diff --git a/clntudp-call-alloca.patch b/clntudp-call-alloca.patch
new file mode 100644
index 0000000..c848131
--- /dev/null
+++ b/clntudp-call-alloca.patch
@@ -0,0 +1,41 @@
+2016-05-23 Florian Weimer
+
+ CVE-2016-4429
+ [BZ #20112]
+ * sunrpc/clnt_udp.c (clntudp_call): Use malloc/free for the error
+ payload.
+
+Index: glibc-2.23/sunrpc/clnt_udp.c
+===================================================================
+--- glibc-2.23.orig/sunrpc/clnt_udp.c
++++ glibc-2.23/sunrpc/clnt_udp.c
+@@ -391,9 +391,15 @@ send_again:
+ struct sock_extended_err *e;
+ struct sockaddr_in err_addr;
+ struct iovec iov;
+- char *cbuf = (char *) alloca (outlen + 256);
++ char *cbuf = malloc (outlen + 256);
+ int ret;
+
++ if (cbuf == NULL)
++ {
++ cu->cu_error.re_errno = errno;
++ return (cu->cu_error.re_status = RPC_CANTRECV);
++ }
++
+ iov.iov_base = cbuf + 256;
+ iov.iov_len = outlen;
+ msg.msg_name = (void *) &err_addr;
+@@ -418,10 +424,12 @@ send_again:
+ cmsg = CMSG_NXTHDR (&msg, cmsg))
+ if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
+ {
++ free (cbuf);
+ e = (struct sock_extended_err *) CMSG_DATA(cmsg);
+ cu->cu_error.re_errno = e->ee_errno;
+ return (cu->cu_error.re_status = RPC_CANTRECV);
+ }
++ free (cbuf);
+ }
+ #endif
+ do
diff --git a/glibc-testsuite.changes b/glibc-testsuite.changes
index e2af952..99e1209 100644
--- a/glibc-testsuite.changes
+++ b/glibc-testsuite.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon May 30 08:23:03 UTC 2016 - schwab@suse.de
+
+- clntudp-call-alloca.patch: do not use alloca in clntudp_call
+ (CVE-2016-4429, bsc#980854, BZ #20112)
+
 -------------------------------------------------------------------
 Wed May 11 09:33:47 UTC 2016 - schwab@suse.de
diff --git a/glibc-testsuite.spec b/glibc-testsuite.spec
index 3582f1d..f81a47f 100644
--- a/glibc-testsuite.spec
+++ b/glibc-testsuite.spec
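Review bot: In the second hunk of the embedded clnt_udp.c patch, the added `free (cbuf);` runs before `e = (struct sock_extended_err *) CMSG_DATA(cmsg);` and the read of `e->ee_errno`, yet cmsg points into the msghdr's control buffer, which — judging by the 256 bytes reserved in front of `iov.iov_base = cbuf + 256` (the `msg.msg_control` assignment itself lies between the two hunks and is not visible here) — is the start of cbuf, so the errno is read from memory that has just been released. The release should follow the last use of the control data: keep `cu->cu_error.re_errno = e->ee_errno;` then `free (cbuf);` and only then the existing `return`. The trailing `free (cbuf);` after the loop and the malloc-failure branch in the first hunk look correct as written. The `recvmsg` call and its guards between the two hunks are outside the view, so whether every path from the allocation to `#endif` reaches one of the two frees cannot be confirmed from this page.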
@@ -306,6 +306,8 @@ Patch1052: 0053-Remove-trailing-newline-from-date_fmt-in-Serbian-loc.patch
 Patch1053: 0054-Revert-Report-dlsym-dlvsym-lookup-errors-using-dlerr.patch
 Patch1054: 0055-CVE-2016-3706-getaddrinfo-stack-overflow-in-hostent-.patch
 Patch1055: 0056-Fix-strfmon_l-Use-specified-locale-for-number-format.patch
+# PATCH-FIX-UPSTREAM sunrpc: Do not use alloca in clntudp_call (CVE-2016-4429, BZ #20112)
+Patch1056: clntudp-call-alloca.patch
 ###
 # Patches awaiting upstream approval
@@ -584,6 +586,7 @@ rm nscd/s-stamp
 %patch1053 -p1
 %patch1054 -p1
 %patch1055 -p1
+%patch1056 -p1
 %patch2000 -p1
 %patch2001 -p1
diff --git a/glibc-utils.changes b/glibc-utils.changes
index e2af952..99e1209 100644
--- a/glibc-utils.changes
+++ b/glibc-utils.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon May 30 08:23:03 UTC 2016 - schwab@suse.de
+
+- clntudp-call-alloca.patch: do not use alloca in clntudp_call
+ (CVE-2016-4429, bsc#980854, BZ #20112)
+
 -------------------------------------------------------------------
 Wed May 11 09:33:47 UTC 2016 - schwab@suse.de
diff --git a/glibc-utils.spec b/glibc-utils.spec
index 572ca31..1b7ad53 100644
--- a/glibc-utils.spec
+++ b/glibc-utils.spec
@@ -305,6 +305,8 @@ Patch1052: 0053-Remove-trailing-newline-from-date_fmt-in-Serbian-loc.patch
 Patch1053: 0054-Revert-Report-dlsym-dlvsym-lookup-errors-using-dlerr.patch
 Patch1054: 0055-CVE-2016-3706-getaddrinfo-stack-overflow-in-hostent-.patch
 Patch1055: 0056-Fix-strfmon_l-Use-specified-locale-for-number-format.patch
+# PATCH-FIX-UPSTREAM sunrpc: Do not use alloca in clntudp_call (CVE-2016-4429, BZ #20112)
+Patch1056: clntudp-call-alloca.patch
 ###
 # Patches awaiting upstream approval
@@ -584,6 +586,7 @@ rm nscd/s-stamp
 %patch1053 -p1
 %patch1054 -p1
 %patch1055 -p1
+%patch1056 -p1
 %patch2000 -p1
 %patch2001 -p1
diff --git a/glibc.changes b/glibc.changes
index e2af952..99e1209 100644
--- a/glibc.changes
+++ b/glibc.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon May 30 08:23:03 UTC 2016 - schwab@suse.de
+
+- clntudp-call-alloca.patch: do not use alloca in clntudp_call
+ (CVE-2016-4429, bsc#980854, BZ #20112)
+
 -------------------------------------------------------------------
 Wed May 11 09:33:47 UTC 2016 - schwab@suse.de
diff --git a/glibc.spec b/glibc.spec
index 804c5ba..3187cfc 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -306,6 +306,8 @@ Patch1052: 0053-Remove-trailing-newline-from-date_fmt-in-Serbian-loc.patch
 Patch1053: 0054-Revert-Report-dlsym-dlvsym-lookup-errors-using-dlerr.patch
 Patch1054: 0055-CVE-2016-3706-getaddrinfo-stack-overflow-in-hostent-.patch
 Patch1055: 0056-Fix-strfmon_l-Use-specified-locale-for-number-format.patch
+# PATCH-FIX-UPSTREAM sunrpc: Do not use alloca in clntudp_call (CVE-2016-4429, BZ #20112)
+Patch1056: clntudp-call-alloca.patch
 ###
 # Patches awaiting upstream approval
@@ -584,6 +586,7 @@ rm nscd/s-stamp
 %patch1053 -p1
 %patch1054 -p1
 %patch1055 -p1
+%patch1056 -p1
 %patch2000 -p1
 %patch2001 -p1