This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug glob/19779] glob: buffer overflow with GLOB_ALTDIRFUNC due to incorrect NAME_MAX limit assumption (CVE-2016-1234)
- From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Wed, 11 May 2016 13:55:39 +0000
- Subject: [Bug glob/19779] glob: buffer overflow with GLOB_ALTDIRFUNC due to incorrect NAME_MAX limit assumption (CVE-2016-1234)
- Auto-submitted: auto-generated
- References: <bug-19779-131 at http dot sourceware dot org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=19779
--- Comment #5 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, release/2.22/master has been updated
via 9d4fe83c8ccf2a4dcc87f905b474d3053c6c42b7 (commit)
via 46329bea58c143887c7109926d03901c0ccf81ed (commit)
via d14837f6edd39d5c79c4cda7f7775c8f5e0ca20a (commit)
from f95984beb2d3d61c71c14c10cdc5ab8fda321dec (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9d4fe83c8ccf2a4dcc87f905b474d3053c6c42b7

commit 9d4fe83c8ccf2a4dcc87f905b474d3053c6c42b7
Author: Florian Weimer <fweimer@redhat.com>
Date:   Fri Apr 29 10:35:34 2016 +0200

    CVE-2016-3706: getaddrinfo: stack overflow in hostent conversion [BZ #20010]

    When converting a struct hostent response to struct gaih_addrtuple, the
    gethosts macro (which is called from gaih_inet) used alloca, without
    malloc fallback for large responses.  This commit changes this code to
    use calloc unconditionally.

    This commit also consolidated a second hostent-to-gaih_addrtuple
    conversion loop (in gaih_inet) to use the new conversion function.

    (cherry picked from commit 4ab2ab03d4351914ee53248dc5aef4a8c88ff8b9)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=46329bea58c143887c7109926d03901c0ccf81ed

commit 46329bea58c143887c7109926d03901c0ccf81ed
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed May 4 12:09:35 2016 +0200

    CVE-2016-1234: glob: Do not copy d_name field of struct dirent [BZ #19779]

    Instead, we store the data we need from the return value of
    readdir in an object of the new type struct readdir_result.
    This type is independent of the layout of struct dirent.

    (cherry picked from commit 5171f3079f2cc53e0548fc4967361f4d1ce9d7ea)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d14837f6edd39d5c79c4cda7f7775c8f5e0ca20a

commit d14837f6edd39d5c79c4cda7f7775c8f5e0ca20a
Author: Florian Weimer <fweimer@redhat.com>
Date:   Fri Apr 29 09:33:07 2016 +0200

    glob: Simplify the interface for the GLOB_ALTDIRFUNC callback gl_readdir

    Previously, application code had to set up the d_namlen member if
    the target supported it, involving conditional compilation.  After
    this change, glob will use the length of the string in d_name instead
    of d_namlen to determine the file name length.  All glibc targets
    provide the d_type and d_ino members, and setting them as needed for
    gl_readdir is straightforward.

    Changing the behavior with regards to d_ino is left to a future
    cleanup.

    (cherry picked from commit 137fe72eca6923a00381a3ca9f0e7672c1f85e3f)

-----------------------------------------------------------------------
Summary of changes:
 ChangeLog                             |   46 ++++++
 NEWS                                  |   12 ++-
 manual/examples/mkdirent.c            |   42 ++++++
 manual/pattern.texi                   |   39 +++++-
 posix/bug-glob2.c                     |   16 ++-
 posix/glob.c                          |  243 +++++++++++++++++----------------
 posix/tst-gnuglob.c                   |    2 +-
 sysdeps/posix/getaddrinfo.c           |  130 +++++++++--------
 sysdeps/unix/sysv/linux/i386/glob64.c |   22 +++
 9 files changed, 368 insertions(+), 184 deletions(-)
 create mode 100644 manual/examples/mkdirent.c
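
The CVE-2016-1234 commit message above describes keeping only the data needed from a readdir result in a type that does not depend on the layout of struct dirent. The following is an added sketch of that idea, not glibc's code and not part of the original mail; entry_view, view_entry, exceeds_declared_d_name, copy_name and make_entry are hypothetical names, and make_entry builds constructed input.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for d_type and DT_REG */
#endif
#include <dirent.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical type: what a caller needs from one entry, sizeof(d_name) aside. */
struct entry_view {
    const char *name;    /* borrowed pointer into the callback's storage */
    unsigned char type;
};

static struct entry_view view_entry(const struct dirent *d)
{
    struct entry_view v = { (const char *)d + offsetof(struct dirent, d_name),
                            d->d_type };
    return v;
}

/* True when a fixed-size copy of struct dirent could not hold this name. */
static int exceeds_declared_d_name(const struct entry_view *v)
{
    return strlen(v->name) >= sizeof(((struct dirent *)0)->d_name);
}

/* Owned copy sized from the string itself, never from sizeof(d_name). */
static char *copy_name(const struct entry_view *v)
{
    size_t len = strlen(v->name);
    char *out = malloc(len + 1);
    if (out != NULL)
        memcpy(out, v->name, len + 1);
    return out;
}

/* Constructed input: a heap entry as a gl_readdir callback may allocate it. */
static struct dirent *make_entry(size_t name_len)
{
    size_t size = offsetof(struct dirent, d_name) + name_len + 1;
    if (size < sizeof(struct dirent))
        size = sizeof(struct dirent);
    struct dirent *d = calloc(1, size);
    if (d != NULL) {
        memset((char *)d + offsetof(struct dirent, d_name), 'a', name_len);
        d->d_type = DT_REG;
    }
    return d;
}
```

The view borrows the callback's storage, so it is only valid until the entry is freed or the next read; anything that must outlive it goes through copy_name.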