This is the mail archive of the glibc-cvs@sourceware.org mailing list for the glibc project.



GNU C Library master sources branch ibm/2.19/master updated. glibc-2.19-93-g19250b9


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, ibm/2.19/master has been updated
       via  19250b9c8d4aec32b7a6ddfb97cc6e61d4e91208 (commit)
      from  7c6f38b4f37d21dbfb016b20748f39c6edb6533e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=19250b9c8d4aec32b7a6ddfb97cc6e61d4e91208

commit 19250b9c8d4aec32b7a6ddfb97cc6e61d4e91208
Author: Arjun Shankar <arjun.is@lostca.se>
Date:   Tue Apr 21 14:06:31 2015 +0200

    CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow [BZ#18287]
    
    Conflicts:
    	NEWS
    	resolv/nss_dns/dns-host.c

diff --git a/ChangeLog b/ChangeLog
index fc104eb..d287261 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-04-21  Arjun Shankar  <arjun.is@lostca.se>
+
+	[BZ #18287]
+	* resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length
+	based on padding.  (CVE-2015-1781)
+
 2015-03-10  Adhemerval Zanella  <azanella@linux.vnet.ibm.com>
 
 	* sysdeps/ieee754/dbl-64/Makefile (CFLAGS-e_pow.c): Add
diff --git a/NEWS b/NEWS
index 3af0fb6..fbd25a1 100644
--- a/NEWS
+++ b/NEWS
@@ -12,7 +12,14 @@ Version 2.19.1
   15946, 16545, 16574, 16617, 16618, 16683, 16689, 16695, 16701, 16706,
   16707, 16739, 16815, 16619, 16740, 16878, 16882, 16885, 16916, 16932,
   16943, 16958, 17031, 17048, 17069, 17137, 17153, 17187, 17213, 17263,
-  17325, 17555, 17625, 17630, 18104.
+  17325, 17555, 17625, 17630, 18104, 18287.
+
+* A buffer overflow in gethostbyname_r and related functions performing DNS
+  requests has been fixed.  If the NSS functions were called with a
+  misaligned buffer, the buffer length change due to pointer alignment was
+  not taken into account.  This could result in application crashes or,
+  potentially arbitrary code execution, using crafted, but syntactically
+  valid DNS responses.  (CVE-2015-1781)
 
 * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag
   under certain input conditions resulting in the execution of a shell for
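Review bot: the last sentence of the new NEWS entry has misplaced commas ("or, potentially arbitrary code execution, using crafted, but syntactically valid DNS responses"); suggest "or, potentially, arbitrary code execution using crafted but syntactically valid DNS responses". Separately, the unchanged context line just below still reads "CVE-2104-7817" for the wordexp WRDE_NOCMD issue, which looks like a digit transposition of CVE-2014-7817 and could be corrected in a follow-up commit.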
diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
index f0b4b17..f36d28b 100644
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
   int have_to_map = 0;
   uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
   buffer += pad;
-  if (__builtin_expect (buflen < sizeof (struct host_data) + pad, 0))
+  buflen = buflen > pad ? buflen - pad : 0;
+  if (__builtin_expect (buflen < sizeof (struct host_data), 0))
     {
       /* The buffer is too small.  */
     too_small:
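Review bot: the clamp in `buflen = buflen > pad ? buflen - pad : 0;` is the right shape, since a plain `buflen -= pad` would wrap when the caller's buffer is shorter than the alignment padding; with buflen reduced up front, the following `buflen < sizeof (struct host_data)` check and every later use of buflen in getanswer_r see the space that actually remains after `buffer += pad`, which the old code only accounted for in this single comparison. A one-line comment above the assignment saying that buflen now describes the aligned buffer would help future readers, and it is worth confirming that nothing later in the function re-adds pad or assumes the original length.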

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                 |    6 ++++++
 NEWS                      |    9 ++++++++-
 resolv/nss_dns/dns-host.c |    3 ++-
 3 files changed, 16 insertions(+), 2 deletions(-)


hooks/post-receive
-- 
GNU C Library master sources

