This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug network/18665] In send_dg, the recvfrom function is NOT always using the buffer size of a newly created buffer (CVE-2015-7547)
- From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Wed, 17 Feb 2016 03:52:35 +0000
- Subject: [Bug network/18665] In send_dg, the recvfrom function is NOT always using the buffer size of a newly created buffer (CVE-2015-7547)
- Auto-submitted: auto-generated
- References: <bug-18665-131 at http dot sourceware dot org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=18665
--- Comment #14 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, gentoo/2.21 has been updated
via 33f372c7df351d49db04aab021931f32ef2ef612 (commit)
from d7bd567cf1395a16da490a7716962966b9d702c3 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=33f372c7df351d49db04aab021931f32ef2ef612
commit 33f372c7df351d49db04aab021931f32ef2ef612
Author: Carlos O'Donell <carlos@systemhalted.org>
Date: Tue Feb 16 21:26:37 2016 -0500
CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665).
* A stack-based buffer overflow was found in libresolv when invoked from
libnss_dns, allowing specially crafted DNS responses to seize control
of execution flow in the DNS client. The buffer overflow occurs in
the functions send_dg (send datagram) and send_vc (send TCP) for the
NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
family. The use of AF_UNSPEC triggers the low-level resolver code to
send out two parallel queries for A and AAAA. A mismanagement of the
buffers used for those queries could result in the response of a query
writing beyond the alloca allocated buffer created by
_nss_dns_gethostbyname4_r. Buffer management is simplified to remove
the overflow. Thanks to the Google Security Team and Red Hat for
reporting the security impact of this issue, and Robert Holiday of
Ciena for reporting the related bug 18665. (CVE-2015-7547)
See also:
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html
(cherry picked from commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca)
(cherry picked from commit 16d0a0ce7613552301786bf05d7eba8784b5732c)
-----------------------------------------------------------------------
Summary of changes:
resolv/nss_dns/dns-host.c | 111 +++++++++++++++++++-
resolv/res_query.c | 3 +
resolv/res_send.c | 264 +++++++++++++++++++++++++++++++++------------
3 files changed, 309 insertions(+), 69 deletions(-)
--
You are receiving this mail because:
You are on the CC list for the bug.