This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] CVE-2015-7547 --- glibc getaddrinfo() stack-based buffer overflow


On 02/16/2016 02:31 PM, Adhemerval Zanella wrote:
> 
> 
> On 16-02-2016 16:24, Carlos O'Donell wrote:
>> On 02/16/2016 01:13 PM, Mike Frysinger wrote:
>>> On 16 Feb 2016 09:09, Carlos O'Donell wrote:
>>>
>>> many of us have seen this already, so were you going to wait for much
>>> public review before pushing it ?  assuming you'll be applying it to
>>> the older branches too.
>>
>> Thanks for the review.
>>
>> Committing the patch to master is not time sensitive except for the
>> upcoming release. I will coordinate with Adhemerval so the branch is
>> not cut until we commit this fix.
> 
> Although the date is set for next 18th, I will wait until you give me 
> an ok.

Pushed. NEWS updated.

commit e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca
Author: Carlos O'Donell <carlos@systemhalted.org>
Date:   Tue Feb 16 21:26:37 2016 -0500

    CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665).
    
    * A stack-based buffer overflow was found in libresolv when invoked from
      libnss_dns, allowing specially crafted DNS responses to seize control
      of execution flow in the DNS client.  The buffer overflow occurs in
      the functions send_dg (send datagram) and send_vc (send TCP) for the
      NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
      family.  The use of AF_UNSPEC triggers the low-level resolver code to
      send out two parallel queries for A and AAAA.  A mismanagement of the
      buffers used for those queries could result in the response of a query
      writing beyond the alloca allocated buffer created by
      _nss_dns_gethostbyname4_r.  Buffer management is simplified to remove
      the overflow.  Thanks to the Google Security Team and Red Hat for
      reporting the security impact of this issue, and Robert Holiday of
      Ciena for reporting the related bug 18665. (CVE-2015-7547)
    
    See also:
    https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
    https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html

Cheers,
Carlos.

