diff --git a/ChangeLog b/ChangeLog index dc1ed1b..26feb07 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,15 @@ +2015-04-21 Arjun Shankar + + [BZ #18287] + * resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length + based on padding. (CVE-2015-1781) + +2015-02-10 Evangelos Foutras + + [BZ #17949] + * sysdeps/i386/i686/multiarch/mempcpy_chk.S: Fix position of + jump label. + 2015-02-06 Carlos O'Donell * version.h (RELEASE): Set to "stable". @@ -7,6 +19,7 @@ * sysdeps/unix/sysv/linux/hppa/pthread.h: Sync with pthread.h. 2015-02-05 Paul Pluzhnikov + Paul Eggert [BZ #16618] * stdio-common/tst-sscanf.c (main): Test for buffer overflow. diff --git a/NEWS b/NEWS index 617cdbb..c9f6b58 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,19 @@ See the end for copying conditions. Please send GNU C library bug reports via using `glibc' in the "product" field. +Version 2.21.1 + +* The following bugs are resolved with this release: + + 17949, 18287. + +* A buffer overflow in gethostbyname_r and related functions performing DNS + requests has been fixed. If the NSS functions were called with a + misaligned buffer, the buffer length change due to pointer alignment was + not taken into account. This could result in application crashes or, + potentially arbitrary code execution, using crafted, but syntactically + valid DNS responses. (CVE-2015-1781) + Version 2.21 * The following bugs are resolved with this release: 
@@ -21,10 +34,11 @@ Version 2.21 17801, 17803, 17806, 17834, 17844, 17848, 17868, 17869, 17870, 17885, 17892. -* CVE-2015-1472 Under certain conditions wscanf can allocate too little - memory for the to-be-scanned arguments and overflow the allocated - buffer. The implementation now correctly computes the required buffer - size when using malloc. +* CVE-2015-1472 CVE-2015-1473 Under certain conditions wscanf can allocate + too little memory for the to-be-scanned arguments and overflow the + allocated buffer. The implementation now correctly computes the required + buffer size when using malloc, and switches to malloc from alloca as + intended. * A new semaphore algorithm has been implemented in generic C code for all machines. Previous custom assembly implementations of semaphore were diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c index f715ab0..40069a7 100644 --- a/resolv/nss_dns/dns-host.c +++ b/resolv/nss_dns/dns-host.c @@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype, int have_to_map = 0; uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data); buffer += pad; - if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad)) + buflen = buflen > pad ? buflen - pad : 0; + if (__glibc_unlikely (buflen < sizeof (struct host_data))) { /* The buffer is too small. */ too_small: diff --git a/sysdeps/i386/i686/multiarch/mempcpy_chk.S b/sysdeps/i386/i686/multiarch/mempcpy_chk.S index 207b648..b6fa202 100644 --- a/sysdeps/i386/i686/multiarch/mempcpy_chk.S +++ b/sysdeps/i386/i686/multiarch/mempcpy_chk.S 
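Review bot: `buffer += pad` (the context line just above the new clamp in the dns-host.c hunk) still moves the pointer before anything establishes that `pad` fits in `buflen`, so for a caller buffer shorter than the alignment slack the pointer is advanced past the end of the object before the too-small check rejects it; the rejection itself is correct, the out-of-bounds pointer arithmetic is simply unnecessary. Checking first and advancing afterwards avoids it: keep `if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))` as the test (the sum cannot overflow because `pad` is below `__alignof__ (struct host_data)`) and move `buffer += pad; buflen -= pad;` below the too-small block. Either way the length adjustment deserves a comment, e.g. `/* Bytes skipped for alignment are no longer usable; shrink buflen so every later size check measures the aligned buffer.  */`. getanswer_r continues outside the hunk on both sides, and the block that `too_small:` sits in closes beyond it.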
@@ -36,8 +36,8 @@ ENTRY(__mempcpy_chk)
 	cmpl	$0, KIND_OFFSET+__cpu_features@GOTOFF(%ebx)
 	jne	1f
 	call	__init_cpu_features
-	leal	__mempcpy_chk_ia32@GOTOFF(%ebx), %eax
-1:	testl	$bit_SSE2, CPUID_OFFSET+index_SSE2+__cpu_features@GOTOFF(%ebx)
+1:	leal	__mempcpy_chk_ia32@GOTOFF(%ebx), %eax
+	testl	$bit_SSE2, CPUID_OFFSET+index_SSE2+__cpu_features@GOTOFF(%ebx)
 	jz	2f
 	leal	__mempcpy_chk_sse2_unaligned@GOTOFF(%ebx), %eax
 	testl	$bit_Fast_Unaligned_Load, FEATURE_OFFSET+index_Fast_Unaligned_Load+__cpu_features@GOTOFF(%ebx)
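Review bot: The relocated `1:` label carries the whole fix but nothing in the file says why it must sit where it now does, and the original mistake (the `jne 1f` skipping the default load of %eax when the CPU features were already initialized) is easy to reintroduce by a later edit. A comment above the label such as `/* Label 1 must precede the default load: jne above skips __init_cpu_features once the features are known, and %eax has to hold __mempcpy_chk_ia32 on both paths before the SSE2 test.  */` would keep it sticky. If sibling resolvers in this directory were written from the same template they are worth checking for the same label placement, though that cannot be confirmed from this hunk. ENTRY(__mempcpy_chk) continues outside the hunk, so the `2:` target and the return of the selected implementation in %eax are not visible here.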