This is the mail archive of the libc-help@sourceware.org mailing list for the glibc project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: glibc-2.9 CVE-2015-7547 fix

On Fri, 2016-03-11 at 10:15 -0800, Florian Weimer wrote:
> On 03/08/2016 05:46 PM, Darcy Watkins wrote:
> 
> > Someone who understands what is going on in this part of the library
> 
> > please comment to give me some insight, particularly if this change may
> 
> > be a bad idea for other reasons.
> 
> 
> Are you actually dealing with an unpatched glibc 2.9?

I patched it with backports of a number of Red Hat patches from glibc
2.12 (that is used in el6 and centos6).  I had to cherry pick from some
200+ patches (it wasn't easy).

> That seems to be fairly unlikely because the resolver in that release
> was fairly broken because it was the first one which had the parallel
> lookup feature.

Maybe I am missing some fixes that went in via 2.10 ... 2.12 rather than
via post-release patches.  I'll have to take a look at the git logs to
find these.

> If it's in fact pristine 2.9, it is likely easier to go the other
> direction and patch out the parallel lookup feature.

It was pretty close to pristine 2.9.  That version was released from CVS
rather than GIT.  Do you know how good the CVS history conversion into
GIT was?  If the GIT history conversion was good, I should be able to
find where and how this was added.

> 
> Florian
Thanks!!!

-- 

Regards,

Darcy

---

Darcy Watkins
Staff Engineer, Firmware
Sierra Wireless
13811 Wireless Way, Richmond, BC
Canada, V6V 3A4
[P1]
Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]