe1\x80\xbax";
-+
-+ if (setlocale (LC_ALL, "en_US.UTF-8") == NULL)
-+ {
-+ puts ("setlocale failed");
-+ return 1;
-+ }
-+ memset (&r, 0, sizeof (r));
-+
-+ re_compile_pattern ("[^x]x", 5, &r);
-+ /* This was triggering a buffer overflow. */
-+ re_search (&r, s, strlen (s), 0, strlen (s), 0);
-+ return 0;
-+}
-+
-+#define TEST_FUNCTION do_test ()
-+#include "../test-skeleton.c"
-diff --git a/posix/regexec.c b/posix/regexec.c
-index 7f2de85..5ca2bf6 100644
---- a/posix/regexec.c
-+++ b/posix/regexec.c
-@@ -197,7 +197,7 @@ static int group_nodes_into_DFAstates (const re_dfa_t *dfa,
- static int check_node_accept (const re_match_context_t *mctx,
- const re_token_t *node, int idx)
- internal_function;
--static reg_errcode_t extend_buffers (re_match_context_t *mctx)
-+static reg_errcode_t extend_buffers (re_match_context_t *mctx, int min_len)
- internal_function;
-
- /* Entry point for POSIX code. */
-@@ -1160,7 +1160,7 @@ check_matching (re_match_context_t *mctx, int fl_longest_match,
- || (BE (next_char_idx >= mctx->input.valid_len, 0)
- && mctx->input.valid_len < mctx->input.len))
- {
-- err = extend_buffers (mctx);
-+ err = extend_buffers (mctx, next_char_idx + 1);
- if (BE (err != REG_NOERROR, 0))
- {
- assert (err == REG_ESPACE);
-@@ -1738,7 +1738,7 @@ clean_state_log_if_needed (re_match_context_t *mctx, int next_state_log_idx)
- && mctx->input.valid_len < mctx->input.len))
- {
- reg_errcode_t err;
-- err = extend_buffers (mctx);
-+ err = extend_buffers (mctx, next_state_log_idx + 1);
- if (BE (err != REG_NOERROR, 0))
- return err;
- }
-@@ -2792,7 +2792,7 @@ get_subexp (re_match_context_t *mctx, int bkref_node, int bkref_str_idx)
- if (bkref_str_off >= mctx->input.len)
- break;
-
-- err = extend_buffers (mctx);
-+ err = extend_buffers (mctx, bkref_str_off + 1);
- if (BE (err != REG_NOERROR, 0))
- return err;
-
-@@ -4102,7 +4102,7 @@ check_node_accept (const re_match_context_t *mctx, const re_token_t *node,
-
- static reg_errcode_t
- internal_function __attribute_warn_unused_result__
--extend_buffers (re_match_context_t *mctx)
-+extend_buffers (re_match_context_t *mctx, int min_len)
- {
- reg_errcode_t ret;
- re_string_t *pstr = &mctx->input;
-@@ -4111,8 +4111,10 @@ extend_buffers (re_match_context_t *mctx)
- if (BE (INT_MAX / 2 / sizeof (re_dfastate_t *) <= pstr->bufs_len, 0))
- return REG_ESPACE;
-
-- /* Double the lengthes of the buffers. */
-- ret = re_string_realloc_buffers (pstr, MIN (pstr->len, pstr->bufs_len * 2));
-+ /* Double the lengthes of the buffers, but allocate at least MIN_LEN. */
-+ ret = re_string_realloc_buffers (pstr,
-+ MAX (min_len,
-+ MIN (pstr->len, pstr->bufs_len * 2)));
- if (BE (ret != REG_NOERROR, 0))
- return ret;
-
---
-1.7.1
-
diff --git a/glibc-2.17-sync-with-linux37.patch b/glibc-2.17-sync-with-linux37.patch
deleted file mode 100644
index 24b25c997097..000000000000
--- a/glibc-2.17-sync-with-linux37.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-diff --git a/sysdeps/gnu/netinet/tcp.h b/sysdeps/gnu/netinet/tcp.h
-index 06e8414..b62a696 100644
---- a/sysdeps/gnu/netinet/tcp.h
-+++ b/sysdeps/gnu/netinet/tcp.h
-@@ -37,20 +37,29 @@
- /*
- * User-settable options (used with setsockopt).
- */
--#define TCP_NODELAY 1 /* Don't delay send to coalesce packets */
--#define TCP_MAXSEG 2 /* Set maximum segment size */
--#define TCP_CORK 3 /* Control sending of partial frames */
--#define TCP_KEEPIDLE 4 /* Start keeplives after this period */
--#define TCP_KEEPINTVL 5 /* Interval between keepalives */
--#define TCP_KEEPCNT 6 /* Number of keepalives before death */
--#define TCP_SYNCNT 7 /* Number of SYN retransmits */
--#define TCP_LINGER2 8 /* Life time of orphaned FIN-WAIT-2 state */
--#define TCP_DEFER_ACCEPT 9 /* Wake up listener only when data arrive */
--#define TCP_WINDOW_CLAMP 10 /* Bound advertised window */
--#define TCP_INFO 11 /* Information about this connection. */
--#define TCP_QUICKACK 12 /* Bock/reenable quick ACKs. */
--#define TCP_CONGESTION 13 /* Congestion control algorithm. */
--#define TCP_MD5SIG 14 /* TCP MD5 Signature (RFC2385) */
-+#define TCP_NODELAY 1 /* Don't delay send to coalesce packets */
-+#define TCP_MAXSEG 2 /* Set maximum segment size */
-+#define TCP_CORK 3 /* Control sending of partial frames */
-+#define TCP_KEEPIDLE 4 /* Start keeplives after this period */
-+#define TCP_KEEPINTVL 5 /* Interval between keepalives */
-+#define TCP_KEEPCNT 6 /* Number of keepalives before death */
-+#define TCP_SYNCNT 7 /* Number of SYN retransmits */
-+#define TCP_LINGER2 8 /* Life time of orphaned FIN-WAIT-2 state */
-+#define TCP_DEFER_ACCEPT 9 /* Wake up listener only when data arrive */
-+#define TCP_WINDOW_CLAMP 10 /* Bound advertised window */
-+#define TCP_INFO 11 /* Information about this connection. */
-+#define TCP_QUICKACK 12 /* Bock/reenable quick ACKs. */
-+#define TCP_CONGESTION 13 /* Congestion control algorithm. */
-+#define TCP_MD5SIG 14 /* TCP MD5 Signature (RFC2385) */
-+#define TCP_COOKIE_TRANSACTIONS 15 /* TCP Cookie Transactions */
-+#define TCP_THIN_LINEAR_TIMEOUTS 16 /* Use linear timeouts for thin streams*/
-+#define TCP_THIN_DUPACK 17 /* Fast retrans. after 1 dupack */
-+#define TCP_USER_TIMEOUT 18 /* How long for loss retry before timeout */
-+#define TCP_REPAIR 19 /* TCP sock is under repair right now */
-+#define TCP_REPAIR_QUEUE 20 /* Set TCP queue to repair */
-+#define TCP_QUEUE_SEQ 21 /* Set sequence number of repaired queue. */
-+#define TCP_REPAIR_OPTIONS 22 /* Repair TCP connection options */
-+#define TCP_FASTOPEN 23 /* Enable FastOpen on listeners */
-
- #ifdef __USE_MISC
- # include <sys/types.h>
-@@ -173,7 +182,9 @@ enum
- # define TCPI_OPT_TIMESTAMPS 1
- # define TCPI_OPT_SACK 2
- # define TCPI_OPT_WSCALE 4
--# define TCPI_OPT_ECN 8
-+# define TCPI_OPT_ECN 8 /* ECN was negociated at TCP session init */
-+# define TCPI_OPT_ECN_SEEN 16 /* we received at least one packet with ECT */
-+# define TCPI_OPT_SYN_DATA 32 /* SYN-ACK acked data in SYN sent or rcvd */
-
- /* Values for tcpi_state. */
- enum tcp_ca_state
-@@ -241,6 +252,49 @@ struct tcp_md5sig
- u_int8_t tcpm_key[TCP_MD5SIG_MAXKEYLEN]; /* Key (binary). */
- };
-
-+/* For socket repair options. */
-+struct tcp_repair_opt
-+{
-+ u_int32_t opt_code;
-+ u_int32_t opt_val;
-+};
-+
-+/* Queue to repair, for TCP_REPAIR_QUEUE. */
-+enum
-+{
-+ TCP_NO_QUEUE,
-+ TCP_RECV_QUEUE,
-+ TCP_SEND_QUEUE,
-+ TCP_QUEUES_NR,
-+};
-+
-+/* For cookie transactions socket options. */
-+#define TCP_COOKIE_MIN 8 /* 64-bits */
-+#define TCP_COOKIE_MAX 16 /* 128-bits */
-+#define TCP_COOKIE_PAIR_SIZE (2*TCP_COOKIE_MAX)
-+
-+/* Flags for both getsockopt and setsockopt */
-+#define TCP_COOKIE_IN_ALWAYS (1 << 0) /* Discard SYN without cookie */
-+#define TCP_COOKIE_OUT_NEVER (1 << 1) /* Prohibit outgoing cookies,
-+ * supercedes everything. */
-+
-+/* Flags for getsockopt */
-+#define TCP_S_DATA_IN (1 << 2) /* Was data received? */
-+#define TCP_S_DATA_OUT (1 << 3) /* Was data sent? */
-+
-+#define TCP_MSS_DEFAULT 536U /* IPv4 (RFC1122, RFC2581) */
-+#define TCP_MSS_DESIRED 1220U /* IPv6 (tunneled), EDNS0 (RFC3226) */
-+
-+struct tcp_cookie_transactions
-+{
-+ u_int16_t tcpct_flags;
-+ u_int8_t __tcpct_pad1;
-+ u_int8_t tcpct_cookie_desired;
-+ u_int16_t tcpct_s_data_desired;
-+ u_int16_t tcpct_used;
-+ u_int8_t tcpct_value[TCP_MSS_DEFAULT];
-+};
-+
- #endif /* Misc. */
-
- #endif /* netinet/tcp.h */
-diff --git a/sysdeps/unix/sysv/linux/bits/socket.h b/sysdeps/unix/sysv/linux/bits/socket.h
-index df8f167..eadd7d9 100644
---- a/sysdeps/unix/sysv/linux/bits/socket.h
-+++ b/sysdeps/unix/sysv/linux/bits/socket.h
-@@ -1,6 +1,5 @@
- /* System-specific socket constants and types. Linux version.
-- Copyright (C) 1991, 1992, 1994-2001, 2004, 2006-2010, 2011, 2012
-- Free Software Foundation, Inc.
-+ Copyright (C) 1991-2013 Free Software Foundation, Inc.
- This file is part of the GNU C Library.
-
- The GNU C Library is free software; you can redistribute it and/or
-@@ -208,6 +207,8 @@ enum
- #define MSG_MORE MSG_MORE
- MSG_WAITFORONE = 0x10000, /* Wait for at least one packet to return.*/
- #define MSG_WAITFORONE MSG_WAITFORONE
-+ MSG_FASTOPEN = 0x20000000, /* Send data in TCP SYN. */
-+#define MSG_FASTOPEN MSG_FASTOPEN
-
- MSG_CMSG_CLOEXEC = 0x40000000 /* Set close_on_exit for file
- descriptor received through
diff --git a/glibc-2.18-getaddrinfo-CVE-2013-4458.patch b/glibc-2.18-getaddrinfo-CVE-2013-4458.patch
new file mode 100644
index 000000000000..a7bc67c6f26c
--- /dev/null
+++ b/glibc-2.18-getaddrinfo-CVE-2013-4458.patch
@@ -0,0 +1,41 @@
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
+index e6ce4cf..8ff74b4 100644
+--- a/sysdeps/posix/getaddrinfo.c
++++ b/sysdeps/posix/getaddrinfo.c
+@@ -197,7 +197,22 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp,
+ &rc, &herrno, NULL, &localcanon)); \
+ if (rc != ERANGE || herrno != NETDB_INTERNAL) \
+ break; \
+- tmpbuf = extend_alloca (tmpbuf, tmpbuflen, 2 * tmpbuflen); \
++ if (!malloc_tmpbuf && __libc_use_alloca (alloca_used + 2 * tmpbuflen)) \
++ tmpbuf = extend_alloca_account (tmpbuf, tmpbuflen, 2 * tmpbuflen, \
++ alloca_used); \
++ else \
++ { \
++ char *newp = realloc (malloc_tmpbuf ? tmpbuf : NULL, \
++ 2 * tmpbuflen); \
++ if (newp == NULL) \
++ { \
++ result = -EAI_MEMORY; \
++ goto free_and_return; \
++ } \
++ tmpbuf = newp; \
++ malloc_tmpbuf = true; \
++ tmpbuflen = 2 * tmpbuflen; \
++ } \
+ } \
+ if (status == NSS_STATUS_SUCCESS && rc == 0) \
+ h = &th; \
+@@ -209,7 +224,8 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp,
+ { \
+ __set_h_errno (herrno); \
+ _res.options |= old_res_options & RES_USE_INET6; \
+- return -EAI_SYSTEM; \
++ result = -EAI_SYSTEM; \
++ goto free_and_return; \
+ } \
+ if (herrno == TRY_AGAIN) \
+ no_data = EAI_AGAIN; \
+--
+1.8.4.1
+
diff --git a/glibc-2.18-getaddrinfo-assertion.patch b/glibc-2.18-getaddrinfo-assertion.patch
new file mode 100644
index 000000000000..2f1f7c694d4e
--- /dev/null
+++ b/glibc-2.18-getaddrinfo-assertion.patch
@@ -0,0 +1,39 @@
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
+index 0f4b885..e6ce4cf 100644
+--- a/sysdeps/posix/getaddrinfo.c
++++ b/sysdeps/posix/getaddrinfo.c
+@@ -1666,13 +1666,13 @@ rfc3484_sort (const void *p1, const void *p2, void *arg)
+
+ /* Fill in the results in all the records. */
+ for (int i = 0; i < src->nresults; ++i)
+- if (src->results[i].index == a1_index)
++ if (a1_index != -1 && src->results[i].index == a1_index)
+ {
+ assert (src->results[i].native == -1
+ || src->results[i].native == a1_native);
+ src->results[i].native = a1_native;
+ }
+- else if (src->results[i].index == a2_index)
++ else if (a2_index != -1 && src->results[i].index == a2_index)
+ {
+ assert (src->results[i].native == -1
+ || src->results[i].native == a2_native);
+@@ -2532,7 +2532,14 @@ getaddrinfo (const char *name, const char *service,
+ tmp.addr[0] = 0;
+ tmp.addr[1] = 0;
+ tmp.addr[2] = htonl (0xffff);
+- tmp.addr[3] = sinp->sin_addr.s_addr;
++ /* Special case for lo interface, the source address
++ being possibly different than the interface
++ address. */
++ if ((ntohl(sinp->sin_addr.s_addr) & 0xff000000)
++ == 0x7f000000)
++ tmp.addr[3] = htonl(0x7f000001);
++ else
++ tmp.addr[3] = sinp->sin_addr.s_addr;
+ }
+ else
+ {
+--
+1.8.4.1
+
diff --git a/glibc-2.18-make-4.patch b/glibc-2.18-make-4.patch
new file mode 100644
index 000000000000..374933464443
--- /dev/null
+++ b/glibc-2.18-make-4.patch
@@ -0,0 +1,45 @@
+From dc76f0c32dae689a08aa21a1d206d4cd62adb278 Mon Sep 17 00:00:00 2001
+From: Marc-Antoine Perennou <Marc-Antoine@Perennou.com>
+Date: Thu, 10 Oct 2013 14:26:12 +0900
+Subject: [PATCH] configure: allow building with GNU Make 4
+
+Currently, configure errors telling make 4 is too old
+since it does not match our regexp.
+
+configure.in: allow GNU Make 4.*
+
+Signed-off-by: Marc-Antoine Perennou <Marc-Antoine@Perennou.com>
+---
+ configure | 2 +-
+ configure.in | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/configure b/configure
+index 5e2f4d0..e139bf0 100755
+--- a/configure
++++ b/configure
+@@ -4761,7 +4761,7 @@ $as_echo_n "checking version of $MAKE... " >&6; }
+ ac_prog_version=`$MAKE --version 2>&1 | sed -n 's/^.*GNU Make[^0-9]*\([0-9][0-9.]*\).*$/\1/p'`
+ case $ac_prog_version in
+ '') ac_prog_version="v. ?.??, bad"; ac_verc_fail=yes;;
+- 3.79* | 3.[89]*)
++ 3.79* | 3.[89]* | 4.*)
+ ac_prog_version="$ac_prog_version, ok"; ac_verc_fail=no;;
+ *) ac_prog_version="$ac_prog_version, bad"; ac_verc_fail=yes;;
+
+diff --git a/configure.in b/configure.in
+index a7f9881..95c36b6 100644
+--- a/configure.in
++++ b/configure.in
+@@ -984,7 +984,7 @@ AC_CHECK_PROG_VER(CC, ${ac_tool_prefix}gcc ${ac_tool_prefix}cc, -v,
+ critic_missing="$critic_missing gcc")
+ AC_CHECK_PROG_VER(MAKE, gnumake gmake make, --version,
+ [GNU Make[^0-9]*\([0-9][0-9.]*\)],
+- [3.79* | 3.[89]*], critic_missing="$critic_missing make")
++ [3.79* | 3.[89]* | 4.*], critic_missing="$critic_missing make")
+
+ AC_CHECK_PROG_VER(MSGFMT, gnumsgfmt gmsgfmt msgfmt, --version,
+ [GNU gettext.* \([0-9]*\.[0-9.]*\)],
+--
+1.8.4.1
+
diff --git a/glibc-2.18-malloc-corrupt-CVE-2013-4332.patch b/glibc-2.18-malloc-corrupt-CVE-2013-4332.patch
new file mode 100644
index 000000000000..093db86c90b3
--- /dev/null
+++ b/glibc-2.18-malloc-corrupt-CVE-2013-4332.patch
@@ -0,0 +1,54 @@
+diff --git a/malloc/malloc.c b/malloc/malloc.c
+index dd295f5..7f43ba3 100644
+--- a/malloc/malloc.c
++++ b/malloc/malloc.c
+@@ -3082,6 +3082,13 @@ __libc_pvalloc(size_t bytes)
+ size_t page_mask = GLRO(dl_pagesize) - 1;
+ size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
+
++ /* Check for overflow. */
++ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
++ {
++ __set_errno (ENOMEM);
++ return 0;
++ }
++
+ void *(*hook) (size_t, size_t, const void *) =
+ force_reg (__memalign_hook);
+ if (__builtin_expect (hook != NULL, 0))
+diff --git a/malloc/malloc.c b/malloc/malloc.c
+index 7f43ba3..3148c5f 100644
+--- a/malloc/malloc.c
++++ b/malloc/malloc.c
+@@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes)
+
+ size_t pagesz = GLRO(dl_pagesize);
+
++ /* Check for overflow. */
++ if (bytes > SIZE_MAX - pagesz - MINSIZE)
++ {
++ __set_errno (ENOMEM);
++ return 0;
++ }
++
+ void *(*hook) (size_t, size_t, const void *) =
+ force_reg (__memalign_hook);
+ if (__builtin_expect (hook != NULL, 0))
+diff --git a/malloc/malloc.c b/malloc/malloc.c
+index 3148c5f..f7718a9 100644
+--- a/malloc/malloc.c
++++ b/malloc/malloc.c
+@@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes)
+ /* Otherwise, ensure that it is at least a minimum chunk size */
+ if (alignment < MINSIZE) alignment = MINSIZE;
+
++ /* Check for overflow. */
++ if (bytes > SIZE_MAX - alignment - MINSIZE)
++ {
++ __set_errno (ENOMEM);
++ return 0;
++ }
++
+ arena_get(ar_ptr, bytes + alignment + MINSIZE);
+ if(!ar_ptr)
+ return 0;
diff --git a/glibc-2.18-ptr-mangle-CVE-2013-4788.patch b/glibc-2.18-ptr-mangle-CVE-2013-4788.patch
new file mode 100644
index 000000000000..09a4394405c9
--- /dev/null
+++ b/glibc-2.18-ptr-mangle-CVE-2013-4788.patch
@@ -0,0 +1,485 @@
+diff --git a/csu/libc-start.c b/csu/libc-start.c
+index e5da3ef..c898d06 100644
+--- a/csu/libc-start.c
++++ b/csu/libc-start.c
+@@ -37,6 +37,12 @@ extern void __pthread_initialize_minimal (void);
+ in thread local area. */
+ uintptr_t __stack_chk_guard attribute_relro;
+ # endif
++# ifndef THREAD_SET_POINTER_GUARD
++/* Only exported for architectures that don't store the pointer guard
++ value in thread local area. */
++uintptr_t __pointer_chk_guard_local
++ attribute_relro attribute_hidden __attribute__ ((nocommon));
++# endif
+ #endif
+
+ #ifdef HAVE_PTR_NTHREADS
+@@ -195,6 +201,16 @@ LIBC_START_MAIN (int (*main) (int, char **, char ** MAIN_AUXVEC_DECL),
+ # else
+ __stack_chk_guard = stack_chk_guard;
+ # endif
++
++ /* Set up the pointer guard value. */
++ uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
++ stack_chk_guard);
++# ifdef THREAD_SET_POINTER_GUARD
++ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
++# else
++ __pointer_chk_guard_local = pointer_chk_guard;
++# endif
++
+ #endif
+
+ /* Register the destructor of the dynamic linker if there is any. */
+diff --git a/elf/Makefile b/elf/Makefile
+index aaa9534..cb8da93 100644
+--- a/elf/Makefile
++++ b/elf/Makefile
+@@ -121,7 +121,8 @@ endif
+ tests = tst-tls1 tst-tls2 tst-tls9 tst-leaks1 \
+ tst-array1 tst-array2 tst-array3 tst-array4 tst-array5
+ tests-static = tst-tls1-static tst-tls2-static tst-stackguard1-static \
+- tst-leaks1-static tst-array1-static tst-array5-static
++ tst-leaks1-static tst-array1-static tst-array5-static \
++ tst-ptrguard1-static
+ ifeq (yes,$(build-shared))
+ tests-static += tst-tls9-static
+ tst-tls9-static-ENV = \
+@@ -145,7 +146,8 @@ tests += loadtest restest1 preloadtest loadfail multiload origtest resolvfail \
+ tst-audit1 tst-audit2 tst-audit8 \
+ tst-stackguard1 tst-addr1 tst-thrlock \
+ tst-unique1 tst-unique2 tst-unique3 tst-unique4 \
+- tst-initorder tst-initorder2 tst-relsort1 tst-null-argv
++ tst-initorder tst-initorder2 tst-relsort1 tst-null-argv \
++ tst-ptrguard1
+ # reldep9
+ test-srcs = tst-pathopt
+ selinux-enabled := $(shell cat /selinux/enforce 2> /dev/null)
+@@ -1016,6 +1018,9 @@ LDFLAGS-order2mod2.so = $(no-as-needed)
+ tst-stackguard1-ARGS = --command "$(host-test-program-cmd) --child"
+ tst-stackguard1-static-ARGS = --command "$(objpfx)tst-stackguard1-static --child"
+
++tst-ptrguard1-ARGS = --command "$(host-test-program-cmd) --child"
++tst-ptrguard1-static-ARGS = --command "$(objpfx)tst-ptrguard1-static --child"
++
+ $(objpfx)tst-leaks1: $(libdl)
+ $(objpfx)tst-leaks1-mem: $(objpfx)tst-leaks1.out
+ $(common-objpfx)malloc/mtrace $(objpfx)tst-leaks1.mtrace > $@
+diff --git a/elf/tst-ptrguard1-static.c b/elf/tst-ptrguard1-static.c
+new file mode 100644
+index 0000000..7aff3b7
+--- /dev/null
++++ b/elf/tst-ptrguard1-static.c
+@@ -0,0 +1 @@
++#include "tst-ptrguard1.c"
+diff --git a/elf/tst-ptrguard1.c b/elf/tst-ptrguard1.c
+new file mode 100644
+index 0000000..c344a04
+--- /dev/null
++++ b/elf/tst-ptrguard1.c
+@@ -0,0 +1,202 @@
++/* Copyright (C) 2013 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <errno.h>
++#include <stdbool.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <sys/wait.h>
++#include <stackguard-macros.h>
++#include <tls.h>
++#include <unistd.h>
++
++#ifndef POINTER_CHK_GUARD
++extern uintptr_t __pointer_chk_guard;
++# define POINTER_CHK_GUARD __pointer_chk_guard
++#endif
++
++static const char *command;
++static bool child;
++static uintptr_t ptr_chk_guard_copy;
++static bool ptr_chk_guard_copy_set;
++static int fds[2];
++
++static void __attribute__ ((constructor))
++con (void)
++{
++ ptr_chk_guard_copy = POINTER_CHK_GUARD;
++ ptr_chk_guard_copy_set = true;
++}
++
++static int
++uintptr_t_cmp (const void *a, const void *b)
++{
++ if (*(uintptr_t *) a < *(uintptr_t *) b)
++ return 1;
++ if (*(uintptr_t *) a > *(uintptr_t *) b)
++ return -1;
++ return 0;
++}
++
++static int
++do_test (void)
++{
++ if (!ptr_chk_guard_copy_set)
++ {
++ puts ("constructor has not been run");
++ return 1;
++ }
++
++ if (ptr_chk_guard_copy != POINTER_CHK_GUARD)
++ {
++ puts ("POINTER_CHK_GUARD changed between constructor and do_test");
++ return 1;
++ }
++
++ if (child)
++ {
++ write (2, &ptr_chk_guard_copy, sizeof (ptr_chk_guard_copy));
++ return 0;
++ }
++
++ if (command == NULL)
++ {
++ puts ("missing --command or --child argument");
++ return 1;
++ }
++
++#define N 16
++ uintptr_t child_ptr_chk_guards[N + 1];
++ child_ptr_chk_guards[N] = ptr_chk_guard_copy;
++ int i;
++ for (i = 0; i < N; ++i)
++ {
++ if (pipe (fds) < 0)
++ {
++ printf ("couldn't create pipe: %m\n");
++ return 1;
++ }
++
++ pid_t pid = fork ();
++ if (pid < 0)
++ {
++ printf ("fork failed: %m\n");
++ return 1;
++ }
++
++ if (!pid)
++ {
++ if (ptr_chk_guard_copy != POINTER_CHK_GUARD)
++ {
++ puts ("POINTER_CHK_GUARD changed after fork");
++ exit (1);
++ }
++
++ close (fds[0]);
++ close (2);
++ dup2 (fds[1], 2);
++ close (fds[1]);
++
++ system (command);
++ exit (0);
++ }
++
++ close (fds[1]);
++
++ if (TEMP_FAILURE_RETRY (read (fds[0], &child_ptr_chk_guards[i],
++ sizeof (uintptr_t))) != sizeof (uintptr_t))
++ {
++ puts ("could not read ptr_chk_guard value from child");
++ return 1;
++ }
++
++ close (fds[0]);
++
++ pid_t termpid;
++ int status;
++ termpid = TEMP_FAILURE_RETRY (waitpid (pid, &status, 0));
++ if (termpid == -1)
++ {
++ printf ("waitpid failed: %m\n");
++ return 1;
++ }
++ else if (termpid != pid)
++ {
++ printf ("waitpid returned %ld != %ld\n",
++ (long int) termpid, (long int) pid);
++ return 1;
++ }
++ else if (!WIFEXITED (status) || WEXITSTATUS (status))
++ {
++ puts ("child hasn't exited with exit status 0");
++ return 1;
++ }
++ }
++
++ qsort (child_ptr_chk_guards, N + 1, sizeof (uintptr_t), uintptr_t_cmp);
++
++ /* The default pointer guard is the same as the default stack guard.
++ They are only set to default if dl_random is NULL. */
++ uintptr_t default_guard = 0;
++ unsigned char *p = (unsigned char *) &default_guard;
++ p[sizeof (uintptr_t) - 1] = 255;
++ p[sizeof (uintptr_t) - 2] = '\n';
++ p[0] = 0;
++
++ /* Test if the pointer guard canaries are either randomized,
++ or equal to the default pointer guard value.
++ Even with randomized pointer guards it might happen
++ that the random number generator generates the same
++ values, but if that happens in more than half from
++ the 16 runs, something is very wrong. */
++ int ndifferences = 0;
++ int ndefaults = 0;
++ for (i = 0; i < N; ++i)
++ {
++ if (child_ptr_chk_guards[i] != child_ptr_chk_guards[i+1])
++ ndifferences++;
++ else if (child_ptr_chk_guards[i] == default_guard)
++ ndefaults++;
++ }
++
++ printf ("differences %d defaults %d\n", ndifferences, ndefaults);
++
++ if (ndifferences < N / 2 && ndefaults < N / 2)
++ {
++ puts ("pointer guard values are not randomized enough");
++ puts ("nor equal to the default value");
++ return 1;
++ }
++
++ return 0;
++}
++
++#define OPT_COMMAND 10000
++#define OPT_CHILD 10001
++#define CMDLINE_OPTIONS \
++ { "command", required_argument, NULL, OPT_COMMAND }, \
++ { "child", no_argument, NULL, OPT_CHILD },
++#define CMDLINE_PROCESS \
++ case OPT_COMMAND: \
++ command = optarg; \
++ break; \
++ case OPT_CHILD: \
++ child = true; \
++ break;
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
+diff --git a/ports/sysdeps/ia64/stackguard-macros.h b/ports/sysdeps/ia64/stackguard-macros.h
+index dc683c2..3907293 100644
+--- a/ports/sysdeps/ia64/stackguard-macros.h
++++ b/ports/sysdeps/ia64/stackguard-macros.h
+@@ -2,3 +2,6 @@
+
+ #define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("adds %0 = -8, r13;; ld8 %0 = [%0]" : "=r" (x)); x; })
++
++#define POINTER_CHK_GUARD \
++ ({ uintptr_t x; asm ("adds %0 = -16, r13;; ld8 %0 = [%0]" : "=r" (x)); x; })
+diff --git a/ports/sysdeps/tile/stackguard-macros.h b/ports/sysdeps/tile/stackguard-macros.h
+index 589ea2b..f2e041b 100644
+--- a/ports/sysdeps/tile/stackguard-macros.h
++++ b/ports/sysdeps/tile/stackguard-macros.h
+@@ -4,11 +4,17 @@
+ # if __WORDSIZE == 64
+ # define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("addi %0, tp, -16; ld %0, %0" : "=r" (x)); x; })
++# define POINTER_CHK_GUARD \
++ ({ uintptr_t x; asm ("addi %0, tp, -24; ld %0, %0" : "=r" (x)); x; })
+ # else
+ # define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("addi %0, tp, -8; ld4s %0, %0" : "=r" (x)); x; })
++# define POINTER_CHK_GUARD \
++ ({ uintptr_t x; asm ("addi %0, tp, -12; ld4s %0, %0" : "=r" (x)); x; })
+ # endif
+ #else
+ # define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("addi %0, tp, -8; lw %0, %0" : "=r" (x)); x; })
++# define POINTER_CHK_GUARD \
++ ({ uintptr_t x; asm ("addi %0, tp, -12; lw %0, %0" : "=r" (x)); x; })
+ #endif
+diff --git a/sysdeps/generic/stackguard-macros.h b/sysdeps/generic/stackguard-macros.h
+index ababf65..4fa3d96 100644
+--- a/sysdeps/generic/stackguard-macros.h
++++ b/sysdeps/generic/stackguard-macros.h
+@@ -2,3 +2,6 @@
+
+ extern uintptr_t __stack_chk_guard;
+ #define STACK_CHK_GUARD __stack_chk_guard
++
++extern uintptr_t __pointer_chk_guard_local;
++#define POINTER_CHK_GUARD __pointer_chk_guard_local
+diff --git a/sysdeps/i386/stackguard-macros.h b/sysdeps/i386/stackguard-macros.h
+index 8c31e19..0397629 100644
+--- a/sysdeps/i386/stackguard-macros.h
++++ b/sysdeps/i386/stackguard-macros.h
+@@ -2,3 +2,11 @@
+
+ #define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("movl %%gs:0x14, %0" : "=r" (x)); x; })
++
++#define POINTER_CHK_GUARD \
++ ({ \
++ uintptr_t x; \
++ asm ("movl %%gs:%c1, %0" : "=r" (x) \
++ : "i" (offsetof (tcbhead_t, pointer_guard))); \
++ x; \
++ })
+diff --git a/sysdeps/powerpc/powerpc32/stackguard-macros.h b/sysdeps/powerpc/powerpc32/stackguard-macros.h
+index 839f6a4..b3d0af8 100644
+--- a/sysdeps/powerpc/powerpc32/stackguard-macros.h
++++ b/sysdeps/powerpc/powerpc32/stackguard-macros.h
+@@ -2,3 +2,13 @@
+
+ #define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("lwz %0,-28680(2)" : "=r" (x)); x; })
++
++#define POINTER_CHK_GUARD \
++ ({ \
++ uintptr_t x; \
++ asm ("lwz %0,%1(2)" \
++ : "=r" (x) \
++ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \
++ ); \
++ x; \
++ })
+diff --git a/sysdeps/powerpc/powerpc64/stackguard-macros.h b/sysdeps/powerpc/powerpc64/stackguard-macros.h
+index 9da879c..4620f96 100644
+--- a/sysdeps/powerpc/powerpc64/stackguard-macros.h
++++ b/sysdeps/powerpc/powerpc64/stackguard-macros.h
+@@ -2,3 +2,13 @@
+
+ #define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("ld %0,-28688(13)" : "=r" (x)); x; })
++
++#define POINTER_CHK_GUARD \
++ ({ \
++ uintptr_t x; \
++ asm ("ld %0,%1(2)" \
++ : "=r" (x) \
++ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \
++ ); \
++ x; \
++ })
+diff --git a/sysdeps/s390/s390-32/stackguard-macros.h b/sysdeps/s390/s390-32/stackguard-macros.h
+index b74c579..449e8d4 100644
+--- a/sysdeps/s390/s390-32/stackguard-macros.h
++++ b/sysdeps/s390/s390-32/stackguard-macros.h
+@@ -2,3 +2,14 @@
+
+ #define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("ear %0,%%a0; l %0,0x14(%0)" : "=a" (x)); x; })
++
++/* On s390/s390x there is no unique pointer guard, instead we use the
++ same value as the stack guard. */
++#define POINTER_CHK_GUARD \
++ ({ \
++ uintptr_t x; \
++ asm ("ear %0,%%a0; l %0,%1(%0)" \
++ : "=a" (x) \
++ : "i" (offsetof (tcbhead_t, stack_guard))); \
++ x; \
++ })
+diff --git a/sysdeps/s390/s390-64/stackguard-macros.h b/sysdeps/s390/s390-64/stackguard-macros.h
+index 0cebb5f..c8270fb 100644
+--- a/sysdeps/s390/s390-64/stackguard-macros.h
++++ b/sysdeps/s390/s390-64/stackguard-macros.h
+@@ -2,3 +2,17 @@
+
+ #define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("ear %0,%%a0; sllg %0,%0,32; ear %0,%%a1; lg %0,0x28(%0)" : "=a" (x)); x; })
++
++/* On s390/s390x there is no unique pointer guard, instead we use the
++ same value as the stack guard. */
++#define POINTER_CHK_GUARD \
++ ({ \
++ uintptr_t x; \
++ asm ("ear %0,%%a0;" \
++ "sllg %0,%0,32;" \
++ "ear %0,%%a1;" \
++ "lg %0,%1(%0)" \
++ : "=a" (x) \
++ : "i" (offsetof (tcbhead_t, stack_guard))); \
++ x; \
++ })
+diff --git a/sysdeps/sparc/sparc32/stackguard-macros.h b/sysdeps/sparc/sparc32/stackguard-macros.h
+index c0b02b0..1eef0f1 100644
+--- a/sysdeps/sparc/sparc32/stackguard-macros.h
++++ b/sysdeps/sparc/sparc32/stackguard-macros.h
+@@ -2,3 +2,6 @@
+
+ #define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("ld [%%g7+0x14], %0" : "=r" (x)); x; })
++
++#define POINTER_CHK_GUARD \
++ ({ uintptr_t x; asm ("ld [%%g7+0x18], %0" : "=r" (x)); x; })
+diff --git a/sysdeps/sparc/sparc64/stackguard-macros.h b/sysdeps/sparc/sparc64/stackguard-macros.h
+index 80f0635..cc0c12c 100644
+--- a/sysdeps/sparc/sparc64/stackguard-macros.h
++++ b/sysdeps/sparc/sparc64/stackguard-macros.h
+@@ -2,3 +2,6 @@
+
+ #define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("ldx [%%g7+0x28], %0" : "=r" (x)); x; })
++
++#define POINTER_CHK_GUARD \
++ ({ uintptr_t x; asm ("ldx [%%g7+0x30], %0" : "=r" (x)); x; })
+diff --git a/sysdeps/x86_64/stackguard-macros.h b/sysdeps/x86_64/stackguard-macros.h
+index d7fedb3..1948800 100644
+--- a/sysdeps/x86_64/stackguard-macros.h
++++ b/sysdeps/x86_64/stackguard-macros.h
+@@ -4,3 +4,8 @@
+ ({ uintptr_t x; \
+ asm ("mov %%fs:%c1, %0" : "=r" (x) \
+ : "i" (offsetof (tcbhead_t, stack_guard))); x; })
++
++#define POINTER_CHK_GUARD \
++ ({ uintptr_t x; \
++ asm ("mov %%fs:%c1, %0" : "=r" (x) \
++ : "i" (offsetof (tcbhead_t, pointer_guard))); x; })
+diff --git a/elf/Makefile b/elf/Makefile
+index cb8da93..27d249b 100644
+--- a/elf/Makefile
++++ b/elf/Makefile
+@@ -1019,6 +1019,9 @@ tst-stackguard1-ARGS = --command "$(host-test-program-cmd) --child"
+ tst-stackguard1-static-ARGS = --command "$(objpfx)tst-stackguard1-static --child"
+
+ tst-ptrguard1-ARGS = --command "$(host-test-program-cmd) --child"
++# When built statically, the pointer guard interface uses
++# __pointer_chk_guard_local.
++CFLAGS-tst-ptrguard1-static.c = -DPTRGUARD_LOCAL
+ tst-ptrguard1-static-ARGS = --command "$(objpfx)tst-ptrguard1-static --child"
+
+ $(objpfx)tst-leaks1: $(libdl)
+diff --git a/sysdeps/generic/stackguard-macros.h b/sysdeps/generic/stackguard-macros.h
+index 4fa3d96..b4a6b23 100644
+--- a/sysdeps/generic/stackguard-macros.h
++++ b/sysdeps/generic/stackguard-macros.h
+@@ -3,5 +3,10 @@
+ extern uintptr_t __stack_chk_guard;
+ #define STACK_CHK_GUARD __stack_chk_guard
+
++#ifdef PTRGUARD_LOCAL
+ extern uintptr_t __pointer_chk_guard_local;
+-#define POINTER_CHK_GUARD __pointer_chk_guard_local
++# define POINTER_CHK_GUARD __pointer_chk_guard_local
++#else
++extern uintptr_t __pointer_chk_guard;
++# define POINTER_CHK_GUARD __pointer_chk_guard
++#endif
diff --git a/glibc-2.18-readdir_r-CVE-2013-4237.patch b/glibc-2.18-readdir_r-CVE-2013-4237.patch
new file mode 100644
index 000000000000..7277ca22964d
--- /dev/null
+++ b/glibc-2.18-readdir_r-CVE-2013-4237.patch
@@ -0,0 +1,281 @@
+diff --git a/manual/conf.texi b/manual/conf.texi
+index 7eb8b36..c720063 100644
+--- a/manual/conf.texi
++++ b/manual/conf.texi
+@@ -1149,6 +1149,9 @@ typed ahead as input. @xref{I/O Queues}.
+ @deftypevr Macro int NAME_MAX
+ The uniform system limit (if any) for the length of a file name component, not
+ including the terminating null character.
++
++@strong{Portability Note:} On some systems, @theglibc{} defines
++@code{NAME_MAX}, but does not actually enforce this limit.
+ @end deftypevr
+
+ @comment limits.h
+@@ -1157,6 +1160,9 @@ including the terminating null character.
+ The uniform system limit (if any) for the length of an entire file name (that
+ is, the argument given to system calls such as @code{open}), including the
+ terminating null character.
++
++@strong{Portability Note:} @Theglibc{} does not enforce this limit
++even if @code{PATH_MAX} is defined.
+ @end deftypevr
+
+ @cindex limits, pipe buffer size
+@@ -1476,6 +1482,9 @@ Inquire about the value of @code{POSIX_REC_MIN_XFER_SIZE}.
+ Inquire about the value of @code{POSIX_REC_XFER_ALIGN}.
+ @end table
+
++@strong{Portability Note:} On some systems, @theglibc{} does not
++enforce @code{_PC_NAME_MAX} or @code{_PC_PATH_MAX} limits.
++
+ @node Utility Limits
+ @section Utility Program Capacity Limits
+
+diff --git a/manual/filesys.texi b/manual/filesys.texi
+index 1df9cf2..814c210 100644
+--- a/manual/filesys.texi
++++ b/manual/filesys.texi
+@@ -444,9 +444,9 @@ symbols are declared in the header file @file{dirent.h}.
+ @comment POSIX.1
+ @deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
+ This function reads the next entry from the directory. It normally
+-returns a pointer to a structure containing information about the file.
+-This structure is statically allocated and can be rewritten by a
+-subsequent call.
++returns a pointer to a structure containing information about the
++file. This structure is associated with the @var{dirstream} handle
++and can be rewritten by a subsequent call.
+
+ @strong{Portability Note:} On some systems @code{readdir} may not
+ return entries for @file{.} and @file{..}, even though these are always
+@@ -461,19 +461,61 @@ conditions are defined for this function:
+ The @var{dirstream} argument is not valid.
+ @end table
+
+-@code{readdir} is not thread safe. Multiple threads using
+-@code{readdir} on the same @var{dirstream} may overwrite the return
+-value. Use @code{readdir_r} when this is critical.
++To distinguish between an end-of-directory condition or an error, you
++must set @code{errno} to zero before calling @code{readdir}. To avoid
++entering an infinite loop, you should stop reading from the directory
++after the first error.
++
++In POSIX.1-2008, @code{readdir} is not thread-safe. In @theglibc{}
++implementation, it is safe to call @code{readdir} concurrently on
++different @var{dirstream}s, but multiple threads accessing the same
++@var{dirstream} result in undefined behavior. @code{readdir_r} is a
++fully thread-safe alternative, but suffers from poor portability (see
++below). It is recommended that you use @code{readdir}, with external
++locking if multiple threads access the same @var{dirstream}.
+ @end deftypefun
+
+ @comment dirent.h
+ @comment GNU
+ @deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
+-This function is the reentrant version of @code{readdir}. Like
+-@code{readdir} it returns the next entry from the directory. But to
+-prevent conflicts between simultaneously running threads the result is
+-not stored in statically allocated memory. Instead the argument
+-@var{entry} points to a place to store the result.
++This function is a version of @code{readdir} which performs internal
++locking. Like @code{readdir} it returns the next entry from the
++directory. To prevent conflicts between simultaneously running
++threads the result is stored inside the @var{entry} object.
++
++@strong{Portability Note:} It is recommended to use @code{readdir}
++instead of @code{readdir_r} for the following reasons:
++
++@itemize @bullet
++@item
++On systems which do not define @code{NAME_MAX}, it may not be possible
++to use @code{readdir_r} safely because the caller does not specify the
++length of the buffer for the directory entry.
++
++@item
++On some systems, @code{readdir_r} cannot read directory entries with
++very long names. If such a name is encountered, @theglibc{}
++implementation of @code{readdir_r} returns with an error code of
++@code{ENAMETOOLONG} after the final directory entry has been read. On
++other systems, @code{readdir_r} may return successfully, but the
++@code{d_name} member may not be NUL-terminated or may be truncated.
++
++@item
++POSIX-1.2008 does not guarantee that @code{readdir} is thread-safe,
++even when access to the same @var{dirstream} is serialized. But in
++current implementations (including @theglibc{}), it is safe to call
++@code{readdir} concurrently on different @var{dirstream}s, so there is
++no need to use @code{readdir_r} in most multi-threaded programs. In
++the rare case that multiple threads need to read from the same
++@var{dirstream}, it is still better to use @code{readdir} and external
++synchronization.
++
++@item
++It is expected that future versions of POSIX will obsolete
++@code{readdir_r} and mandate the level of thread safety for
++@code{readdir} which is provided by @theglibc{} and other
++implementations today.
++@end itemize
+
+ Normally @code{readdir_r} returns zero and sets @code{*@var{result}}
+ to @var{entry}. If there are no more entries in the directory or an
+@@ -481,15 +523,6 @@ error is detected, @code{readdir_r} sets @code{*@var{result}} to a
+ null pointer and returns a nonzero error code, also stored in
+ @code{errno}, as described for @code{readdir}.
+
+-@strong{Portability Note:} On some systems @code{readdir_r} may not
+-return a NUL terminated string for the file name, even when there is no
+-@code{d_reclen} field in @code{struct dirent} and the file
+-name is the maximum allowed size. Modern systems all have the
+-@code{d_reclen} field, and on old systems multi-threading is not
+-critical. In any case there is no such problem with the @code{readdir}
+-function, so that even on systems without the @code{d_reclen} member one
+-could use multiple threads by using external locking.
+-
+ It is also important to look at the definition of the @code{struct
+ dirent} type. Simply passing a pointer to an object of this type for
+ the second parameter of @code{readdir_r} might not be enough. Some
+diff --git a/sysdeps/posix/dirstream.h b/sysdeps/posix/dirstream.h
+index a7a074d..8e8570d 100644
+--- a/sysdeps/posix/dirstream.h
++++ b/sysdeps/posix/dirstream.h
+@@ -39,6 +39,8 @@ struct __dirstream
+
+ off_t filepos; /* Position of next entry to read. */
+
++ int errcode; /* Delayed error code. */
++
+ /* Directory block. */
+ char data[0] __attribute__ ((aligned (__alignof__ (void*))));
+ };
+diff --git a/sysdeps/posix/opendir.c b/sysdeps/posix/opendir.c
+index ddfc3a7..fc05b0f 100644
+--- a/sysdeps/posix/opendir.c
++++ b/sysdeps/posix/opendir.c
+@@ -231,6 +231,7 @@ __alloc_dir (int fd, bool close_fd, int flags, const struct stat64 *statp)
+ dirp->size = 0;
+ dirp->offset = 0;
+ dirp->filepos = 0;
++ dirp->errcode = 0;
+
+ return dirp;
+ }
+diff --git a/sysdeps/posix/readdir_r.c b/sysdeps/posix/readdir_r.c
+index b5a8e2e..8ed5c3f 100644
+--- a/sysdeps/posix/readdir_r.c
++++ b/sysdeps/posix/readdir_r.c
+@@ -40,6 +40,7 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *entry, DIRENT_TYPE **result)
+ DIRENT_TYPE *dp;
+ size_t reclen;
+ const int saved_errno = errno;
++ int ret;
+
+ __libc_lock_lock (dirp->lock);
+
+@@ -70,10 +71,10 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *entry, DIRENT_TYPE **result)
+ bytes = 0;
+ __set_errno (saved_errno);
+ }
++ if (bytes < 0)
++ dirp->errcode = errno;
+
+ dp = NULL;
+- /* Reclen != 0 signals that an error occurred. */
+- reclen = bytes != 0;
+ break;
+ }
+ dirp->size = (size_t) bytes;
+@@ -106,29 +107,46 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *entry, DIRENT_TYPE **result)
+ dirp->filepos += reclen;
+ #endif
+
+- /* Skip deleted files. */
++#ifdef NAME_MAX
++ if (reclen > offsetof (DIRENT_TYPE, d_name) + NAME_MAX + 1)
++ {
++ /* The record is very long. It could still fit into the
++ caller-supplied buffer if we can skip padding at the
++ end. */
++ size_t namelen = _D_EXACT_NAMLEN (dp);
++ if (namelen <= NAME_MAX)
++ reclen = offsetof (DIRENT_TYPE, d_name) + namelen + 1;
++ else
++ {
++ /* The name is too long. Ignore this file. */
++ dirp->errcode = ENAMETOOLONG;
++ dp->d_ino = 0;
++ continue;
++ }
++ }
++#endif
++
++ /* Skip deleted and ignored files. */
+ }
+ while (dp->d_ino == 0);
+
+ if (dp != NULL)
+ {
+-#ifdef GETDENTS_64BIT_ALIGNED
+- /* The d_reclen value might include padding which is not part of
+- the DIRENT_TYPE data structure. */
+- reclen = MIN (reclen,
+- offsetof (DIRENT_TYPE, d_name) + sizeof (dp->d_name));
+-#endif
+ *result = memcpy (entry, dp, reclen);
+-#ifdef GETDENTS_64BIT_ALIGNED
++#ifdef _DIRENT_HAVE_D_RECLEN
+ entry->d_reclen = reclen;
+ #endif
++ ret = 0;
+ }
+ else
+- *result = NULL;
++ {
++ *result = NULL;
++ ret = dirp->errcode;
++ }
+
+ __libc_lock_unlock (dirp->lock);
+
+- return dp != NULL ? 0 : reclen ? errno : 0;
++ return ret;
+ }
+
+ #ifdef __READDIR_R_ALIAS
+diff --git a/sysdeps/posix/rewinddir.c b/sysdeps/posix/rewinddir.c
+index 2935a8e..d4991ad 100644
+--- a/sysdeps/posix/rewinddir.c
++++ b/sysdeps/posix/rewinddir.c
+@@ -33,6 +33,7 @@ rewinddir (dirp)
+ dirp->filepos = 0;
+ dirp->offset = 0;
+ dirp->size = 0;
++ dirp->errcode = 0;
+ #ifndef NOT_IN_libc
+ __libc_lock_unlock (dirp->lock);
+ #endif
+diff --git a/sysdeps/unix/sysv/linux/i386/readdir64_r.c b/sysdeps/unix/sysv/linux/i386/readdir64_r.c
+index 8ebbcfd..a7d114e 100644
+--- a/sysdeps/unix/sysv/linux/i386/readdir64_r.c
++++ b/sysdeps/unix/sysv/linux/i386/readdir64_r.c
+@@ -18,7 +18,6 @@
+ #define __READDIR_R __readdir64_r
+ #define __GETDENTS __getdents64
+ #define DIRENT_TYPE struct dirent64
+-#define GETDENTS_64BIT_ALIGNED 1
+
+ #include <sysdeps/posix/readdir_r.c>
+
+diff --git a/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c b/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c
+index 5ed8e95..290f2c8 100644
+--- a/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c
++++ b/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c
+@@ -1,5 +1,4 @@
+ #define readdir64_r __no_readdir64_r_decl
+-#define GETDENTS_64BIT_ALIGNED 1
+ #include <sysdeps/posix/readdir_r.c>
+ #undef readdir64_r
+ weak_alias (__readdir_r, readdir64_r)
+--
+1.8.3.4
+
diff --git a/glibc-2.18-scanf-parse-0e-0.patch b/glibc-2.18-scanf-parse-0e-0.patch
new file mode 100644
index 000000000000..651e56590f4a
--- /dev/null
+++ b/glibc-2.18-scanf-parse-0e-0.patch
@@ -0,0 +1,67 @@
+diff --git a/stdio-common/tst-sscanf.c b/stdio-common/tst-sscanf.c
+index 1edb227..3c34f58 100644
+--- a/stdio-common/tst-sscanf.c
++++ b/stdio-common/tst-sscanf.c
+@@ -109,6 +109,19 @@ struct test double_tests[] =
+ { L("-inf"), L("%g"), 1 }
+ };
+
++struct test2
++{
++ const CHAR *str;
++ const CHAR *fmt;
++ int retval;
++ char residual;
++} double_tests2[] =
++{
++ { L("0e+0"), L("%g%c"), 1, 0 },
++ { L("0xe+0"), L("%g%c"), 2, '+' },
++ { L("0x.e+0"), L("%g%c"), 2, '+' },
++};
++
+ int
+ main (void)
+ {
+@@ -196,5 +209,26 @@ main (void)
+ }
+ }
+
++ for (i = 0; i < sizeof (double_tests2) / sizeof (double_tests2[0]); ++i)
++ {
++ double dummy;
++ int ret;
++ char c = 0;
++
++ if ((ret = SSCANF (double_tests2[i].str, double_tests2[i].fmt,
++ &dummy, &c)) != double_tests2[i].retval)
++ {
++ printf ("double_tests2[%d] returned %d != %d\n",
++ i, ret, double_tests2[i].retval);
++ result = 1;
++ }
++ else if (ret == 2 && c != double_tests2[i].residual)
++ {
++ printf ("double_tests2[%d] stopped at '%c' != '%c'\n",
++ i, c, double_tests2[i].residual);
++ result = 1;
++ }
++ }
++
+ return result;
+ }
+diff --git a/stdio-common/vfscanf.c b/stdio-common/vfscanf.c
+index 78dc2fc..e6fa8f3 100644
+--- a/stdio-common/vfscanf.c
++++ b/stdio-common/vfscanf.c
+@@ -1966,6 +1966,8 @@ _IO_vfscanf_internal (_IO_FILE *s, const char *format, _IO_va_list argptr,
+ if (width > 0)
+ --width;
+ }
++ else
++ got_digit = 1;
+ }
+
+ while (1)
+--
+1.8.4.2
+
diff --git a/glibc-2.18-strcoll-CVE-2012-4412+4424.patch b/glibc-2.18-strcoll-CVE-2012-4412+4424.patch
new file mode 100644
index 000000000000..5558c1fe984d
--- /dev/null
+++ b/glibc-2.18-strcoll-CVE-2012-4412+4424.patch
@@ -0,0 +1,1004 @@
+diff --git a/string/strcoll_l.c b/string/strcoll_l.c
+index ecda08f..bb34a72 100644
+--- a/string/strcoll_l.c
++++ b/string/strcoll_l.c
+@@ -41,11 +41,434 @@
+
+ #include "../locale/localeinfo.h"
+
++/* Track status while looking for sequences in a string. */
++typedef struct
++{
++ int len; /* Length of the current sequence. */
++ size_t val; /* Position of the sequence relative to the
++ previous non-ignored sequence. */
++ size_t idxnow; /* Current index in sequences. */
++ size_t idxmax; /* Maximum index in sequences. */
++ size_t idxcnt; /* Current count of indices. */
++ size_t backw; /* Current Backward sequence index. */
++ size_t backw_stop; /* Index where the backward sequences stop. */
++ const USTRING_TYPE *us; /* The string. */
++ int32_t *idxarr; /* Array to cache weight indices. */
++ unsigned char *rulearr; /* Array to cache rules. */
++ unsigned char rule; /* Saved rule for the first sequence. */
++ int32_t idx; /* Index to weight of the current sequence. */
++ int32_t save_idx; /* Save looked up index of a forward
++ sequence after the last backward
++ sequence. */
++ const USTRING_TYPE *back_us; /* Beginning of the backward sequence. */
++} coll_seq;
++
++/* Get next sequence. The weight indices are cached, so we don't need to
++ traverse the string. */
++static void
++get_next_seq_cached (coll_seq *seq, int nrules, int pass,
++ const unsigned char *rulesets,
++ const USTRING_TYPE *weights)
++{
++ size_t val = seq->val = 0;
++ int len = seq->len;
++ size_t backw_stop = seq->backw_stop;
++ size_t backw = seq->backw;
++ size_t idxcnt = seq->idxcnt;
++ size_t idxmax = seq->idxmax;
++ size_t idxnow = seq->idxnow;
++ unsigned char *rulearr = seq->rulearr;
++ int32_t *idxarr = seq->idxarr;
++
++ while (len == 0)
++ {
++ ++val;
++ if (backw_stop != ~0ul)
++ {
++ /* There is something pushed. */
++ if (backw == backw_stop)
++ {
++ /* The last pushed character was handled. Continue
++ with forward characters. */
++ if (idxcnt < idxmax)
++ {
++ idxnow = idxcnt;
++ backw_stop = ~0ul;
++ }
++ else
++ {
++ /* Nothing any more. The backward sequence
++ ended with the last sequence in the string. */
++ idxnow = ~0ul;
++ break;
++ }
++ }
++ else
++ idxnow = --backw;
++ }
++ else
++ {
++ backw_stop = idxcnt;
++
++ while (idxcnt < idxmax)
++ {
++ if ((rulesets[rulearr[idxcnt] * nrules + pass]
++ & sort_backward) == 0)
++ /* No more backward characters to push. */
++ break;
++ ++idxcnt;
++ }
++
++ if (backw_stop == idxcnt)
++ {
++ /* No sequence at all or just one. */
++ if (idxcnt == idxmax)
++ /* Note that LEN is still zero. */
++ break;
++
++ backw_stop = ~0ul;
++ idxnow = idxcnt++;
++ }
++ else
++ /* We pushed backward sequences. */
++ idxnow = backw = idxcnt - 1;
++ }
++ len = weights[idxarr[idxnow]++];
++ }
++
++ /* Update the structure. */
++ seq->val = val;
++ seq->len = len;
++ seq->backw_stop = backw_stop;
++ seq->backw = backw;
++ seq->idxcnt = idxcnt;
++ seq->idxnow = idxnow;
++}
++
++/* Get next sequence. Traverse the string as required. */
++static void
++get_next_seq (coll_seq *seq, int nrules, const unsigned char *rulesets,
++ const USTRING_TYPE *weights, const int32_t *table,
++ const USTRING_TYPE *extra, const int32_t *indirect)
++{
++#include WEIGHT_H
++ size_t val = seq->val = 0;
++ int len = seq->len;
++ size_t backw_stop = seq->backw_stop;
++ size_t backw = seq->backw;
++ size_t idxcnt = seq->idxcnt;
++ size_t idxmax = seq->idxmax;
++ size_t idxnow = seq->idxnow;
++ unsigned char *rulearr = seq->rulearr;
++ int32_t *idxarr = seq->idxarr;
++ const USTRING_TYPE *us = seq->us;
++
++ while (len == 0)
++ {
++ ++val;
++ if (backw_stop != ~0ul)
++ {
++ /* There is something pushed. */
++ if (backw == backw_stop)
++ {
++ /* The last pushed character was handled. Continue
++ with forward characters. */
++ if (idxcnt < idxmax)
++ {
++ idxnow = idxcnt;
++ backw_stop = ~0ul;
++ }
++ else
++ /* Nothing any more. The backward sequence ended with
++ the last sequence in the string. Note that LEN
++ is still zero. */
++ break;
++ }
++ else
++ idxnow = --backw;
++ }
++ else
++ {
++ backw_stop = idxmax;
++
++ while (*us != L('\0'))
++ {
++ int32_t tmp = findidx (&us, -1);
++ rulearr[idxmax] = tmp >> 24;
++ idxarr[idxmax] = tmp & 0xffffff;
++ idxcnt = idxmax++;
++
++ if ((rulesets[rulearr[idxcnt] * nrules]
++ & sort_backward) == 0)
++ /* No more backward characters to push. */
++ break;
++ ++idxcnt;
++ }
++
++ if (backw_stop >= idxcnt)
++ {
++ /* No sequence at all or just one. */
++ if (idxcnt == idxmax || backw_stop > idxcnt)
++ /* Note that LEN is still zero. */
++ break;
++
++ backw_stop = ~0ul;
++ idxnow = idxcnt;
++ }
++ else
++ /* We pushed backward sequences. */
++ idxnow = backw = idxcnt - 1;
++ }
++ len = weights[idxarr[idxnow]++];
++ }
++
++ /* Update the structure. */
++ seq->val = val;
++ seq->len = len;
++ seq->backw_stop = backw_stop;
++ seq->backw = backw;
++ seq->idxcnt = idxcnt;
++ seq->idxmax = idxmax;
++ seq->idxnow = idxnow;
++ seq->us = us;
++}
++
++/* Get next sequence. Traverse the string as required. This function does not
++ set or use any index or rule cache. */
++static void
++get_next_seq_nocache (coll_seq *seq, int nrules, const unsigned char *rulesets,
++ const USTRING_TYPE *weights, const int32_t *table,
++ const USTRING_TYPE *extra, const int32_t *indirect,
++ int pass)
++{
++#include WEIGHT_H
++ size_t val = seq->val = 0;
++ int len = seq->len;
++ size_t backw_stop = seq->backw_stop;
++ size_t backw = seq->backw;
++ size_t idxcnt = seq->idxcnt;
++ size_t idxmax = seq->idxmax;
++ int32_t idx = seq->idx;
++ const USTRING_TYPE *us = seq->us;
++
++ while (len == 0)
++ {
++ ++val;
++ if (backw_stop != ~0ul)
++ {
++ /* There is something pushed. */
++ if (backw == backw_stop)
++ {
++ /* The last pushed character was handled. Continue
++ with forward characters. */
++ if (idxcnt < idxmax)
++ {
++ idx = seq->save_idx;
++ backw_stop = ~0ul;
++ }
++ else
++ {
++ /* Nothing anymore. The backward sequence ended with
++ the last sequence in the string. Note that len is
++ still zero. */
++ idx = 0;
++ break;
++ }
++ }
++ else
++ {
++ /* XXX Traverse BACKW sequences from the beginning of
++ BACKW_STOP to get the next sequence. Is ther a quicker way
++ to do this? */
++ size_t i = backw_stop;
++ us = seq->back_us;
++ while (i < backw)
++ {
++ int32_t tmp = findidx (&us, -1);
++ idx = tmp & 0xffffff;
++ i++;
++ }
++ --backw;
++ us = seq->us;
++ }
++ }
++ else
++ {
++ backw_stop = idxmax;
++ int32_t prev_idx = idx;
++
++ while (*us != L('\0'))
++ {
++ int32_t tmp = findidx (&us, -1);
++ unsigned char rule = tmp >> 24;
++ prev_idx = idx;
++ idx = tmp & 0xffffff;
++ idxcnt = idxmax++;
++
++ /* Save the rule for the first sequence. */
++ if (__glibc_unlikely (idxcnt == 0))
++ seq->rule = rule;
++
++ if ((rulesets[rule * nrules + pass]
++ & sort_backward) == 0)
++ /* No more backward characters to push. */
++ break;
++ ++idxcnt;
++ }
++
++ if (backw_stop >= idxcnt)
++ {
++ /* No sequence at all or just one. */
++ if (idxcnt == idxmax || backw_stop > idxcnt)
++ /* Note that len is still zero. */
++ break;
++
++ backw_stop = ~0ul;
++ }
++ else
++ {
++ /* We pushed backward sequences. If the stream ended with the
++ backward sequence, then we process the last sequence we
++ found. Otherwise we process the sequence before the last
++ one since the last one was a forward sequence. */
++ seq->back_us = seq->us;
++ seq->us = us;
++ backw = idxcnt;
++ if (idxmax > idxcnt)
++ {
++ backw--;
++ seq->save_idx = idx;
++ idx = prev_idx;
++ }
++ if (backw > backw_stop)
++ backw--;
++ }
++ }
++
++ len = weights[idx++];
++ /* Skip over indices of previous levels. */
++ for (int i = 0; i < pass; i++)
++ {
++ idx += len;
++ len = weights[idx];
++ idx++;
++ }
++ }
++
++ /* Update the structure. */
++ seq->val = val;
++ seq->len = len;
++ seq->backw_stop = backw_stop;
++ seq->backw = backw;
++ seq->idxcnt = idxcnt;
++ seq->idxmax = idxmax;
++ seq->us = us;
++ seq->idx = idx;
++}
++
++/* Compare two sequences. This version does not use the index and rules
++ cache. */
++static int
++do_compare_nocache (coll_seq *seq1, coll_seq *seq2, int position,
++ const USTRING_TYPE *weights)
++{
++ int seq1len = seq1->len;
++ int seq2len = seq2->len;
++ size_t val1 = seq1->val;
++ size_t val2 = seq2->val;
++ int idx1 = seq1->idx;
++ int idx2 = seq2->idx;
++ int result = 0;
++
++ /* Test for position if necessary. */
++ if (position && val1 != val2)
++ {
++ result = val1 > val2 ? 1 : -1;
++ goto out;
++ }
++
++ /* Compare the two sequences. */
++ do
++ {
++ if (weights[idx1] != weights[idx2])
++ {
++ /* The sequences differ. */
++ result = weights[idx1] - weights[idx2];
++ goto out;
++ }
++
++ /* Increment the offsets. */
++ ++idx1;
++ ++idx2;
++
++ --seq1len;
++ --seq2len;
++ }
++ while (seq1len > 0 && seq2len > 0);
++
++ if (position && seq1len != seq2len)
++ result = seq1len - seq2len;
++
++out:
++ seq1->len = seq1len;
++ seq2->len = seq2len;
++ seq1->idx = idx1;
++ seq2->idx = idx2;
++ return result;
++}
++
++/* Compare two sequences using the index cache. */
++static int
++do_compare (coll_seq *seq1, coll_seq *seq2, int position,
++ const USTRING_TYPE *weights)
++{
++ int seq1len = seq1->len;
++ int seq2len = seq2->len;
++ size_t val1 = seq1->val;
++ size_t val2 = seq2->val;
++ int32_t *idx1arr = seq1->idxarr;
++ int32_t *idx2arr = seq2->idxarr;
++ int idx1now = seq1->idxnow;
++ int idx2now = seq2->idxnow;
++ int result = 0;
++
++ /* Test for position if necessary. */
++ if (position && val1 != val2)
++ {
++ result = val1 > val2 ? 1 : -1;
++ goto out;
++ }
++
++ /* Compare the two sequences. */
++ do
++ {
++ if (weights[idx1arr[idx1now]] != weights[idx2arr[idx2now]])
++ {
++ /* The sequences differ. */
++ result = weights[idx1arr[idx1now]] - weights[idx2arr[idx2now]];
++ goto out;
++ }
++
++ /* Increment the offsets. */
++ ++idx1arr[idx1now];
++ ++idx2arr[idx2now];
++
++ --seq1len;
++ --seq2len;
++ }
++ while (seq1len > 0 && seq2len > 0);
++
++ if (position && seq1len != seq2len)
++ result = seq1len - seq2len;
++
++out:
++ seq1->len = seq1len;
++ seq2->len = seq2len;
++ return result;
++}
++
+ int
+-STRCOLL (s1, s2, l)
+- const STRING_TYPE *s1;
+- const STRING_TYPE *s2;
+- __locale_t l;
++STRCOLL (const STRING_TYPE *s1, const STRING_TYPE *s2, __locale_t l)
+ {
+ struct __locale_data *current = l->__locales[LC_COLLATE];
+ uint_fast32_t nrules = current->values[_NL_ITEM_INDEX (_NL_COLLATE_NRULES)].word;
+@@ -56,34 +479,6 @@ STRCOLL (s1, s2, l)
+ const USTRING_TYPE *weights;
+ const USTRING_TYPE *extra;
+ const int32_t *indirect;
+- uint_fast32_t pass;
+- int result = 0;
+- const USTRING_TYPE *us1;
+- const USTRING_TYPE *us2;
+- size_t s1len;
+- size_t s2len;
+- int32_t *idx1arr;
+- int32_t *idx2arr;
+- unsigned char *rule1arr;
+- unsigned char *rule2arr;
+- size_t idx1max;
+- size_t idx2max;
+- size_t idx1cnt;
+- size_t idx2cnt;
+- size_t idx1now;
+- size_t idx2now;
+- size_t backw1_stop;
+- size_t backw2_stop;
+- size_t backw1;
+- size_t backw2;
+- int val1;
+- int val2;
+- int position;
+- int seq1len;
+- int seq2len;
+- int use_malloc;
+-
+-#include WEIGHT_H
+
+ if (nrules == 0)
+ return STRCMP (s1, s2);
+@@ -98,7 +493,6 @@ STRCOLL (s1, s2, l)
+ current->values[_NL_ITEM_INDEX (CONCAT(_NL_COLLATE_EXTRA,SUFFIX))].string;
+ indirect = (const int32_t *)
+ current->values[_NL_ITEM_INDEX (CONCAT(_NL_COLLATE_INDIRECT,SUFFIX))].string;
+- use_malloc = 0;
+
+ assert (((uintptr_t) table) % __alignof__ (table[0]) == 0);
+ assert (((uintptr_t) weights) % __alignof__ (weights[0]) == 0);
+@@ -106,18 +500,13 @@ STRCOLL (s1, s2, l)
+ assert (((uintptr_t) indirect) % __alignof__ (indirect[0]) == 0);
+
+ /* We need this a few times. */
+- s1len = STRLEN (s1);
+- s2len = STRLEN (s2);
++ size_t s1len = STRLEN (s1);
++ size_t s2len = STRLEN (s2);
+
+ /* Catch empty strings. */
+- if (__builtin_expect (s1len == 0, 0) || __builtin_expect (s2len == 0, 0))
++ if (__glibc_unlikely (s1len == 0) || __glibc_unlikely (s2len == 0))
+ return (s1len != 0) - (s2len != 0);
+
+- /* We need the elements of the strings as unsigned values since they
+- are used as indeces. */
+- us1 = (const USTRING_TYPE *) s1;
+- us2 = (const USTRING_TYPE *) s2;
+-
+ /* Perform the first pass over the string and while doing this find
+ and store the weights for each character. Since we want this to
+ be as fast as possible we are using `alloca' to store the temporary
+@@ -127,411 +516,124 @@ STRCOLL (s1, s2, l)
+
+ Please note that the localedef programs makes sure that `position'
+ is not used at the first level. */
+- if (! __libc_use_alloca ((s1len + s2len) * (sizeof (int32_t) + 1)))
+- {
+- idx1arr = (int32_t *) malloc ((s1len + s2len) * (sizeof (int32_t) + 1));
+- idx2arr = &idx1arr[s1len];
+- rule1arr = (unsigned char *) &idx2arr[s2len];
+- rule2arr = &rule1arr[s1len];
+-
+- if (idx1arr == NULL)
+- /* No memory. Well, go with the stack then.
+-
+- XXX Once this implementation is stable we will handle this
+- differently. Instead of precomputing the indeces we will
+- do this in time. This means, though, that this happens for
+- every pass again. */
+- goto try_stack;
+- use_malloc = 1;
+- }
+- else
+- {
+- try_stack:
+- idx1arr = (int32_t *) alloca (s1len * sizeof (int32_t));
+- idx2arr = (int32_t *) alloca (s2len * sizeof (int32_t));
+- rule1arr = (unsigned char *) alloca (s1len);
+- rule2arr = (unsigned char *) alloca (s2len);
+- }
+
+- idx1cnt = 0;
+- idx2cnt = 0;
+- idx1max = 0;
+- idx2max = 0;
+- idx1now = 0;
+- idx2now = 0;
+- backw1_stop = ~0ul;
+- backw2_stop = ~0ul;
+- backw1 = ~0ul;
+- backw2 = ~0ul;
+- seq1len = 0;
+- seq2len = 0;
+- position = rulesets[0] & sort_position;
+- while (1)
+- {
+- val1 = 0;
+- val2 = 0;
+-
+- /* Get the next non-IGNOREd element for string `s1'. */
+- if (seq1len == 0)
+- do
+- {
+- ++val1;
+-
+- if (backw1_stop != ~0ul)
+- {
+- /* The is something pushed. */
+- if (backw1 == backw1_stop)
+- {
+- /* The last pushed character was handled. Continue
+- with forward characters. */
+- if (idx1cnt < idx1max)
+- {
+- idx1now = idx1cnt;
+- backw1_stop = ~0ul;
+- }
+- else
+- /* Nothing anymore. The backward sequence ended with
+- the last sequence in the string. Note that seq1len
+- is still zero. */
+- break;
+- }
+- else
+- idx1now = --backw1;
+- }
+- else
+- {
+- backw1_stop = idx1max;
+-
+- while (*us1 != L('\0'))
+- {
+- int32_t tmp = findidx (&us1, -1);
+- rule1arr[idx1max] = tmp >> 24;
+- idx1arr[idx1max] = tmp & 0xffffff;
+- idx1cnt = idx1max++;
+-
+- if ((rulesets[rule1arr[idx1cnt] * nrules]
+- & sort_backward) == 0)
+- /* No more backward characters to push. */
+- break;
+- ++idx1cnt;
+- }
+-
+- if (backw1_stop >= idx1cnt)
+- {
+- /* No sequence at all or just one. */
+- if (idx1cnt == idx1max || backw1_stop > idx1cnt)
+- /* Note that seq1len is still zero. */
+- break;
+-
+- backw1_stop = ~0ul;
+- idx1now = idx1cnt;
+- }
+- else
+- /* We pushed backward sequences. */
+- idx1now = backw1 = idx1cnt - 1;
+- }
+- }
+- while ((seq1len = weights[idx1arr[idx1now]++]) == 0);
+-
+- /* And the same for string `s2'. */
+- if (seq2len == 0)
+- do
+- {
+- ++val2;
+-
+- if (backw2_stop != ~0ul)
+- {
+- /* The is something pushed. */
+- if (backw2 == backw2_stop)
+- {
+- /* The last pushed character was handled. Continue
+- with forward characters. */
+- if (idx2cnt < idx2max)
+- {
+- idx2now = idx2cnt;
+- backw2_stop = ~0ul;
+- }
+- else
+- /* Nothing anymore. The backward sequence ended with
+- the last sequence in the string. Note that seq2len
+- is still zero. */
+- break;
+- }
+- else
+- idx2now = --backw2;
+- }
+- else
+- {
+- backw2_stop = idx2max;
+-
+- while (*us2 != L('\0'))
+- {
+- int32_t tmp = findidx (&us2, -1);
+- rule2arr[idx2max] = tmp >> 24;
+- idx2arr[idx2max] = tmp & 0xffffff;
+- idx2cnt = idx2max++;
+-
+- if ((rulesets[rule2arr[idx2cnt] * nrules]
+- & sort_backward) == 0)
+- /* No more backward characters to push. */
+- break;
+- ++idx2cnt;
+- }
+-
+- if (backw2_stop >= idx2cnt)
+- {
+- /* No sequence at all or just one. */
+- if (idx2cnt == idx2max || backw2_stop > idx2cnt)
+- /* Note that seq1len is still zero. */
+- break;
+-
+- backw2_stop = ~0ul;
+- idx2now = idx2cnt;
+- }
+- else
+- /* We pushed backward sequences. */
+- idx2now = backw2 = idx2cnt - 1;
+- }
+- }
+- while ((seq2len = weights[idx2arr[idx2now]++]) == 0);
+-
+- /* See whether any or both strings are empty. */
+- if (seq1len == 0 || seq2len == 0)
+- {
+- if (seq1len == seq2len)
+- /* Both ended. So far so good, both strings are equal at the
+- first level. */
+- break;
+-
+- /* This means one string is shorter than the other. Find out
+- which one and return an appropriate value. */
+- result = seq1len == 0 ? -1 : 1;
+- goto free_and_return;
+- }
++ coll_seq seq1, seq2;
++ bool use_malloc = false;
++ int result = 0;
+
+- /* Test for position if necessary. */
+- if (position && val1 != val2)
+- {
+- result = val1 - val2;
+- goto free_and_return;
+- }
++ memset (&seq1, 0, sizeof (seq1));
++ seq2 = seq1;
+
+- /* Compare the two sequences. */
+- do
+- {
+- if (weights[idx1arr[idx1now]] != weights[idx2arr[idx2now]])
+- {
+- /* The sequences differ. */
+- result = weights[idx1arr[idx1now]] - weights[idx2arr[idx2now]];
+- goto free_and_return;
+- }
++ size_t size_max = SIZE_MAX / (sizeof (int32_t) + 1);
+
+- /* Increment the offsets. */
+- ++idx1arr[idx1now];
+- ++idx2arr[idx2now];
++ /* If the strings are long enough to cause overflow in the size request, then
++ skip the allocation and proceed with the non-cached routines. */
++ if (MIN (s1len, s2len) > size_max
++ || MAX (s1len, s2len) > size_max - MIN (s1len, s2len))
++ goto begin_collate;
+
+- --seq1len;
+- --seq2len;
+- }
+- while (seq1len > 0 && seq2len > 0);
++ if (! __libc_use_alloca ((s1len + s2len) * (sizeof (int32_t) + 1)))
++ {
++ seq1.idxarr = (int32_t *) malloc ((s1len + s2len) * (sizeof (int32_t) + 1));
+
+- if (position && seq1len != seq2len)
++ /* If we failed to allocate memory, we leave everything as NULL so that
++ we use the nocache version of traversal and comparison functions. */
++ if (seq1.idxarr != NULL)
+ {
+- result = seq1len - seq2len;
+- goto free_and_return;
++ seq2.idxarr = &seq1.idxarr[s1len];
++ seq1.rulearr = (unsigned char *) &seq2.idxarr[s2len];
++ seq2.rulearr = &seq1.rulearr[s1len];
++ use_malloc = true;
+ }
+ }
++ else
++ {
++ seq1.idxarr = (int32_t *) alloca (s1len * sizeof (int32_t));
++ seq2.idxarr = (int32_t *) alloca (s2len * sizeof (int32_t));
++ seq1.rulearr = (unsigned char *) alloca (s1len);
++ seq2.rulearr = (unsigned char *) alloca (s2len);
++ }
+
+- /* Now the remaining passes over the weights. We now use the
+- indeces we found before. */
+- for (pass = 1; pass < nrules; ++pass)
++ int rule;
++
++ begin_collate:
++ rule = 0;
++ /* Cache values in the first pass and if needed, use them in subsequent
++ passes. */
++ for (int pass = 0; pass < nrules; ++pass)
+ {
++ seq1.idxcnt = 0;
++ seq1.idx = 0;
++ seq2.idx = 0;
++ seq1.backw_stop = ~0ul;
++ seq1.backw = ~0ul;
++ seq2.idxcnt = 0;
++ seq2.backw_stop = ~0ul;
++ seq2.backw = ~0ul;
++
++ /* We need the elements of the strings as unsigned values since they
++ are used as indices. */
++ seq1.us = (const USTRING_TYPE *) s1;
++ seq2.us = (const USTRING_TYPE *) s2;
++
+ /* We assume that if a rule has defined `position' in one section
+ this is true for all of them. */
+- idx1cnt = 0;
+- idx2cnt = 0;
+- backw1_stop = ~0ul;
+- backw2_stop = ~0ul;
+- backw1 = ~0ul;
+- backw2 = ~0ul;
+- position = rulesets[rule1arr[0] * nrules + pass] & sort_position;
++ int position = rulesets[rule * nrules + pass] & sort_position;
+
+ while (1)
+ {
+- val1 = 0;
+- val2 = 0;
+-
+- /* Get the next non-IGNOREd element for string `s1'. */
+- if (seq1len == 0)
+- do
+- {
+- ++val1;
+-
+- if (backw1_stop != ~0ul)
+- {
+- /* The is something pushed. */
+- if (backw1 == backw1_stop)
+- {
+- /* The last pushed character was handled. Continue
+- with forward characters. */
+- if (idx1cnt < idx1max)
+- {
+- idx1now = idx1cnt;
+- backw1_stop = ~0ul;
+- }
+- else
+- {
+- /* Nothing anymore. The backward sequence
+- ended with the last sequence in the string. */
+- idx1now = ~0ul;
+- break;
+- }
+- }
+- else
+- idx1now = --backw1;
+- }
+- else
+- {
+- backw1_stop = idx1cnt;
+-
+- while (idx1cnt < idx1max)
+- {
+- if ((rulesets[rule1arr[idx1cnt] * nrules + pass]
+- & sort_backward) == 0)
+- /* No more backward characters to push. */
+- break;
+- ++idx1cnt;
+- }
+-
+- if (backw1_stop == idx1cnt)
+- {
+- /* No sequence at all or just one. */
+- if (idx1cnt == idx1max)
+- /* Note that seq1len is still zero. */
+- break;
+-
+- backw1_stop = ~0ul;
+- idx1now = idx1cnt++;
+- }
+- else
+- /* We pushed backward sequences. */
+- idx1now = backw1 = idx1cnt - 1;
+- }
+- }
+- while ((seq1len = weights[idx1arr[idx1now]++]) == 0);
+-
+- /* And the same for string `s2'. */
+- if (seq2len == 0)
+- do
+- {
+- ++val2;
+-
+- if (backw2_stop != ~0ul)
+- {
+- /* The is something pushed. */
+- if (backw2 == backw2_stop)
+- {
+- /* The last pushed character was handled. Continue
+- with forward characters. */
+- if (idx2cnt < idx2max)
+- {
+- idx2now = idx2cnt;
+- backw2_stop = ~0ul;
+- }
+- else
+- {
+- /* Nothing anymore. The backward sequence
+- ended with the last sequence in the string. */
+- idx2now = ~0ul;
+- break;
+- }
+- }
+- else
+- idx2now = --backw2;
+- }
+- else
+- {
+- backw2_stop = idx2cnt;
+-
+- while (idx2cnt < idx2max)
+- {
+- if ((rulesets[rule2arr[idx2cnt] * nrules + pass]
+- & sort_backward) == 0)
+- /* No more backward characters to push. */
+- break;
+- ++idx2cnt;
+- }
+-
+- if (backw2_stop == idx2cnt)
+- {
+- /* No sequence at all or just one. */
+- if (idx2cnt == idx2max)
+- /* Note that seq2len is still zero. */
+- break;
+-
+- backw2_stop = ~0ul;
+- idx2now = idx2cnt++;
+- }
+- else
+- /* We pushed backward sequences. */
+- idx2now = backw2 = idx2cnt - 1;
+- }
+- }
+- while ((seq2len = weights[idx2arr[idx2now]++]) == 0);
++ if (__glibc_unlikely (seq1.idxarr == NULL))
++ {
++ get_next_seq_nocache (&seq1, nrules, rulesets, weights, table,
++ extra, indirect, pass);
++ get_next_seq_nocache (&seq2, nrules, rulesets, weights, table,
++ extra, indirect, pass);
++ }
++ else if (pass == 0)
++ {
++ get_next_seq (&seq1, nrules, rulesets, weights, table, extra,
++ indirect);
++ get_next_seq (&seq2, nrules, rulesets, weights, table, extra,
++ indirect);
++ }
++ else
++ {
++ get_next_seq_cached (&seq1, nrules, pass, rulesets, weights);
++ get_next_seq_cached (&seq2, nrules, pass, rulesets, weights);
++ }
+
+ /* See whether any or both strings are empty. */
+- if (seq1len == 0 || seq2len == 0)
++ if (seq1.len == 0 || seq2.len == 0)
+ {
+- if (seq1len == seq2len)
++ if (seq1.len == seq2.len)
+ /* Both ended. So far so good, both strings are equal
+ at this level. */
+ break;
+
+ /* This means one string is shorter than the other. Find out
+ which one and return an appropriate value. */
+- result = seq1len == 0 ? -1 : 1;
++ result = seq1.len == 0 ? -1 : 1;
+ goto free_and_return;
+ }
+
+- /* Test for position if necessary. */
+- if (position && val1 != val2)
+- {
+- result = val1 - val2;
+- goto free_and_return;
+- }
+-
+- /* Compare the two sequences. */
+- do
+- {
+- if (weights[idx1arr[idx1now]] != weights[idx2arr[idx2now]])
+- {
+- /* The sequences differ. */
+- result = (weights[idx1arr[idx1now]]
+- - weights[idx2arr[idx2now]]);
+- goto free_and_return;
+- }
+-
+- /* Increment the offsets. */
+- ++idx1arr[idx1now];
+- ++idx2arr[idx2now];
+-
+- --seq1len;
+- --seq2len;
+- }
+- while (seq1len > 0 && seq2len > 0);
+-
+- if (position && seq1len != seq2len)
+- {
+- result = seq1len - seq2len;
+- goto free_and_return;
+- }
++ if (__glibc_unlikely (seq1.idxarr == NULL))
++ result = do_compare_nocache (&seq1, &seq2, position, weights);
++ else
++ result = do_compare (&seq1, &seq2, position, weights);
++ if (result != 0)
++ goto free_and_return;
+ }
++
++ if (__glibc_likely (seq1.rulearr != NULL))
++ rule = seq1.rulearr[0];
++ else
++ rule = seq1.rule;
+ }
+
+ /* Free the memory if needed. */
+ free_and_return:
+ if (use_malloc)
+- free (idx1arr);
++ free (seq1.idxarr);
+
+ return result;
+ }
diff --git a/glibc-2.18-strstr-hackfix.patch b/glibc-2.18-strstr-hackfix.patch
new file mode 100644
index 000000000000..6149f88bc6fa
--- /dev/null
+++ b/glibc-2.18-strstr-hackfix.patch
@@ -0,0 +1,13 @@
+diff --git a/sysdeps/x86_64/multiarch/strstr.c b/sysdeps/x86_64/multiarch/strstr.c
+index cd63b68..03d8b9a 100644
+--- a/sysdeps/x86_64/multiarch/strstr.c
++++ b/sysdeps/x86_64/multiarch/strstr.c
+@@ -86,7 +86,7 @@
+ /* Simple replacement of movdqu to address 4KB boundary cross issue.
+ If EOS occurs within less than 16B before 4KB boundary, we don't
+ cross to next page. */
+-static __m128i
++static inline __m128i
+ __m128i_strloadu (const unsigned char * p, __m128i zero)
+ {
+ if (__builtin_expect ((int) ((size_t) p & 0xfff) > 0xff0, 0))
diff --git a/glibc-2.18-xattr-compat-hack.patch b/glibc-2.18-xattr-compat-hack.patch
new file mode 100644
index 000000000000..7486922d7306
--- /dev/null
+++ b/glibc-2.18-xattr-compat-hack.patch
@@ -0,0 +1,19 @@
+diff -Naur glibc-2.18-orig/misc/sys/xattr.h glibc-2.18/misc/sys/xattr.h
+--- glibc-2.18-orig/misc/sys/xattr.h 2013-08-11 08:52:55.000000000 +1000
++++ glibc-2.18/misc/sys/xattr.h 2014-01-07 15:45:50.533969040 +1000
+@@ -26,13 +26,8 @@
+
+ /* The following constants should be used for the fifth parameter of
+ `*setxattr'. */
+-enum
+-{
+- XATTR_CREATE = 1, /* set value, fail if attr already exists. */
+-#define XATTR_CREATE XATTR_CREATE
+- XATTR_REPLACE = 2 /* set value, fail if attr does not exist. */
+-#define XATTR_REPLACE XATTR_REPLACE
+-};
++#define XATTR_CREATE 1
++#define XATTR_REPLACE 2
+
+ /* Set the attribute NAME of the file pointed to by PATH to VALUE (which
+ is SIZE bytes long). Return 0 on success, -1 for errors. */