2016-04-01 Florian Weimer [BZ #19879] CVE-2016-3075 * resolv/nss_dns/dns-network.c (_nss_dns_getnetbyname_r): Do not copy name. Index: glibc-2.23/NEWS =================================================================== --- glibc-2.23.orig/NEWS +++ glibc-2.23/NEWS @@ -9,7 +9,10 @@ Version 2.23.1 Security related changes: - [Add security related changes here] +* The getnetbyname implementation in nss_dns had a potentially unbounded + alloca call (in the form of a call to strdupa), leading to a stack + overflow (stack exhaustion) and a crash if getnetbyname is invoked + on a very long name. (CVE-2016-3075) The following bugs are resolved with this release: @@ -17,9 +20,12 @@ The following bugs are resolved with thi [19758] Or bit_Prefer_MAP_32BIT_EXEC in EXTRA_LD_ENVVARS [19759] Don't inline mempcpy for x86 [19762] Use HAS_ARCH_FEATURE with Fast_Rep_String - [19791] Assertion failure in res_query.c with un-connectable name server addresses + [19791] Assertion failure in res_query.c with un-connectable name server + addresses [19792] MIPS: backtrace yields infinite backtrace with makecontext [19822] libm.so install clobbers old version + [19879] network: nss_dns: Stack overflow in getnetbyname implementation + (CVE-2016-3075) Version 2.23 Index: glibc-2.23/resolv/nss_dns/dns-network.c =================================================================== --- glibc-2.23.orig/resolv/nss_dns/dns-network.c +++ glibc-2.23/resolv/nss_dns/dns-network.c @@ -118,17 +118,14 @@ _nss_dns_getnetbyname_r (const char *nam } net_buffer; querybuf *orig_net_buffer; int anslen; - char *qbuf; enum nss_status status; if (__res_maybe_init (&_res, 0) == -1) return NSS_STATUS_UNAVAIL; - qbuf = strdupa (name); - net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024); - anslen = __libc_res_nsearch (&_res, qbuf, C_IN, T_PTR, net_buffer.buf->buf, + anslen = __libc_res_nsearch (&_res, name, C_IN, T_PTR, net_buffer.buf->buf, 1024, &net_buffer.ptr, NULL, NULL, NULL, NULL); if (anslen < 0) {