[oe-commits] Armin Kuster : glibc: CVE-2014-9402 endless loop in getaddr_r

git at git.openembedded.org git at git.openembedded.org
Wed Feb 11 17:40:39 UTC 2015 

Module: openembedded-core.git
Branch: dizzy
Commit: 7e3f4ddd001f9c50a49d8ba5ab548af311e6b51f
URL:    http://git.openembedded.org/?p=openembedded-core.git&a=commit;h=7e3f4ddd001f9c50a49d8ba5ab548af311e6b51f

Author: Armin Kuster <akuster at mvista.com>
Date:   Wed Jan 21 12:43:11 2015 -0800

glibc: CVE-2014-9402 endless loop in getaddr_r

The getnetbyname function in glibc 2.21 in earlier will enter an infinite loop
if the DNS backend is activated in the system Name Service Switch
configuration, and the DNS resolver receives a positive answer while processing
the network name.

(From OE-Core rev: f03bf84c179f69ef4800ed92a4a9d9401d0e5966)

Signed-off-by: Armin Kuster <akuster at mvista.com>
Signed-off-by: Ross Burton <ross.burton at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808 at gmail.com>

---

 .../CVE-2014-9402_endless-loop-in-getaddr_r.patch  | 65 ++++++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.20.bb              |  1 +
 2 files changed, 66 insertions(+)

diff --git a/meta/recipes-core/glibc/glibc/CVE-2014-9402_endless-loop-in-getaddr_r.patch b/meta/recipes-core/glibc/glibc/CVE-2014-9402_endless-loop-in-getaddr_r.patch
new file mode 100644
index 0000000..ba1da67
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2014-9402_endless-loop-in-getaddr_r.patch
@@ -0,0 +1,65 @@
+CVE-2014-9402 endless loop in getaddr_r
+
+
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=11e3417af6e354f1942c68a271ae51e892b2814d
+
+Upstream-Status: Backport
+
+Signed-off-by: Armin Kuster <akuster at mvista.com>
+
+From 11e3417af6e354f1942c68a271ae51e892b2814d Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer at redhat.com>
+Date: Mon, 15 Dec 2014 17:41:13 +0100
+Subject: [PATCH] Avoid infinite loop in nss_dns getnetbyname [BZ #17630]
+
+---
+ ChangeLog                    | 6 ++++++
+ NEWS                         | 7 +++++--
+ resolv/nss_dns/dns-network.c | 4 ++--
+ 3 files changed, 13 insertions(+), 4 deletions(-)
+
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
++++ git/NEWS
+@@ -24,7 +24,10 @@ Version 2.20
+   17031, 17042, 17048, 17050, 17058, 17061, 17062, 17069, 17075, 17078,
+   17079, 17084, 17086, 17088, 17092, 17097, 17125, 17135, 17137, 17150,
+   17153, 17187, 17213, 17259, 17261, 17262, 17263, 17319, 17325, 17354,
+-  17625.
++  17625, 17630.
++
++* The nss_dns implementation of getnetbyname could run into an infinite loop
++  if the DNS response contained a PTR record of an unexpected format.
+ 
+ * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag
+   under certain input conditions resulting in the execution of a shell for
+Index: git/resolv/nss_dns/dns-network.c
+===================================================================
+--- git.orig/resolv/nss_dns/dns-network.c
++++ git/resolv/nss_dns/dns-network.c
+@@ -398,8 +398,8 @@ getanswer_r (const querybuf *answer, int
+ 
+ 	case BYNAME:
+ 	  {
+-	    char **ap = result->n_aliases++;
+-	    while (*ap != NULL)
++	    char **ap;
++	    for (ap = result->n_aliases; *ap != NULL; ++ap)
+ 	      {
+ 		/* Check each alias name for being of the forms:
+ 		   4.3.2.1.in-addr.arpa		= net 1.2.3.4
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,9 @@
++2014-12-16  Florian Weimer  <fweimer at redhat.com>
++
++       [BZ #17630]
++       * resolv/nss_dns/dns-network.c (getanswer_r): Iterate over alias
++       names.
++
+ 2014-12-15  Jeff Law  <law at redhat.com>
+ 
+    [BZ #16617]
diff --git a/meta/recipes-core/glibc/glibc_2.20.bb b/meta/recipes-core/glibc/glibc_2.20.bb
index f67fbfd..8a8b296 100644
--- a/meta/recipes-core/glibc/glibc_2.20.bb
+++ b/meta/recipes-core/glibc/glibc_2.20.bb
@@ -44,6 +44,7 @@ EGLIBCPATCHES = "\
 CVEPATCHES = "\
         file://CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch \
         file://CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \
+        file://CVE-2014-9402_endless-loop-in-getaddr_r.patch \
     "
 LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
       file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \

More information about the Openembedded-commits mailing list