This is an automated email from the git hooks/post-receive script. aurel32 pushed a commit to branch jessie in repository glibc.
commit 138de87c1f40c651dce664d76bbf1902eb853cb8 Author: Aurelien Jarno <aurel...@aurel32.net> Date: Wed Apr 12 00:34:46 2017 +0200 patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a NULL pointer dereference in libresolv when receiving a T_UNSPEC internal QTYPE (CVE-2015-5180). Closes: #796106. --- debian/changelog | 3 + debian/patches/any/cvs-resolv-internal-qtype.diff | 78 +++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 82 insertions(+) diff --git a/debian/changelog b/debian/changelog index ffbd139..5a26d07 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,6 +3,9 @@ glibc (2.19-18+deb8u8) UNRELEASED; urgency=medium [ Aurelien Jarno ] * Update from upstream stable branch: - Fix PowerPC sqrt inaccuracy. Closes: #855606. + * patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a + NULL pointer dereference in libresolv when receiving a T_UNSPEC internal + QTYPE (CVE-2015-5180). Closes: #796106. -- Aurelien Jarno <aure...@debian.org> Mon, 20 Feb 2017 23:30:47 +0100 diff --git a/debian/patches/any/cvs-resolv-internal-qtype.diff b/debian/patches/any/cvs-resolv-internal-qtype.diff new file mode 100644 index 0000000..670d671 --- /dev/null +++ b/debian/patches/any/cvs-resolv-internal-qtype.diff 
@@ -0,0 +1,78 @@
+2016-12-31 Florian Weimer <fwei...@redhat.com>
+
+ [BZ #18784]
+ CVE-2015-5180
+ * include/arpa/nameser_compat.h (T_QUERY_A_AND_AAAA): Rename from
+ T_UNSPEC. Adjust value.
+ * resolv/nss_dns/dns-host.c (_nss_dns_gethostbyname4_r): Use it.
+ * resolv/res_query.c (__libc_res_nquery): Likewise.
+ * resolv/res_mkquery.c (res_nmkquery): Check for out-of-range
+ QTYPEs.
+
+--- a/include/arpa/nameser_compat.h
++++ b/include/arpa/nameser_compat.h
+@@ -1,8 +1,8 @@
+ #ifndef _ARPA_NAMESER_COMPAT_
+ #include <resolv/arpa/nameser_compat.h>
+
+-/* Picksome unused number to represent lookups of IPv4 and IPv6 (i.e.,
+- T_A and T_AAAA). */
+-#define T_UNSPEC 62321
++/* The number is outside the 16-bit RR type range and is used
++ internally by the implementation. */
++#define T_QUERY_A_AND_AAAA 439963904
+
+ #endif
+--- a/resolv/nss_dns/dns-host.c
++++ b/resolv/nss_dns/dns-host.c
+@@ -323,7 +323,7 @@
+
+ int olderr = errno;
+ enum nss_status status;
+- int n = __libc_res_nsearch (&_res, name, C_IN, T_UNSPEC,
++ int n = __libc_res_nsearch (&_res, name, C_IN, T_QUERY_A_AND_AAAA,
+ host_buffer.buf->buf, 2048, &host_buffer.ptr,
+ &ans2p, &nans2p, &resplen2, &ans2p_malloced);
+ if (n >= 0)
+--- a/resolv/res_mkquery.c
++++ b/resolv/res_mkquery.c
+@@ -103,6 +103,10 @@
+ int n;
+ u_char *dnptrs[20], **dpp, **lastdnptr;
+
++ if (class < 0 || class > 65535
++ || type < 0 || type > 65535)
++ return -1;
++
+ #ifdef DEBUG
+ if (statp->options & RES_DEBUG)
+ printf(";; res_nmkquery(%s, %s, %s, %s)\n",
+--- a/resolv/res_query.c
++++ b/resolv/res_query.c
+@@ -122,7 +122,7 @@
+ int n, use_malloc = 0;
+ u_int oflags = statp->_flags;
+
+- size_t bufsize = (type == T_UNSPEC ? 2 : 1) * QUERYSIZE;
++ size_t bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * QUERYSIZE;
+ u_char *buf = alloca (bufsize);
+ u_char *query1 = buf;
+ int nquery1 = -1;
+@@ -137,7 +137,7 @@
+ printf(";; res_query(%s, %d, %d)\n", name, class, type);
+ #endif
+
+- if (type == T_UNSPEC)
++ if (type == T_QUERY_A_AND_AAAA)
+ {
+ n = res_nmkquery(statp, QUERY, name, class, T_A, NULL, 0, NULL,
+ query1, bufsize);
+@@ -190,7 +190,7 @@
+ if (__builtin_expect (n <= 0, 0) && !use_malloc) {
+ /* Retry just in case res_nmkquery failed because of too
+ short buffer. Shouldn't happen. */
+- bufsize = (type == T_UNSPEC ? 2 : 1) * MAXPACKET;
++ bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * MAXPACKET;
+ buf = malloc (bufsize);
+ if (buf != NULL) {
+ query1 = buf;
diff --git a/debian/patches/series b/debian/patches/series
index 746f71c..2ef5384 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -274,3 +274,4 @@ any/cvs-wscanf.diff
 any/cvs-ldconfig-aux-cache.diff
 any/cvs-grantpt-pty-owner.diff
 any/cvs-hesiod-resolver.diff
+any/cvs-resolv-internal-qtype.diff
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-glibc/glibc.git
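Review bot: The range check added to res_nmkquery in resolv/res_mkquery.c fails with a plain -1, which the retry branch in the last resolv/res_query.c hunk (`n <= 0 && !use_malloc`) treats as a possibly too-short buffer. An out-of-range QTYPE or QCLASS will therefore presumably trigger one malloc of MAXPACKET bytes and a second, equally doomed res_nmkquery call before the lookup fails. That is harmless for correctness but is wasted work on a caller-supplied value; __libc_res_nquery could reject a `type` outside 0..65535 other than T_QUERY_A_AND_AAAA before building the first query. The check also deserves a why-comment, for example `/* QCLASS and QTYPE are 16-bit fields on the wire; reject values that would not fit. */`, since the bare 65535 does not explain itself. Both functions start and end outside these hunks, so how -1 is handled further down should be confirmed against the full source.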