diff options
| author |   Haris Okanovic <haris.okanovic@ni.com> | 2015-05-15 16:57:11 -0500 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-07-20 20:53:07 +0100 |
| commit | 96ff830b79c64d8f35c311b66906b492cbeeeb55 (patch) | |
| tree | 95f130b4ed1d9df431a27e4f9cc97462cb6c9953 | |
| parent | e4c1374330679f84436796a3f6c50b486465a7ed (diff) | |
| download | openembedded-core-contrib-96ff830b79c64d8f35c311b66906b492cbeeeb55.tar.gz | |
glibc: CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow
Backport Arjun Shankar's patch for CVE-2015-1781:
A buffer overflow flaw was found in the way glibc's gethostbyname_r() and
other related functions computed the size of a buffer when passed a
misaligned buffer as input. An attacker able to make an application call
any of these functions with a misaligned buffer could use this flaw to
crash the application or, potentially, execute arbitrary code with the
permissions of the user running the application.
https://sourceware.org/bugzilla/show_bug.cgi?id=18287
(From OE-Core rev: c0f0b6e6ef1edc0a9f9e1ceffb1cdbbef2e409c6)
Signed-off-by: Haris Okanovic <haris.okanovic@ni.com>
Reviewed-by: Ben Shelton <ben.shelton@ni.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
| -rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch | 43 | ||||
| -rw-r--r-- | meta/recipes-core/glibc/glibc_2.20.bb | 3 |
2 files changed, 46 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch b/meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch new file mode 100644 index 0000000000..c02fa127cd --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch @@ -0,0 +1,43 @@ +From 2959eda9272a033863c271aff62095abd01bd4e3 Mon Sep 17 00:00:00 2001 +From: Arjun Shankar <arjun.is@lostca.se> +Date: Tue, 21 Apr 2015 14:06:31 +0200 +Subject: [PATCH] CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow + [BZ#18287] + +Upstream-Status: Backport +https://sourceware.org/bugzilla/show_bug.cgi?id=18287 +--- + resolv/nss_dns/dns-host.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c +index b16b0ddf110907a0086b86612e544d3dc75182b8..d8c55791591750567f00e616e5d7b378dec934a0 100644 +--- a/resolv/nss_dns/dns-host.c ++++ b/resolv/nss_dns/dns-host.c +@@ -608,21 +608,22 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype, + int n, ancount, qdcount; + int haveanswer, had_error; + char *bp, **ap, **hap; + char tbuf[MAXDNAME]; + const char *tname; + int (*name_ok) (const char *); + u_char packtmp[NS_MAXCDNAME]; + int have_to_map = 0; + uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data); + buffer += pad; +- if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad)) ++ buflen = buflen > pad ? buflen - pad : 0; ++ if (__glibc_unlikely (buflen < sizeof (struct host_data))) + { + /* The buffer is too small. */ + too_small: + *errnop = ERANGE; + *h_errnop = NETDB_INTERNAL; + return NSS_STATUS_TRYAGAIN; + } + host_data = (struct host_data *) buffer; + linebuflen = buflen - sizeof (struct host_data); + if (buflen - sizeof (struct host_data) != linebuflen) +-- +2.2.2 + diff --git a/meta/recipes-core/glibc/glibc_2.20.bb b/meta/recipes-core/glibc/glibc_2.20.bb index 8a8b296def..a0736cdeec 100644 --- a/meta/recipes-core/glibc/glibc_2.20.bb +++ b/meta/recipes-core/glibc/glibc_2.20.bb @@ -40,6 +40,9 @@ EGLIBCPATCHES = "\ # file://eglibc-install-pic-archives.patch \ # file://initgroups_keys.patch \ # +CVEPATCHES = "\ + file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \ +" CVEPATCHES = "\ file://CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch \ |