This is the mail archive of the glibc-cvs@sourceware.org mailing list for the glibc project.



GNU C Library master sources branch release/2.19/master updated. glibc-2.19-55-ga02f3e7


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.19/master has been updated
       via  a02f3e795993ae0f80242b488061b74666605625 (commit)
      from  78c76f7374df7f3caff43840a01247bb7d25597e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a02f3e795993ae0f80242b488061b74666605625

commit a02f3e795993ae0f80242b488061b74666605625
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Mar 29 12:57:56 2016 +0200

    CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ #19879]
    
    The defensive copy is not needed because the name may not alias the
    output buffer.
    
    (cherry picked from commit 317b199b4aff8cfa27f2302ab404d2bb5032b9a4)

diff --git a/ChangeLog b/ChangeLog
index 9907019..685dd90 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-04-01  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #19879]
+	CVE-2016-3075
+	* resolv/nss_dns/dns-network.c (_nss_dns_getnetbyname_r): Do not
+	copy name.
+
 2016-02-12  Florian Weimer  <fweimer@redhat.com>
 
 	* misc/bug18240.c (do_test): Set RLIMIT_AS.
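Review bot: the new entry is dated 2016-04-01 while the commit's author date is 2016-03-29; that is expected for a cherry-pick onto the release branch, but the entry only records the dns-network.c change although this patch also edits NEWS. Suggest adding a line such as `* NEWS: Mention CVE-2016-3075 (BZ #19879).` so the ChangeLog matches the files actually touched.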
diff --git a/NEWS b/NEWS
index 0d1952c..d7da53f 100644
--- a/NEWS
+++ b/NEWS
@@ -12,7 +12,7 @@ Version 2.19.1
   15946, 16545, 16574, 16623, 16657, 16695, 16743, 16758, 16759, 16760,
   16878, 16882, 16885, 16916, 16932, 16943, 16958, 17048, 17062, 17069,
   17079, 17137, 17153, 17213, 17263, 17269, 17325, 17555, 17905, 18007,
-  18032, 18240, 18287, 18905.
+  18032, 18240, 18287, 18905, 19879.
 
 * A buffer overflow in gethostbyname_r and related functions performing DNS
   requests has been fixed.  If the NSS functions were called with a
@@ -63,6 +63,11 @@ Version 2.19.1
   the get*ent functions if any of the query functions for the same database
   are used during the iteration, causing a denial-of-service condition in
   some applications.
+
+* The getnetbyname implementation in nss_dns had a potentially unbounded
+  alloca call (in the form of a call to strdupa), leading to a stack
+  overflow (stack exhaustion) and a crash if getnetbyname is invoked
+  on a very long name.  (CVE-2016-3075)
 
 Version 2.19
 
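Review bot: the entry describes the defect precisely (an unbounded alloca via strdupa causing stack exhaustion rather than a buffer overwrite), but it does not state the impact from the caller's side. Suggest adding that the result is a denial of service for any application that passes attacker-controlled names to getnetbyname or getnetbyname_r, and citing the bug number ([BZ #19879], which the hunk above adds to the fixed-bug list) next to the CVE so the two references can be cross-checked.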
diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c
index 13ad38c..37de664 100644
--- a/resolv/nss_dns/dns-network.c
+++ b/resolv/nss_dns/dns-network.c
@@ -118,17 +118,14 @@ _nss_dns_getnetbyname_r (const char *name, struct netent *result,
   } net_buffer;
   querybuf *orig_net_buffer;
   int anslen;
-  char *qbuf;
   enum nss_status status;
 
   if (__res_maybe_init (&_res, 0) == -1)
     return NSS_STATUS_UNAVAIL;
 
-  qbuf = strdupa (name);
-
   net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024);
 
-  anslen = __libc_res_nsearch (&_res, qbuf, C_IN, T_PTR, net_buffer.buf->buf,
+  anslen = __libc_res_nsearch (&_res, name, C_IN, T_PTR, net_buffer.buf->buf,
 			       1024, &net_buffer.ptr, NULL, NULL, NULL, NULL);
   if (anslen < 0)
     {
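Review bot: removing the strdupa copy is only sound because __libc_res_nsearch receives the query name as `const char *` and never writes through it; the commit message asserts that `name` cannot alias the output buffer, so confirm the callee's prototype is const-qualified, otherwise passing `name` directly would now warn or need a cast. No regression test accompanies the fix; a test calling getnetbyname_r with a very long name (large enough to exceed the stack limit) would catch a reintroduction of the unbounded alloca. The remaining `alloca (1024)` for net_buffer is fixed-size and independent of the name length, so it is unaffected by this change.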

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                    |    7 +++++++
 NEWS                         |    7 ++++++-
 resolv/nss_dns/dns-network.c |    5 +----
 3 files changed, 14 insertions(+), 5 deletions(-)


hooks/post-receive
-- 
GNU C Library master sources