Bug 18665 (CVE-2015-7547) - In send_dg, the recvfrom function is NOT always using the buffer size of a newly created buffer (CVE-2015-7547)
Status: RESOLVED FIXED
Alias: CVE-2015-7547
Product: glibc
Classification: Unclassified
Component: network
Version: 2.20
Importance: P2 normal
Target Milestone: 2.23
Assignee: Carlos O'Donell
Reported: 2015-07-13 23:41 UTC by Robert
Modified: 2021-02-10 19:28 UTC
Flags: fweimer: security+


Description Robert 2015-07-13 23:41:12 UTC
Description:

When the thisanssizp pointer variable on line 1257 is updated (thisanssizp = anssizp2, i.e. assigned a new address),
this change causes the thisanssizp pointer variable used in the recvfrom function on line 1282 to use the
wrong size if a new buffer is created after the thisanssizp address has been changed at line 1257.

The size of the buffer used will be what was stored at the address assigned at line 1257, and not the size of the newly created buffer.

The program will crash if the calculated size of the buffer used is 0. The recvfrom function will
not crash, but any further accesses to the buffer, where the number of bytes read by the recvfrom function was 0,
will crash the program.

Initially, at line 1230:
thisanssizp = anssizp;
- thisanssizp gets assigned the address of anssizp when the send_dg function is first called.

At line 1257:
thisanssizp = anssizp2;
- the thisanssizp address gets updated after we have received a packet.

At line 1273:
*anssizp = MAXPACKET;
- the size of a new packet is assigned to *anssizp, and not *thisanssizp, when a new buffer is created.

At line 1282:
recvfrom(pfd[0].fd, (char*)*thisansp, *thisanssizp,
- the recvfrom function uses the size from *thisanssizp, which is wrong.
- it can be seen here that thisansp will contain the address of a newly created buffer, but *thisanssizp will contain the size from the aligned_resplen, instead of MAXPACKET.

Fix:

Use the size pointer *thisanssizp, instead of *thisansp, when creating the new buffer.

u_char *newp = malloc (MAXPACKET);
if (newp != NULL) {
	<*anssizp = MAXPACKET;>     :REMOVED LINE:
	*thisanssizp = MAXPACKET;   :ADDED LINE:
	*thisansp = ans = newp;
	if (thisansp == ansp2)
	  *ansp2_malloced = 1;
Comment 1 Robert 2015-07-13 23:44:40 UTC
This issue is referencing the send_dg function in res_send.c
and referencing lines in res_send.c from glibc-2.21.
This code is almost exactly what is in 2.20.
Comment 2 Carlos O'Donell 2015-07-14 21:14:10 UTC
(In reply to Robert from comment #1)
> This issue is referencing the send_dg function in res_send.c 
> and referencing lines in res_send.c from glibc-2.21. 
> This code is almost exact from what is in 2.20

Thanks for the bug report. Do you have a test case that triggers this scenario? Do you have a patch or suggested fix?
Comment 3 Robert 2015-07-14 21:42:53 UTC
This is my suggested fix for this issue:

Use the size pointer *thisanssizp, instead of *thisansp, when creating the new buffer.

u_char *newp = malloc (MAXPACKET);
if (newp != NULL) {
	<*anssizp = MAXPACKET;>     :REMOVED LINE:
	*thisanssizp = MAXPACKET;   :ADDED LINE:
	*thisansp = ans = newp;
	if (thisansp == ansp2)
	  *ansp2_malloced = 1;
Comment 4 Robert 2015-07-14 21:54:45 UTC
Overview:

A condition occurs when the recvfrom function receives data using a newly created buffer but
does not use the newly created buffer's size; the buffer is then accessed and causes the program to
crash.

In send_dg in res_send.c
- referencing lines in res_send.c from glibc-2.21

Conditions that create the crash:
1. Receive a packet that fills up the buffer (2048 bytes) used in the recvfrom function on line 1282.
2. The aligned_resplen calculation, on line 1243, becomes 0 (buffer size - packet size received = 0).
3. The condition on line 1268 is met: *thisanssizp < *thisresplenp (the calculated size left < the received size), 0 < 2048,
   and a new buffer is created at line 1271 with buffer size MAXPACKET.
4. The recvfrom function on line 1282 now uses the newly created buffer to receive DNS data.

   ISSUE: The recvfrom function is NOT using the buffer size from the newly created buffer,
       but from the aligned_resplen calculation, which was 0.
       The recvfrom function is reading 0 bytes into the new buffer, and should be reading MAXPACKET bytes into the buffer.

5. The res_queriesmatch function attempts to use the data read into the buffer thisansp, at location thisansp + thisanssizp;
   these are invalid pointers, and cause the program to crash.
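
As an added illustration of the bookkeeping walked through in the description and in the conditions above (example code written for this page, not glibc's own res_send.c), the model below re-creates the pointer aliasing between anssizp/anssizp2 and thisanssizp with stand-in constants and compares the original assignment with the one-line change suggested in comment 3. MAXPACKET, ANSLEN, HDR_ALIGN and the function names are assumptions of the model; the anscp test and the real socket I/O are left out.

```c
#include <stdlib.h>

/* Constructed model (added example, not glibc's code) of the size and
   pointer bookkeeping on the second-reply path of send_dg described in
   the report above.  Only what matters for the bug is kept: the anscp
   test and the real socket I/O are omitted. */

#define MAXPACKET 65536   /* glibc's MAXPACKET */
#define ANSLEN    2048    /* size of the caller-provided answer buffer */
#define HDR_ALIGN 4       /* stand-in for __alignof__ (HEADER) */

/* The (pointer, size) pairs recvfrom() would be handed for each reply,
   plus the real capacity behind each pointer, tracked by the model only. */
struct bookkeeping {
    unsigned char *buf1; int size1; size_t cap1;  /* first reply's buffer */
    unsigned char *buf2; int size2; size_t cap2;  /* second reply's buffer */
    int malloced2;                                /* buf2 came from malloc */
};

/* first_resplen: bytes the first reply already occupies in user_buf (<= ANSLEN).
   pending:       what ioctl(FIONREAD) reports for the second reply.
   fixed:         0 = original `*anssizp = MAXPACKET`,
                  1 = Robert's suggested `*thisanssizp = MAXPACKET`. */
static struct bookkeeping model_second_reply(unsigned char *user_buf,
                                             int first_resplen, int pending,
                                             int fixed)
{
    unsigned char *ans = user_buf, *ans2 = NULL;   /* *ansp, *ansp2 */
    int anssiz = ANSLEN, anssiz2 = 0;              /* *anssizp, *anssizp2 */
    int *anssizp = &anssiz, *anssizp2 = &anssiz2;
    unsigned char **ansp = &ans, **ansp2 = &ans2;
    int ansp2_malloced = 0, resplen2 = 0;

    /* Try to use the rest of the user buffer for the second reply. */
    int aligned_resplen = (first_resplen + HDR_ALIGN - 1) & ~(HDR_ALIGN - 1);
    *anssizp2 = *anssizp - aligned_resplen;
    *ansp2 = *ansp + aligned_resplen;

    /* Line 1257 in the report: the "this" pointers now alias buffer 2. */
    int *thisanssizp = anssizp2;
    unsigned char **thisansp = ansp2;
    int *thisresplenp = &resplen2;
    *thisresplenp = pending;

    /* Line 1268: does the remaining space fit the pending datagram? */
    if (*thisanssizp < MAXPACKET && *thisanssizp < *thisresplenp) {
        unsigned char *newp = malloc(MAXPACKET);
        if (newp != NULL) {
            if (fixed)
                *thisanssizp = MAXPACKET; /* size of the buffer recvfrom gets */
            else
                *anssizp = MAXPACKET;     /* original: updates buffer 1's size */
            *thisansp = newp;
            if (thisansp == ansp2)
                ansp2_malloced = 1;
        }
    }

    struct bookkeeping b;
    b.buf1 = *ansp;   b.size1 = *anssizp;  b.cap1 = ANSLEN;
    b.buf2 = *ansp2;  b.size2 = *anssizp2; b.malloced2 = ansp2_malloced;
    b.cap2 = ansp2_malloced ? MAXPACKET : (size_t)(ANSLEN - aligned_resplen);
    return b;
}

static void release(struct bookkeeping *b)
{
    if (b->malloced2)
        free(b->buf2);
}

/* Invariant every recvfrom() call must satisfy: the length it is given never
   exceeds the real capacity of the buffer it writes into, and the second
   reply is actually given room to land. */
static int recv_sizes_sound(const struct bookkeeping *b)
{
    return b->size1 >= 0 && (size_t)b->size1 <= b->cap1
        && b->size2 > 0 && (size_t)b->size2 <= b->cap2;
}

/* One-number view of a scenario run on a private user buffer:
   which = '1' size for reply 1, '2' size for reply 2, 'm' malloc'd?, 's' sound? */
static int scenario(int first_resplen, int pending, int fixed, char which)
{
    static unsigned char user_buf[ANSLEN];
    struct bookkeeping b = model_second_reply(user_buf, first_resplen, pending, fixed);
    int v = which == '1' ? b.size1 : which == '2' ? b.size2
          : which == 'm' ? b.malloced2 : recv_sizes_sound(&b);
    release(&b);
    return v;
}
```

With the original assignment, the model hands recvfrom a size of 0 for the new buffer (the symptom in the report) while buffer 1, still the 2048-byte user buffer, now claims MAXPACKET bytes; with the suggested assignment both sizes match their buffers, and the 122/128-byte case from comment 5 never takes the allocation branch at all.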
Comment 5 Robert 2015-07-14 22:05:11 UTC
I assume this is happening because this code was never sufficiently tested with large packets.

I had done some statistics which show typical packet lengths received for DNS queries.

Received packet lengths:
122, 128, 47, 80, 59, 73, 226, 50, 161

It looks like the code that allocates more buffer space, starting on line 1271, is not used much, so it probably does not get a lot of testing, because most of the time the default buffer of 2048 bytes is less than the largest packet I received of 161 bytes.
Comment 6 Florian Weimer 2015-08-22 14:59:40 UTC
Robert, you need to tell us which function you call, with which parameters.  A full backtrace from the crash often shows this information.  A PCAP file created with “tcpdump -n -s 0 -w file.pcap” would be helpful, too.
Comment 7 Florian Weimer 2016-02-16 14:11:42 UTC
This was assigned CVE-2015-7547.  This bug was introduced in glibc 2.9.  For details, please see:

  https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
Comment 8 Frank Ch. Eigler 2016-02-16 17:27:46 UTC
At some sites, a systemtap-based band-aid for this bug may be suitable as a temporary workaround.  The following script interposes at an interior point in the stub resolver, redirecting T_UNSPEC to T_A queries.  This corresponds to the "do not use AF_UNSPEC" mitigating factor from Carlos' email posting, which Florian and Carlos confirmed should also work for TCP.

It requires systemtap of course, and debuginfo for the version(s) of glibc's libresolv.so.  So on a Fedora machine, run "# debuginfo-install glibc", and repeat for the secondary architecture glibc if installed.  (e.g., glibc-debuginfo*.i686 and glibc-debuginfo*.x86_64).

Then, adjusting /lib*/ to the path or wildcard-path where libresolv may be found:

# stap -g -e '
global T_UNSPEC = 62321
global T_A = 1
probe process("/lib*/libresolv.so.*").function("__libc_res_nquery")
{ 
  if ($type == T_UNSPEC ) { $type = T_A }
}
'

will instantly, system-wide, quietly perform this single mitigation, as long as the systemtap script remains running.  For example, the bug18665 test program runs to completion instead of suffering the SEGV.  (Add stap -v or -t and/or printf() statements to trace the mitigation's operation.)

Please test it carefully before deploying it seriously, and remember, it's meant only as a temporary band-aid, until a glibc update is fully deployed.
Comment 9 Sourceware Commits 2016-02-17 02:30:23 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca (commit)
      from  2c8f75f79bd6f3f4b3400a9f1a01a75e3086006b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca

commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca
Author: Carlos O'Donell <carlos@systemhalted.org>
Date:   Tue Feb 16 21:26:37 2016 -0500

    CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665).
    
    * A stack-based buffer overflow was found in libresolv when invoked from
      libnss_dns, allowing specially crafted DNS responses to seize control
      of execution flow in the DNS client.  The buffer overflow occurs in
      the functions send_dg (send datagram) and send_vc (send TCP) for the
      NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
      family.  The use of AF_UNSPEC triggers the low-level resolver code to
      send out two parallel queries for A and AAAA.  A mismanagement of the
      buffers used for those queries could result in the response of a query
      writing beyond the alloca allocated buffer created by
      _nss_dns_gethostbyname4_r.  Buffer management is simplified to remove
      the overflow.  Thanks to the Google Security Team and Red Hat for
      reporting the security impact of this issue, and Robert Holiday of
      Ciena for reporting the related bug 18665. (CVE-2015-7547)
    
    See also:
    https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
    https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                 |   17 +++-
 NEWS                      |   14 +++
 resolv/nss_dns/dns-host.c |  111 +++++++++++++++++++-
 resolv/res_query.c        |    3 +
 resolv/res_send.c         |  260 ++++++++++++++++++++++++++++++++++-----------
 5 files changed, 339 insertions(+), 66 deletions(-)
Comment 10 Carlos O'Donell 2016-02-17 02:32:14 UTC
Fixed for 2.23.
Comment 11 Sourceware Commits 2016-02-17 03:50:56 UTC

The branch, release/2.22/master has been updated
       via  b995d95a5943785be3ab862b2d3276f3b4a22481 (commit)
      from  4660fb2714c52dba4addab496b3f1ae8e6c633b3 (commit)


- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b995d95a5943785be3ab862b2d3276f3b4a22481

commit b995d95a5943785be3ab862b2d3276f3b4a22481
Author: Carlos O'Donell <carlos@systemhalted.org>
Date:   Tue Feb 16 21:26:37 2016 -0500

    CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665).
    
    (cherry picked from commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                 |   15 +++
 NEWS                      |   14 +++
 resolv/nss_dns/dns-host.c |  111 +++++++++++++++++++-
 resolv/res_query.c        |    3 +
 resolv/res_send.c         |  264 +++++++++++++++++++++++++++++++++------------
 5 files changed, 338 insertions(+), 69 deletions(-)
Comment 12 Sourceware Commits 2016-02-17 03:51:33 UTC

The branch, release/2.21/master has been updated
       via  16d0a0ce7613552301786bf05d7eba8784b5732c (commit)
      from  014eaa22077fd4759083b1a4619ded513a181f92 (commit)


- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=16d0a0ce7613552301786bf05d7eba8784b5732c

commit 16d0a0ce7613552301786bf05d7eba8784b5732c
Author: Carlos O'Donell <carlos@systemhalted.org>
Date:   Tue Feb 16 21:26:37 2016 -0500

    CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665).
    
    (cherry picked from commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                 |   15 +++
 NEWS                      |   14 +++
 resolv/nss_dns/dns-host.c |  111 +++++++++++++++++++-
 resolv/res_query.c        |    3 +
 resolv/res_send.c         |  264 +++++++++++++++++++++++++++++++++------------
 5 files changed, 338 insertions(+), 69 deletions(-)
Comment 13 Sourceware Commits 2016-02-17 03:51:54 UTC

The branch, gentoo/2.22 has been updated
       via  258e9043d8f1a2dafac3754c651b46da1ccb7dba (commit)
      from  306df6aa9518318ddd740ebfe016e73e31e08857 (commit)


- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=258e9043d8f1a2dafac3754c651b46da1ccb7dba

commit 258e9043d8f1a2dafac3754c651b46da1ccb7dba
Author: Carlos O'Donell <carlos@systemhalted.org>
Date:   Tue Feb 16 21:26:37 2016 -0500

    CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665).
    
    (cherry picked from commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca)
    (cherry picked from commit b995d95a5943785be3ab862b2d3276f3b4a22481)

-----------------------------------------------------------------------

Summary of changes:
 resolv/nss_dns/dns-host.c |  111 +++++++++++++++++++-
 resolv/res_query.c        |    3 +
 resolv/res_send.c         |  264 +++++++++++++++++++++++++++++++++------------
 3 files changed, 309 insertions(+), 69 deletions(-)
Comment 14 Sourceware Commits 2016-02-17 03:52:35 UTC

The branch, gentoo/2.21 has been updated
       via  33f372c7df351d49db04aab021931f32ef2ef612 (commit)
      from  d7bd567cf1395a16da490a7716962966b9d702c3 (commit)


- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=33f372c7df351d49db04aab021931f32ef2ef612

commit 33f372c7df351d49db04aab021931f32ef2ef612
Author: Carlos O'Donell <carlos@systemhalted.org>
Date:   Tue Feb 16 21:26:37 2016 -0500

    CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665).
    
    (cherry picked from commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca)
    (cherry picked from commit 16d0a0ce7613552301786bf05d7eba8784b5732c)

-----------------------------------------------------------------------

Summary of changes:
 resolv/nss_dns/dns-host.c |  111 +++++++++++++++++++-
 resolv/res_query.c        |    3 +
 resolv/res_send.c         |  264 +++++++++++++++++++++++++++++++++------------
 3 files changed, 309 insertions(+), 69 deletions(-)
Comment 15 Sourceware Commits 2016-02-18 18:07:30 UTC

The annotated tag, glibc-2.23 has been created
        at  10ed3a0ffbb43ce0b0739da4addc747733be5e63 (tag)
   tagging  ab30899d880f9741a409cbc0d7a28399bdac21bf (commit)
  replaces  glibc-2.22
 tagged by  Adhemerval Zanella
        on  Thu Feb 18 16:04:58 2016 -0200

- Log -----------------------------------------------------------------
The GNU C Library
=================

The GNU C Library version 2.23 is now available.

The GNU C Library is used as *the* C library in the GNU system and
in GNU/Linux systems, as well as many other systems that use Linux
as the kernel.

The GNU C Library is primarily designed to be a portable
and high performance C library.  It follows all relevant
standards including ISO C11 and POSIX.1-2008.  It is also
internationalized and has one of the most complete
internationalization interfaces known.

The GNU C Library webpage is at http://www.gnu.org/software/libc/

Packages for the 2.23 release may be downloaded from:
        http://ftpmirror.gnu.org/libc/
        http://ftp.gnu.org/gnu/libc/

The mirror list is at http://www.gnu.org/order/ftp.html

NEWS for version 2.23
=====================

* Unicode 8.0.0 Support: Character encoding, character type info, and
  transliteration tables are all updated to Unicode 8.0.0, using new
  and/or improved generator scripts contributed by Mike FABIAN (Red Hat).
  These updates cause user visible changes, such as the fixes for bugs
  89, 16061, and 18568.

* sched_setaffinity, pthread_setaffinity_np no longer attempt to guess the
  kernel-internal CPU set size.  This means that requests that change the
  CPU affinity which failed before (for example, an all-ones CPU mask) will
  now succeed.  Applications that need to determine the effective CPU
  affinities need to call sched_getaffinity or pthread_getaffinity_np after
  setting it because the kernel can adjust it (and the previous size check
  would not detect this in the majority of cases).

* The fts.h header can now be used with -D_FILE_OFFSET_BITS=64.  With LFS
  the following new symbols are used: fts64_children, fts64_close,
  fts64_open, fts64_read and fts64_set.

* getaddrinfo now detects certain invalid responses on an internal netlink
  socket.  If such responses are received, an affected process will
  terminate with an error message of "Unexpected error <number> on netlink
  descriptor <number>" or "Unexpected netlink response of size <number> on
  descriptor <number>".  The most likely cause for these errors is a
  multi-threaded application which erroneously closes and reuses the netlink
  file descriptor while it is used by getaddrinfo.

* A defect in the malloc implementation, present since glibc 2.15 (2012) or
  glibc 2.10 via --enable-experimental-malloc (2009), could result in the
  unnecessary serialization of memory allocation requests across threads.
  The defect is now corrected.  Users should see a substantial increase in
  the concurrent throughput of allocation requests for applications which
  trigger this bug.  Affected applications typically create and
  destroy threads frequently.  (Bug 19048 was reported and analyzed by
  Ericsson.)

* There is now a --disable-timezone-tools configure option for disabling the
  building and installing of the timezone related utilities (zic, zdump, and
  tzselect).  This is useful for people who build the timezone data and code
  independent of the GNU C Library.

* The obsolete header <regexp.h> has been removed.  Programs that require
  this header must be updated to use <regex.h> instead.

* The obsolete functions bdflush, create_module, get_kernel_syms,
  query_module and uselib are no longer available to newly linked binaries;
  the header <sys/kdaemon.h> has been removed.  These functions and header
  were specific to systems using the Linux kernel and could not usefully be
  used with the GNU C Library on systems with version 2.6 or later of the
  Linux kernel.

* Optimized string, wcsmbs and memory functions for IBM z13.
  Implemented by Stefan Liebler.

* Newly linked programs that define a variable called signgam will no longer
  have it set by the lgamma, lgammaf and lgammal functions.  Programs that
  require signgam to be set by those functions must ensure that they use the
  variable provided by the GNU C Library and declared in <math.h>, without
  defining their own copy.

* The minimum GCC version that can be used to build this version of the GNU
  C Library is GCC 4.7.  Older GCC versions, and non-GNU compilers, can
  still be used to compile programs using the GNU C Library.

Security related changes:

* An out-of-bounds value in a broken-out struct tm argument to strftime no
  longer causes a crash.  Reported by Adam Nielsen.  (CVE-2015-8776)

* The LD_POINTER_GUARD environment variable can no longer be used to disable
  the pointer guard feature.  It is always enabled.  Previously,
  LD_POINTER_GUARD could be used to disable security hardening in binaries
  running in privileged AT_SECURE mode.  Reported by Hector Marco-Gisbert.
  (CVE-2015-8777)

* An integer overflow in hcreate and hcreate_r could lead to an
  out-of-bounds memory access.  Reported by Szabolcs Nagy.  (CVE-2015-8778)

* The catopen function no longer has unbounded stack usage.  Reported by
  Max.  (CVE-2015-8779)

* The nan, nanf and nanl functions no longer have unbounded stack usage
  depending on the length of the string passed as an argument to the
  functions.  Reported by Joseph Myers.  (CVE-2014-9761)

* A stack-based buffer overflow was found in libresolv when invoked from
  libnss_dns, allowing specially crafted DNS responses to seize control
  of execution flow in the DNS client.  The buffer overflow occurs in
  the functions send_dg (send datagram) and send_vc (send TCP) for the
  NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
  family.  The use of AF_UNSPEC triggers the low-level resolver code to
  send out two parallel queries for A and AAAA.  A mismanagement of the
  buffers used for those queries could result in the response of a query
  writing beyond the alloca allocated buffer created by
  _nss_dns_gethostbyname4_r.  Buffer management is simplified to remove
  the overflow.  Thanks to the Google Security Team and Red Hat for
  reporting the security impact of this issue, and Robert Holiday of
  Ciena for reporting the related bug 18665. (CVE-2015-7547)

The following bugs are resolved with this release:

  [89] localedata: Locales nb_NO and nn_NO should transliterate æøå
  [887] math: Math library function "logb" and "nextafter" inconsistent
  [2542] math: Incorrect return from float gamma (-0X1.FA471547C2FE5P+1)
  [2543] math: Incorrect return from float gamma (-0X1.9260DCP+1)
  [2558] math: Incorrect return from double gamma (-0X1.FA471547C2FE5P+1)
  [2898] libc: [improve]  warning: the use  of `mktemp' is dangerous, better
    use `mkstemp'
  [4404] localedata: German translation of "Alarm clock" is misleading
  [6799] math: nextafter() and nexttoward() doen't set errno on
    overflow/underflow errors
  [6803] math: scalb(), scalbln(), scalbn() do not set errno on
    overflow/underflow
  [10432] nis: _nss_nis_setnetgrent assertion failure
  [11460] libc: fts has no LFS support
  [12926] network: getaddrinfo()/make_request() may spin forever
  [13065] nptl: Race condition in pthread barriers
  [13690] nptl: pthread_mutex_unlock potentially cause invalid access
  [14341] dynamic-link: Dynamic linker crash when DT_JMPREL and DT_REL{,A}
    are not contiguous
  [14551] math: [ldbl-128ibm] strtold overflow handling for IBM long double
  [14912] libc: Rename non-installed bits/*.h headers
  [15002] libc: Avoid undefined behavior in posix_fallocate overflow check
  [15367] math: Let gcc use __builtin_isinf
  [15384] math: One constant fewer in ieee754/dbl-64/wordsize-64/s_finite.c
  [15421] math: lgamma wrongly sets signgam for ISO C
  [15470] math: [arm] On ARM llrintl() and llroundl() do not raise
    FE_INVALID with argument out of range
  [15491] math: [i386/x86_64] x86 nearbyint implementations wrongly clear
    all exceptions
  [15786] dynamic-link: ifunc resolver functions can smash function
    arguments
  [15918] math: Unnecessary check for equality in hypotf()
  [16061] localedata: Review / update transliteration data
  [16068] math: [i386/x86_64] x86 and x86_64 fesetenv exclude state they
    should include
  [16141] time: strptime %z offset restriction
  [16171] math: drem should be alias of remainder
  [16296] math: fegetround is pure?
  [16347] math: [ldbl-128ibm] ldbl-128/e_lgammal_r.c may not be suitable.
  [16364] libc: sleep may leave SIGCHLD blocked on sync cancellation on
    GNU/Linux
  [16399] math: [mips] lrint / llrint / lround / llround missing exceptions
  [16415] math: Clean up ldbl-128 / ldbl-128ibm expm1l for large positive
    arguments
  [16422] math: [powerpc] math-float, math-double failing llrint tests with
    "Exception "Inexact" set" on ppc32
  [16495] localedata: nl_NL: date_fmt: shuffle year/month around
  [16517] math: Missing underflow exception from tanf/tan/tanl
  [16519] math: Missing underflow exception from sinhf
  [16520] math: Missing underflow exception from tanhf
  [16521] math: Missing underflow exception from exp2
  [16620] math: [ldbl-128ibm] exp10l spurious overflows / bad directed
    rounding results
  [16734] stdio: fopen calls mmap to allocate its buffer
  [16961] math: nan function incorrect handling of bad sequences
  [16962] math: nan function unbounded stack allocation (CVE-2014-9761)
  [16973] localedata: Fix lang_lib/lang_term as per ISO 639-2
  [16985] locale: localedef: confusing error message when opening output
    fails
  [17118] math: ctanh(INFINITY + 2 * I) returns incorrect value
  [17197] locale: Redundant shift character in iconv conversion output at
    block boundary
  [17243] libc: trunk/posix/execl.c:53: va_args problem ?
  [17244] libc: trunk/sysdeps/unix/sysv/linux/semctl.c:116: va_args muxup ?
  [17250] dynamic-link: static linking breaks nss loading
    (getaddrinfo/getpwnam/etc...)
  [17404] libc: atomic_exchange_rel lacking a barrier on MIPS16, GCC before
    4.7?
  [17441] math: isnan() should use __builtin_isnan() in GCC
  [17514] nptl: Assert failure unlocking ERRORCHECK mutex after timedlock
    (related to lock elision)
  [17787] manual: Exponent on page 324 of the PDF ends prematurely
  [17886] time: strptime should be able to parse "Z" as a timezone with %z
  [17887] time: strptime should be able to parse "+01:00" style timezones
  [17905] libc: catopen() Multiple unbounded stack allocations
    (CVE-2015-8779)
  [18084] libc: backtrace (..., 0) dumps core on x86
  [18086] libc: nice() sets errno to 0 on success
  [18240] libc: hcreate, hcreate_r should fail with ENOMEM if element count
    is too large (CVE-2015-8778)
  [18251] dynamic-link: SONAME missing when audit modules provides path
  [18265] libc: add attributes for wchar string and memory functions
  [18370] math: csqrt missing underflows
  [18421] libc: [hppa] read-only segment has dynamic relocations
  [18472] libc: Obsolete syscall wrappers should be compat symbols
  [18480] libc: hppa glibc miscompilation in sched_setaffinity()
  [18491] localedata: Update tr_TR LC_CTYPE as part of Unicode updates
  [18525] localedata: Remove locale timezone information
  [18560] libc: [powerpc] spurious bits/ipc.h definitions
  [18568] localedata: Update locale data to Unicode 8.0
  [18589] locale: sort-test.sh fails at random
  [18595] math: ctan, ctanh missing underflows
  [18604] libc: assert macro-expands its argument
  [18610] math: S390: fetestexcept() reports any exception if DXC-code
    contains a vector instruction exception.
  [18611] math: j1, jn missing errno setting on underflow
  [18618] localedata: sync Chechen locale definitions with other *_RU
    locales
  [18647] math: powf(-0x1.000002p0, 0x1p30) returns 0 instead of +inf
  [18661] libc: Some x86-64 assembly codes don't align stack to 16 bytes
  [18665] network: In send_dg, the recvfrom function is NOT always using the
    buffer size of a newly created buffer (CVE-2015-7547)
  [18674] libc: [i386] trunk/sysdeps/i386/tst-auditmod3b.c:84: possible
    missing break ?
  [18675] libc: fpathconf(_PC_NAME_MAX) fails against large filesystems for
    32bit processes
  [18681] libc: regexp.h is obsolete and buggy, and should be desupported
  [18699] math: tilegx cproj() for various complex infinities does not yield
    infinity
  [18724] libc: Harden put*ent functions against data injection
  [18743] nptl: PowerPC: findutils testcase fails with --enable-lock-elision
  [18755] build: build errors with -DNDEBUG
  [18757] stdio: fmemopen fails to set errno on failure
  [18778] dynamic-link: ld.so crashes if failed dlopen causes libpthread to
    be forced unloaded
  [18781] libc: openat64 lacks O_LARGEFILE
  [18787] libc: [hppa] sysdeps/unix/sysv/linux/hppa/bits/atomic.h:71:6:
    error: can’t find a register in class ‘R1_REGS’ while reloading ‘asm’
  [18789] math: [ldbl-128ibm] sinhl inaccurate near 0
  [18790] math: [ldbl-128ibm] tanhl inaccurate
  [18795] libc: stpncpy fortification misses buffer lengths that are
    statically too large
  [18796] build: build fails for --disable-mathvec
  [18803] math: hypot missing underflows
  [18820] stdio: fmemopen may leak memory on failure
  [18823] math: csqrt spurious underflows
  [18824] math: fma spurious underflows
  [18825] math: pow missing underflows
  [18857] math: [ldbl-128ibm] nearbyintl wrongly uses signaling comparisons
  [18868] nptl: pthread_barrier_init typo has in-theory-undefined behavior
  [18870] build: sem_open.c fails to compile with missing symbol
    FUTEX_SHARED
  [18872] stdio: Fix memory leak in printf_positional
  [18873] libc: posix_fallocate overflow check ineffective
  [18875] math: Excess precision leads incorrect libm
  [18877] libc: arm: mmap offset regression
  [18887] libc: memory corruption when using getmntent on blank lines
  [18918] localedata: hu_HU: change time to HH:MM:SS format
  [18921] libc: Regression: extraneous stat() and fstat() performed by
    opendir()
  [18928] dynamic-link: LD_POINTER_GUARD is not ignored for privileged
    binaries (CVE-2015-8777)
  [18951] math: tgamma missing underflows
  [18952] math: [ldbl-128/ldbl-128ibm] lgammal spurious "invalid", incorrect
    signgam
  [18953] localedata: lt_LT: change currency symbol to the euro
  [18956] math: powf inaccuracy
  [18961] math: [i386] exp missing underflows
  [18966] math: [i386] exp10 missing underflows
  [18967] math: math.h XSI POSIX namespace (gamma, isnan, scalb)
  [18969] build: multiple string test failures due to missing locale
    dependencies
  [18970] libc: Reference of pthread_setcancelstate in libc.a
  [18977] math: float / long double Bessel functions not in XSI POSIX
  [18980] math: i386 libm functions return with excess range and precision
  [18981] math: i386 scalb*, ldexp return with excess range and precision
  [18982] stdio: va_list and vprintf
  [18985] time: Passing out of range data to strftime() causes a segfault
    (CVE-2015-8776)
  [19003] math: [x86_64] fma4 version of pow inappropriate contraction
  [19007] libc: FAIL: elf/check-localplt with -z now and binutils 2.26
  [19012] locale: iconv_open leaks memory on error path
  [19016] math: clog, clog10 inaccuracy
  [19018] nptl: Mangle function pointers in tls_dtor_list
  [19032] math: [i386] acosh (-qNaN) spurious "invalid" exception
  [19046] math: ldbl-128 / ldbl-128ibm lgamma bad overflow handling
  [19048] malloc: malloc: arena free list can become cyclic, increasing
    contention
  [19049] math: [powerpc] erfc incorrect zero sign
  [19050] math: [powerpc] log* incorrect zero sign
  [19058] math: [x86_64] Link fail with -fopenmp and -flto
  [19059] math: nexttoward overflow incorrect in non-default rounding modes
  [19071] math: ldbl-96 lroundl incorrect just below powers of 2
  [19074] network: Data race in _res_hconf_reorder_addrs
  [19076] math: [ldbl-128ibm] log1pl (-1) wrong sign of infinity
  [19077] math: [ldbl-128ibm] logl (1) incorrect sign of zero result
  [19078] math: [ldbl-128ibm] expl overflow incorrect in non-default
    rounding modes
  [19079] math: dbl-64/wordsize-64 lround based on llround incorrect for
    ILP32
  [19085] math: ldbl-128 lrintl, lroundl missing exceptions for 32-bit long
  [19086] manual: posix_fallocate64 documented argument order is wrong.
  [19088] math: lround, llround missing exceptions close to overflow
    threshold
  [19094] math: lrint, llrint missing exceptions close to overflow threshold
  [19095] math: dbl-64 lrint incorrect for 64-bit long
  [19122] dynamic-link: Unnecessary PLT relocations in librtld.os
  [19124] dynamic-link: ld.so failed to build with older assembler
  [19125] math: [powerpc32] llroundf, llround incorrect exceptions
  [19129] dynamic-link: [arm] Concurrent lazy TLSDESC resolution can crash
  [19134] math: [powerpc32] lround, lroundf spurious exceptions
  [19137] libc: i386/epoll_pwait.S doesn't support cancellation
  [19143] nptl: Remove CPU set size checking from sched_setaffinity,
    pthread_setaffinity_np
  [19156] math: [ldbl-128] j0l spurious underflows
  [19164] nptl: tst-getcpu fails with many possible CPUs
  [19168] math: math/test-ildoubl and math/test-ldouble failure
  [19174] nptl: PowerPC: TLE enabled pthread mutex performs poorly.
  [19178] dynamic-link: ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA confuses
    prelink
  [19181] math: [i386/x86_64] fesetenv (FE_DFL_ENV), fesetenv
    (FE_NOMASK_ENV) do not clear SSE exceptions
  [19182] malloc: malloc deadlock between ptmalloc_lock_all and
    _int_new_arena/reused_arena
  [19189] math: [ldbl-128] log1pl (-qNaN) spurious "invalid" exception
  [19201] math: dbl-64 remainder incorrect sign of zero result
  [19205] math: bits/math-finite.h conditions do not match math.h and
    bits/mathcalls.h
  [19209] math: bits/math-finite.h wrongly maps ldexp to scalbn
  [19211] math: lgamma functions do not set signgam for -ffinite-math-only
    for C99-based standards
  [19212] libc: features.h not -Wundef clean
  [19213] math: [i386/x86_64] log* (1) incorrect zero sign for
    -ffinite-math-only
  [19214] libc: Family and model identification for AMD CPU's are incorrect.
  [19219] libc: GLIBC build fails for ia64 with missing __nearbyintl
  [19228] math: [powerpc] nearbyint wrongly clears "inexact", leaves traps
    disabled
  [19235] math: [powerpc64] lround, lroundf, llround, llroundf spurious
    "inexact" exceptions
  [19238] math: [powerpc] round, roundf spurious "inexact" for integer
    arguments
  [19242] libc: strtol incorrect in Turkish locales
  [19243] malloc: reused_arena can pick an arena on the free list, leading
    to an assertion failure and reference count corruption
  [19253] time: tzset() ineffective when temporary TZ did not include DST
    rules
  [19266] math: strtod ("NAN(I)") incorrect in Turkish locales
  [19270] math: [hppa] Shared libm missing __isnanl
  [19285] libc: [hppa] sysdeps/unix/sysv/linux/hppa/bits/mman.h: missing
    MAP_HUGETLB and MAP_STACK defines
  [19313] nptl: Wrong __cpu_mask for x32
  [19347] libc: grantpt: try to force a specific gid even without pt_chown
  [19349] math: [ldbl-128ibm] tanhl inaccurate for small arguments
  [19350] math: [ldbl-128ibm] sinhl spurious overflows
  [19351] math: [ldbl-128ibm] logl inaccurate near 1
  [19363] time: x32: times() return value wrongly truncates/sign extends
    from 32bit
  [19367] dynamic-link: Improve branch prediction on Silvermont
  [19369] network: Default domain name not reset by res_ninit when "search"
    / "domain" entry is removed from resolv.conf
  [19375] math: powerpc: incorrect results for POWER7 logb with negative
    subnormals
  [19385] localedata: bg_BG: time separator should be colon, not comma
  [19408] libc: linux personality syscall wrapper may erroneously return an
    error on 32-bit architectures
  [19415] libc: dladdr returns wrong names on hppa
  [19432] libc: iconv rejects redundant escape sequences in IBM900, IBM903,
    IBM905, IBM907, and IBM909
  [19439] math: Unix98 isinf and isnan functions conflict with C++11
  [19443] build: build failures with -DDEBUG
  [19451] build: Make check fails on test-double-vlen2
  [19462] libc: Glibc failed to build with -Os
  [19465] math: Wrong code with -Os
  [19466] time: time/tst-mktime2.c is compiled into an infinite loop with
    -Os
  [19467] string: Fast_Unaligned_Load needs to be enabled for Excavator core
    CPU's.
  [19475] libc: Glibc 2.22 doesn't build on sparc [PATCH]
  [19486] math: S390: Math tests fail with "Exception Inexact set".
  [19529] libc: [ARM]: FAIL: stdlib/tst-makecontext
  [19550] libc: [mips] mmap negative offset handling inconsistent with other
    architectures
  [19590] math: Fail to build shared objects that use libmvec.so functions.

Contributors
============

This release was made possible by the contributions of many people.
The maintainers are grateful to everyone who has contributed
changes or bug reports.  These include:

Adhemerval Zanella
Alan Modra
Amit Pawar
Andreas Schwab
Andrew Bennett
Andrew Senkevich
Andrew Stubbs
Anton Blanchard
Arjun Shankar
Arslanbek Astemirov
Aurelien Jarno
Brett Neumeier
Carlos Eduardo Seo
Carlos O'Donell
Chris Metcalf
Chung-Lin Tang
Damyan Ivanov
Daniel Marjamäki
David Kastrup
David Lamparter
David S. Miller
Dmitry V. Levin
Egmont Koblinger
Evert
Flavio Cruz
Florian Weimer
Gabriel F. T. Gomes
Geoffrey Thomas
Gleb Fotengauer-Malinovskiy
Gunnar Hjalmarsson
H.J. Lu
Helge Deller
James Perkins
John David Anglin
Joseph Myers
Justus Winter
Khem Raj
Ludovic Courtès
Maciej W. Rozycki
Manolis Ragkousis
Marcin Kościelnicki
Mark Wielaard
Marko Myllynen
Martin Sebor
Maxim Ostapenko
Mike FABIAN
Mike Frysinger
Namhyung Kim
Ondrej Bilka
Ondřej Bílka
Paul E. Murphy
Paul Eggert
Paul Murphy
Paul Pluzhnikov
Petar Jovanovic
Phil Blundell
Rajalakshmi Srinivasaraghavan
Rasmus Villemoes
Richard Henderson
Rob Wu
Roland McGrath
Samuel Thibault
Siddhesh Poyarekar
Stan Shebs
Stefan Liebler
Steve Ellcey
Szabolcs Nagy
Thomas Schwinge
Torvald Riegel
Tulio Magno Quites Machado Filho
Vincent Bernat
Wilco Dijkstra
Zack Weinberg

Adhemerval Zanella (18):
      arm: Assembly implementation cleanup
      powerpc: Fix strstr/power7 build
      powerpc: Fix strnlen/power7 build
      powerpc: Use default strcpy optimization for POWER7
      powerpc: Fix PPC64/POWER7 conform tests
      Fix wordsize-32 mmap offset for negative value (BZ#18877)
      Mark lseek/llseek as non-cancellable
      nptl: Add NPTL cases for cancellation failures cases
      Cleanup sync_file_range implementation
      Fix nearbyintl linkage for ia64 (bug 19219)
      Remove signal handling for nanosleep (bug 16364)
      nptl: Fix racy pipe closing in tst-cancel{20,21}
      Fix POWER7 logb results for negative subnormals (bug 19375)
      Fix SYSCALL_CANCEL for empty arguments
      powerpc: Regenerate libm-test-ulps
      Fix isinf/isnan declaration conflict with C++11
      Update NEWS with fixed bugs for 2.23 release
      Update version.h and include/features.h for 2.23 release

Alan Modra (1):
      hppa: start.S: rework references to fix PIE TEXTRELs [BZ #18421]

Amit Pawar (1):
      Set index_Fast_Unaligned_Load for Excavator family CPUs

Andreas Schwab (17):
      Properly terminate FDE in makecontext for m68k (bug 18635)
      Remove unused variables from timezone/Makefile
      Readd O_LARGEFILE flag for openat64 (bug 18781)
      Remove unused definition of __openat(64)_nocancel
      Add version set GLIBC_2.19 for linux/powerpc
      Remove __ASSUME_IPC64
      Terminate FDE before return trampoline in makecontext for powerpc (bug 18635)
      Add missing va_end calls (bug 17243)
      Remove extra va_start/va_end calls (bug 17244)
      Restore sparc64 implementation of semctl
      Add dependencies on needed locales in each subdir tests (bug 18969)
      Add bug reference
      Always use INTERNAL_SYSCALL_ERRNO with INTERNAL_SYSCALL
      Don't emit invalid extra shift character at block boundary by iconv (bug 17197)
      Force rereading TZDEFRULES after it was used to set DST rules only (bug #19253)
      Don't do lock elision on an error checking mutex (bug 17514)
      Remove unused variables

Andrew Bennett (1):
      MIPS: Only use .set mips* assembler directives when necessary

Andrew Senkevich (10):
      [BZ #18796]
      Mention BZ #18796 fix in NEWS.
      Better workaround for aliases of *_finite symbols in vector math library.
      Corrected path to installed libmvec_nonshared.a
      Utilize x86_64 vector math functions w/o -fopenmp.
      Added memset optimized with AVX512 for KNL hardware.
      Added memcpy/memmove family optimized with AVX512 for KNL hardware.
      Fixed typos in __memcpy_chk.
      Fixed build with assembler w/o AVX-512 support.
      Use PIC relocation in ALIAS_IMPL

Andrew Stubbs (1):
      longlong: add SH FDPIC support

Anton Blanchard (1):
      Eliminate redundant sign extensions in pow()

Arjun Shankar (1):
      Modify several tests to use test-skeleton.c

Arslanbek Astemirov (1):
      locales/ce_RU: sync with other *_RU locales

Aurelien Jarno (6):
      Fix grantpt basename namespace bug
      mips: fix testsuite build for O32 FPXX ABI on pre-R2 CPU
      grantpt: trust the kernel about pty group and permission mode
      Cleanup ARM ioperm implementation
      i386: move ULPs to i686/multiarch and regenerate new ones for i386
      Cleanup ARM ioperm implementation (step 2)

Brett Neumeier (1):
      Fix non-v9 32-bit sparc build.

Carlos Eduardo Seo (11):
      powerpc: Add missing hwcap strings.
      powerpc: make memchr use memchr-power7.
      powerpc: Fix memchr for powerpc32.
      powerpc: Sync hwcap.h with kernel
      powerpc: Fix compiler warning in some syscalls.
      Add AT_PLATFORM to _dl_aux_init ()
      powerpc: Provide __tls_get_addr () in static libc
      powerpc: Add hwcap/hwcap2/platform data to TCB.
      powerpc: Add basic support for POWER9 sans hwcap.
      powerpc: Export __parse_hwcap_and_convert_at_platform to libc.a.
      powerpc: Add hwcap2 bits for POWER9.

Carlos O'Donell (22):
      Open development for 2.23.
      Prevent check-local-headers.sh hang.
      Use ALIGN_DOWN in systrim.
      Use ALIGN_* macros in _dl_map_object_from_fd.
      Fix error messages in elf/tst-dlmopen1.c.
      Files open O_WRONLY not supported in fallocate emulation.
      Fix manual argument order for posix_fallocate64 (Bug 19086).
      malloc: Consistently apply trim_threshold to all heaps (Bug 17195)
      Add BZ#19086 to NEWS.
      strcoll: Remove incorrect STRDIFF-based optimization (Bug 18589).
      strcoll: Add bug-strcoll2 to testsuite (Bug 18589).
      Fix typo in bug-strcoll2 (Bug 18589)
      include/stap-probe.h: Fix formatting.
      Rename localedir to complocaledir (bug 14259).
      Comment on IBM930, IBM933, IBM935, IBM937, IBM939.
      Regenerate locale/C-translit.h.
      Update transliteration support to Unicode 7.0.0.
      Document best practice for disconnected NSS modules.
      Use $(PYTHON) to run benchtests python files.
      Ensure isinff, isinfl, isnanf, and isnanl are defined (Bug 19439)
      Update INSTALL with latest versions tested to work.
      CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665).

Chris Metcalf (7):
      tile: avoid preprocessor redefinition warnings
      tile: regenerate libm-test-ulps
      Update NEWS to mention drive-by fix for bug 18699.
      tile: define __NO_LONG_DOUBLE_MATH
      misc/tst-tsearch.c: bump up TIMEOUT to 10 seconds.
      math: add LDBL_CLASSIFY_COMPAT support
      Silence some false positive warnings for gcc 4.7

Chung-Lin Tang (1):
      Maintenance patch for nios2: update ULPS file and localplt.data changes.

Damyan Ivanov (1):
      localedata: bg_BG: use colon as time separator [BZ #19385]

Daniel Marjamäki (1):
      Updated __nonnull annotations for wcscat, wcsncat, wcscmp and wcsncmp [BZ #18265]

David Kastrup (1):
      Don't macro-expand failed assertion expression [BZ #18604]

David Lamparter (1):
      arm: setjmp/longjmp: fix PIC vs SHARED thinkos

David S. Miller (5):
      Update sparc ULPS.
      Fix missing __sqrtl_finite symbol in libm on sparc 32-bit.
      Adjust sparc 32-bit __sqrtl_finite version tag.
      Define __sqrtl_finite on sparc 32-bit with correct symbol version.
      Update localplt.data for 32-bit sparc.

Dmitry V. Levin (2):
      Fix getaddrinfo bug number in ChangeLog and NEWS files
      Fix linux personality syscall wrapper

Egmont Koblinger (1):
      hu_HU: change time separator to colon [BZ #18918]

Evert (1):
      localedata: nl_NL: date_fmt: rewrite to match standards [BZ #16495]

Flavio Cruz (1):
      Fix O_DIRECTORY lookup on trivial translators

Florian Weimer (42):
      nptl: Document crash due to incorrect use of locks
      Amend ChangeLog to reflect deletion of elf/tst-znodelete-zlib.cc
      Add test case for bug 18287
      Test in commit e07aabba73ea62e7dfa0512507c92efb851fbdbe is for bug 17079
      Fix inconsistent passwd compensation in nss/bug17079.c
      Harden putpwent, putgrent, putspent, putspent against injection [BZ #18724]
      Harden tls_dtor_list with pointer mangling [BZ #19018]
      nss_nis: Do not call malloc_usable_size [BZ #10432]
      Add a test case for C++11 thread_local support
      iconvdata: Add missing const to lookup table definitions
      Fix double-checked locking in _res_hconf_reorder_addrs [BZ #19074]
      Always enable pointer guard [BZ #18928]
      vfscanf: Use struct scratch_buffer instead of extend_alloca
      The va_list pointer is unspecified after a call to vfprintf [BZ #18982]
      Assume that SOCK_CLOEXEC is available and works
      vfprintf: Rewrite printf_positional to use struct scratch_buffer
      malloc: Rewrite with explicit TLS access using __thread
      sunrpc: Rewrite with explicit TLS access using __thread
      Use the CXX compiler only if it can create dynamic and static programs
      x86_64: Regenerate ulps [BZ #19168]
      malloc: Prevent arena free_list from turning cyclic [BZ #19048]
      _dl_fini: Rewrite to use VLA instead of extend_alloca
      Add bug 18604 to NEWS
      Remove a spurious attribution
      Add bug 18604 to the correct section
      Simplify the abilist format
      Terminate process on invalid netlink response from kernel [BZ #12926]
      ld.so: Add original DSO name if overridden by audit module [BZ #18251]
      Work around conflicting declarations of math functions
      Replace MUTEX_INITIALIZER with _LIBC_LOCK_INITIALIZER in generic code
      Implement "make update-all-abi"
      Remove CPU set size checking from affinity functions [BZ #19143]
      tst-res_hconf_reorder: Set RESOLV_REORDER environment variable
      Revert "tst-res_hconf_reorder: Set RESOLV_REORDER environment variable"
      Fix aliasing violation in tst-rec-dlopen
      malloc: Fix attached thread reference count handling [BZ #19243]
      malloc: Fix list_lock/arena lock deadlock [BZ #19182]
      malloc: Update comment for list_lock
      malloc: Test various special cases related to allocation failures
      Improve check against integer wraparound in hcreate_r [BZ #18240]
      hsearch_r: Apply VM size limit in test case
      NEWS: List additional fixed security bugs

Gabriel F. T. Gomes (3):
      PowerPC: Extend Program Priority Register support
      PowerPC: Fix operand prefixes
      PowerPC: Add comments to optimized strncpy

Geoffrey Thomas (1):
      pt_chown: Clear any signal mask inherited from the parent process.

Gleb Fotengauer-Malinovskiy (2):
      Mention mkdtemp as another secure alternative to mktemp
      malloc: remove redundant getenv call

Gunnar Hjalmarsson (1):
      lt_LT: change currency symbol to the euro [BZ #18953]

H.J. Lu (95):
      Also check dead->data[category] != NULL
      Compile {memcpy,strcmp}-sse2-unaligned.S only for libc
      Align stack to 16 bytes when calling __setcontext
      Align stack to 16 bytes when calling __gettimeofday
      Align stack to 16 bytes when calling __errno_location
      Add a missing break in tst-auditmod3b.c
      Add _dl_x86_cpu_features to rtld_global
      Update x86_64 multiarch functions for <cpu-features.h>
      Update i686 multiarch functions for <cpu-features.h>
      Update libmvec multiarch functions for <cpu-features.h>
      Update x86 elision-conf.c for <cpu-features.h>
      Don't include <cpuid.h> in elision-conf.h
      Check if cpuid is available in init_cpu_features
      Define HAS_CPUID/HAS_I586/HAS_I686 from -march=
      Also check __i586__/__i686__ for HAS_I586/HAS_I686
      Use x86-64 cacheinfo.c and sysconf.c for x86
      Call __setcontext with HIDDEN_JUMPTARGET
      Mark __xstatXX_conv as hidden
      Add BZ #14341 to NEWS
      Remove x86 init-arch.c
      Move x86_64 init-arch.h to sysdeps/x86/init-arch.h
      Remove the unused IFUNC files
      Add missing ChangeLog entry for the last commit
      Add INLINE_SYSCALL_RETURN/INLINE_SYSCALL_ERROR_RETURN
      Fix a typo in linux lxstat.c
      Revert "Fix a typo in linux lxstat.c"
      Revert "Add INLINE_SYSCALL_RETURN/INLINE_SYSCALL_ERROR_RETURN"
      Save and restore vector registers in x86-64 ld.so
      Replace %xmm8 with %xmm0
      Remove x86-64 rtld-xxx.c and rtld-xxx.S
      Replace %xmm[8-12] with %xmm[0-4]
      Don't run tst-getpid2 with LD_BIND_NOW=1
      Use SSE2 optimized strcmp in x86-64 ld.so
      Don't disable SSE in x86-64 ld.so
      Replace MEMPCPY_P/PIC with USE_AS_MEMPCPY/SHARED
      Replace BZERO_P/PIC with USE_AS_BZERO/SHARED
      Remove sysdeps/i386/i486/Versions
      Move i486/bits/atomic.h to bits/atomic.h
      Move i486/htonl.S to htonl.S
      Move i486/string-inlines.c to string-inlines.c
      Move i486/pthread_spin_trylock.S to pthread_spin_trylock.S
      Move i486/strcat.S to strcat.S
      Move i486/strlen.S to strlen.S
      Remove i486 subdirectory
      Add i386 memset and memcpy assembly functions
      Detect and select i586/i686 implementation at run-time
      Mention 15786 in NEWS
      Use __pthread_setcancelstate in libc.a
      Use __libc_ptf_call in _longjmp_unwind
      Remove ignored symbols from nptl/Versions
      Move sysdeps/unix/sysv/linux/i386/i486/*.? to i386
      Update lrint/lrintf/lrintl for x32
      Support x86-64 assembler without AVX512
      Add INLINE_SYSCALL_ERROR_RETURN_VALUE
      Use INLINE_SYSCALL_ERROR_RETURN_VALUE
      Use INTERNAL_SYSCALL and INLINE_SYSCALL_ERROR_RETURN_VALUE
      Support PLT and GOT references in local PIC check
      Avoid PLT when calling __sched_getaffinity_new
      i386: Remove syscall assembly codes with 6 arguments
      Optimize i386 syscall inlining for GCC 5
      Remove i386/epoll_pwait.S
      Add comments for GCC 5 requirement
      Mark x86 _dl_unmap/_dl_make_tlsdesc_dynamic hidden
      Mark _wordcopy_XXX functions hidden
      Mark internal _dl_XXX functions hidden
      Mark internal _itoa functions hidden
      Mark _dl_catch_error hidden
      Mark internal dirent functions hidden
      Mark internal fcntl functions hidden
      Mark ld.so internal __profile_frequency hidden
      Mark internal setjmp functions hidden
      Mark ld.so internal sigaction functions hidden
      Mark ld.so internal stdlib functions hidden
      Mark ld.so internal string functions hidden
      Mark ld.so internal __uname hidden
      Mark ld.so internal __fxstatat64 hidden
      Apply -fomit-frame-pointer only to .o/.os files
      Disable GCC 5 optimization when PROF is defined
      Build i386 __libc_do_syscall when PROF is defined
      Keep only ELF_RTYPE_CLASS_{PLT|COPY} bits for prelink
      Add a test for prelink output
      Run tst-prelink test for GLOB_DAT reloc
      Update family and model detection for AMD CPUs
      Add __CPU_MASK_TYPE for __cpu_mask
      Enable Silvermont optimizations for Knights Landing
      Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT
      Add missing ChangeLog entries
      Add REGISTERS_CLOBBERED_BY_SYSCALL for x86-64
      Provide x32 times
      Mark ld.so internal mmap functions hidden in ld.so
      Mark internal unistd functions hidden in ld.so
      Update copyright dates committed in 2016
      Use TIME_T_MAX and TIME_T_MIN in tst-mktime2.c
      Call math_opt_barrier inside if
      Add _STRING_INLINE_unaligned and string_private.h

Helge Deller (1):
      hppa: Add MAP_HUGETLB and MAP_STACK defines [BZ #19285]

James Perkins (2):
      strptime %z: fix rounding, extend range to +/-9959 [BZ #16141]
      time/tst-strptime2.c: test full input range +/- 0-9999

John David Anglin (5):
      hppa: Fix reload error with atomic code [BZ #18787]
      hppa: Fix miscompilation of sched_setaffinity() [BZ #18480]
      hppa: Define __NO_LONG_DOUBLE_MATH so headers are consistent with libm build [BZ #19270]
      hppa: fix pthread spinlock
      hppa: fix dladdr [BZ #19415]

Joseph Myers (212):
      Fix powf (close to -1, large) (bug 18647).
      Fix sinh missing underflows (bug 16519).
      Fix tan missing underflows (bug 16517).
      Resort bug numbers in NEWS into ascending order.
      Fix ldbl-128ibm sinhl inaccuracy near 0 (bug 18789).
      Fix ldbl-128ibm tanhl inaccuracy (bug 18790).
      Add more tests of various libm functions.
      Fix tanh missing underflows (bug 16520).
      Add more random libm-test inputs.
      Fix fma spurious underflows (bug 18824).
      Fix csqrt spurious underflows (bug 18823).
      Fix MIPS -Wundef warnings for __mips_isa_rev.
      Fix -Wundef warnings in login/tst-utmp.c.
      Fix -Wundef warnings in elf/tst-execstack.c.
      Fix csqrt missing underflows (bug 18370).
      Fix uninitialized variable use in ldbl-128ibm nearbyintl.
      Don't use -Wno-uninitialized in math/.
      Don't use -Wno-error=undef.
      Don't use -Wno-strict-prototypes in timezone/.
      Note bug 10882 as having been fixed in 2.16.
      Note bug 14941 as having been fixed in 2.18.
      Add more TCP_* values to netinet/tcp.h.
      Add netinet/in.h values from Linux 4.2.
      Don't include <bits/stdio-lock.h> from installed <libio.h>.
      Don't install bits/libc-lock.h or bits/stdio-lock.h.
      Rename bits/libc-tsd.h to libc-tsd.h (bug 14912).
      Rename bits/m68k-vdso.h to m68k-vdso.h (bug 14912).
      Rename bits/stdio-lock.h to stdio-lock.h (bug 14912).
      Rename bits/linkmap.h to linkmap.h (bug 14912).
      Move bits/libc-lock.h and bits/libc-lockP.h out of bits/ (bug 14912).
      Fix lgamma (negative) inaccuracy (bug 2542, bug 2543, bug 2558).
      Add more randomly-generated libm tests.
      Fix ldbl-128/ldbl-128ibm lgamma spurious "invalid", incorrect signgam (bug 18952).
      Update libm-test-ulps for MIPS.
      Move bits/atomic.h to atomic-machine.h (bug 14912).
      Add more random libm test inputs (mainly for ldbl-128).
      Fix exp2 missing underflows (bug 16521).
      Fix i386 exp missing underflows (bug 18961).
      Fix i386 exp10 missing underflows (bug 18966).
      Simplify hypotf infinity handling (bug 15918).
      Fix ctan, ctanh missing underflows (bug 18595).
      Mark fegetround pure (bug 16296).
      Fix ldbl-128ibm nearbyintl use of signaling comparisons on NaNs (bug 18857).
      Fix math.h, tgmath.h XSI POSIX namespace (gamma, isnan, scalb) (bug 18967).
      Clean up ldbl-128 / ldbl-128ibm expm1l dead code (bug 16415).
      Update de.po from Translation Project (bug 4404).
      Make scalbn set errno (bug 6803).
      Don't declare float / long double Bessel functions for XSI POSIX (bug 18977).
      Fix tgamma missing underflows (bug 18951).
      Reduce number of constants in __finite* (bug 15384).
      Fix sign of zero part from ctan / ctanh when argument infinite (bug 17118).
      Test for weak undefined symbols in linknamespace.pl.
      Avoid excess range overflowing results from cosh, sinh, lgamma (bug 18980).
      Avoid excess range in results from i386 scalb functions (bug 18981).
      Avoid excess range in results from i386 exp, hypot, pow functions (bug 18980).
      Revert timezone/Makefile change.
      Use math_narrow_eval more consistently.
      Refactor code forcing underflow exceptions.
      Don't use volatile in exp2f.
      Fix x86_64 fma4 pow inappropriate contraction (bug 19003).
      Refactor i386 libm code forcing underflow exceptions.
      Use LOAD_PIC_REG in i386 atanh.
      Refactor x86_64 libm code forcing underflow exceptions.
      Fix hypot missing underflows (bug 18803).
      Use soft-fp fma for MicroBlaze (bug 13304).
      Use soft-fp fma for no-FPU ColdFire (bug 13304).
      Fix pow missing underflows (bug 18825).
      Fix powf inaccuracy (bug 18956).
      Fix clog, clog10 inaccuracy (bug 19016).
      Refine errno / "inexact" expectations in libm-test.inc.
      Improve test coverage of real libm functions [a-e]*.
      Fix i386 acosh (-qNaN) spurious "invalid" exception.
      Fix ldbl-128ibm exp10l spurious overflows (bug 16620).
      Use type-specific precision when printing results in libm-test.inc.
      Fix ldbl-128 / ldbl-128ibm lgamma overflow handling (bug 16347, bug 19046).
      Fix i386 build after put*ent hardening changes.
      Fix nexttoward overflow in non-default rounding modes (bug 19059).
      Work around powerpc32 integer 0 converting to -0 (bug 887, bug 19049, bug 19050).
      Don't list bug 887 as fixed for glibc 2.16.
      Fix ldbl-96 lroundl just below powers of 2 (bug 19071).
      Fix ldbl-128ibm log1pl (-1) sign of infinity (bug 19076).
      Fix ldbl-128ibm logl (1) sign of zero result (bug 19077).
      Add more scalb test expectations for "inexact" exception.
      Fix ldbl-128ibm expl overflow in non-default rounding modes (bug 19078).
      Remove scripts/rpm2dynsym.sh.
      Remove configure tests for SSE4 support.
      Use same test inputs for lrint and llrint.
      Add more tests of lrint, llrint, lround, llround.
      Don't use dbl-64/wordsize-64 lround based on llround for ILP32 (bug 19079).
      Use dbl-64/wordsize-64 for MIPS64.
      Fix ldbl-128 lrintl, lroundl missing exceptions for 32-bit long (bug 19085).
      Fix lround, llround missing exceptions close to overflow threshold (bug 19088).
      Remove configure tests for AVX support.
      Correct "inexact" expectations in lround, llround tests.
      Fix lrint, llrint missing exceptions close to overflow threshold (bug 19094).
      Fix dbl-64 lrint for 64-bit long (bug 19095).
      Remove configure tests for FMA4 support.
      Remove configure tests for -mno-vzeroupper support.
      Fix lrint, llrint, lround, llround missing exceptions for MIPS (bug 16399).
      Fix llrint, llround missing exceptions for ARM (bug 15470).
      Regenerate ARM libm-test-ulps.
      Regenerate MIPS libm-test-ulps.
      Fix powerpc32 llrint, llrintf bad exceptions (bug 16422).
      Move powerpc llround implementations to powerpc32 directory.
      Fix powerpc32 llround, llroundf exceptions (bug 19125).
      Fix powerpc32 lround, lroundf spurious exceptions (bug 19134).
      Remove stddef.h configure test.
      Remove -static-libgcc configure test.
      Remove .previous, .popsection configure tests.
      Remove assembler -mtune=i686 configure test.
      Do not leave files behind in /tmp from testing.
      Remove -fexceptions configure test.
      Remove sizeof (long double) configure test.
      Remove -Bgroup configure test.
      Remove NPTL configure errors based on top-level configure tests.
      Fix i386 build for lll_unlock_elision change.
      Convert 703 function definitions to prototype style.
      Add more tests for ceil, floor, round, trunc.
      Add more libm tests (fabs, fdim, fma, fmax, fmin, fmod).
      Convert 231 sysdeps function definitions to prototype style.
      Remove .weak, .weakext configure tests.
      Remove -fgnu89-inline configure test.
      Convert 69 more function definitions to prototype style (line wrap cases).
      Do not use -Wno-strict-prototypes.
      Remove gnu_unique_object configure test.
      Convert 24 more function definitions to prototype style (array parameters).
      Convert 29 more function definitions to prototype style (multiple parameters in one K&R parameter declaration).
      Convert 113 more function definitions to prototype style (files with assertions).
      Convert miscellaneous function definitions to prototype style.
      Add more libm tests (fmod, fpclassify, frexp, hypot, ilogb, j0, j1, jn, log, log10, log2).
      Convert a few more function definitions to prototype style.
      Use -Wold-style-definition.
      Fix ldbl-128 j0l spurious underflows (bug 19156).
      Make io/ftwtest-sh remove temporary files on early exit.
      Move io/tst-fcntl temporary file creation to do_prepare.
      Fix i386 / x86_64 nearbyint exception clearing (bug 15491).
      Fix j1, jn missing errno setting on underflow (bug 18611).
      Add more libm tests (ilogb, is*, j0, j1, jn, lgamma, log*).
      Remove libm-test.inc special-casing of errors up to 0.5 ulp.
      Remove configure test for assembler .text directive.
      Remove support for removing glibc 2.0 headers.
      Remove configure test for needing -P for .S files.
      Remove TLS configure tests.
      Require GCC 4.7 or later to build glibc.
      Use -std=c11 for C11 conform/ tests.
      Remove pre-GCC-4.7 conform/ test XFAILs.
      Remove sysdeps/nptl/configure.ac.
      Use -std=gnu11 instead of -std=gnu99.
      Add -std=gnu11 and -std=c11 NPTL initializers tests.
      Remove GCC version conditionals on -Wmaybe-uninitialized pragmas.
      Remove MIPS16 atomics using __sync_* (bug 17404).
      Remove configure test for ARM TLS descriptors support.
      Remove -mavx2 configure tests.
      Use C11 *_DECIMAL_DIG macros in libm-test.inc.
      Fix i386/x86_64 fesetenv SSE exception clearing (bug 19181).
      Use C11 *_TRUE_MIN macros where applicable.
      Use C11 CMPLX* macros in libm tests.
      Handle more state in i386/x86_64 fesetenv (bug 16068).
      Use max_align_t from <stddef.h>.
      Remove configure tests for visibility support.
      Remove cpuid.h configure tests.
      Make drem an alias of remainder (bug 16171).
      Do not test sign of zero result from infinite argument to Bessel functions.
      Fix ldbl-128 log1pl (-qNaN) spurious "invalid" exception (bug 19189).
      Remove init_array / fini_array configure test.
      Make nextafter, nexttoward set errno (bug 6799).
      Fix dbl-64 remainder sign of zero result (bug 19201).
      Add more libm tests (modf, nearbyint, nextafter, nexttoward, pow, remainder, remquo, rint).
      Remove --no-whole-archive configure test.
      Add more libm tests (scalb*, signbit, sin, sincos, sinh, sqrt, tan, tanh, tgamma, y0, y1, yn, significand).
      Refactor libm-test inline tests disabling.
      Remove miscellaneous GCC >= 4.7 version conditionals.
      Make bits/math-finite.h conditions match other headers (bug 19205).
      Don't redirect ldexp to scalbn in bits/math-finite.h (bug 19209).
      Fix features.h for -Wundef (bug 19212).
      Fix finite-math-only lgamma functions signgam setting (bug 19211).
      Fix i386/x86_64 log* (1) zero sign for -ffinite-math-only (bug 19213).
      Add script to list fixed bugs for the NEWS file.
      Run libm-test tests for finite-math-only functions.
      Remove configure tests for some linker -z options.
      Fix typo in signgam test messages.
      Add more tests of pow.
      Fix powerpc nearbyint wrongly clearing "inexact" and leaving traps disabled (bug 19228).
      Fix powerpc64 lround, lroundf, llround, llroundf spurious "inexact" exceptions (bug 19235).
      Fix powerpc round, roundf spurious "inexact" (bug 19238).
      Fix ldbl-128ibm strtold overflow handling (bug 14551).
      Fix lgamma setting signgam for ISO C (bug 15421).
      Fix math_private.h multiple include guards.
      Fix strtol in Turkish locales (bug 19242).
      Update <netpacket/packet.h> for Linux 4.3.
      Update <sys/ptrace.h> for Linux 4.3.
      Fix strtod ("NAN(I)") in Turkish locales (bug 19266).
      Refactor strtod parsing of NaN payloads.
      Use hex float constants in sysdeps/ieee754/dbl-64/e_sqrt.c.
      Fix nan functions handling of payload strings (bug 16961, bug 16962).
      Use direct socket syscalls for new kernels on i386, m68k, microblaze, sh.
      Fix ldbl-128ibm tanhl inaccuracy for small arguments (bug 19349).
      Fix ldbl-128ibm sinhl spurious overflows (bug 19350).
      Fix ldbl-128ibm logl inaccuracy near 1 (bug 19351).
      Automate LC_CTYPE generation for tr_TR, update to Unicode 8.0.0 (bug 18491).
      Make obsolete syscall wrappers into compat symbols (bug 18472).
      Update copyright dates with scripts/update-copyrights.
      Update copyright dates not handled by scripts/update-copyrights.
      Update miscellaneous files from upstream sources.
      Add new header definitions from Linux 4.4 (plus older ptrace definitions).
      Regenerate ARM libm-test-ulps.
      Regenerate powerpc-nofpu libm-test-ulps.
      Regenerate MIPS libm-test-ulps.
      Fix ulps regeneration for *-finite tests.
      Update localplt.data for powerpc-nofpu.
      Fix __finitel libm compat symbol version.
      Fix MIPS mmap negative offset handling for consistency (bug 19550).

Justus Winter (1):
      Cache the host port like we cache the task port

Khem Raj (1):
      argp: Use fwrite_unlocked instead of __fxprintf when !_LIBC

Ludovic Courtès (2):
      Gracefully handle incompatible locale data
      Use shell's builtin pwd.

Maciej W. Rozycki (3):
      [BZ #17250] Fix static dlopen default library search path
      MIPS: Wire FCSR.ABS2008 to FCSR.NAN2008
      MIPS: Set the required Linux kernel version to 4.5.0 for 2008 NaN

Manolis Ragkousis (1):
      Check sysheaders when looking for Mach and Hurd headers

Marcin Kościelnicki (1):
      Add __private_ss to s390 struct tcbhead.

Mark Wielaard (3):
      Add LFS support for fts functions (bug 11460)
      elf/elf.h: Add new 386 and X86_64 relocations from binutils.
      Revert "elf/elf.h: Add new 386 and X86_64 relocations from binutils."

Marko Myllynen (4):
      localedata: remove timezone information [BZ #18525]
      Fix lang_lib/lang_term as per ISO 639-2 [BZ #16973]
      Make shebang interpreter directives consistent
      Make shebang interpreter directives consistent

Martin Sebor (4):
      Let 'make check subdirs=string' succeed even when it's invoked
      Fix build errors with -DNDEBUG.
      Fix build failures with -DDEBUG.
      Have iconv accept redundant escape sequences in IBM900, IBM903, IBM905,

Maxim Ostapenko (1):
      Clear DF_1_NODELETE flag only for failed to load library.

Mike FABIAN (3):
      Generic updates to transliterations.
      Update da, nb, nn, and sv locales (Bug 89)
      Update to Unicode 8.0.0.

Mike Frysinger (44):
      nptl: fix set-but-unused warning w/_STACK_GROWS_UP
      mmap64: fix undef warnings
      test-skeleton: add usage information
      fix missing ctype.h include
      hppa: _dl_symbol_address: add missing hidden def
      microblaze: include unix/sysdep.h
      hppa: put custom madvise defines behind __USE_MISC
      fix non-portable `echo -n` usage
      gawk: fix gensub usage
      stpncpy: fix bug number [BZ #18795]
      hppa: assume TLS everywhere
      hppa: drop __ASSUME_LWS_CAS define
      hppa: shm.h: add SHM_EXEC
      hppa: sigaction.h: update define export based on __USE_XOPEN2K8
      hppa: epoll.h: move to common sys/epoll.h
      hppa: eventfd.h: move to common sys/eventfd.h
      hppa: inotify.h: move to common sys/inotify.h
      hppa: signalfd.h: move to common sys/signalfd.h
      hppa: timerfd.h: move to common sys/timerfd.h
      NEWS: note fixed bug
      relocate localedata ChangeLog entries
      manual: skip build when perl is unavailable
      mips: siginfo.h: add SIGSYS details [BZ #18863]
      de.po: fix SIGALRM typo [BZ #4404]
      getmntent: fix memory corruption w/blank lines [BZ #18887]
      NEWS: add #18887
      localedef: improve error message [BZ #16985]
      alpha: drop __ASSUME_FDATASYNC
      timezone: fix parallel check failures
      timezone: add a configure flag to disable program install
      timezone: document new --disable-timezone-tools option
      timezone: polish grammar a bit in documentation
      use -fstack-protector-strong when available
      pylintrc: disable reports
      ia64: fpu: fix gammaf typo [BZ #15421]
      list-fixed-bugs: use argparse for the commandline
      localedata: nl_NL@euro: copy measurement from nl_NL [BZ #19198]
      ia64: fpu: fix gamma definition handling [BZ #15421]
      xstat: only check to see if __ASSUME_ST_INO_64_BIT is defined
      longlong: fix sh -Wundef builds
      sparc: mman.h: fix bad comment insertion
      configure: make the unsupported error message less hostile
      localedata: convert all files to utf-8
      Revert "ChangeLogs: convert to utf-8"

Namhyung Kim (1):
      manual/argp.texi (Specifying Argp Parsers): Fix typo.

Ondrej Bilka (1):
      powerpc: Fix stpcpy performance for power8

Ondřej Bílka (4):
      Fix exponents in manual.
      Fix strcpy_chk and stpcpy_chk performance.
      Handle overflow in __hcreate_r
      add bug 18240 to news.

Paul E. Murphy (6):
      powerpc: Fix tabort usage in syscalls
      powerpc: Revert to default atomic ops in elision code
      Fix race in tst-mqueue5
      powerpc: Fix macro usage of htm builtins
      Fix nptl/tst-setuid3.c
      Cleanup ppc bits/ipc.h

Paul Eggert (8):
      Port the 0x7efe...feff pattern to GCC 6.
      Fix broken overflow check in posix_fallocate [BZ 18873]
      Consistency about byte vs character in string.texi
      Fix typo in strncat, wcsncat manual entries
      Split large string section; add truncation advice
      Update timezone code from tzcode 2015g.
      Fix doc quoting problems with Texinfo 5
      ChangeLogs: convert to utf-8

Paul Murphy (6):
      nptl: Add adapt_count parameter to lll_unlock_elision
      powerpc: Optimize lock elision for pthread_mutex_t
      powerpc: Fix usage of elision transient failure adapt param
      Shuffle includes in ldbl-128ibm/mpn2ldl.c
      powerpc: More elision improvements
      powerpc: Spinlock optimization and cleanup

Paul Pluzhnikov (19):
      Add #include <unistd.h> to libio/oldfileops.c for write.
      Fix BZ #17905
      Fix trailing space.
      In preparation for fixing BZ#16734, fix failure in misc/tst-error1-mem
      Fix BZ #18086 -- nice resets errno to 0.
      Fix BZ #16734 -- fopen calls mmap to allocate its buffer
      Fix BZ #18820 -- fmemopen may leak memory on failure.
      Regenerated sysdeps/x86_64/fpu/libm-test-ulps with AVX2.
      Fix BZ #18084 -- backtrace (..., 0) dumps core on x86.
      Filter out NULL entries.
      Fix BZ #18757.
      To fix BZ #18675, use __fstatvfs64 in __fpathconf.
      Fix BZ #18872 -- memory leak in printf_positional.
      Fix BZ #18985 -- out of range data to strftime() causes a segfault
      sysdeps/x86_64/fpu/libm-test-ulps: Regenerated on Haswell.
      Fix BZ #19012 -- iconv_open leaks memory on error path.
      stdio-common/tst-printf-bz18872.sh: Use attribute optimize instead of
      [BZ #19451]
      2016-01-20  Paul Pluzhnikov  <ppluzhnikov@google.com>

Petar Jovanovic (1):
      Fix dynamic linker issue with bind-now

Phil Blundell (1):
      ChangeLog: Fix incorrect email address

Rajalakshmi Srinivasaraghavan (3):
      powerpc: Handle worstcase behavior in strstr() for POWER7
      Call direct system calls for socket operations
      powerpc: Regenerate libm-test-ulps

Rasmus Villemoes (1):
      linux/getsysstats.c: use sysinfo() instead of parsing /proc/meminfo

Richard Henderson (2):
      longlong.h: Disable alpha umul_ppmm for old g++
      Update Alpha libm-test-ulps

Rob Wu (1):
      resolv: Reset defdname before use in __res_vinit [BZ #19369]

Roland McGrath (12):
      NaCl: Call __nacl_main in preference to main.
      Meaningless ChangeLog cleanup to trigger buildbot.
      Mark elf/tst-protected1[ab] as XFAIL.
      BZ#18921: Fix opendir inverted o_directory_works test.
      BZ#18921: Mark fixed in NEWS.
      NaCl: Do not install <sys/mtio.h>.
      Use HOST_NAME_MAX for MAXHOSTNAMELEN in <sys/param.h>.
      BZ#18872: Don't conditionalize build rules for test program.
      Fix some stub prototypes missing ... after K&R conversion
      NaCl: Use open_resource API for shared objects
      NaCl: Use allocate_code_data after dyncode_create
      NaCl: Fix unused variable errors in lowlevellock-futex.h macros.

Samuel Thibault (20):
      Fix gcrt0.o compilation
      Fix sysdeps/i386/fpu/s_scalbn.S build
      Fix rules generating headers in hurd/ and mach/
      Fix parallel build of before-compile targets.
      Fix typo
      Fix typo
      Really fix sysdeps/i386/fpu/s_scalbn.S build
      Fix vm_page_size visibility
      Add missing __mach_host_self_ symbol in Versions
      Add task_notify to mach_interface_list
      Make _hurd_raise_signal return errors
      Make _hurd_raise_signal directly return the error
      Remove unused variable
      Fix RPC breakage when longjumping from signal handler
      Fix hurd build with hidden support
      Revert not defining NO_HIDDEN on hurd
      Do not add relro attribute to __libc_stack_end
      hurd: Initialize __libc_stack_end for hidden support
      hurd: Make mmap64 use vm_offset_t for overflow check
      Harmonize generic stdio-lock support with nptl

Siddhesh Poyarekar (12):
      Remove incorrect register mov in floorf/nearbyint on x86_64
      Drop unused first argument from arena_get2
      Don't use the main arena in retry path if it is corrupt
      benchtests: Mark output variables as used
      Remove redundant else clauses in s_sin.c
      Include s_sin.c in s_sincos.c
      benchtests: Add inputs from sin and cos to sincos
      benchtests: ffs and ffsll are string functions, not math
      Fix up ChangeLog
      Consolidate range reduction in sincos for x > 281474976710656
      Consolidate sin and cos code for 105414350 <|x|< 281474976710656
      Consolidate sincos computation for 2.426265 < |x| < 105414350

Stan Shebs (1):
      Disable uninitialized warning with GCC 4.8

Stefan Liebler (37):
      S390: Fix handling of DXC-byte in FPC-register.
      S390: Refactor ifunc implementations and enable ifunc-test-framework.
      S390: Add hwcaps value for vector facility.
      S390: Add new s390 platform.
      S390: configure check for vector instruction support in assembler.
      S390: Ifunc resolver macro for vector instructions.
      S390: Optimize strlen and wcslen.
      S390: Optimize strnlen and wcsnlen.
      S390: Optimize strcpy and wcscpy.
      S390: Optimize stpcpy and wcpcpy.
      S390: Optimize strncpy and wcsncpy.
      S390: Optimize stpncpy and wcpncpy.
      S390: Optimize strcat and wcscat.
      S390: Optimize strncat wcsncat.
      S390: Optimize strcmp and wcscmp.
      S390: Optimize strncmp and wcsncmp.
      S390: Optimize strchr and wcschr.
      S390: Optimize strchrnul and wcschrnul.
      S390: Optimize strrchr and wcsrchr.
      S390: Optimize strspn and wcsspn.
      S390: Optimize strpbrk and wcspbrk.
      S390: Optimize strcspn and wcscspn.
      S390: Optimize memchr, rawmemchr and wmemchr.
      S390: Optimize memccpy.
      S390: Optimize wmemset.
      S390: Optimize wmemcmp.
      S390: Optimize memrchr.
      S390: Optimize string, wcsmbs and memory functions.
      S390: Fix build error with gcc6 in utf8_utf16-z9.c.
      Adjust _Unwind_Word in unwind.h to version in libgcc.
      S390: Call direct system calls for socket operations.
      S390: Clean setjmp, longjmp, getcontext symbols.
      S390: Use __asm__ instead of asm.
      S/390: Do not raise inexact exception in lrint/lround. [BZ #19486]
      S390: Regenerate ULPs
      S390: Fix build error in iconvdata/bug-iconv11.c.
      S390: Fix build failure in test string/tst-endian.c with gcc 6.

Steve Ellcey (9):
      Fix undefined warning messages in GCC 6.
      Add unused attribute to declaration for mips16 builds.
      Add missing ChangeLog entry.
      Update timezone/Makefile to use -Wno-unused-variable
      Make performance improvement to MIPS memcpy for small copies.
      Fix indentation.
      Fix indentation.
      Fix indentation.
      Fix MIPS64 memcpy regression.

Szabolcs Nagy (4):
      Regenerate aarch64 libm-test-ulps
      [BZ #19129][ARM] Fix _dl_tlsdesc_resolve_hold to save r0
      [AArch64] Regenerate libm-test-ulps
      [ARM] add missing -funwind-tables to test case (bug 19529)

Thomas Schwinge (1):
      hurd: install correct number of send rights on fork

Torvald Riegel (5):
      Remove unused variable in math/atest-exp2.c.
      Do not violate mutex destruction requirements.
      New pthread_barrier algorithm to fulfill barrier destruction requirements.
      Fix pthread_barrier_init typo.
      nptl: Add first-line description for barrier tests.

Tulio Magno Quites Machado Filho (3):
      PowerPC: Fix a race condition when eliding a lock
      tst-backtrace4: fix a warning message
      powerpc: Enforce compiler barriers on hardware transactions

Vincent Bernat (2):
      time: in strptime(), make %z accept Z as a time zone [BZ #17886]
      time: in strptime(), make %z accept [+-]HH:MM tz [BZ #17887]

Wilco Dijkstra (17):
      Improve fesetenv performance by avoiding unnecessary FPSR/FPCR reads/writes.
      Improve feenableexcept performance - avoid an unnecessary FPCR read in case
      This patch improves strncpy performance by using strnlen/memcpy rather than a byte loop. Performance
      Improve memccpy performance by using memchr/memcpy/mempcpy rather than
      Improve performance of mempcpy by inlining and using memcpy. Enable
      Improve stpncpy performance by using __strnlen/memcpy/memset rather than a
      2015-08-24  Wilco Dijkstra  <wdijkstr@arm.com>
      2015-08-24  Wilco Dijkstra  <wdijkstr@arm.com>
      Add a new benchmark for isinf/isnan/isnormal/isfinite/fpclassify. The test uses 2 arrays with 1024 doubles, one with 99% finite FP numbers (10% zeroes, 10% negative) and 1% inf/NaN, the other with 50% inf, and 50% Nan.
      Add inlining of the C99 math functions isinf/isnan/signbit/isfinite/isnormal/fpclassify using GCC
      Use the GCC builtin functions for the non-inlined signbit implementations.
      Fix several build failures with GCC6 due to unused static variables.
      Since we now inline isinf, isnan and isfinite in math.h, replace uses of __isinf_ns(l/f)
      Cleanup a few cases where isinf is used to get the signbit to improve the readability and maintainability and allow inlining.
      Undo build error fixes to timezone/private.h, change makefile instead to
      Remove __signbit* from localplt.data as they are no longer called from within GLIBC.
      Enable _STRING_ARCH_unaligned on AArch64.

Zack Weinberg (4):
      Correct comments about the history of <regexp.h>
      stpncpy: fix size checking [BZ #18975]
      Desupport regexp.h (bug 18681)
      regexp.h: update Versions to match file usage [BZ #18681]

-----------------------------------------------------------------------
Comment 16 Sourceware Commits 2016-02-25 19:06:39 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.20/master has been updated
       via  d5a4840c6b4025302f485b9271e4c72d315221f5 (commit)
       via  eda498975dd49f616d8af26e5224ca39c8feeb8c (commit)
       via  6ef92b982aef69f05a3faa481c34699bfa55f1dd (commit)
       via  d5ef25a8d894fa5833854588afaacdf8771972a8 (commit)
       via  9f108bbbeb8064a746cd2e1e7079f58fe3508485 (commit)
      from  ed99e5f9cc6471745488f269d16ee5b127944a85 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d5a4840c6b4025302f485b9271e4c72d315221f5

commit d5a4840c6b4025302f485b9271e4c72d315221f5
Author: Carlos O'Donell <carlos@systemhalted.org>
Date:   Tue Feb 16 21:26:37 2016 -0500

    CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665).
    
    * A stack-based buffer overflow was found in libresolv when invoked from
      libnss_dns, allowing specially crafted DNS responses to seize control
      of execution flow in the DNS client.  The buffer overflow occurs in
      the functions send_dg (send datagram) and send_vc (send TCP) for the
      NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
      family.  The use of AF_UNSPEC triggers the low-level resolver code to
      send out two parallel queries for A and AAAA.  A mismanagement of the
      buffers used for those queries could result in the response of a query
      writing beyond the alloca allocated buffer created by
      _nss_dns_gethostbyname4_r.  Buffer management is simplified to remove
      the overflow.  Thanks to the Google Security Team and Red Hat for
      reporting the security impact of this issue, and Robert Holiday of
      Ciena for reporting the related bug 18665. (CVE-2015-7547)
    
    See also:
    https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
    https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html
    
    (cherry picked from commit 16d0a0ce7613552301786bf05d7eba8784b5732c)
    
    Conflicts:
    	NEWS
    	resolv/res_send.c

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=eda498975dd49f616d8af26e5224ca39c8feeb8c

commit eda498975dd49f616d8af26e5224ca39c8feeb8c
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu Feb 26 14:55:24 2015 +0100

    Fix read past end of pattern in fnmatch (bug 18032)
    
    (cherry picked from commit 4a28f4d55a6cc33474c0792fe93b5942d81bf185)
    
    Conflicts:
    	NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6ef92b982aef69f05a3faa481c34699bfa55f1dd

commit 6ef92b982aef69f05a3faa481c34699bfa55f1dd
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
Date:   Sun Feb 22 12:01:47 2015 -0800

    Fix BZ #17269 -- _IO_wstr_overflow integer overflow
    
    (cherry picked from commit bdf1ff052a8e23d637f2c838fa5642d78fcedc33)
    
    Conflicts:
    	NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d5ef25a8d894fa5833854588afaacdf8771972a8

commit d5ef25a8d894fa5833854588afaacdf8771972a8
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Oct 6 13:12:36 2015 +0200

    Harden tls_dtor_list with pointer mangling [BZ #19018]
    
    (cherry picked from commit f586e1328681b400078c995a0bb6ad301ef73549)
    
    Conflicts:
    	NEWS
    	stdlib/cxa_thread_atexit_impl.c

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9f108bbbeb8064a746cd2e1e7079f58fe3508485

commit 9f108bbbeb8064a746cd2e1e7079f58fe3508485
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Oct 15 09:23:07 2015 +0200

    Always enable pointer guard [BZ #18928]
    
    Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
    has security implications.  This commit enables pointer guard
    unconditionally, and the environment variable is now ignored.
    
            [BZ #18928]
            * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
            _dl_pointer_guard member.
            * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
            initializer.
            (security_init): Always set up pointer guard.
            (process_envvars): Do not process LD_POINTER_GUARD.
    
    (cherry picked from commit a014cecd82b71b70a6a843e250e06b541ad524f7)
    
    Conflicts:
    	NEWS

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                       |   45 +++++++
 NEWS                            |   21 +++-
 elf/rtld.c                      |   15 +--
 libio/wstrops.c                 |    8 +-
 posix/fnmatch_loop.c            |    5 +-
 posix/tst-fnmatch3.c            |    8 +-
 resolv/nss_dns/dns-host.c       |  111 +++++++++++++++++-
 resolv/res_query.c              |    3 +
 resolv/res_send.c               |  257 ++++++++++++++++++++++++++++++---------
 stdlib/cxa_thread_atexit_impl.c |   12 ++-
 sysdeps/generic/ldsodefs.h      |    3 -
 11 files changed, 401 insertions(+), 87 deletions(-)
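The commit message above describes a mismanagement of the two answer buffers in send_dg, and the bug report at the top of this page pins it down to a size pointer (thisanssizp) that is rebound separately from the buffer it is supposed to describe. The following C program is an added example, not glibc code: it models that bookkeeping in simplified form, reusing the report's variable names (anssizp, anssizp2, thisanssizp, thisansp) but with constructed buffer sizes, a constructed reply length and a stand-in fake_recv() in place of recvfrom(). The buggy function shows the (buffer, size) pair handed to recv drifting apart; the second function keeps buffer and size in one struct so a single "current answer" selection cannot leave them out of step.

```c
/* Added example, not glibc code: simplified model of the per-answer
   bookkeeping in send_dg as described in bug 18665.  Sizes, the reply
   length and fake_recv() are constructed for the example.  */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define SMALL_BUF 64            /* constructed: caller's initial buffer size */
#define MAXPACKET 65536         /* glibc's macro name; the value is assumed */
#define REPLY_LEN 1000          /* constructed: size of the reply on the wire */

/* Stand-in for recvfrom(): delivers at most 'size' bytes of a REPLY_LEN
   byte reply into buf and returns how many bytes were written.  */
static size_t fake_recv(unsigned char *buf, size_t size)
{
    size_t n = REPLY_LEN < size ? REPLY_LEN : size;
    memset(buf, 0x41, n);
    return n;
}

/* Buggy bookkeeping: thisanssizp is rebound to the second answer's size,
   but when the buffer is later enlarged its new size is stored through
   anssizp.  recv is then told a size that belongs to a different buffer.
   Returns the bytes recv delivered; *tracked is the size recv was told and
   *actual the real allocation.  */
size_t buggy_second_read(size_t *tracked, size_t *actual)
{
    unsigned char small1[SMALL_BUF], small2[SMALL_BUF];
    unsigned char *ans = small1, *ans2 = small2;
    size_t anssiz = SMALL_BUF, anssiz2 = SMALL_BUF;
    size_t *anssizp = &anssiz, *anssizp2 = &anssiz2;
    unsigned char **thisansp = &ans;
    size_t *thisanssizp = anssizp;          /* initial binding: first answer */

    /* First reply has arrived: switch bookkeeping to the second answer.  */
    thisansp = &ans2;
    thisanssizp = anssizp2;

    /* Reply needs more room: allocate a new buffer, but record its size
       through the wrong pointer.  anssiz (still describing the 64-byte
       stack buffer small1) now says MAXPACKET, while anssiz2, which recv
       will read, still says SMALL_BUF.  */
    unsigned char *big = malloc(MAXPACKET);
    if (big == NULL)
        abort();
    *thisansp = big;
    *anssizp = MAXPACKET;

    *tracked = *thisanssizp;                /* what recv is told */
    *actual = MAXPACKET;                    /* what was really allocated */
    size_t got = fake_recv(*thisansp, *thisanssizp);
    free(big);
    return got;
}

/* Hardened bookkeeping: a buffer and its size travel as one object.  */
struct answer {
    unsigned char *buf;
    size_t size;
};

size_t fixed_second_read(size_t *tracked, size_t *actual)
{
    unsigned char small1[SMALL_BUF], small2[SMALL_BUF];
    struct answer a1 = { small1, SMALL_BUF }, a2 = { small2, SMALL_BUF };
    struct answer *cur = &a1;               /* initial binding: first answer */

    cur = &a2;                              /* first reply arrived: switch */

    unsigned char *big = malloc(MAXPACKET);
    if (big == NULL)
        abort();
    cur->buf = big;                         /* buffer and size are updated ... */
    cur->size = MAXPACKET;                  /* ... together, on the same object */

    *tracked = cur->size;
    *actual = MAXPACKET;
    size_t got = fake_recv(cur->buf, cur->size);
    free(big);
    return got;
}
```

In the buggy run the 1000-byte reply is truncated to 64 bytes because recv is told the stale size, and the first answer's recorded size now exceeds its 64-byte stack buffer, which is the inconsistency the commit removes by simplifying the buffer management. The fixed run delivers all 1000 bytes and the tracked size always equals the allocation.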
Comment 17 Sourceware Commits 2016-03-25 18:35:23 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  b66d837bb5398795c6b0f651bd5a5d66091d8577 (commit)
      from  f327f5b47be57bc05a4077344b381016c1bb2c11 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b66d837bb5398795c6b0f651bd5a5d66091d8577

commit b66d837bb5398795c6b0f651bd5a5d66091d8577
Author: Florian Weimer <fweimer@redhat.com>
Date:   Fri Mar 25 11:49:51 2016 +0100

    resolv: Always set *resplen2 out parameter in send_dg [BZ #19791]
    
    Since commit 44d20bca52ace85850012b0ead37b360e3ecd96e (Implement
    second fallback mode for DNS requests), there is a code path which
    returns early, before *resplen2 is initialized.  This happens if the
    name server address is immediately recognized as invalid (because of
    lack of protocol support, or if it is a broadcast address such as
    255.255.255.255, or another invalid address).
    
    If this happens and *resplen2 was non-zero (which is the case if a
    previous query resulted in a failure), __libc_res_nquery would reuse
    an existing second answer buffer.  This answer has been previously
    identified as unusable (for example, it could be an NXDOMAIN
    response).  Due to the presence of a second answer, no name server
    switching will occur.  The result is a name resolution failure,
    although a successful resolution would have been possible if name
    servers have been switched and queries had proceeded along the search
    path.
    
    The above paragraph still simplifies the situation.  Before glibc
    2.23, if the second answer needed malloc, the stub resolver would
    still attempt to reuse the second answer, but this is not possible
    because __libc_res_nsearch has freed it, after the unsuccessful call
    to __libc_res_nquerydomain, and set the buffer pointer to NULL.  This
    eventually leads to an assertion failure in __libc_res_nquery:
    
    	/* Make sure both hp and hp2 are defined */
    	assert((hp != NULL) && (hp2 != NULL));
    
    If assertions are disabled, the consequence is a NULL pointer
    dereference on the next line.
    
    Starting with glibc 2.23, as a result of commit
    e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca (CVE-2015-7547: getaddrinfo()
    stack-based buffer overflow (Bug 18665)), the second answer is always
    allocated with malloc.  This means that the assertion failure happens
    with small responses as well because there is no buffer to reuse, as
    soon as there is a name resolution failure which triggers a search for
    an answer along the search path.
    
    This commit addresses the issue by ensuring that *resplen2 is
    initialized before the send_dg function returns.
    
    This commit also addresses a bug where an invalid second reply is
    incorrectly returned as valid to the caller.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog         |    9 +++++++
 resolv/res_send.c |   63 +++++++++++++++++++++++++++++++++-------------------
 2 files changed, 49 insertions(+), 23 deletions(-)
Comment 18 Sourceware Commits 2016-03-28 20:20:23 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.22/master has been updated
       via  5a1a5f0dd2744044801c91bf2588444c29cda533 (commit)
      from  de905d1487a6d1d1667ae1346e4f2629dce9485f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5a1a5f0dd2744044801c91bf2588444c29cda533

commit 5a1a5f0dd2744044801c91bf2588444c29cda533
Author: Florian Weimer <fweimer@redhat.com>
Date:   Fri Mar 25 11:49:51 2016 +0100

    resolv: Always set *resplen2 out parameter in send_dg [BZ #19791]
    
    Since commit 44d20bca52ace85850012b0ead37b360e3ecd96e (Implement
    second fallback mode for DNS requests), there is a code path which
    returns early, before *resplen2 is initialized.  This happens if the
    name server address is immediately recognized as invalid (because of
    lack of protocol support, or if it is a broadcast address such as
    255.255.255.255, or another invalid address).
    
    If this happens and *resplen2 was non-zero (which is the case if a
    previous query resulted in a failure), __libc_res_nquery would reuse
    an existing second answer buffer.  This answer has been previously
    identified as unusable (for example, it could be an NXDOMAIN
    response).  Due to the presence of a second answer, no name server
    switching will occur.  The result is a name resolution failure,
    although a successful resolution would have been possible if name
    servers have been switched and queries had proceeded along the search
    path.
    
    The above paragraph still simplifies the situation.  Before glibc
    2.23, if the second answer needed malloc, the stub resolver would
    still attempt to reuse the second answer, but this is not possible
    because __libc_res_nsearch has freed it, after the unsuccessful call
    to __libc_res_nquerydomain, and set the buffer pointer to NULL.  This
    eventually leads to an assertion failure in __libc_res_nquery:
    
    	/* Make sure both hp and hp2 are defined */
    	assert((hp != NULL) && (hp2 != NULL));
    
    If assertions are disabled, the consequence is a NULL pointer
    dereference on the next line.
    
    Starting with glibc 2.23, as a result of commit
    e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca (CVE-2015-7547: getaddrinfo()
    stack-based buffer overflow (Bug 18665)), the second answer is always
    allocated with malloc.  This means that the assertion failure happens
    with small responses as well because there is no buffer to reuse, as
    soon as there is a name resolution failure which triggers a search for
    an answer along the search path.
    
    This commit addresses the issue by ensuring that *resplen2 is
    initialized before the send_dg function returns.
    
    This commit also addresses a bug where an invalid second reply is
    incorrectly returned as valid to the caller.
    
    (cherry picked from commit b66d837bb5398795c6b0f651bd5a5d66091d8577)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog         |    9 +++++++
 NEWS              |    2 +-
 resolv/res_send.c |   63 +++++++++++++++++++++++++++++++++-------------------
 3 files changed, 50 insertions(+), 24 deletions(-)
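The BZ #19791 commit message, posted for master in Comment 17 and again for the release branches above, describes an early-return path in send_dg that leaves the *resplen2 out parameter untouched, so a stale length from an earlier failed query survives and the caller treats a freed second answer as present. The following C program is an added example, not glibc code: it models that hazard with a constructed struct server, a constructed "unusable address" test (the broadcast address the commit mentions), constructed lengths and a caller that, like __libc_res_nquery, takes a non-zero resplen2 to mean a second answer exists. The fixed variant simply defines the out parameter before any early return.

```c
/* Added example, not glibc code: simplified model of the BZ #19791 hazard.
   Server addresses, the "unusable" test, lengths and status values are all
   constructed for the example.  */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

struct server {
    uint32_t addr;       /* IPv4 address as a host-order integer (constructed) */
    int reply2_len;      /* length of the reply to the second query, if sent */
};

/* Constructed: an address the stub resolver rejects immediately, here the
   broadcast address 255.255.255.255 named in the commit message.  */
static bool server_unusable(const struct server *s)
{
    return s->addr == 0xffffffffu;
}

/* Buggy: the early return leaves *resplen2 with whatever the caller had.  */
int send_dg_buggy(const struct server *s, int *resplen2)
{
    if (server_unusable(s))
        return -1;                  /* *resplen2 is not written on this path */
    *resplen2 = s->reply2_len;
    return 0;
}

/* Fixed: the out parameter is defined before any early return.  */
int send_dg_fixed(const struct server *s, int *resplen2)
{
    *resplen2 = 0;
    if (server_unusable(s))
        return -1;
    *resplen2 = s->reply2_len;
    return 0;
}

/* Caller model.  A previous query failed: its second answer (40 bytes,
   constructed) was judged unusable and its buffer was freed, leaving
   answer2 == NULL while resplen2 still records the old length.  The caller
   then sends to a server with an unusable address and afterwards treats a
   non-zero resplen2 as "second answer present".  Returns true when the
   caller would go on to use that phantom answer, which is the state the
   assert quoted in the commit message guards against.  */
bool caller_uses_stale_answer(int (*send)(const struct server *, int *))
{
    unsigned char *answer2 = NULL;   /* freed after the earlier failure */
    int resplen2 = 40;               /* stale length from that failure */
    struct server bad = { 0xffffffffu, 0 };

    (void)send(&bad, &resplen2);

    return resplen2 > 0 && answer2 == NULL;
}
```

With send_dg_buggy the caller still sees resplen2 == 40 and a NULL buffer after the failed send; with send_dg_fixed resplen2 is 0, so the caller correctly moves on to the next name server instead of reusing a freed answer.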
Comment 19 Sourceware Commits 2016-03-28 20:41:19 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.23/master has been updated
       via  3a188eb4e641d2df0cfd352fd09232347f28fbe1 (commit)
      from  73f158cef52f3968e0b9a7785638cf1737c35306 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3a188eb4e641d2df0cfd352fd09232347f28fbe1

commit 3a188eb4e641d2df0cfd352fd09232347f28fbe1
Author: Florian Weimer <fweimer@redhat.com>
Date:   Fri Mar 25 11:49:51 2016 +0100

    resolv: Always set *resplen2 out parameter in send_dg [BZ #19791]
    
    Since commit 44d20bca52ace85850012b0ead37b360e3ecd96e (Implement
    second fallback mode for DNS requests), there is a code path which
    returns early, before *resplen2 is initialized.  This happens if the
    name server address is immediately recognized as invalid (because of
    lack of protocol support, or if it is a broadcast address such as
    255.255.255.255, or another invalid address).
    
    If this happens and *resplen2 was non-zero (which is the case if a
    previous query resulted in a failure), __libc_res_nquery would reuse
    an existing second answer buffer.  This answer has been previously
    identified as unusable (for example, it could be an NXDOMAIN
    response).  Due to the presence of a second answer, no name server
    switching will occur.  The result is a name resolution failure,
    although a successful resolution would have been possible if name
    servers have been switched and queries had proceeded along the search
    path.
    
    The above paragraph still simplifies the situation.  Before glibc
    2.23, if the second answer needed malloc, the stub resolver would
    still attempt to reuse the second answer, but this is not possible
    because __libc_res_nsearch has freed it, after the unsuccessful call
    to __libc_res_nquerydomain, and set the buffer pointer to NULL.  This
    eventually leads to an assertion failure in __libc_res_nquery:
    
    	/* Make sure both hp and hp2 are defined */
    	assert((hp != NULL) && (hp2 != NULL));
    
    If assertions are disabled, the consequence is a NULL pointer
    dereference on the next line.
    
    Starting with glibc 2.23, as a result of commit
    e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca (CVE-2015-7547: getaddrinfo()
    stack-based buffer overflow (Bug 18665)), the second answer is always
    allocated with malloc.  This means that the assertion failure happens
    with small responses as well because there is no buffer to reuse, as
    soon as there is a name resolution failure which triggers a search for
    an answer along the search path.
    
    This commit addresses the issue by ensuring that *resplen2 is
    initialized before the send_dg function returns.
    
    This commit also addresses a bug where an invalid second reply is
    incorrectly returned as valid to the caller.
    
    (cherry picked from commit b66d837bb5398795c6b0f651bd5a5d66091d8577)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog         |    9 +++++++
 NEWS              |    1 +
 resolv/res_send.c |   63 +++++++++++++++++++++++++++++++++-------------------
 3 files changed, 50 insertions(+), 23 deletions(-)
Comment 20 Sourceware Commits 2016-03-30 21:15:24 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, gentoo/2.22 has been updated
       via  b286c83dcbd06314859bf86319782611c81e283d (commit)
      from  066bfd462534b7141aaaac23aadc5c0ec3e4e7f3 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b286c83dcbd06314859bf86319782611c81e283d

commit b286c83dcbd06314859bf86319782611c81e283d
Author: Florian Weimer <fweimer@redhat.com>
Date:   Fri Mar 25 11:49:51 2016 +0100

    resolv: Always set *resplen2 out parameter in send_dg [BZ #19791]
    
    Since commit 44d20bca52ace85850012b0ead37b360e3ecd96e (Implement
    second fallback mode for DNS requests), there is a code path which
    returns early, before *resplen2 is initialized.  This happens if the
    name server address is immediately recognized as invalid (because of
    lack of protocol support, or if it is a broadcast address such as
    255.255.255.255, or another invalid address).
    
    If this happens and *resplen2 was non-zero (which is the case if a
    previous query resulted in a failure), __libc_res_nquery would reuse
    an existing second answer buffer.  This answer has been previously
    identified as unusable (for example, it could be an NXDOMAIN
    response).  Due to the presence of a second answer, no name server
    switching will occur.  The result is a name resolution failure,
    although a successful resolution would have been possible if name
    servers have been switched and queries had proceeded along the search
    path.
    
    The above paragraph still simplifies the situation.  Before glibc
    2.23, if the second answer needed malloc, the stub resolver would
    still attempt to reuse the second answer, but this is not possible
    because __libc_res_nsearch has freed it, after the unsuccessful call
    to __libc_res_nquerydomain, and set the buffer pointer to NULL.  This
    eventually leads to an assertion failure in __libc_res_nquery:
    
    	/* Make sure both hp and hp2 are defined */
    	assert((hp != NULL) && (hp2 != NULL));
    
    If assertions are disabled, the consequence is a NULL pointer
    dereference on the next line.
    
    Starting with glibc 2.23, as a result of commit
    e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca (CVE-2015-7547: getaddrinfo()
    stack-based buffer overflow (Bug 18665)), the second answer is always
    allocated with malloc.  This means that the assertion failure happens
    with small responses as well because there is no buffer to reuse, as
    soon as there is a name resolution failure which triggers a search for
    an answer along the search path.
    
    This commit addresses the issue by ensuring that *resplen2 is
    initialized before the send_dg function returns.
    
    This commit also addresses a bug where an invalid second reply is
    incorrectly returned as valid to the caller.
    
    (cherry picked from commit b66d837bb5398795c6b0f651bd5a5d66091d8577)
    (cherry picked from commit 5a1a5f0dd2744044801c91bf2588444c29cda533)

-----------------------------------------------------------------------

Summary of changes:
 resolv/res_send.c |   63 +++++++++++++++++++++++++++++++++-------------------
 1 files changed, 40 insertions(+), 23 deletions(-)
Comment 21 Sourceware Commits 2016-03-30 22:10:40 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, gentoo/2.23 has been updated
       via  c51410d427a863b076443efe7c18b1aef07d3a7b (commit)
      from  2e39530c16a949a76d0a273a43d44682d9dbe109 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c51410d427a863b076443efe7c18b1aef07d3a7b

commit c51410d427a863b076443efe7c18b1aef07d3a7b
Author: Florian Weimer <fweimer@redhat.com>
Date:   Fri Mar 25 11:49:51 2016 +0100

    resolv: Always set *resplen2 out parameter in send_dg [BZ #19791]
    
    Since commit 44d20bca52ace85850012b0ead37b360e3ecd96e (Implement
    second fallback mode for DNS requests), there is a code path which
    returns early, before *resplen2 is initialized.  This happens if the
    name server address is immediately recognized as invalid (because of
    lack of protocol support, or if it is a broadcast address such as
    255.255.255.255, or another invalid address).
    
    If this happens and *resplen2 was non-zero (which is the case if a
    previous query resulted in a failure), __libc_res_nquery would reuse
    an existing second answer buffer.  This answer has been previously
    identified as unusable (for example, it could be an NXDOMAIN
    response).  Due to the presence of a second answer, no name server
    switching will occur.  The result is a name resolution failure,
    although a successful resolution would have been possible if name
    servers have been switched and queries had proceeded along the search
    path.
    
    The above paragraph still simplifies the situation.  Before glibc
    2.23, if the second answer needed malloc, the stub resolver would
    still attempt to reuse the second answer, but this is not possible
    because __libc_res_nsearch has freed it, after the unsuccessful call
    to __libc_res_nquerydomain, and set the buffer pointer to NULL.  This
    eventually leads to an assertion failure in __libc_res_nquery:
    
    	/* Make sure both hp and hp2 are defined */
    	assert((hp != NULL) && (hp2 != NULL));
    
    If assertions are disabled, the consequence is a NULL pointer
    dereference on the next line.
    
    Starting with glibc 2.23, as a result of commit
    e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca (CVE-2015-7547: getaddrinfo()
    stack-based buffer overflow (Bug 18665)), the second answer is always
    allocated with malloc.  This means that the assertion failure happens
    with small responses as well because there is no buffer to reuse, as
    soon as there is a name resolution failure which triggers a search for
    an answer along the search path.
    
    This commit addresses the issue by ensuring that *resplen2 is
    initialized before the send_dg function returns.
    
    This commit also addresses a bug where an invalid second reply is
    incorrectly returned as valid to the caller.
    
    (cherry picked from commit b66d837bb5398795c6b0f651bd5a5d66091d8577)
    (cherry picked from commit 3a188eb4e641d2df0cfd352fd09232347f28fbe1)

-----------------------------------------------------------------------

Summary of changes:
 resolv/res_send.c |   63 +++++++++++++++++++++++++++++++++-------------------
 1 files changed, 40 insertions(+), 23 deletions(-)
Comment 22 Sourceware Commits 2016-04-19 22:47:10 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, ibm/2.18/master has been updated
       via  2eb35ebfb291f773c1ba7939601a049acb4f3706 (commit)
       via  3ac88d96513b73b69fdc64d9c2f17cc38257a828 (commit)
      from  eca182fcad77681d5ebe9ab49f91d33ed85d8289 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2eb35ebfb291f773c1ba7939601a049acb4f3706

commit 2eb35ebfb291f773c1ba7939601a049acb4f3706
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Apr 19 17:38:19 2016 -0500

    resolv: Always set *resplen2 out parameter in send_dg [BZ #19791]
    
    Since commit 44d20bca52ace85850012b0ead37b360e3ecd96e (Implement
    second fallback mode for DNS requests), there is a code path which
    returns early, before *resplen2 is initialized.  This happens if the
    name server address is immediately recognized as invalid (because of
    lack of protocol support, or if it is a broadcast address such as
    255.255.255.255, or another invalid address).
    
    If this happens and *resplen2 was non-zero (which is the case if a
    previous query resulted in a failure), __libc_res_nquery would reuse
    an existing second answer buffer.  This answer has been previously
    identified as unusable (for example, it could be an NXDOMAIN
    response).  Due to the presence of a second answer, no name server
    switching will occur.  The result is a name resolution failure,
    although a successful resolution would have been possible if name
    servers have been switched and queries had proceeded along the search
    path.
    
    The above paragraph still simplifies the situation.  Before glibc
    2.23, if the second answer needed malloc, the stub resolver would
    still attempt to reuse the second answer, but this is not possible
    because __libc_res_nsearch has freed it, after the unsuccessful call
    to __libc_res_nquerydomain, and set the buffer pointer to NULL.  This
    eventually leads to an assertion failure in __libc_res_nquery:
    
    	/* Make sure both hp and hp2 are defined */
    	assert((hp != NULL) && (hp2 != NULL));
    
    If assertions are disabled, the consequence is a NULL pointer
    dereference on the next line.
    
    Starting with glibc 2.23, as a result of commit
    e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca (CVE-2015-7547: getaddrinfo()
    stack-based buffer overflow (Bug 18665)), the second answer is always
    allocated with malloc.  This means that the assertion failure happens
    with small responses as well because there is no buffer to reuse, as
    soon as there is a name resolution failure which triggers a search for
    an answer along the search path.
    
    This commit addresses the issue by ensuring that *resplen2 is
    initialized before the send_dg function returns.
    
    This commit also addresses a bug where an invalid second reply is
    incorrectly returned as valid to the caller.
    
    (cherry picked from commit b66d837bb5398795c6b0f651bd5a5d66091d8577)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3ac88d96513b73b69fdc64d9c2f17cc38257a828

commit 3ac88d96513b73b69fdc64d9c2f17cc38257a828
Author: Carlos O'Donell <carlos@systemhalted.org>
Date:   Tue Apr 19 17:38:09 2016 -0500

    CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665).
    
    * A stack-based buffer overflow was found in libresolv when invoked from
      libnss_dns, allowing specially crafted DNS responses to seize control
      of execution flow in the DNS client.  The buffer overflow occurs in
      the functions send_dg (send datagram) and send_vc (send TCP) for the
      NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
      family.  The use of AF_UNSPEC triggers the low-level resolver code to
      send out two parallel queries for A and AAAA.  A mismanagement of the
      buffers used for those queries could result in the response of a query
      writing beyond the alloca allocated buffer created by
      _nss_dns_gethostbyname4_r.  Buffer management is simplified to remove
      the overflow.  Thanks to the Google Security Team and Red Hat for
      reporting the security impact of this issue, and Robert Holiday of
      Ciena for reporting the related bug 18665. (CVE-2015-7547)
    
    See also:
    https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
    https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html
    
    (cherry picked from commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                 |   24 ++++
 NEWS                      |   14 ++
 resolv/nss_dns/dns-host.c |  111 +++++++++++++++-
 resolv/res_query.c        |    3 +
 resolv/res_send.c         |  325 +++++++++++++++++++++++++++++++++------------
 5 files changed, 391 insertions(+), 86 deletions(-)
Comment 23 Sourceware Commits 2016-04-22 20:00:11 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.18/master has been updated
       via  715e7fe0322004fd2e3fed853e9be3c279f5015d (commit)
       via  04130e53ba685dd7138e3e928708e17923f795b5 (commit)
       via  c5ae7f9a3b543426cb186fb7b493f9d8458467a9 (commit)
      from  b057b4813c9f05c3cedff0c74b58c9c9d583f09f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=715e7fe0322004fd2e3fed853e9be3c279f5015d

commit 715e7fe0322004fd2e3fed853e9be3c279f5015d
Author: Florian Weimer <fweimer@redhat.com>
Date:   Fri Apr 22 10:38:15 2016 -0500

    resolv: Always set *resplen2 out parameter in send_dg [BZ #19791]
    
    Since commit 44d20bca52ace85850012b0ead37b360e3ecd96e (Implement
    second fallback mode for DNS requests), there is a code path which
    returns early, before *resplen2 is initialized.  This happens if the
    name server address is immediately recognized as invalid (because of
    lack of protocol support, or if it is a broadcast address such as
    255.255.255.255, or another invalid address).
    
    If this happens and *resplen2 was non-zero (which is the case if a
    previous query resulted in a failure), __libc_res_nquery would reuse
    an existing second answer buffer.  This answer has been previously
    identified as unusable (for example, it could be an NXDOMAIN
    response).  Due to the presence of a second answer, no name server
    switching will occur.  The result is a name resolution failure,
    although a successful resolution would have been possible if name
    servers have been switched and queries had proceeded along the search
    path.
    
    The above paragraph still simplifies the situation.  Before glibc
    2.23, if the second answer needed malloc, the stub resolver would
    still attempt to reuse the second answer, but this is not possible
    because __libc_res_nsearch has freed it, after the unsuccessful call
    to __libc_res_nquerydomain, and set the buffer pointer to NULL.  This
    eventually leads to an assertion failure in __libc_res_nquery:
    
    	/* Make sure both hp and hp2 are defined */
    	assert((hp != NULL) && (hp2 != NULL));
    
    If assertions are disabled, the consequence is a NULL pointer
    dereference on the next line.
    
    Starting with glibc 2.23, as a result of commit
    e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca (CVE-2015-7547: getaddrinfo()
    stack-based buffer overflow (Bug 18665)), the second answer is always
    allocated with malloc.  This means that the assertion failure happens
    with small responses as well because there is no buffer to reuse, as
    soon as there is a name resolution failure which triggers a search for
    an answer along the search path.
    
    This commit addresses the issue by ensuring that *resplen2 is
    initialized before the send_dg function returns.
    
    This commit also addresses a bug where an invalid second reply is
    incorrectly returned as valid to the caller.
    
    (cherry picked from commit b66d837bb5398795c6b0f651bd5a5d66091d8577)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=04130e53ba685dd7138e3e928708e17923f795b5

commit 04130e53ba685dd7138e3e928708e17923f795b5
Author: Andreas Schwab <schwab@suse.de>
Date:   Fri Apr 22 10:35:41 2016 -0500

    Fix invalid file descriptor reuse while sending DNS query (BZ #15946)
    
    (cherry picked from commit 45af2f6fe19b8a776373cac5a2691460179aa1a3)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c5ae7f9a3b543426cb186fb7b493f9d8458467a9

commit c5ae7f9a3b543426cb186fb7b493f9d8458467a9
Author: Carlos O'Donell <carlos@systemhalted.org>
Date:   Tue Apr 19 17:38:09 2016 -0500

    CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665).
    
    * A stack-based buffer overflow was found in libresolv when invoked from
      libnss_dns, allowing specially crafted DNS responses to seize control
      of execution flow in the DNS client.  The buffer overflow occurs in
      the functions send_dg (send datagram) and send_vc (send TCP) for the
      NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
      family.  The use of AF_UNSPEC triggers the low-level resolver code to
      send out two parallel queries for A and AAAA.  A mismanagement of the
      buffers used for those queries could result in the response of a query
      writing beyond the alloca allocated buffer created by
      _nss_dns_gethostbyname4_r.  Buffer management is simplified to remove
      the overflow.  Thanks to the Google Security Team and Red Hat for
      reporting the security impact of this issue, and Robert Holiday of
      Ciena for reporting the related bug 18665. (CVE-2015-7547)
    
    See also:
    https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
    https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html
    
    (cherry picked from commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                 |   30 ++++
 NEWS                      |   19 +++-
 resolv/nss_dns/dns-host.c |  111 +++++++++++++++-
 resolv/res_query.c        |    3 +
 resolv/res_send.c         |  326 +++++++++++++++++++++++++++++++++------------
 5 files changed, 401 insertions(+), 88 deletions(-)
Comment 24 Sourceware Commits 2016-05-28 21:00:43 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.19/master has been updated
       via  10d268070a8aa9a878668e7f060e92ed668de146 (commit)
       via  c08e8bd0ef1d16d0139dbc80a976e2cbf2517f02 (commit)
      from  762aafec34478bcef01a16acf1959732ab8bb2b6 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=10d268070a8aa9a878668e7f060e92ed668de146

commit 10d268070a8aa9a878668e7f060e92ed668de146
Author: Florian Weimer <fweimer@redhat.com>
Date:   Fri Mar 25 11:49:51 2016 +0100

    resolv: Always set *resplen2 out parameter in send_dg [BZ #19791]
    
    Since commit 44d20bca52ace85850012b0ead37b360e3ecd96e (Implement
    second fallback mode for DNS requests), there is a code path which
    returns early, before *resplen2 is initialized.  This happens if the
    name server address is immediately recognized as invalid (because of
    lack of protocol support, or if it is a broadcast address such as
    255.255.255.255, or another invalid address).
    
    If this happens and *resplen2 was non-zero (which is the case if a
    previous query resulted in a failure), __libc_res_nquery would reuse
    an existing second answer buffer.  This answer has been previously
    identified as unusable (for example, it could be an NXDOMAIN
    response).  Due to the presence of a second answer, no name server
    switching will occur.  The result is a name resolution failure,
    although a successful resolution would have been possible if name
    servers have been switched and queries had proceeded along the search
    path.
    
    The above paragraph still simplifies the situation.  Before glibc
    2.23, if the second answer needed malloc, the stub resolver would
    still attempt to reuse the second answer, but this is not possible
    because __libc_res_nsearch has freed it, after the unsuccessful call
    to __libc_res_nquerydomain, and set the buffer pointer to NULL.  This
    eventually leads to an assertion failure in __libc_res_nquery:
    
    	/* Make sure both hp and hp2 are defined */
    	assert((hp != NULL) && (hp2 != NULL));
    
    If assertions are disabled, the consequence is a NULL pointer
    dereference on the next line.
    
    Starting with glibc 2.23, as a result of commit
    e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca (CVE-2015-7547: getaddrinfo()
    stack-based buffer overflow (Bug 18665)), the second answer is always
    allocated with malloc.  This means that the assertion failure happens
    with small responses as well because there is no buffer to reuse, as
    soon as there is a name resolution failure which triggers a search for
    an answer along the search path.
    
    This commit addresses the issue by ensuring that *resplen2 is
    initialized before the send_dg function returns.
    
    This commit also addresses a bug where an invalid second reply is
    incorrectly returned as valid to the caller.
    
    (cherry picked from commit b66d837bb5398795c6b0f651bd5a5d66091d8577)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c08e8bd0ef1d16d0139dbc80a976e2cbf2517f02

commit c08e8bd0ef1d16d0139dbc80a976e2cbf2517f02
Author: Carlos O'Donell <carlos@systemhalted.org>
Date:   Tue Feb 16 21:26:37 2016 -0500

    CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665).
    
    * A stack-based buffer overflow was found in libresolv when invoked from
      libnss_dns, allowing specially crafted DNS responses to seize control
      of execution flow in the DNS client.  The buffer overflow occurs in
      the functions send_dg (send datagram) and send_vc (send TCP) for the
      NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
      family.  The use of AF_UNSPEC triggers the low-level resolver code to
      send out two parallel queries for A and AAAA.  A mismanagement of the
      buffers used for those queries could result in the response of a query
      writing beyond the alloca allocated buffer created by
      _nss_dns_gethostbyname4_r.  Buffer management is simplified to remove
      the overflow.  Thanks to the Google Security Team and Red Hat for
      reporting the security impact of this issue, and Robert Holiday of
      Ciena for reporting the related bug 18665. (CVE-2015-7547)
    
    See also:
    https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
    https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html
    
    (cherry picked from commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                 |   24 ++++
 NEWS                      |   17 +++-
 resolv/nss_dns/dns-host.c |  111 +++++++++++++++-
 resolv/res_query.c        |    3 +
 resolv/res_send.c         |  320 +++++++++++++++++++++++++++++++++------------
 5 files changed, 389 insertions(+), 86 deletions(-)
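The *resplen2 failure mode described in the BZ #19791 commit messages above (comments 18 through 24), reduced to a small C model as an added example; this is not glibc code, and the nameserver struct, the send_dg_buggy/send_dg_fixed functions, the outcome enum and the caller loop are constructed here to show why an out parameter left unset on an early-return path makes the caller reuse a stale second answer instead of switching name servers.

```c
/* Added example: a simplified model of the BZ #19791 out-parameter bug.
   Not glibc code; all names and the nameserver model are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of one configured nameserver: either rejected before
   any I/O (models a broadcast or unsupported address) or returning the
   given lengths for the two parallel (A and AAAA) answers, 0 = no answer. */
struct ns {
    bool valid;
    int reply1_len;
    int reply2_len;
};

/* Buggy shape (before the fix): the early-return path for an invalid
   server never writes *resplen2, so whatever the caller had there from
   a previous failed query survives.  Return value: length of the first
   answer, 0 meaning "nothing from this server, try the next one". */
static int send_dg_buggy(const struct ns *server, int *resplen2)
{
    if (!server->valid)
        return 0;                 /* BUG: *resplen2 left untouched */
    *resplen2 = server->reply2_len;
    return server->reply1_len;
}

/* Fixed shape (after commit b66d837b): every exit path writes *resplen2. */
static int send_dg_fixed(const struct ns *server, int *resplen2)
{
    if (!server->valid) {
        *resplen2 = 0;            /* no second answer from this server */
        return 0;
    }
    *resplen2 = server->reply2_len;
    return server->reply1_len;
}

typedef int (*send_fn)(const struct ns *, int *);

enum outcome {
    RESOLVED,                     /* a fresh answer was accepted */
    STALE_ANSWER_REUSED,          /* caller stopped on a leftover buffer */
    ALL_SERVERS_FAILED
};

/* Model of the caller's loop over nameservers.  As in the real resolver,
   resplen2 persists across iterations; stale_resplen2 models a non-zero
   length left behind by an earlier query that ended in NXDOMAIN.  The
   caller only looks at the lengths: a non-zero second length is taken as
   "we have an answer" and no further server switching happens. */
static enum outcome query_servers(send_fn send, const struct ns *servers,
                                  size_t n, int stale_resplen2)
{
    int resplen2 = stale_resplen2;
    for (size_t i = 0; i < n; i++) {
        int resplen = send(&servers[i], &resplen2);
        if (resplen > 0)
            return RESOLVED;      /* usable first answer from this server */
        if (resplen2 > 0) {
            /* An invalid server performs no I/O, so a non-zero second
               length here can only be the stale buffer: that is the
               resolution failure the commit message describes. */
            return servers[i].valid ? RESOLVED : STALE_ANSWER_REUSED;
        }
    }
    return ALL_SERVERS_FAILED;
}

int main(void)
{
    /* Constructed config: first server is a broadcast address, second works. */
    const struct ns servers[2] = { { false, 0, 0 }, { true, 30, 0 } };
    const char *names[] = { "resolved", "stale answer reused", "all failed" };
    printf("buggy: %s\n", names[query_servers(send_dg_buggy, servers, 2, 50)]);
    printf("fixed: %s\n", names[query_servers(send_dg_fixed, servers, 2, 50)]);
    return 0;
}
```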