This is the mail archive of the mailing list for the glibc project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

GNU C Library master sources branch release/2.23/master updated. glibc-2.23-21-g146b58d

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.23/master has been updated
       via  146b58d11fddbef15b888906e3be4f33900c416f (commit)
      from  0eb234232eaf925fe4dca3bd60a3e1b4a7ab2882 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------;a=commitdiff;h=146b58d11fddbef15b888906e3be4f33900c416f

commit 146b58d11fddbef15b888906e3be4f33900c416f
Author: Florian Weimer <>
Date:   Tue Mar 29 12:57:56 2016 +0200

    CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ #19879]
    The defensive copy is not needed because the name may not alias the
    output buffer.
    (cherry picked from commit 317b199b4aff8cfa27f2302ab404d2bb5032b9a4)
    (cherry picked from commit 883dceebc8f11921a9890211a4e202e5be17562f)

diff --git a/ChangeLog b/ChangeLog
index 64a2746..4a0461d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2016-04-01  Florian Weimer  <>
+	[BZ #19879]
+	CVE-2016-3075
+	* resolv/nss_dns/dns-network.c (_nss_dns_getnetbyname_r): Do not
+	copy name.
 2016-04-01  Stefan Liebler  <>
 	* sysdeps/s390/bits/link.h: (La_s390_vr) New typedef.
diff --git a/NEWS b/NEWS
index 674d217..a08f96b 100644
--- a/NEWS
+++ b/NEWS
@@ -9,7 +9,10 @@ Version 2.23.1
 Security related changes:
-  [Add security related changes here]
+* The getnetbyname implementation in nss_dns had a potentially unbounded
+  alloca call (in the form of a call to strdupa), leading to a stack
+  overflow (stack exhaustion) and a crash if getnetbyname is invoked
+  on a very long name.  (CVE-2016-3075)
 The following bugs are resolved with this release:
@@ -17,9 +20,12 @@ The following bugs are resolved with this release:
   [19758] Or bit_Prefer_MAP_32BIT_EXEC in EXTRA_LD_ENVVARS
   [19759] Don't inline mempcpy for x86
   [19762] Use HAS_ARCH_FEATURE with Fast_Rep_String
-  [19791] Assertion failure in res_query.c with un-connectable name server addresses
+  [19791] Assertion failure in res_query.c with un-connectable name server
+    addresses
   [19792] MIPS: backtrace yields infinite backtrace with makecontext
   [19822] install clobbers old version
+  [19879] network: nss_dns: Stack overflow in getnetbyname implementation
+    (CVE-2016-3075)
 Version 2.23
diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c
index 2eb2f67..8f301a7 100644
--- a/resolv/nss_dns/dns-network.c
+++ b/resolv/nss_dns/dns-network.c
@@ -118,17 +118,14 @@ _nss_dns_getnetbyname_r (const char *name, struct netent *result,
   } net_buffer;
   querybuf *orig_net_buffer;
   int anslen;
-  char *qbuf;
   enum nss_status status;
   if (__res_maybe_init (&_res, 0) == -1)
-  qbuf = strdupa (name);
   net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024);
-  anslen = __libc_res_nsearch (&_res, qbuf, C_IN, T_PTR, net_buffer.buf->buf,
+  anslen = __libc_res_nsearch (&_res, name, C_IN, T_PTR, net_buffer.buf->buf,
 			       1024, &net_buffer.ptr, NULL, NULL, NULL, NULL);
   if (anslen < 0)


Summary of changes:
 ChangeLog                    |    7 +++++++
 NEWS                         |   10 ++++++++--
 resolv/nss_dns/dns-network.c |    5 +----
 3 files changed, 16 insertions(+), 6 deletions(-)

GNU C Library master sources

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]