This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug nptl/19018] Mangle function pointers in tls_dtor_list


https://sourceware.org/bugzilla/show_bug.cgi?id=19018

--- Comment #7 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.20/master has been updated
       via  d5a4840c6b4025302f485b9271e4c72d315221f5 (commit)
       via  eda498975dd49f616d8af26e5224ca39c8feeb8c (commit)
       via  6ef92b982aef69f05a3faa481c34699bfa55f1dd (commit)
       via  d5ef25a8d894fa5833854588afaacdf8771972a8 (commit)
       via  9f108bbbeb8064a746cd2e1e7079f58fe3508485 (commit)
      from  ed99e5f9cc6471745488f269d16ee5b127944a85 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d5a4840c6b4025302f485b9271e4c72d315221f5

commit d5a4840c6b4025302f485b9271e4c72d315221f5
Author: Carlos O'Donell <carlos@systemhalted.org>
Date:   Tue Feb 16 21:26:37 2016 -0500

    CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665).

    * A stack-based buffer overflow was found in libresolv when invoked from
      libnss_dns, allowing specially crafted DNS responses to seize control
      of execution flow in the DNS client.  The buffer overflow occurs in
      the functions send_dg (send datagram) and send_vc (send TCP) for the
      NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
      family.  The use of AF_UNSPEC triggers the low-level resolver code to
      send out two parallel queries for A and AAAA.  A mismanagement of the
      buffers used for those queries could result in the response of a query
      writing beyond the alloca allocated buffer created by
      _nss_dns_gethostbyname4_r.  Buffer management is simplified to remove
      the overflow.  Thanks to the Google Security Team and Red Hat for
      reporting the security impact of this issue, and Robert Holiday of
      Ciena for reporting the related bug 18665. (CVE-2015-7547)

    See also:
    https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
    https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html

    (cherry picked from commit 16d0a0ce7613552301786bf05d7eba8784b5732c)

    Conflicts:
        NEWS
        resolv/res_send.c

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eda498975dd49f616d8af26e5224ca39c8feeb8c

commit eda498975dd49f616d8af26e5224ca39c8feeb8c
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu Feb 26 14:55:24 2015 +0100

    Fix read past end of pattern in fnmatch (bug 18032)

    (cherry picked from commit 4a28f4d55a6cc33474c0792fe93b5942d81bf185)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6ef92b982aef69f05a3faa481c34699bfa55f1dd

commit 6ef92b982aef69f05a3faa481c34699bfa55f1dd
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date:   Sun Feb 22 12:01:47 2015 -0800

    Fix BZ #17269 -- _IO_wstr_overflow integer overflow

    (cherry picked from commit bdf1ff052a8e23d637f2c838fa5642d78fcedc33)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d5ef25a8d894fa5833854588afaacdf8771972a8

commit d5ef25a8d894fa5833854588afaacdf8771972a8
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Oct 6 13:12:36 2015 +0200

    Harden tls_dtor_list with pointer mangling [BZ #19018]

    (cherry picked from commit f586e1328681b400078c995a0bb6ad301ef73549)

    Conflicts:
        NEWS
        stdlib/cxa_thread_atexit_impl.c

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9f108bbbeb8064a746cd2e1e7079f58fe3508485

commit 9f108bbbeb8064a746cd2e1e7079f58fe3508485
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Oct 15 09:23:07 2015 +0200

    Always enable pointer guard [BZ #18928]

    Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
    has security implications.  This commit enables pointer guard
    unconditionally, and the environment variable is now ignored.

            [BZ #18928]
            * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
            _dl_pointer_guard member.
            * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
            initializer.
            (security_init): Always set up pointer guard.
            (process_envvars): Do not process LD_POINTER_GUARD.

    (cherry picked from commit a014cecd82b71b70a6a843e250e06b541ad524f7)

    Conflicts:
        NEWS

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                       |   45 +++++++
 NEWS                            |   21 +++-
 elf/rtld.c                      |   15 +--
 libio/wstrops.c                 |    8 +-
 posix/fnmatch_loop.c            |    5 +-
 posix/tst-fnmatch3.c            |    8 +-
 resolv/nss_dns/dns-host.c       |  111 +++++++++++++++++-
 resolv/res_query.c              |    3 +
 resolv/res_send.c               |  257 ++++++++++++++++++++++++++++++---------
 stdlib/cxa_thread_atexit_impl.c |   12 ++-
 sysdeps/generic/ldsodefs.h      |    3 -
 11 files changed, 401 insertions(+), 87 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
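As an added illustration of the pointer mangling referred to by the BZ #19018 and BZ #18928 commits above (example code, not glibc's own PTR_MANGLE/PTR_DEMANGLE or cxa_thread_atexit_impl.c): a destructor list that stores each function pointer XOR-ed with a process-wide guard and rotated, and demangles it only at call time, so a corrupted entry does not hand the caller a usable code pointer. The guard value, rotation count and list layout are constructed for the demo, and a 64-bit target is assumed.

```c
#include <stdint.h>
#include <stdlib.h>
/* Illustrative pointer mangling for a thread-exit destructor list, the
   hardening applied to tls_dtor_list in BZ #19018: a function pointer is
   stored XOR-ed with a per-process guard and rotated, so a corrupted entry
   no longer demangles to a usable code pointer.  Added example, not
   glibc's PTR_MANGLE/PTR_DEMANGLE or cxa_thread_atexit_impl.c; 64-bit.  */
typedef void (*dtor_fn)(void *);
/* glibc seeds its guard from AT_RANDOM (unconditionally since BZ #18928);
   a fixed constructed value keeps this demo deterministic.  */
uintptr_t pointer_guard = 0x5a3c96e1d2b4f807ULL;
#define ROT 17   /* constructed rotation count */

uintptr_t ptr_mangle(uintptr_t p)
{ p ^= pointer_guard; return (p << ROT) | (p >> (64 - ROT)); }
uintptr_t ptr_demangle(uintptr_t m)
{ m = (m >> ROT) | (m << (64 - ROT)); return m ^ pointer_guard; }

struct dtor_entry {
  uintptr_t mangled_fn;          /* the raw code pointer is never stored */
  void *obj;
  struct dtor_entry *next;
};
struct dtor_entry *tls_dtor_list;  /* single-threaded demo list */

int register_dtor(dtor_fn fn, void *obj)
{
  struct dtor_entry *e = malloc(sizeof *e);
  if (!e) return -1;
  e->mangled_fn = ptr_mangle((uintptr_t) fn);
  e->obj = obj;
  e->next = tls_dtor_list;
  tls_dtor_list = e;
  return 0;
}

/* Demangle and call each registered destructor; returns how many ran.  */
int run_dtors(void)
{
  int ran = 0;
  while (tls_dtor_list) {
    struct dtor_entry *e = tls_dtor_list;
    tls_dtor_list = e->next;
    ((dtor_fn) ptr_demangle(e->mangled_fn))(e->obj);
    free(e);
    ran++;
  }
  return ran;
}
void bump_counter(void *p) { ++*(int *) p; }  /* sample destructor */
```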
