rpm/glibc
SHA256
1
0
Fork 0
forked from pool/glibc
Code Pull Requests Activity
e794ddb00b
glibc/0021-CVE-2016-3075-Stack-overflow-in-_nss_dns_getnetbynam.patch

61 lines
2.1 KiB
Diff
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

2016-04-01 Florian Weimer <fweimer@redhat.com>
[BZ #19879]
CVE-2016-3075
* resolv/nss_dns/dns-network.c (_nss_dns_getnetbyname_r): Do not
copy name.
Index: glibc-2.23/NEWS
===================================================================
--- glibc-2.23.orig/NEWS
+++ glibc-2.23/NEWS
@@ -9,7 +9,10 @@ Version 2.23.1
Security related changes:
- [Add security related changes here]
+* The getnetbyname implementation in nss_dns had a potentially unbounded
+ alloca call (in the form of a call to strdupa), leading to a stack
+ overflow (stack exhaustion) and a crash if getnetbyname is invoked
+ on a very long name. (CVE-2016-3075)
The following bugs are resolved with this release:
@@ -17,9 +20,12 @@ The following bugs are resolved with thi
[19758] Or bit_Prefer_MAP_32BIT_EXEC in EXTRA_LD_ENVVARS
[19759] Don't inline mempcpy for x86
[19762] Use HAS_ARCH_FEATURE with Fast_Rep_String
- [19791] Assertion failure in res_query.c with un-connectable name server addresses
+ [19791] Assertion failure in res_query.c with un-connectable name server
+ addresses
[19792] MIPS: backtrace yields infinite backtrace with makecontext
[19822] libm.so install clobbers old version
+ [19879] network: nss_dns: Stack overflow in getnetbyname implementation
+ (CVE-2016-3075)
Version 2.23
Index: glibc-2.23/resolv/nss_dns/dns-network.c
===================================================================
--- glibc-2.23.orig/resolv/nss_dns/dns-network.c
+++ glibc-2.23/resolv/nss_dns/dns-network.c
@@ -118,17 +118,14 @@ _nss_dns_getnetbyname_r (const char *nam
} net_buffer;
querybuf *orig_net_buffer;
int anslen;
- char *qbuf;
enum nss_status status;
if (__res_maybe_init (&_res, 0) == -1)
return NSS_STATUS_UNAVAIL;
- qbuf = strdupa (name);
-
net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024);
- anslen = __libc_res_nsearch (&_res, qbuf, C_IN, T_PTR, net_buffer.buf->buf,
+ anslen = __libc_res_nsearch (&_res, name, C_IN, T_PTR, net_buffer.buf->buf,
1024, &net_buffer.ptr, NULL, NULL, NULL, NULL);
if (anslen < 0)
{
View Git Blame Copy Permalink