This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug network/18007] nss state sharing causes application denial of service (CVE-2014-8121)


https://sourceware.org/bugzilla/show_bug.cgi?id=18007

--- Comment #12 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, ibm/2.18/master has been updated
       via  335863ea7cbc2c4c2a1947039565b781cf488a8f (commit)
       via  53d405329ab189725e72b317f18cd939c6ad240a (commit)
      from  3c7fb252298c48ef424e65fe63ea818d688f1088 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=335863ea7cbc2c4c2a1947039565b781cf488a8f

commit 335863ea7cbc2c4c2a1947039565b781cf488a8f
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Mar 25 16:35:46 2015 +0100

    Separate internal state between getXXent and getXXbyYY NSS calls (bug 18007)

    Conflicts:
        NEWS
        nss/nss_files/files-hosts.c

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=53d405329ab189725e72b317f18cd939c6ad240a

commit 53d405329ab189725e72b317f18cd939c6ad240a
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Apr 29 14:41:25 2015 +0200

    CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007]

    Robin Hack discovered Samba would enter an infinite loop processing
    certain quota-related requests.  We eventually tracked this down to a
    glibc issue.

    Running a (simplified) test case under strace shows that /etc/passwd
    is continuously opened and closed:

    …
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
    lseek(3, 2717, SEEK_SET)                = 2717
    close(3)                                = 0
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    lseek(3, 0, SEEK_SET)                   = 0
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
    lseek(3, 2717, SEEK_SET)                = 2717
    close(3)                                = 0
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    …

    The lookup function implementation in
    nss/nss_files/files-XXX.c:DB_LOOKUP has code to prevent that.  It is
    supposed to skip closing the input file if it was already open.

      /* Reset file pointer to beginning or open file.  */                     \
      status = internal_setent (keep_stream);                                  \
                                                                               \
      if (status == NSS_STATUS_SUCCESS)                                        \
        {                                                                      \
          /* Tell getent function that we have repositioned the file pointer. */ \
          last_use = getby;                                                    \
                                                                               \
          while ((status = internal_getent (result, buffer, buflen, errnop     \
                                        H_ERRNO_ARG EXTRA_ARGS_VALUE))         \
             == NSS_STATUS_SUCCESS)                                            \
        { break_if_match }                                                     \
                                                                               \
          if (! keep_stream)                                                   \
        internal_endent ();                                                    \
        }                                                                      \

    keep_stream is initialized from the stayopen flag in internal_setent.
    internal_setent is called from the set*ent implementation as:

      status = internal_setent (stayopen);

    However, for non-host databases, this flag is always 0, per the
    STAYOPEN magic in nss/getXXent_r.c.

    Thus, the fix is this:

    -  status = internal_setent (stayopen);
    +  status = internal_setent (1);
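Review bot: with `internal_setent (1)` the stream opened by the set*ent path is now kept open across subsequent getXXbyYY lookups, so for the non-host databases (where the flag used to be forced to 0) the only remaining close path is an explicit endXXent; the commit text argues the hosts case is unchanged via sethostent(0)/gethostent, but the same lifetime reasoning should be stated for passwd/group/shadow, i.e. that an application which calls setpwent and never endpwent now holds the /etc/passwd descriptor open rather than having it closed after each by-name lookup, and that this is the intended behaviour rather than a descriptor leak.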

    This is not a behavioral change even for the hosts database (where the
    application can specify the stayopen flag) because with a call to
    sethostent(0), the file handle is still not closed in the
    implementation of gethostent.

    Conflicts:
        NEWS

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                    |   46 ++++++++++++++++
 NEWS                         |    6 ++-
 nis/nss_compat/compat-grp.c  |    6 +-
 nis/nss_compat/compat-pwd.c  |    6 +-
 nis/nss_compat/compat-spwd.c |   16 +++---
 nss/Makefile                 |    2 +-
 nss/nss_files/files-XXX.c    |  109 ++++++++++-----------------------------
 nss/nss_files/files-alias.c  |   90 ++++++++++----------------------
 nss/nss_files/files-hosts.c  |   44 +++++----------
 nss/tst-nss-getpwent.c       |  118 ++++++++++++++++++++++++++++++++++++++++++
 10 files changed, 255 insertions(+), 188 deletions(-)
 create mode 100644 nss/tst-nss-getpwent.c

-- 
You are receiving this mail because:
You are on the CC list for the bug.
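The Samba pattern from the report, enumerating with getpwent() while doing a by-name lookup for every entry, can be reproduced and checked from user space. The following is an added example written for this page; it is not the glibc test (nss/tst-nss-getpwent.c) nor Samba's code. It assumes a readable passwd database served through nss_files and caps the walk at a constructed limit of 100000 entries so that a glibc still carrying bug 18007 reports the wrap-around instead of spinning forever; the function names and return codes are this example's own.

```c
#define _GNU_SOURCE
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define NAME_MAX_LEN 256
#define LOOKUP_BUF_LEN 4096

/* Count passwd entries with a plain setpwent()/getpwent()/endpwent() walk,
   capped at MAX_STEPS so that a broken NSS never hangs the caller. */
int count_passwd_entries(int max_steps)
{
    int seen = 0;
    setpwent();
    while (seen < max_steps && getpwent() != NULL)
        seen++;
    endpwent();
    return seen;
}

/* Same walk, but after every getpwent() perform a getpwnam_r() lookup of the
   entry just returned (the Samba pattern).  On a glibc with bug 18007 the
   by-name lookup rewinds and closes the nss_files stream, so the next
   getpwent() reopens /etc/passwd and hands back the first entry again.
   Returns the number of entries seen; *RESTARTED is set to 1 if the first
   entry came back a second time (the walk is then abandoned). */
int walk_passwd_with_interleaved_lookup(int max_steps, int *restarted)
{
    char first_name[NAME_MAX_LEN] = "";
    uid_t first_uid = 0;
    int seen = 0;
    struct passwd *pw;

    *restarted = 0;
    setpwent();
    while (seen < max_steps && (pw = getpwent()) != NULL) {
        /* getpwent() returns static storage; copy the key before making
           another NSS call that may overwrite it. */
        char name[NAME_MAX_LEN];
        uid_t uid = pw->pw_uid;
        snprintf(name, sizeof name, "%s", pw->pw_name);

        if (seen == 0) {
            snprintf(first_name, sizeof first_name, "%s", name);
            first_uid = uid;
        } else if (uid == first_uid && strcmp(name, first_name) == 0) {
            *restarted = 1;   /* enumeration wrapped around: the CVE behaviour */
            break;
        }
        seen++;

        /* The interleaved by-name lookup.  Its result is not needed; only
           its side effect on the shared enumeration state matters here. */
        struct passwd pwbuf, *res = NULL;
        char buf[LOOKUP_BUF_LEN];
        (void) getpwnam_r(name, &pwbuf, buf, sizeof buf, &res);
    }
    endpwent();
    return seen;
}

/*  0: enumeration unaffected by interleaved lookups (fixed glibc).
    1: the first entry was returned again (bug 18007 present).
    2: no wrap-around seen but the two entry counts differ.
   -1: the passwd database yielded no entries, nothing to test. */
int check_nss_iteration(void)
{
    enum { MAX_STEPS = 100000 };   /* constructed cap, see lead-in */
    int restarted = 0;
    int plain = count_passwd_entries(MAX_STEPS);
    int interleaved = walk_passwd_with_interleaved_lookup(MAX_STEPS, &restarted);

    if (plain == 0)
        return -1;
    if (restarted)
        return 1;
    if (plain != interleaved)
        return 2;
    return 0;
}

int main(void)
{
    int rc = check_nss_iteration();
    printf("%d entries; interleaved getpwnam_r check: %s\n",
           count_passwd_entries(100000),
           rc == 0 ? "ok"
           : rc == 1 ? "iteration restarted (bug 18007)"
           : rc == 2 ? "entry count mismatch" : "no entries");
    return rc == 0 ? 0 : 1;
}
```

Running the binary under `strace -e trace=open,openat,close` on an unfixed glibc shows the repeated open/close of /etc/passwd quoted in the commit message; on a fixed glibc the file is opened once per walk and the two counts agree. The static-buffer copy is not optional: getpwent() and the by-name family share nothing in the reentrant variants, but a plain getpwnam() in the loop would overwrite the pointer the caller is still using.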
