This is the mail archive of the glibc-cvs@sourceware.org mailing list for the glibc project.



GNU C Library master sources branch master updated. glibc-2.21-278-g2959eda


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  2959eda9272a033863c271aff62095abd01bd4e3 (commit)
      from  7bf8fb104226407b75103b95525364c4667c869f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=2959eda9272a033863c271aff62095abd01bd4e3

commit 2959eda9272a033863c271aff62095abd01bd4e3
Author: Arjun Shankar <arjun.is@lostca.se>
Date:   Tue Apr 21 14:06:31 2015 +0200

    CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow [BZ#18287]

diff --git a/ChangeLog b/ChangeLog
index 7c3e625..26dcfc7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-04-21  Arjun Shankar  <arjun.is@lostca.se>
+
+	[BZ #18287]
+	* resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length
+	based on padding.  (CVE-2015-1781)
+
 2015-04-20  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
 
 	* nptl/pthread_cond_timedwait.c: Change include bits/libc-vdso.h to just
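Review bot: the entry describes the symptom rather than the defect; "Adjust buffer length based on padding" does not tell a reader of the ChangeLog that the alignment padding consumed by `buffer += pad` was never subtracted from `buflen`. Consider wording it as "(getanswer_r): Subtract alignment padding from buflen after aligning buffer" so the entry matches the actual change in the dns-host.c hunk. The entry also omits the NEWS update that this commit makes, which the glibc ChangeLog normally lists alongside the source files it touches.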
diff --git a/NEWS b/NEWS
index 2bbd6a3..ccc4d13 100644
--- a/NEWS
+++ b/NEWS
@@ -16,7 +16,14 @@ Version 2.22
   17969, 17978, 17987, 17991, 17996, 17998, 17999, 18019, 18020, 18029,
   18030, 18032, 18036, 18038, 18039, 18042, 18043, 18046, 18047, 18068,
   18080, 18093, 18100, 18104, 18110, 18111, 18128, 18138, 18185, 18197,
-  18206, 18210, 18211, 18247.
+  18206, 18210, 18211, 18247, 18287.
+
+* A buffer overflow in gethostbyname_r and related functions performing DNS
+  requests has been fixed.  If the NSS functions were called with a
+  misaligned buffer, the buffer length change due to pointer alignment was
+  not taken into account.  This could result in application crashes or,
+  potentially arbitrary code execution, using crafted, but syntactically
+  valid DNS responses.  (CVE-2015-1781)
 
 * A powerpc and powerpc64 optimization for TLS, similar to TLS descriptors
   for LD and GD on x86 and x86-64, has been implemented.  You will need
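Review bot: the second paragraph of the new NEWS item reads awkwardly because of the comma placement in "application crashes or, potentially arbitrary code execution, using crafted, but syntactically valid DNS responses"; "or, potentially, arbitrary code execution when processing crafted but syntactically valid DNS responses" keeps the same meaning and is easier to parse. The phrase "misaligned buffer" is also slightly misleading on its own: the overflow was not in the caller's buffer handling but in getanswer_r, which advanced the buffer pointer for alignment without reducing the usable length, so any caller passing a buffer that happened to be unaligned for `struct host_data` was affected. Stating that explicitly would help distributors assess which binaries need the fix.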
diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
index b16b0dd..d8c5579 100644
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
   int have_to_map = 0;
   uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
   buffer += pad;
-  if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))
+  buflen = buflen > pad ? buflen - pad : 0;
+  if (__glibc_unlikely (buflen < sizeof (struct host_data)))
     {
       /* The buffer is too small.  */
     too_small:
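Review bot: the fix is correct and the saturating form `buflen = buflen > pad ? buflen - pad : 0;` is the right choice, since `buflen` is unsigned and a plain `buflen -= pad` would wrap to a huge value whenever the caller's buffer was shorter than the padding, turning the too_small check into a pass. The old code compared `buflen < sizeof (struct host_data) + pad` only at this one point and then left `buflen` unchanged, so every later bounds computation in getanswer_r believed it had up to `pad` more bytes than actually remained after `buffer += pad`; subtracting the padding once here is what closes that gap for all subsequent uses. Two follow-ups worth requesting: a one-line comment above the new assignment explaining that the padding has been consumed and must come off the length, and a regression test that calls the affected NSS entry point with a deliberately unaligned buffer sized just at the limit, since the summary shows no test file in this commit.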

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                 |    6 ++++++
 NEWS                      |    9 ++++++++-
 resolv/nss_dns/dns-host.c |    3 ++-
 3 files changed, 16 insertions(+), 2 deletions(-)


hooks/post-receive
-- 
GNU C Library master sources

