This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug stdio/17269] _IO_wstr_overflow integer overflow
- From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 25 Feb 2016 19:06:39 +0000
- Subject: [Bug stdio/17269] _IO_wstr_overflow integer overflow
- Auto-submitted: auto-generated
- References: <bug-17269-131 at http dot sourceware dot org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=17269
--- Comment #9 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, release/2.20/master has been updated
via d5a4840c6b4025302f485b9271e4c72d315221f5 (commit)
via eda498975dd49f616d8af26e5224ca39c8feeb8c (commit)
via 6ef92b982aef69f05a3faa481c34699bfa55f1dd (commit)
via d5ef25a8d894fa5833854588afaacdf8771972a8 (commit)
via 9f108bbbeb8064a746cd2e1e7079f58fe3508485 (commit)
from ed99e5f9cc6471745488f269d16ee5b127944a85 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d5a4840c6b4025302f485b9271e4c72d315221f5
commit d5a4840c6b4025302f485b9271e4c72d315221f5
Author: Carlos O'Donell <carlos@systemhalted.org>
Date: Tue Feb 16 21:26:37 2016 -0500
CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665).
* A stack-based buffer overflow was found in libresolv when invoked from
libnss_dns, allowing specially crafted DNS responses to seize control
of execution flow in the DNS client. The buffer overflow occurs in
the functions send_dg (send datagram) and send_vc (send TCP) for the
NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
family. The use of AF_UNSPEC triggers the low-level resolver code to
send out two parallel queries for A and AAAA. A mismanagement of the
buffers used for those queries could result in the response of a query
writing beyond the alloca allocated buffer created by
_nss_dns_gethostbyname4_r. Buffer management is simplified to remove
the overflow. Thanks to the Google Security Team and Red Hat for
reporting the security impact of this issue, and Robert Holiday of
Ciena for reporting the related bug 18665. (CVE-2015-7547)
See also:
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html
(cherry picked from commit 16d0a0ce7613552301786bf05d7eba8784b5732c)
Conflicts:
NEWS
resolv/res_send.c
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eda498975dd49f616d8af26e5224ca39c8feeb8c
commit eda498975dd49f616d8af26e5224ca39c8feeb8c
Author: Andreas Schwab <schwab@suse.de>
Date: Thu Feb 26 14:55:24 2015 +0100
Fix read past end of pattern in fnmatch (bug 18032)
(cherry picked from commit 4a28f4d55a6cc33474c0792fe93b5942d81bf185)
Conflicts:
NEWS
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6ef92b982aef69f05a3faa481c34699bfa55f1dd
commit 6ef92b982aef69f05a3faa481c34699bfa55f1dd
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date: Sun Feb 22 12:01:47 2015 -0800
Fix BZ #17269 -- _IO_wstr_overflow integer overflow
(cherry picked from commit bdf1ff052a8e23d637f2c838fa5642d78fcedc33)
Conflicts:
NEWS
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d5ef25a8d894fa5833854588afaacdf8771972a8
commit d5ef25a8d894fa5833854588afaacdf8771972a8
Author: Florian Weimer <fweimer@redhat.com>
Date: Tue Oct 6 13:12:36 2015 +0200
Harden tls_dtor_list with pointer mangling [BZ #19018]
(cherry picked from commit f586e1328681b400078c995a0bb6ad301ef73549)
Conflicts:
NEWS
stdlib/cxa_thread_atexit_impl.c
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9f108bbbeb8064a746cd2e1e7079f58fe3508485
commit 9f108bbbeb8064a746cd2e1e7079f58fe3508485
Author: Florian Weimer <fweimer@redhat.com>
Date: Thu Oct 15 09:23:07 2015 +0200
Always enable pointer guard [BZ #18928]
Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
has security implications. This commit enables pointer guard
unconditionally, and the environment variable is now ignored.
[BZ #18928]
* sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
_dl_pointer_guard member.
* elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
initializer.
(security_init): Always set up pointer guard.
(process_envvars): Do not process LD_POINTER_GUARD.
(cherry picked from commit a014cecd82b71b70a6a843e250e06b541ad524f7)
Conflicts:
NEWS
-----------------------------------------------------------------------
Summary of changes:
ChangeLog                       |  45 +++++++
NEWS                            |  21 +++-
elf/rtld.c                      |  15 +--
libio/wstrops.c                 |   8 +-
posix/fnmatch_loop.c            |   5 +-
posix/tst-fnmatch3.c            |   8 +-
resolv/nss_dns/dns-host.c       | 111 +++++++++++++++++-
resolv/res_query.c              |   3 +
resolv/res_send.c               | 257 ++++++++++++++++++++++++++++++---------
stdlib/cxa_thread_atexit_impl.c |  12 ++-
sysdeps/generic/ldsodefs.h      |   3 -
11 files changed, 401 insertions(+), 87 deletions(-)