This is the mail archive of the
glibc-cvs@sourceware.org
mailing list for the glibc project.
GNU C Library master sources branch release/2.19/master updated. glibc-2.19-37-g126e130
- From: aurel32 at sourceware dot org
- To: glibc-cvs at sourceware dot org
- Date: 28 Aug 2015 20:59:13 -0000
- Subject: GNU C Library master sources branch release/2.19/master updated. glibc-2.19-37-g126e130
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, release/2.19/master has been updated
via 126e13008672dddfc757f7260cb8d6ff7c77a4b5 (commit)
from 323e41a8d8168dac0338bf95c12a8de5b0dfc56e (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=126e13008672dddfc757f7260cb8d6ff7c77a4b5
commit 126e13008672dddfc757f7260cb8d6ff7c77a4b5
Author: Arjun Shankar <arjun.is@lostca.se>
Date: Tue Apr 21 14:06:31 2015 +0200
CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow [BZ#18287]
(cherry picked from commit 2959eda9272a033863c271aff62095abd01bd4e3)
diff --git a/ChangeLog b/ChangeLog
index b88cd04..0eb6c3f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-04-21 Arjun Shankar <arjun.is@lostca.se>
+
+ [BZ #18287]
+ * resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length
+ based on padding. (CVE-2015-1781)
+
2014-12-11 Andreas Schwab <schwab@suse.de>
[BZ #16657]
diff --git a/NEWS b/NEWS
index 6f240cd..7f9388f 100644
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,15 @@ Version 2.19.1
* The following bugs are resolved with this release:
15946, 16545, 16574, 16623, 16657, 16695, 16878, 16882, 16885, 16916,
- 16932, 16943, 16958, 17048, 17069, 17137, 17213, 17263, 17325, 17555.
+ 16932, 16943, 16958, 17048, 17069, 17137, 17213, 17263, 17325, 17555,
+ 18287.
+
+* A buffer overflow in gethostbyname_r and related functions performing DNS
+ requests has been fixed. If the NSS functions were called with a
+ misaligned buffer, the buffer length change due to pointer alignment was
+ not taken into account. This could result in application crashes or,
+ potentially arbitrary code execution, using crafted, but syntactically
+ valid DNS responses. (CVE-2015-1781)
* Reverted change of ABI data structures for s390 and s390x:
On s390 and s390x the size of struct ucontext and jmp_buf was increased in
diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
index f0b4b17..f36d28b 100644
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
int have_to_map = 0;
uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
buffer += pad;
- if (__builtin_expect (buflen < sizeof (struct host_data) + pad, 0))
+ buflen = buflen > pad ? buflen - pad : 0;
+ if (__builtin_expect (buflen < sizeof (struct host_data), 0))
{
/* The buffer is too small. */
too_small:
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 6 ++++++
NEWS | 10 +++++++++-
resolv/nss_dns/dns-host.c | 3 ++-
3 files changed, 17 insertions(+), 2 deletions(-)
hooks/post-receive
--
GNU C Library master sources