This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[Bug network/18665] In send_dg, the recvfrom function is NOT always using the buffer size of a newly created buffer (CVE-2015-7547)


https://sourceware.org/bugzilla/show_bug.cgi?id=18665

--- Comment #13 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, gentoo/2.22 has been updated
       via  258e9043d8f1a2dafac3754c651b46da1ccb7dba (commit)
      from  306df6aa9518318ddd740ebfe016e73e31e08857 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=258e9043d8f1a2dafac3754c651b46da1ccb7dba

commit 258e9043d8f1a2dafac3754c651b46da1ccb7dba
Author: Carlos O'Donell <carlos@systemhalted.org>
Date:   Tue Feb 16 21:26:37 2016 -0500

    CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665).

    * A stack-based buffer overflow was found in libresolv when invoked from
      libnss_dns, allowing specially crafted DNS responses to seize control
      of execution flow in the DNS client.  The buffer overflow occurs in
      the functions send_dg (send datagram) and send_vc (send TCP) for the
      NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
      family.  The use of AF_UNSPEC triggers the low-level resolver code to
      send out two parallel queries for A and AAAA.  A mismanagement of the
      buffers used for those queries could result in the response of a query
      writing beyond the alloca allocated buffer created by
      _nss_dns_gethostbyname4_r.  Buffer management is simplified to remove
      the overflow.  Thanks to the Google Security Team and Red Hat for
      reporting the security impact of this issue, and Robert Holiday of
      Ciena for reporting the related bug 18665. (CVE-2015-7547)

    See also:
    https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
    https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html

    (cherry picked from commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca)
    (cherry picked from commit b995d95a5943785be3ab862b2d3276f3b4a22481)

-----------------------------------------------------------------------

Summary of changes:
 resolv/nss_dns/dns-host.c |  111 +++++++++++++++++++-
 resolv/res_query.c        |    3 +
 resolv/res_send.c         |  264 +++++++++++++++++++++++++++++++++------------
 3 files changed, 309 insertions(+), 69 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]