[OE-core] [PATCH 2/2] glibc: CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow

Khem Raj raj.khem at gmail.com
Fri May 8 16:25:08 UTC 2015 

this is ok

> On May 8, 2015, at 7:28 AM, Haris Okanovic <haris.okanovic at ni.com> wrote:
> 
> Backport Arjun Shankar's patch for CVE-2015-1781:
> 
> A buffer overflow flaw was found in the way glibc's gethostbyname_r() and
> other related functions computed the size of a buffer when passed a
> misaligned buffer as input. An attacker able to make an application call
> any of these functions with a misaligned buffer could use this flaw to
> crash the application or, potentially, execute arbitrary code with the
> permissions of the user running the application.
> 
> https://sourceware.org/bugzilla/show_bug.cgi?id=18287
> 
> Signed-off-by: Haris Okanovic <haris.okanovic at ni.com>
> Signed-off-by: Ken Sharp <ken.sharp at ni.com>
> Reviewed-by: Rich Tollerton <rich.tollerton at ni.com>
> ---
> Natinst-CAR-ID: 525428
> Natinst-ReviewBoard-ID: 96712
> ---
> ...81-resolv-nss_dns-dns-host.c-buffer-overf.patch | 43 ++++++++++++++++++++++
> meta/recipes-core/glibc/glibc_2.20.bb              |  1 +
> 2 files changed, 44 insertions(+)
> create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch
> 
> diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch b/meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch
> new file mode 100644
> index 0000000..c02fa12
> --- /dev/null
> +++ b/meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch
> @@ -0,0 +1,43 @@
> +From 2959eda9272a033863c271aff62095abd01bd4e3 Mon Sep 17 00:00:00 2001
> +From: Arjun Shankar <arjun.is at lostca.se>
> +Date: Tue, 21 Apr 2015 14:06:31 +0200
> +Subject: [PATCH] CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow
> + [BZ#18287]
> +
> +Upstream-Status: Backport
> +https://sourceware.org/bugzilla/show_bug.cgi?id=18287
> +---
> + resolv/nss_dns/dns-host.c | 3 ++-
> + 1 file changed, 2 insertions(+), 1 deletion(-)
> +
> +diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
> +index b16b0ddf110907a0086b86612e544d3dc75182b8..d8c55791591750567f00e616e5d7b378dec934a0 100644
> +--- a/resolv/nss_dns/dns-host.c
> ++++ b/resolv/nss_dns/dns-host.c
> +@@ -608,21 +608,22 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
> +   int n, ancount, qdcount;
> +   int haveanswer, had_error;
> +   char *bp, **ap, **hap;
> +   char tbuf[MAXDNAME];
> +   const char *tname;
> +   int (*name_ok) (const char *);
> +   u_char packtmp[NS_MAXCDNAME];
> +   int have_to_map = 0;
> +   uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
> +   buffer += pad;
> +-  if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))
> ++  buflen = buflen > pad ? buflen - pad : 0;
> ++  if (__glibc_unlikely (buflen < sizeof (struct host_data)))
> +     {
> +       /* The buffer is too small.  */
> +     too_small:
> +       *errnop = ERANGE;
> +       *h_errnop = NETDB_INTERNAL;
> +       return NSS_STATUS_TRYAGAIN;
> +     }
> +   host_data = (struct host_data *) buffer;
> +   linebuflen = buflen - sizeof (struct host_data);
> +   if (buflen - sizeof (struct host_data) != linebuflen)
> +--
> +2.2.2
> +
> diff --git a/meta/recipes-core/glibc/glibc_2.20.bb b/meta/recipes-core/glibc/glibc_2.20.bb
> index e3427dd..ba62fc3 100644
> --- a/meta/recipes-core/glibc/glibc_2.20.bb
> +++ b/meta/recipes-core/glibc/glibc_2.20.bb
> @@ -47,6 +47,7 @@ CVEPATCHES = "\
>         file://CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \
>         file://CVE-2014-9402_endless-loop-in-getaddr_r.patch \
>         file://CVE-2015-1472-wscanf-allocates-too-little-memory.patch \
> +        file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \
>     "
> LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
>       file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
> --
> 2.2.2
> 
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core at lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 204 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.openembedded.org/pipermail/openembedded-core/attachments/20150508/4fb0b353/attachment-0002.sig>

More information about the Openembedded-core mailing list