This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/17905] catopen() Multiple unbounded stack allocations (CVE-2015-8779)


https://sourceware.org/bugzilla/show_bug.cgi?id=17905

--- Comment #9 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.20/master has been updated
       via  916ef0f69613613e11123657bff127bd26104630 (commit)
       via  afc4daae0411d10e5d64646d5bafb05075e16151 (commit)
       via  c5bbc09ccc07fb9b61b7f0f5bf531d7c8c164469 (commit)
       via  902072efdbb724cea105f60842c4862070d7862e (commit)
       via  03e3ee42d64388243aed95b7702007640dcdd5b5 (commit)
       via  3822125d1c520d5bb5e33cd9254a902d52d4eb19 (commit)
       via  75cf90eb20d98270ea3903baefb75647ae61fd3f (commit)
       via  1029487ab3b2ef65ec9364cb15c44ee9c571224f (commit)
      from  edbab2450a084a275d418fba871a8c7b48001a71 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=916ef0f69613613e11123657bff127bd26104630

commit 916ef0f69613613e11123657bff127bd26104630
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Mar 29 12:57:56 2016 +0200

    CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ #19879]

    The defensive copy is not needed because the name may not alias the
    output buffer.

    (cherry picked from commit 317b199b4aff8cfa27f2302ab404d2bb5032b9a4)
    (cherry picked from commit f5b3338d70a7a2c626331ac4589b6deb2f610432)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=afc4daae0411d10e5d64646d5bafb05075e16151

commit afc4daae0411d10e5d64646d5bafb05075e16151
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date:   Sat Aug 8 15:53:03 2015 -0700

    Fix BZ #17905

    (cherry picked from commit 0f58539030e436449f79189b6edab17d7479796e)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c5bbc09ccc07fb9b61b7f0f5bf531d7c8c164469

commit c5bbc09ccc07fb9b61b7f0f5bf531d7c8c164469
Author: Florian Weimer <fweimer@redhat.com>
Date:   Fri Feb 12 12:57:40 2016 +0100

    hsearch_r: Apply VM size limit in test case

    (cherry picked from commit f34f146e682d8d529dcf64b3c2781bf3f2f05f6c)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=902072efdbb724cea105f60842c4862070d7862e

commit 902072efdbb724cea105f60842c4862070d7862e
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Jan 28 13:59:11 2016 +0100

    Improve check against integer wraparound in hcreate_r [BZ #18240]

    (cherry picked from commit bae7c7c764413b23e61cb099ce33be4c4ee259bb)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=03e3ee42d64388243aed95b7702007640dcdd5b5

commit 03e3ee42d64388243aed95b7702007640dcdd5b5
Author: Ondřej Bílka <neleai@seznam.cz>
Date:   Sat Jul 11 17:44:10 2015 +0200

    Handle overflow in __hcreate_r

    Hi,

    As in the bugzilla entry, there is an overflow in hsearch when looking for a
    prime number, as SIZE_MAX - 1 is divisible by 5. We fix that by rejecting
    large inputs before looking for a prime.

        * misc/hsearch_r.c (__hcreate_r): Handle overflow.

    (cherry picked from commit 2f5c1750558fe64bac361f52d6827ab1bcfe52bc)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3822125d1c520d5bb5e33cd9254a902d52d4eb19

commit 3822125d1c520d5bb5e33cd9254a902d52d4eb19
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed May 4 12:09:35 2016 +0200

    CVE-2016-1234: glob: Do not copy d_name field of struct dirent [BZ #19779]

    Instead, we store the data we need from the return value of
    readdir in an object of the new type struct readdir_result.
    This type is independent of the layout of struct dirent.

    (cherry picked from commit 5171f3079f2cc53e0548fc4967361f4d1ce9d7ea)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=75cf90eb20d98270ea3903baefb75647ae61fd3f

commit 75cf90eb20d98270ea3903baefb75647ae61fd3f
Author: Florian Weimer <fweimer@redhat.com>
Date:   Fri Apr 29 09:33:07 2016 +0200

    glob: Simplify the interface for the GLOB_ALTDIRFUNC callback gl_readdir

    Previously, application code had to set up the d_namlen member if
    the target supported it, involving conditional compilation.  After
    this change, glob will use the length of the string in d_name instead
    of d_namlen to determine the file name length.  All glibc targets
    provide the d_type and d_ino members, and setting them as needed for
    gl_readdir is straightforward.

    Changing the behavior with regards to d_ino is left to a future
    cleanup.

    (cherry picked from commit 137fe72eca6923a00381a3ca9f0e7672c1f85e3f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1029487ab3b2ef65ec9364cb15c44ee9c571224f

commit 1029487ab3b2ef65ec9364cb15c44ee9c571224f
Author: Florian Weimer <fweimer@redhat.com>
Date:   Fri Apr 29 10:35:34 2016 +0200

    CVE-2016-3706: getaddrinfo: stack overflow in hostent conversion [BZ #20010]

    When converting a struct hostent response to struct gaih_addrtuple, the
    gethosts macro (which is called from gaih_inet) used alloca, without
    malloc fallback for large responses.  This commit changes this code to
    use calloc unconditionally.

    This commit also consolidated a second hostent-to-gaih_addrtuple
    conversion loop (in gaih_inet) to use the new conversion function.

    (cherry picked from commit 4ab2ab03d4351914ee53248dc5aef4a8c88ff8b9)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                             |   87 ++++++++++++
 NEWS                                  |   17 ++-
 catgets/Makefile                      |    9 +-
 catgets/catgets.c                     |   19 ++-
 catgets/open_catalog.c                |   23 ++--
 catgets/tst-catgets.c                 |   31 ++++
 manual/examples/mkdirent.c            |   42 ++++++
 manual/pattern.texi                   |   39 +++++-
 misc/Makefile                         |    3 +-
 misc/bug18240.c                       |   97 +++++++++++++
 misc/hsearch_r.c                      |   30 +++--
 posix/bug-glob2.c                     |   16 ++-
 posix/glob.c                          |  243 +++++++++++++++++----------------
 posix/tst-gnuglob.c                   |    2 +-
 resolv/nss_dns/dns-network.c          |    5 +-
 sysdeps/posix/getaddrinfo.c           |  130 +++++++++--------
 sysdeps/unix/sysv/linux/i386/glob64.c |   22 +++
 17 files changed, 596 insertions(+), 219 deletions(-)
 create mode 100644 manual/examples/mkdirent.c
 create mode 100644 misc/bug18240.c

-- 
You are receiving this mail because:
You are on the CC list for the bug.
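The hcreate_r commits above describe the fix as rejecting large inputs before the prime search so that the odd-number walk cannot wrap size_t. As an added example (not glibc's own code), the hypothetical table_size_checked() below shows one such bound in C; the cap, the helper names and the 16-byte slot size are this example's own assumptions, not glibc's values.

```c
/* Added example, not glibc's own code: a hash-table sizing routine in the
 * style the hcreate_r commits describe.  The hypothetical table_size_checked()
 * rejects oversized requests before the odd-number prime walk, so the walk
 * cannot wrap size_t and a later slot allocation cannot overflow either. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Trial division for an odd number >= 3.  Comparing div <= number / div
 * rather than div * div < number keeps the test itself overflow-free. */
static int is_prime (size_t number)
{
  for (size_t div = 3; div <= number / div; div += 2)
    if (number % div == 0)
      return 0;
  return 1;
}

/* Store the first prime >= nel (at least 3) in *out and return 1, or return
 * 0 with errno = ENOMEM when nel is too large for a table of entry_size-byte
 * slots.  With nel < SIZE_MAX / entry_size / 2, Bertrand's postulate puts the
 * prime below 2 * nel, so the walk never wraps and prime * entry_size fits. */
int table_size_checked (size_t nel, size_t entry_size, size_t *out)
{
  if (nel < 3)
    nel = 3;                      /* the hash functions need >= 3 slots */
  if (entry_size == 0 || nel >= SIZE_MAX / entry_size / 2) {
    errno = ENOMEM;               /* rejected before any prime search */
    return 0;
  }
  nel |= 1;                       /* odd starting candidate */
  while (!is_prime (nel))
    nel += 2;
  *out = nel;
  return 1;
}

int main (void)
{
  /* Constructed sample requests: small sizes plus one near SIZE_MAX.  */
  static const size_t req[] = { 1, 10, 1000, SIZE_MAX - 1 };
  for (size_t i = 0; i < sizeof req / sizeof req[0]; i++) {
    size_t n;
    if (table_size_checked (req[i], 16, &n))
      printf ("nel=%zu -> %zu slots\n", req[i], n);
    else
      printf ("nel=%zu rejected (ENOMEM)\n", req[i]);
  }
  return 0;
}
```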
