This is an automated email from the git hooks/post-receive script.

aurel32 pushed a commit to branch sid
in repository glibc.

commit c16873aceccff7a1116adb047a47d5fb95fd461c
Author: Aurelien Jarno <aurel...@aurel32.net>
Date:   Tue Jan 3 22:51:27 2017 +0100

    patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a 
NULL pointer dereference in libresolv when receiving a T_UNSPEC internal QTYPE 
(CVE-2015-5180).  Closes: #796106.
---
 debian/changelog                                  |  3 +
 debian/patches/any/cvs-resolv-internal-qtype.diff | 78 +++++++++++++++++++++++
 debian/patches/series                             |  1 +
 3 files changed, 82 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 58aaf38..2bf3ceb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -24,6 +24,9 @@ glibc (2.24-9) UNRELEASED; urgency=medium
     with the PT154 charset.  Closes: #847596.
   * debian/patches/git-updates.diff: update from upstream stable branch:
     - debian/patches/alpha/submitted-math-fixes.diff: Drop, merged upstream.
+  * patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a
+    NULL pointer dereference in libresolv when receiving a T_UNSPEC internal
+    QTYPE (CVE-2015-5180).  Closes: #796106.
 
  -- Samuel Thibault <sthiba...@debian.org>  Fri, 09 Dec 2016 01:51:00 +0100
 
diff --git a/debian/patches/any/cvs-resolv-internal-qtype.diff 
b/debian/patches/any/cvs-resolv-internal-qtype.diff
new file mode 100644
index 0000000..670d671
--- /dev/null
+++ b/debian/patches/any/cvs-resolv-internal-qtype.diff
@@ -0,0 +1,78 @@
+2016-12-31  Florian Weimer  <fwei...@redhat.com>
+
+       [BZ #18784]
+       CVE-2015-5180
+       * include/arpa/nameser_compat.h (T_QUERY_A_AND_AAAA): Rename from
+       T_UNSPEC.  Adjust value.
+       * resolv/nss_dns/dns-host.c (_nss_dns_gethostbyname4_r): Use it.
+       * resolv/res_query.c (__libc_res_nquery): Likewise.
+       * resolv/res_mkquery.c (res_nmkquery): Check for out-of-range
+       QTYPEs.
+
+--- a/include/arpa/nameser_compat.h
++++ b/include/arpa/nameser_compat.h
+@@ -1,8 +1,8 @@
+ #ifndef _ARPA_NAMESER_COMPAT_
+ #include <resolv/arpa/nameser_compat.h>
+ 
+-/* Picksome unused number to represent lookups of IPv4 and IPv6 (i.e.,
+-   T_A and T_AAAA).  */
+-#define T_UNSPEC 62321
++/* The number is outside the 16-bit RR type range and is used
++   internally by the implementation.  */
++#define T_QUERY_A_AND_AAAA 439963904
+ 
+ #endif
+--- a/resolv/nss_dns/dns-host.c
++++ b/resolv/nss_dns/dns-host.c
+@@ -323,7 +323,7 @@
+ 
+   int olderr = errno;
+   enum nss_status status;
+-  int n = __libc_res_nsearch (&_res, name, C_IN, T_UNSPEC,
++  int n = __libc_res_nsearch (&_res, name, C_IN, T_QUERY_A_AND_AAAA,
+                             host_buffer.buf->buf, 2048, &host_buffer.ptr,
+                             &ans2p, &nans2p, &resplen2, &ans2p_malloced);
+   if (n >= 0)
+--- a/resolv/res_mkquery.c
++++ b/resolv/res_mkquery.c
+@@ -103,6 +103,10 @@
+       int n;
+       u_char *dnptrs[20], **dpp, **lastdnptr;
+ 
++      if (class < 0 || class > 65535
++          || type < 0 || type > 65535)
++        return -1;
++
+ #ifdef DEBUG
+       if (statp->options & RES_DEBUG)
+               printf(";; res_nmkquery(%s, %s, %s, %s)\n",
+--- a/resolv/res_query.c
++++ b/resolv/res_query.c
+@@ -122,7 +122,7 @@
+       int n, use_malloc = 0;
+       u_int oflags = statp->_flags;
+ 
+-      size_t bufsize = (type == T_UNSPEC ? 2 : 1) * QUERYSIZE;
++      size_t bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * QUERYSIZE;
+       u_char *buf = alloca (bufsize);
+       u_char *query1 = buf;
+       int nquery1 = -1;
+@@ -137,7 +137,7 @@
+               printf(";; res_query(%s, %d, %d)\n", name, class, type);
+ #endif
+ 
+-      if (type == T_UNSPEC)
++      if (type == T_QUERY_A_AND_AAAA)
+         {
+           n = res_nmkquery(statp, QUERY, name, class, T_A, NULL, 0, NULL,
+                            query1, bufsize);
+@@ -190,7 +190,7 @@
+       if (__builtin_expect (n <= 0, 0) && !use_malloc) {
+               /* Retry just in case res_nmkquery failed because of too
+                  short buffer.  Shouldn't happen.  */
+-              bufsize = (type == T_UNSPEC ? 2 : 1) * MAXPACKET;
++              bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * MAXPACKET;
+               buf = malloc (bufsize);
+               if (buf != NULL) {
+                       query1 = buf;
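Review bot: The range check added to res_nmkquery in resolv/res_mkquery.c has no comment, although it appears to be the line that enforces the CVE-2015-5180 fix by rejecting any class or type that does not fit a 16-bit wire field, including the internal T_QUERY_A_AND_AAAA value. I would add above it `/* QCLASS and QTYPE are 16-bit on the wire; reject internal pseudo-types such as T_QUERY_A_AND_AAAA.  */` so that a later cleanup does not drop the check as redundant. The new `return -1` also seems to feed the `n <= 0 && !use_malloc` retry in resolv/res_query.c, whose comment assumes the failure was a too-short buffer. For an out-of-range type the retry would presumably repeat the same failing call after a MAXPACKET-sized malloc, which looks harmless but is worth confirming. Both function bodies start and end outside the hunks shown, so this is based only on the visible lines.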
diff --git a/debian/patches/series b/debian/patches/series
index 5927826..2f9d247 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -215,3 +215,4 @@ any/local-bootstrap-headers.diff
 any/submitted-dlopen-noload.diff
 any/submitted-perl-inc.diff
 any/submitted-unicode-9.0.0.diff
+any/cvs-resolv-internal-qtype.diff

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-glibc/glibc.git
