Annotation of /trunk/glibc/patches/glibc-2.21-roundup.patch
Revision 2568 -
Tue Nov 25 23:00:19 2014 UTC (9 years, 7 months ago) by niro
File size: 3805 byte(s)
-fixes several issues and CVE-2015-1781
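diff --git a/ChangeLog b/ChangeLog
index dc1ed1b..26feb07 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2015-04-21 Arjun Shankar <arjun.is@lostca.se>
+
+ [BZ #18287]
+ * resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length
+ based on padding. (CVE-2015-1781)
+
+2015-02-10 Evangelos Foutras <evangelos@foutrelis.com>
+
+ [BZ #17949]
+ * sysdeps/i386/i686/multiarch/mempcpy_chk.S: Fix position of
+ jump label.
+
 2015-02-06 Carlos O'Donell <carlos@systemhalted.org>
 
 * version.h (RELEASE): Set to "stable".
@@ -7,6 +19,7 @@
 * sysdeps/unix/sysv/linux/hppa/pthread.h: Sync with pthread.h.
 
 2015-02-05 Paul Pluzhnikov <ppluzhnikov@google.com>
+ Paul Eggert <eggert@cs.ucla.edu>
 
 [BZ #16618]
 * stdio-common/tst-sscanf.c (main): Test for buffer overflow.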
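diff --git a/NEWS b/NEWS
index 617cdbb..c9f6b58 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,19 @@ See the end for copying conditions.
 Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
 using `glibc' in the "product" field.
 
+Version 2.21.1
+
+* The following bugs are resolved with this release:
+
+ 17949, 18287.
+
+* A buffer overflow in gethostbyname_r and related functions performing DNS
+ requests has been fixed. If the NSS functions were called with a
+ misaligned buffer, the buffer length change due to pointer alignment was
+ not taken into account. This could result in application crashes or,
+ potentially arbitrary code execution, using crafted, but syntactically
+ valid DNS responses. (CVE-2015-1781)
+
 Version 2.21
 
 * The following bugs are resolved with this release:
@@ -21,10 +34,11 @@ Version 2.21
 17801, 17803, 17806, 17834, 17844, 17848, 17868, 17869, 17870, 17885,
 17892.
 
-* CVE-2015-1472 Under certain conditions wscanf can allocate too little
- memory for the to-be-scanned arguments and overflow the allocated
- buffer. The implementation now correctly computes the required buffer
- size when using malloc.
+* CVE-2015-1472 CVE-2015-1473 Under certain conditions wscanf can allocate
+ too little memory for the to-be-scanned arguments and overflow the
+ allocated buffer. The implementation now correctly computes the required
+ buffer size when using malloc, and switches to malloc from alloca as
+ intended.
 
 * A new semaphore algorithm has been implemented in generic C code for all
 machines. Previous custom assembly implementations of semaphore were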
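diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
index f715ab0..40069a7 100644
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
 int have_to_map = 0;
 uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
 buffer += pad;
-if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))
+buflen = buflen > pad ? buflen - pad : 0;
+if (__glibc_unlikely (buflen < sizeof (struct host_data)))
 {
 /* The buffer is too small. */
 too_small: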
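Review bot: The added line `buflen = buflen > pad ? buflen - pad : 0;` carries no comment saying why the length is shrunk and why it is floored at zero, and a later reader is likely to fold the subtraction back into the comparison, which is exactly the form that was wrong before. Suggest placing `/* buffer was advanced by PAD; shrink BUFLEN to match, flooring at 0 so the unsigned subtraction cannot wrap when the buffer is shorter than the padding.  */` above it. Separately, `buffer += pad;` still runs before the size check, so when buflen <= pad the pointer is advanced past the end of the caller's buffer; the too_small path presumably returns before dereferencing it, but moving `buffer += pad;` to after the check would make that independent of what follows. getanswer_r's body starts before and continues after the hunk, so the too_small handling itself is not visible here.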
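diff --git a/sysdeps/i386/i686/multiarch/mempcpy_chk.S b/sysdeps/i386/i686/multiarch/mempcpy_chk.S
index 207b648..b6fa202 100644
--- a/sysdeps/i386/i686/multiarch/mempcpy_chk.S
+++ b/sysdeps/i386/i686/multiarch/mempcpy_chk.S
@@ -36,8 +36,8 @@ ENTRY(__mempcpy_chk)
 cmpl $0, KIND_OFFSET+__cpu_features@GOTOFF(%ebx)
 jne 1f
 call __init_cpu_features
-leal __mempcpy_chk_ia32@GOTOFF(%ebx), %eax
-1: testl $bit_SSE2, CPUID_OFFSET+index_SSE2+__cpu_features@GOTOFF(%ebx)
+1: leal __mempcpy_chk_ia32@GOTOFF(%ebx), %eax
+testl $bit_SSE2, CPUID_OFFSET+index_SSE2+__cpu_features@GOTOFF(%ebx)
 jz 2f
 leal __mempcpy_chk_sse2_unaligned@GOTOFF(%ebx), %eax
 testl $bit_Fast_Unaligned_Load, FEATURE_OFFSET+index_Fast_Unaligned_Load+__cpu_features@GOTOFF(%ebx)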
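Review bot: The relocated `1:` label makes the default `leal __mempcpy_chk_ia32@GOTOFF(%ebx), %eax` run on the already-initialised `jne 1f` path as well as after `call __init_cpu_features`, which is what keeps `%eax` defined when `jz 2f` is taken, but nothing in the hunk records that intent. A one-line comment on the `1:` line, such as `/* Default to the ia32 variant; replaced below if SSE2 is usable.  */`, would stop the next reordering from reintroducing the uninitialised-%eax case. If the neighbouring i386 multiarch `*_chk.S` dispatchers are written with the same `jne 1f` / label layout they are worth checking for the same placement; only this file is named in the accompanying ChangeLog entry. __mempcpy_chk begins before the hunk and the `2:` target lies after it, so the fall-through path is not visible here.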