This is the mail archive of the mailing list for the glibc project.
Re: [PATCH] CVE-2015-7547 --- glibc getaddrinfo() stack-based buffer overflow
- From: "Carlos O'Donell" <carlos at redhat dot com>
- To: Adhemerval Zanella <adhemerval dot zanella at linaro dot org>, libc-alpha at sourceware dot org
- Date: Tue, 16 Feb 2016 21:30:48 -0500
- Subject: Re: [PATCH] CVE-2015-7547 --- glibc getaddrinfo() stack-based buffer overflow
- Authentication-results: sourceware.org; auth=none
- References: <56C32C20 dot 1070006 at redhat dot com> <56C32DB0 dot 7090409 at redhat dot com> <20160216181300 dot GC7732 at vapier dot lan> <56C36979 dot 6070403 at redhat dot com> <56C37923 dot 1040306 at linaro dot org>
On 02/16/2016 02:31 PM, Adhemerval Zanella wrote:
> On 16-02-2016 16:24, Carlos O'Donell wrote:
>> On 02/16/2016 01:13 PM, Mike Frysinger wrote:
>>> On 16 Feb 2016 09:09, Carlos O'Donell wrote:
>>> many of us have seen this already, so were you going to wait for much
>>> public review before pushing it ? assuming you'll be applying it to
>>> the older branches too.
>> Thanks for the review.
>> Committing the patch to master is not time sensitive except for the
>> upcoming release. I will coordinate with Adhemerval so the branch is
>> not cut until we commit this fix.
> Although the date is set for next 18th, I will wait until you give me
> an ok.
Pushed. NEWS updated.
Author: Carlos O'Donell <email@example.com>
Date: Tue Feb 16 21:26:37 2016 -0500
CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665).
* A stack-based buffer overflow was found in libresolv when invoked from
libnss_dns, allowing specially crafted DNS responses to seize control
of execution flow in the DNS client. The buffer overflow occurs in
the functions send_dg (send datagram) and send_vc (send TCP) for the
NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
family. The use of AF_UNSPEC triggers the low-level resolver code to
send out two parallel queries for A and AAAA. A mismanagement of the
buffers used for those queries could result in the response of a query
writing beyond the alloca allocated buffer created by
_nss_dns_gethostbyname4_r. Buffer management is simplified to remove
the overflow. Thanks to the Google Security Team and Red Hat for
reporting the security impact of this issue, and Robert Holiday of
Ciena for reporting the related bug 18665. (CVE-2015-7547)
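The NEWS entry above describes the bug class without showing code: two responses (A and AAAA) land back to back in one caller-supplied, alloca-allocated buffer, and a bookkeeping error lets the second response run past its end. The following is an added, deliberately simplified model written for this page; it is not glibc's resolver code and its buffer sizes, struct and function names are constructed. The specific mistake it shows (checking the second response against the buffer's total size instead of the space remaining after the first) is a hypothetical instance of the "mismanagement of the buffers" the entry mentions, placed beside the obvious remaining-space check, with a canary region after the buffer so the overflow is contained and observable rather than corrupting the real stack.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model (not glibc code): one buffer that must hold the
 * responses to two parallel queries, as with AF_UNSPEC. */
#define ANSWER_BUF   64   /* assumed size of the caller's buffer */
#define CANARY_BYTES 64   /* guard region placed right after it */
#define CANARY_FILL  0xAA

struct answer_buf {
    unsigned char *buf;   /* caller's buffer (alloca'd in the real resolver) */
    size_t size;          /* its total size */
    size_t used;          /* bytes already consumed by earlier responses */
};

typedef int (*store_fn)(struct answer_buf *, const unsigned char *, size_t);

/* Vulnerable variant: the length of every response is compared with the
 * buffer's total size, so a second response that fits "on its own" is
 * appended after the first one and overruns the buffer. */
static int store_response_vuln(struct answer_buf *ab,
                               const unsigned char *resp, size_t len)
{
    if (len > ab->size)                     /* wrong bound: ignores ab->used */
        return -1;
    memcpy(ab->buf + ab->used, resp, len);  /* may write past buf + size */
    ab->used += len;
    return (int)len;
}

/* Fixed variant: compare against the space that is actually left. */
static int store_response_fixed(struct answer_buf *ab,
                                const unsigned char *resp, size_t len)
{
    if (len > ab->size - ab->used)
        return -1;
    memcpy(ab->buf + ab->used, resp, len);
    ab->used += len;
    return (int)len;
}

/* Feed two constructed responses (40 bytes for A, 48 bytes for AAAA; each
 * fits alone, together they exceed ANSWER_BUF) through one store function.
 * Stores the second call's return value in *second_rc and returns 1 if the
 * canary region after the buffer was overwritten, 0 if it is intact. */
static int run_scenario(store_fn store, int *second_rc)
{
    unsigned char backing[ANSWER_BUF + CANARY_BYTES];
    struct answer_buf ab;
    unsigned char a_resp[40], aaaa_resp[48];
    size_t i;

    memset(backing, CANARY_FILL, sizeof backing);
    ab.buf = backing; ab.size = ANSWER_BUF; ab.used = 0;
    memset(a_resp, 'A', sizeof a_resp);       /* constructed A answer */
    memset(aaaa_resp, 'B', sizeof aaaa_resp); /* constructed AAAA answer */

    store(&ab, a_resp, sizeof a_resp);
    *second_rc = store(&ab, aaaa_resp, sizeof aaaa_resp);

    for (i = ANSWER_BUF; i < sizeof backing; i++)
        if (backing[i] != CANARY_FILL)
            return 1;
    return 0;
}

int main(void)
{
    int rc;
    int clobbered = run_scenario(store_response_vuln, &rc);
    printf("vulnerable: second store returned %d, canary %s\n",
           rc, clobbered ? "overwritten" : "intact");
    clobbered = run_scenario(store_response_fixed, &rc);
    printf("fixed:      second store returned %d, canary %s\n",
           rc, clobbered ? "overwritten" : "intact");
    return 0;
}
```

With the vulnerable store the second response is accepted (returns 48) and the 24 bytes that do not fit land in the canary; with the fixed store the same response is rejected (returns -1) and the guard region is untouched. In the real resolver the bytes past the alloca'd buffer are the caller's stack frame, which is what makes a crafted pair of DNS responses worth a CVE rather than a logic bug.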