This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug network/20010] getaddrinfo: Stack overflow in hostent translation (CVE-2016-3706)


https://sourceware.org/bugzilla/show_bug.cgi?id=20010

--- Comment #5 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.19/master has been updated
       via  762aafec34478bcef01a16acf1959732ab8bb2b6 (commit)
       via  e97fb84811238c627f93e5e703a11eb841601947 (commit)
       via  5ae82aa4bf45cdaafeb1c25e09897eabff210de9 (commit)
      from  05cc5bbd3cf037daee848c11792a6471de01298d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=762aafec34478bcef01a16acf1959732ab8bb2b6

commit 762aafec34478bcef01a16acf1959732ab8bb2b6
Author: Florian Weimer <fweimer@redhat.com>
Date:   Fri Apr 29 10:35:34 2016 +0200

    CVE-2016-3706: getaddrinfo: stack overflow in hostent conversion [BZ #20010]

    When converting a struct hostent response to struct gaih_addrtuple, the
    gethosts macro (which is called from gaih_inet) used alloca, without
    malloc fallback for large responses.  This commit changes this code to
    use calloc unconditionally.

    This commit also consolidated a second hostent-to-gaih_addrtuple
    conversion loop (in gaih_inet) to use the new conversion function.

    (cherry picked from commit 4ab2ab03d4351914ee53248dc5aef4a8c88ff8b9)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e97fb84811238c627f93e5e703a11eb841601947

commit e97fb84811238c627f93e5e703a11eb841601947
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed May 4 12:09:35 2016 +0200

    CVE-2016-1234: glob: Do not copy d_name field of struct dirent [BZ #19779]

    Instead, we store the data we need from the return value of
    readdir in an object of the new type struct readdir_result.
    This type is independent of the layout of struct dirent.

    (cherry picked from commit 5171f3079f2cc53e0548fc4967361f4d1ce9d7ea)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5ae82aa4bf45cdaafeb1c25e09897eabff210de9

commit 5ae82aa4bf45cdaafeb1c25e09897eabff210de9
Author: Florian Weimer <fweimer@redhat.com>
Date:   Fri Apr 29 09:33:07 2016 +0200

    glob: Simplify the interface for the GLOB_ALTDIRFUNC callback gl_readdir

    Previously, application code had to set up the d_namlen member if
    the target supported it, involving conditional compilation.  After
    this change, glob will use the length of the string in d_name instead
    of d_namlen to determine the file name length.  All glibc targets
    provide the d_type and d_ino members, and setting them as needed for
    gl_readdir is straightforward.

    Changing the behavior with regards to d_ino is left to a future
    cleanup.

    (cherry picked from commit 137fe72eca6923a00381a3ca9f0e7672c1f85e3f)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                             |   46 ++++++
 NEWS                                  |   11 ++-
 manual/examples/mkdirent.c            |   42 ++++++
 manual/pattern.texi                   |   39 +++++-
 posix/bug-glob2.c                     |   16 ++-
 posix/glob.c                          |  243 +++++++++++++++++----------------
 posix/tst-gnuglob.c                   |    2 +-
 sysdeps/posix/getaddrinfo.c           |  130 +++++++++--------
 sysdeps/unix/sysv/linux/i386/glob64.c |   22 +++
 9 files changed, 367 insertions(+), 184 deletions(-)
 create mode 100644 manual/examples/mkdirent.c

-- 
You are receiving this mail because:
You are on the CC list for the bug.
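The first commit above replaces an alloca-based conversion of a struct hostent into address tuples with unconditional calloc, so that a very large resolver response lands on the heap instead of growing the stack without bound. The following C program is an added example written for this page, not glibc's code: the struct addr_tuple type and the hostent_to_tuples and large_response_ok functions are hypothetical stand-ins for glibc's internal gaih_addrtuple handling, and the hostent contents are constructed sample data. It shows the safe shape of the conversion (size derived from a counted NULL-terminated list, heap allocation with calloc's built-in multiplication overflow check, validation of h_length against the address family) and exercises it with a response large enough that an alloca-based version would have been a problem.

```c
/* Added example (not glibc code): convert a struct hostent's address list
   into a heap-allocated tuple array using calloc unconditionally, in the
   spirit of the CVE-2016-3706 fix.  The identifiers addr_tuple,
   hostent_to_tuples and large_response_ok are hypothetical. */
#include <netdb.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for glibc's struct gaih_addrtuple. */
struct addr_tuple {
    int family;          /* AF_INET or AF_INET6 */
    uint8_t addr[16];    /* 4 or 16 significant bytes */
};

/* Count entries in the NULL-terminated h_addr_list. */
static size_t count_addrs(const struct hostent *h) {
    size_t n = 0;
    while (h->h_addr_list[n] != NULL)
        n++;
    return n;
}

/* Convert h->h_addr_list into a calloc'ed array.  Returns the array (caller
   frees it) or NULL on error; *out_count receives the entry count.  The
   allocation size scales with the response, so it must not live on the
   stack: calloc is used for every response, large or small, and its own
   overflow check covers the n * sizeof computation. */
struct addr_tuple *hostent_to_tuples(const struct hostent *h, size_t *out_count) {
    *out_count = 0;
    if (h == NULL || h->h_addr_list == NULL)
        return NULL;
    /* Reject an h_length that does not match the family before copying. */
    size_t addrlen = (size_t) h->h_length;
    if (!((h->h_addrtype == AF_INET && addrlen == 4) ||
          (h->h_addrtype == AF_INET6 && addrlen == 16)))
        return NULL;
    size_t n = count_addrs(h);
    if (n == 0)
        return NULL;
    struct addr_tuple *tuples = calloc(n, sizeof *tuples);
    if (tuples == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        tuples[i].family = h->h_addrtype;
        memcpy(tuples[i].addr, h->h_addr_list[i], addrlen);
    }
    *out_count = n;
    return tuples;
}

/* Build a constructed response with n IPv6 addresses on the heap, as a
   real resolver result would be, and check that conversion handles it.
   Returns 1 on success, 0 on failure. */
int large_response_ok(size_t n) {
    char *storage = calloc(n, 16);
    char **list = calloc(n + 1, sizeof *list);
    if (storage == NULL || list == NULL) {
        free(storage);
        free(list);
        return 0;
    }
    for (size_t i = 0; i < n; i++)
        list[i] = storage + i * 16;
    list[n] = NULL;
    struct hostent h = { .h_addrtype = AF_INET6, .h_length = 16, .h_addr_list = list };
    size_t count = 0;
    struct addr_tuple *t = hostent_to_tuples(&h, &count);
    int ok = (t != NULL && count == n);
    free(t);
    free(list);
    free(storage);
    return ok;
}

/* Constructed sample: a hostent with two IPv4 addresses (192.0.2.1, 192.0.2.2). */
static char addr0[4] = { (char) 192, 0, 2, 1 };
static char addr1[4] = { (char) 192, 0, 2, 2 };
static char *sample_list[] = { addr0, addr1, NULL };
struct hostent sample_host = {
    .h_name = "example.test",
    .h_aliases = NULL,
    .h_addrtype = AF_INET,
    .h_length = 4,
    .h_addr_list = sample_list,
};

int main(void) {
    size_t n = 0;
    struct addr_tuple *t = hostent_to_tuples(&sample_host, &n);
    printf("converted %zu tuples, large response ok: %d\n", n, large_response_ok(200000));
    free(t);
    return 0;
}
```

The constructed 200000-entry response in large_response_ok is roughly 4 MB of tuples once converted, which is well past a typical 8 MB stack's comfort zone once the rest of the resolver's frames are counted; with calloc it is just an ordinary heap allocation that either succeeds or fails cleanly.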
