This is the mail archive of the
mailing list for the glibc project.
Re: [PATCH] CVE-2014-8121: Fix nss_files file management [BZ#18007]
- From: Florian Weimer <fw at deneb dot enyo dot de>
- To: Andreas Schwab <schwab at suse dot de>
- Cc: libc-alpha at sourceware dot org
- Date: Wed, 25 Mar 2015 13:54:50 +0100
- Subject: Re: [PATCH] CVE-2014-8121: Fix nss_files file management [BZ#18007]
- Authentication-results: sourceware.org; auth=none
- References: <54EB120A dot 1010202 at redhat dot com> <5506F010 dot 1090608 at redhat dot com> <mvmlhil1n5g dot fsf at hawking dot suse dot de> <871tkdtg89 dot fsf at mid dot deneb dot enyo dot de> <mvmbnjh1c3v dot fsf at hawking dot suse dot de>
* Andreas Schwab:
> Florian Weimer <email@example.com> writes:
>> Sorry, I don't see how this can be retrofitted on top of the existing
>> NSS API. It assumes that the NSS module keeps the iteration state in
>> a per-module global variable.
> That's the bug.
Maybe. But we cannot remove the old API (there are external NSS
modules, after all). Therefore, such a change would only increase
If we had tests, I think a better first step would be to reduce code
duplication between the NSS modules glibc ships, and clean up the
#include file mess. But without tests, such changes offer a poor
>> The fix I proposed builds on Ulrich's original patch which attempted
>> to separate the state for lookup and iteration, but failed to do so
>> because of that incorrectly initialized variable.
> There is no "incorrectly initialized variable".
Ahem, I think the commit message of my patch explains this quite
clearly. The code Ulrich added to deal with this corner case didn't
work as intended because a flag was not set correctly.