Contents of /trunk/glibc/patches/glibc-2.21-roundup.patch
Revision 2568 -
Tue Nov 25 23:00:19 2014 UTC (9 years, 10 months ago) by niro
File size: 3805 byte(s)
-fixes several issues and CVE-2015-1781
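diff --git a/ChangeLog b/ChangeLog
index dc1ed1b..26feb07 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2015-04-21 Arjun Shankar <arjun.is@lostca.se>
+
+ [BZ #18287]
+ * resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length
+ based on padding. (CVE-2015-1781)
+
+2015-02-10 Evangelos Foutras <evangelos@foutrelis.com>
+
+ [BZ #17949]
+ * sysdeps/i386/i686/multiarch/mempcpy_chk.S: Fix position of
+ jump label.
+
 2015-02-06 Carlos O'Donell <carlos@systemhalted.org>
 
 * version.h (RELEASE): Set to "stable".
@@ -7,6 +19,7 @@
 * sysdeps/unix/sysv/linux/hppa/pthread.h: Sync with pthread.h.
 
 2015-02-05 Paul Pluzhnikov <ppluzhnikov@google.com>
+ Paul Eggert <eggert@cs.ucla.edu>
 
 [BZ #16618]
 * stdio-common/tst-sscanf.c (main): Test for buffer overflow.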
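diff --git a/NEWS b/NEWS
index 617cdbb..c9f6b58 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,19 @@ See the end for copying conditions.
 Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
 using `glibc' in the "product" field.
 
+Version 2.21.1
+
+* The following bugs are resolved with this release:
+
+ 17949, 18287.
+
+* A buffer overflow in gethostbyname_r and related functions performing DNS
+ requests has been fixed. If the NSS functions were called with a
+ misaligned buffer, the buffer length change due to pointer alignment was
+ not taken into account. This could result in application crashes or,
+ potentially arbitrary code execution, using crafted, but syntactically
+ valid DNS responses. (CVE-2015-1781)
+
 Version 2.21
 
 * The following bugs are resolved with this release:
@@ -21,10 +34,11 @@ Version 2.21
 17801, 17803, 17806, 17834, 17844, 17848, 17868, 17869, 17870, 17885,
 17892.
 
-* CVE-2015-1472 Under certain conditions wscanf can allocate too little
- memory for the to-be-scanned arguments and overflow the allocated
- buffer. The implementation now correctly computes the required buffer
- size when using malloc.
+* CVE-2015-1472 CVE-2015-1473 Under certain conditions wscanf can allocate
+ too little memory for the to-be-scanned arguments and overflow the
+ allocated buffer. The implementation now correctly computes the required
+ buffer size when using malloc, and switches to malloc from alloca as
+ intended.
 
 * A new semaphore algorithm has been implemented in generic C code for all
 machines. Previous custom assembly implementations of semaphore were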
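diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
index f715ab0..40069a7 100644
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
 int have_to_map = 0;
 uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
 buffer += pad;
- if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))
+ buflen = buflen > pad ? buflen - pad : 0;
+ if (__glibc_unlikely (buflen < sizeof (struct host_data)))
 {
 /* The buffer is too small. */
 too_small: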
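Review bot: The new `buflen = buflen > pad ? buflen - pad : 0;` line carries no comment, and the reason it exists — every later size check in getanswer_r must see the space remaining after `buffer += pad`, which the old `sizeof (struct host_data) + pad` comparison covered only for this one check — is not visible from the code; I would put `/* Account for the alignment padding: buflen now counts only the bytes usable from the aligned buffer, so this check and every later size computation see the true remaining space (CVE-2015-1781).  */` above it. A smaller point is that `buffer += pad` runs before the length is known to cover the padding, so for a caller buffer shorter than `pad` the pointer is formed beyond the end of the object before the clamp to 0 routes to `too_small`; it is never dereferenced on that path, but testing `buflen <= pad` before adjusting `buffer` would avoid forming it. getanswer_r begins and continues outside the hunk.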
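diff --git a/sysdeps/i386/i686/multiarch/mempcpy_chk.S b/sysdeps/i386/i686/multiarch/mempcpy_chk.S
index 207b648..b6fa202 100644
--- a/sysdeps/i386/i686/multiarch/mempcpy_chk.S
+++ b/sysdeps/i386/i686/multiarch/mempcpy_chk.S
@@ -36,8 +36,8 @@ ENTRY(__mempcpy_chk)
 cmpl $0, KIND_OFFSET+__cpu_features@GOTOFF(%ebx)
 jne 1f
 call __init_cpu_features
- leal __mempcpy_chk_ia32@GOTOFF(%ebx), %eax
-1: testl $bit_SSE2, CPUID_OFFSET+index_SSE2+__cpu_features@GOTOFF(%ebx)
+1: leal __mempcpy_chk_ia32@GOTOFF(%ebx), %eax
+ testl $bit_SSE2, CPUID_OFFSET+index_SSE2+__cpu_features@GOTOFF(%ebx)
 jz 2f
 leal __mempcpy_chk_sse2_unaligned@GOTOFF(%ebx), %eax
 testl $bit_Fast_Unaligned_Load, FEATURE_OFFSET+index_Fast_Unaligned_Load+__cpu_features@GOTOFF(%ebx)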
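Review bot: The relocated `1:` label has no comment saying why it must sit on the `leal __mempcpy_chk_ia32` line rather than on the `testl`, which is exactly the ordering the previous code got wrong, so a later reshuffle of the dispatch prologue could reintroduce BZ #17949 (on the already-initialised path `jne 1f` skipped the default load and `%eax` was left unset when neither feature test hit). I would add `/* Label 1 must precede the default ia32 selection: the jne 1f above skips only __init_cpu_features, and %eax has to hold the fallback before the feature tests below.  */` on the line before `1:`. The rest of the dispatch (label 2 and the return) is outside the hunk.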