This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug glob/19779] glob: buffer overflow with GLOB_ALTDIRFUNC due to incorrect NAME_MAX limit assumption (CVE-2016-1234)
- From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Wed, 25 May 2016 12:23:26 +0000
- Subject: [Bug glob/19779] glob: buffer overflow with GLOB_ALTDIRFUNC due to incorrect NAME_MAX limit assumption (CVE-2016-1234)
- Auto-submitted: auto-generated
- References: <bug-19779-131 at http dot sourceware dot org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=19779
--- Comment #7 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, release/2.20/master has been updated
via 916ef0f69613613e11123657bff127bd26104630 (commit)
via afc4daae0411d10e5d64646d5bafb05075e16151 (commit)
via c5bbc09ccc07fb9b61b7f0f5bf531d7c8c164469 (commit)
via 902072efdbb724cea105f60842c4862070d7862e (commit)
via 03e3ee42d64388243aed95b7702007640dcdd5b5 (commit)
via 3822125d1c520d5bb5e33cd9254a902d52d4eb19 (commit)
via 75cf90eb20d98270ea3903baefb75647ae61fd3f (commit)
via 1029487ab3b2ef65ec9364cb15c44ee9c571224f (commit)
from edbab2450a084a275d418fba871a8c7b48001a71 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=916ef0f69613613e11123657bff127bd26104630
commit 916ef0f69613613e11123657bff127bd26104630
Author: Florian Weimer <fweimer@redhat.com>
Date: Tue Mar 29 12:57:56 2016 +0200
CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ #19879]
The defensive copy is not needed because the name may not alias the
output buffer.
(cherry picked from commit 317b199b4aff8cfa27f2302ab404d2bb5032b9a4)
(cherry picked from commit f5b3338d70a7a2c626331ac4589b6deb2f610432)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=afc4daae0411d10e5d64646d5bafb05075e16151
commit afc4daae0411d10e5d64646d5bafb05075e16151
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date: Sat Aug 8 15:53:03 2015 -0700
Fix BZ #17905
(cherry picked from commit 0f58539030e436449f79189b6edab17d7479796e)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c5bbc09ccc07fb9b61b7f0f5bf531d7c8c164469
commit c5bbc09ccc07fb9b61b7f0f5bf531d7c8c164469
Author: Florian Weimer <fweimer@redhat.com>
Date: Fri Feb 12 12:57:40 2016 +0100
hsearch_r: Apply VM size limit in test case
(cherry picked from commit f34f146e682d8d529dcf64b3c2781bf3f2f05f6c)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=902072efdbb724cea105f60842c4862070d7862e
commit 902072efdbb724cea105f60842c4862070d7862e
Author: Florian Weimer <fweimer@redhat.com>
Date: Thu Jan 28 13:59:11 2016 +0100
Improve check against integer wraparound in hcreate_r [BZ #18240]
(cherry picked from commit bae7c7c764413b23e61cb099ce33be4c4ee259bb)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=03e3ee42d64388243aed95b7702007640dcdd5b5
commit 03e3ee42d64388243aed95b7702007640dcdd5b5
Author: Ondřej Bílka <neleai@seznam.cz>
Date: Sat Jul 11 17:44:10 2015 +0200
Handle overflow in __hcreate_r
Hi,
As in the bugzilla entry, there is an overflow in hsearch when looking for a prime
number, as SIZE_MAX - 1 is divisible by 5. We fix that by rejecting large
inputs before looking for a prime.
* misc/hsearch_r.c (__hcreate_r): Handle overflow.
(cherry picked from commit 2f5c1750558fe64bac361f52d6827ab1bcfe52bc)
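The wraparound that BZ #18240 (both hcreate_r commits above) describes, as an added C example that is not glibc's hsearch_r.c: next_prime_unchecked mirrors the shape of the original odd-then-step-by-two prime search, next_prime_checked adds the rejection of oversized inputs before the search, is_prime is plain trial division rather than glibc's isprime, and struct entry stands in for the table's slot type (all of these names are this example's own).

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Trial division; "d <= n / d" is "d * d <= n" written so that d * d cannot overflow. */
static bool is_prime(size_t n)
{
    if (n < 2)
        return false;
    if (n % 2 == 0)
        return n == 2;
    for (size_t d = 3; d <= n / d; d += 2)
        if (n % d == 0)
            return false;
    return true;
}

/* Pre-fix shape of the search: make nel odd, then step by two until a prime turns up.
   SIZE_MAX itself is composite, so for nel = SIZE_MAX - 1 the "+= 2" wraps to 1 and the
   search "succeeds" with 3: the caller would get a three-slot table for a huge request. */
static size_t next_prime_unchecked(size_t nel)
{
    nel |= 1;
    while (!is_prime(nel))
        nel += 2;                      /* unsigned wraparound here is the BZ #18240 bug */
    return nel;
}

struct entry { const char *key; void *data; };   /* stand-in for the hash table slot type */

/* Post-fix shape: reject any size whose slot array could not be allocated anyway, which
   also keeps the prime search well clear of SIZE_MAX. Follows hcreate_r's convention of
   returning 0 with errno = ENOMEM on failure. */
static size_t next_prime_checked(size_t nel)
{
    if (nel >= SIZE_MAX / sizeof(struct entry)) {
        errno = ENOMEM;
        return 0;
    }
    if (nel < 3)                       /* a minimum of 3 slots, as hcreate_r enforces */
        nel = 3;
    nel |= 1;
    while (!is_prime(nel))
        nel += 2;                      /* cannot wrap: nel is far below SIZE_MAX */
    return nel;
}
```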
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3822125d1c520d5bb5e33cd9254a902d52d4eb19
commit 3822125d1c520d5bb5e33cd9254a902d52d4eb19
Author: Florian Weimer <fweimer@redhat.com>
Date: Wed May 4 12:09:35 2016 +0200
CVE-2016-1234: glob: Do not copy d_name field of struct dirent [BZ #19779]
Instead, we store the data we need from the return value of
readdir in an object of the new type struct readdir_result.
This type is independent of the layout of struct dirent.
(cherry picked from commit 5171f3079f2cc53e0548fc4967361f4d1ce9d7ea)
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=75cf90eb20d98270ea3903baefb75647ae61fd3f
commit 75cf90eb20d98270ea3903baefb75647ae61fd3f
Author: Florian Weimer <fweimer@redhat.com>
Date: Fri Apr 29 09:33:07 2016 +0200
glob: Simplify the interface for the GLOB_ALTDIRFUNC callback gl_readdir
Previously, application code had to set up the d_namlen member if
the target supported it, involving conditional compilation. After
this change, glob will use the length of the string in d_name instead
of d_namlen to determine the file name length. All glibc targets
provide the d_type and d_ino members, and setting them as needed for
gl_readdir is straightforward.
Changing the behavior with regards to d_ino is left to a future
cleanup.
(cherry picked from commit 137fe72eca6923a00381a3ca9f0e7672c1f85e3f)
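The GLOB_ALTDIRFUNC contract described above, as an added example that is not glibc's own code (and not the manual/examples/mkdirent.c listed in the diffstat further down): a gl_readdir callback serving a constructed in-memory listing that sets only d_ino, d_type and a NUL-terminated d_name, exercised through glob(). The fake_* functions, entries and count_matches are this example's names, and it assumes a Linux glibc with this change or newer, where glob takes the name length from d_name.

```c
#define _GNU_SOURCE                    /* GLOB_ALTDIRFUNC and the gl_* member types need it */
#include <dirent.h>
#include <errno.h>
#include <glob.h>
#include <string.h>
#include <sys/stat.h>

/* Constructed in-memory "directory" (an assumption for this example, not a real filesystem). */
static const char *const entries[] = { "report.txt", "notes.md", "README.txt", "image.png" };
static const size_t nentries = sizeof entries / sizeof entries[0];
struct fake_dir { size_t pos; struct dirent ent; };

static void *fake_opendir(const char *path)
{
    static struct fake_dir d;          /* one open stream at a time is enough here */
    (void)path;                        /* glob passes "." for a pattern without a slash */
    d.pos = 0;
    return &d;
}

static struct dirent *fake_readdir(void *stream)
{
    struct fake_dir *d = stream;
    if (d->pos >= nentries)
        return NULL;                   /* end of directory */
    memset(&d->ent, 0, sizeof d->ent);
    d->ent.d_ino = d->pos + 1;         /* non-zero: glob of this era skipped d_ino == 0 entries */
    d->ent.d_type = DT_REG;            /* lets glob apply GLOB_ONLYDIR without calling gl_stat */
    /* No d_namlen bookkeeping: after the commit glob measures the NUL-terminated d_name. */
    strncpy(d->ent.d_name, entries[d->pos], sizeof d->ent.d_name - 1);
    d->pos++;
    return &d->ent;
}

static void fake_closedir(void *stream) { (void)stream; }
/* Not reached for a bare "*.ext" pattern; present so the glob_t is complete. */
static int fake_stat(const char *p, struct stat *st) { (void)p; (void)st; errno = ENOENT; return -1; }

/* Expand PATTERN through the callbacks; returns the match count, or -1 on error. */
static int count_matches(const char *pattern)
{
    glob_t g;
    memset(&g, 0, sizeof g);
    g.gl_opendir = fake_opendir;
    g.gl_readdir = fake_readdir;
    g.gl_closedir = fake_closedir;
    g.gl_stat = g.gl_lstat = fake_stat;
    int rc = glob(pattern, GLOB_ALTDIRFUNC, NULL, &g);
    int n = rc == 0 ? (int)g.gl_pathc : rc == GLOB_NOMATCH ? 0 : -1;
    globfree(&g);
    return n;
}
```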
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1029487ab3b2ef65ec9364cb15c44ee9c571224f
commit 1029487ab3b2ef65ec9364cb15c44ee9c571224f
Author: Florian Weimer <fweimer@redhat.com>
Date: Fri Apr 29 10:35:34 2016 +0200
CVE-2016-3706: getaddrinfo: stack overflow in hostent conversion [BZ #20010]
When converting a struct hostent response to struct gaih_addrtuple, the
gethosts macro (which is called from gaih_inet) used alloca, without
malloc fallback for large responses. This commit changes this code to
use calloc unconditionally.
This commit also consolidated a second hostent-to-gaih_addrtuple
conversion loop (in gaih_inet) to use the new conversion function.
(cherry picked from commit 4ab2ab03d4351914ee53248dc5aef4a8c88ff8b9)
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 87 ++++++++++++
NEWS | 17 ++-
catgets/Makefile | 9 +-
catgets/catgets.c | 19 ++-
catgets/open_catalog.c | 23 ++--
catgets/tst-catgets.c | 31 ++++
manual/examples/mkdirent.c | 42 ++++++
manual/pattern.texi | 39 +++++-
misc/Makefile | 3 +-
misc/bug18240.c | 97 +++++++++++++
misc/hsearch_r.c | 30 +++--
posix/bug-glob2.c | 16 ++-
posix/glob.c | 243 +++++++++++++++++----------------
posix/tst-gnuglob.c | 2 +-
resolv/nss_dns/dns-network.c | 5 +-
sysdeps/posix/getaddrinfo.c | 130 +++++++++--------
sysdeps/unix/sysv/linux/i386/glob64.c | 22 +++
17 files changed, 596 insertions(+), 219 deletions(-)
create mode 100644 manual/examples/mkdirent.c
create mode 100644 misc/bug18240.c