This is the mail archive of the glibc-cvs@sourceware.org mailing list for the glibc project.
GNU C Library master sources branch ibm/2.18/master updated. glibc-2.18-166-g3c7fb25
- From: tuliom at sourceware dot org
- To: glibc-cvs at sourceware dot org
- Date: 29 Apr 2015 17:50:07 -0000
- Subject: GNU C Library master sources branch ibm/2.18/master updated. glibc-2.18-166-g3c7fb25
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, ibm/2.18/master has been updated
via 3c7fb252298c48ef424e65fe63ea818d688f1088 (commit)
from fec49d52bbe7af00c80f014a76357f56293e42bd (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3c7fb252298c48ef424e65fe63ea818d688f1088
commit 3c7fb252298c48ef424e65fe63ea818d688f1088
Author: Arjun Shankar <arjun.is@lostca.se>
Date: Tue Apr 21 14:06:31 2015 +0200
CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow [BZ#18287]
Conflicts:
NEWS
diff --git a/ChangeLog b/ChangeLog
index f302131..f006275 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-04-21 Arjun Shankar <arjun.is@lostca.se>
+
+ [BZ #18287]
+ * resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length
+ based on padding. (CVE-2015-1781)
+
2014-06-03 Andreas Schwab <schwab@suse.de>
[BZ #15946]
diff --git a/NEWS b/NEWS
index ecccd4b..48bd9ed 100644
--- a/NEWS
+++ b/NEWS
@@ -13,7 +13,14 @@ Version 2.18.1
15723, 15734, 15735, 15797, 15892, 15895, 15909, 15915, 15917, 15946,
15996, 16072, 16150, 16169, 16387, 16414, 16430, 16431, 16510, 16617,
16618, 16885, 16916, 16943, 16958, 17048, 17137, 17187, 17325, 17625,
- 17630, 18104.
+ 17630, 18104, 18287.
+
+* A buffer overflow in gethostbyname_r and related functions performing DNS
+ requests has been fixed. If the NSS functions were called with a
+ misaligned buffer, the buffer length change due to pointer alignment was
+ not taken into account. This could result in application crashes or,
+ potentially arbitrary code execution, using crafted, but syntactically
+ valid DNS responses. (CVE-2015-1781)
* Support for powerpc64le has been added.
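Review bot: The comma placement in "potentially arbitrary code execution, using crafted, but syntactically valid DNS responses" reads awkwardly; suggest "potentially, arbitrary code execution using crafted but syntactically valid DNS responses". Since the commit message records a merge conflict in NEWS, it is worth confirming that this entry and the added bug number 18287 landed under the Version 2.18.1 heading, as the hunk header shows, rather than under a later release section on this branch.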
diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
index 9018bb9..0c9d6dc 100644
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -613,7 +613,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
int have_to_map = 0;
uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
buffer += pad;
- if (__builtin_expect (buflen < sizeof (struct host_data) + pad, 0))
+ buflen = buflen > pad ? buflen - pad : 0;
+ if (__builtin_expect (buflen < sizeof (struct host_data), 0))
{
/* The buffer is too small. */
too_small:
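Review bot: Reducing buflen by pad, rather than only folding pad into the comparison as the removed line did, is the substantive fix: `buffer += pad` moves the start of the usable region forward, so any later bounds check derived from the unadjusted buflen would overstate the remaining space by up to alignof(struct host_data) - 1 bytes, which is the overflow described in the NEWS entry. The clamp `buflen = buflen > pad ? buflen - pad : 0` is necessary because buflen is a size_t in this function; a bare `buflen -= pad` would wrap to a very large value when the caller's buffer is shorter than the padding, and the too_small path would never be taken. One nit: `buffer += pad` still executes before the length check, so on the too_small path buffer points past the caller's allocation; this is harmless as long as nothing on that path dereferences it, but moving the increment after the check would make that obvious to the next reader.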
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 6 ++++++
NEWS | 9 ++++++++-
resolv/nss_dns/dns-host.c | 3 ++-
3 files changed, 16 insertions(+), 2 deletions(-)
hooks/post-receive
--
GNU C Library master sources