Sophie


glibc-2.20-22.mga5.src.rpm

From 2aad087ddc0d14214f3d8fd1731a9b2e15f75091 Mon Sep 17 00:00:00 2001
From: Arjun Shankar <arjun.is@lostca.se>
Date: Tue, 21 Apr 2015 14:06:31 +0200
Subject: [PATCH] CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow
 [BZ#18287]

Conflicts:
	NEWS
---
 ChangeLog                 | 6 ++++++
 NEWS                      | 9 ++++++++-
 resolv/nss_dns/dns-host.c | 3 ++-
 3 files changed, 16 insertions(+), 2 deletions(-)

diff -Nurp glibc-2.20.orig/ChangeLog glibc-2.20/ChangeLog
--- glibc-2.20.orig/ChangeLog	2015-05-01 23:03:43.445700552 +0300
+++ glibc-2.20/ChangeLog	2015-05-01 23:09:41.736465950 +0300
@@ -1,3 +1,9 @@
+2015-04-21  Arjun Shankar  <arjun.is@lostca.se>
+
+	[BZ #18287]
+	* resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length
+	based on padding.  (CVE-2015-1781)
+
 2015-02-26  Andreas Schwab  <schwab@suse.de>
 
 	[BZ #18032]
diff -Nurp glibc-2.20.orig/NEWS glibc-2.20/NEWS
--- glibc-2.20.orig/NEWS	2015-05-01 23:03:43.445700552 +0300
+++ glibc-2.20/NEWS	2015-05-01 23:14:58.331996997 +0300
@@ -10,7 +10,14 @@ Version 2.20.1
 * The following bugs are resolved with this release:
 
   16009, 16617, 16618, 17266, 17269, 17370, 17371, 17460, 17485, 17555,
-  17625, 17630, 17801, 18032.
+  17625, 17630, 17801, 18032, 18287.
+
+* A buffer overflow in gethostbyname_r and related functions performing DNS
+  requests has been fixed.  If the NSS functions were called with a
+  misaligned buffer, the buffer length change due to pointer alignment was
+ not taken into account.  This could result in application crashes or,
+  potentially arbitrary code execution, using crafted, but syntactically
+  valid DNS responses.  (CVE-2015-1781)
 
 * CVE-2015-1472 Under certain conditions wscanf can allocate too little
   memory for the to-be-scanned arguments and overflow the allocated
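Review bot: the added NEWS paragraph has an indentation slip at the line `+ not taken into account.  This could result in application crashes or,`, which is indented one space less than the surrounding lines of the same paragraph; the other continuation lines use two spaces, so this one should too. While here, the comma placement in `potentially arbitrary code execution, using crafted, but syntactically` reads awkwardly; `or potentially arbitrary code execution using crafted but syntactically valid DNS responses` would be clearer, and the entry should keep the `(CVE-2015-1781)` reference as written.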
diff -Nurp glibc-2.20.orig/resolv/nss_dns/dns-host.c glibc-2.20/resolv/nss_dns/dns-host.c
--- glibc-2.20.orig/resolv/nss_dns/dns-host.c	2014-09-07 11:09:09.000000000 +0300
+++ glibc-2.20/resolv/nss_dns/dns-host.c	2015-05-01 23:09:02.916279320 +0300
@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int
   int have_to_map = 0;
   uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
   buffer += pad;
-  if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))
+  buflen = buflen > pad ? buflen - pad : 0;
+  if (__glibc_unlikely (buflen < sizeof (struct host_data)))
     {
       /* The buffer is too small.  */
     too_small:
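Review bot: the new line `buflen = buflen > pad ? buflen - pad : 0;` should carry a short comment explaining why the usable length is reduced, since the next reader will see the size check changed from `sizeof (struct host_data) + pad` to `sizeof (struct host_data)` and may not realise the old check was sound while every later use of `buflen` in the function was not. The defect this hunk fixes is that `buffer += pad` advanced the pointer without shrinking `buflen`, so subsequent space calculations against the aligned `buffer` could run up to `pad` bytes past the caller's allocation; folding the padding into `buflen` here makes the remaining arithmetic consistent. The conditional form is correct because `buflen` is unsigned and a plain `buflen -= pad` would wrap when `buflen < pad`; clamping to 0 guarantees the `too_small` path is taken in that case. Suggest a comment along the lines of `/* The alignment padding is no longer usable; remove it from the buffer length so later size checks see the true remaining space.  */`.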