
glibc-2.20-22.mga5.src.rpm

From a02f3e795993ae0f80242b488061b74666605625 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Tue, 29 Mar 2016 12:57:56 +0200
Subject: [PATCH] CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ #19879]

The defensive copy is not needed because the name may not alias the
output buffer.

(cherry picked from commit 317b199b4aff8cfa27f2302ab404d2bb5032b9a4)
---
 ChangeLog                    |    7 +++++++
 NEWS                         |    7 ++++++-
 resolv/nss_dns/dns-network.c |    5 +----
 3 files changed, 14 insertions(+), 5 deletions(-)

#diff --git a/ChangeLog b/ChangeLog
#index 9907019..685dd90 100644
#--- a/ChangeLog
##+++ b/ChangeLog
#@@ -1,3 +1,10 @@
#+2016-04-01  Florian Weimer  <fweimer@redhat.com>
#+
#+	[BZ #19879]
#+	CVE-2016-3075
#+	* resolv/nss_dns/dns-network.c (_nss_dns_getnetbyname_r): Do not
#+	copy name.
#+
# 2016-02-12  Florian Weimer  <fweimer@redhat.com>
# 
# 	* misc/bug18240.c (do_test): Set RLIMIT_AS.
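Review bot: Every line of this ChangeLog hunk is prefixed with `#`, so it is disabled and will not apply; that is acceptable for a distribution backport, but the CVE-2016-3075 / BZ #19879 reference then survives only in this patch header and should be recorded in the package's own changelog so the fix stays traceable. Note also that the entry is dated 2016-04-01 while the commit header says 2016-03-29, which matters when matching this backport against upstream.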
#diff --git a/NEWS b/NEWS
#index 0d1952c..d7da53f 100644
#--- a/NEWS
#+++ b/NEWS
#@@ -12,7 +12,7 @@ Version 2.19.1
#   15946, 16545, 16574, 16623, 16657, 16695, 16743, 16758, 16759, 16760,
#   16878, 16882, 16885, 16916, 16932, 16943, 16958, 17048, 17062, 17069,
#   17079, 17137, 17153, 17213, 17263, 17269, 17325, 17555, 17905, 18007,
#-  18032, 18240, 18287, 18905.
#+  18032, 18240, 18287, 18905, 19879.
# 
# * A buffer overflow in gethostbyname_r and related functions performing DNS
#   requests has been fixed.  If the NSS functions were called with a
#@@ -63,6 +63,11 @@ Version 2.19.1
   the get*ent functions if any of the query functions for the same database
   are used during the iteration, causing a denial-of-service condition in
   some applications.
#+
#+* The getnetbyname implementation in nss_dns had a potentially unbounded
#+  alloca call (in the form of a call to strdupa), leading to a stack
#+  overflow (stack exhaustion) and a crash if getnetbyname is invoked
#+  on a very long name.  (CVE-2016-3075)
# 
# Version 2.19
# 
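Review bot: The three context lines from "the get*ent functions" through "some applications." are missing the `#` prefix that disables the rest of this hunk, so the file mixes disabled and live lines inside one hunk and a patch tool will not parse it cleanly. Either prefix every line of the hunk or drop both NEWS hunks entirely; they target the "Version 2.19.1" section, while the package this patch belongs to is glibc-2.20-22.mga5, so they would not apply there in any case.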
diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c
index 13ad38c..37de664 100644
--- a/resolv/nss_dns/dns-network.c
+++ b/resolv/nss_dns/dns-network.c
@@ -118,17 +118,14 @@ _nss_dns_getnetbyname_r (const char *name, struct netent *result,
   } net_buffer;
   querybuf *orig_net_buffer;
   int anslen;
-  char *qbuf;
   enum nss_status status;
 
   if (__res_maybe_init (&_res, 0) == -1)
     return NSS_STATUS_UNAVAIL;
 
-  qbuf = strdupa (name);
-
   net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024);
 
-  anslen = __libc_res_nsearch (&_res, qbuf, C_IN, T_PTR, net_buffer.buf->buf,
+  anslen = __libc_res_nsearch (&_res, name, C_IN, T_PTR, net_buffer.buf->buf,
 			       1024, &net_buffer.ptr, NULL, NULL, NULL, NULL);
   if (anslen < 0)
     {
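Review bot: With `qbuf = strdupa (name)` removed, the soundness of this hunk rests on `__libc_res_nsearch` never writing through its second argument; the function's own `name` parameter is `const char *` (see the hunk header) and the commit message states the name cannot alias the output buffer, so passing `name` directly is correct and removes the only input-sized stack allocation. The remaining `alloca (1024)` is fixed-size, so stack use in this function is now bounded regardless of how long the caller's name is. Dropping the now-unused `char *qbuf;` declaration in the same hunk keeps the build free of unused-variable warnings.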
-- 
1.7.1