this is ok > On May 8, 2015, at 7:28 AM, Haris Okanovic <[email protected]> wrote: > > Backport Arjun Shankar's patch for CVE-2015-1781: > > A buffer overflow flaw was found in the way glibc's gethostbyname_r() and > other related functions computed the size of a buffer when passed a > misaligned buffer as input. An attacker able to make an application call > any of these functions with a misaligned buffer could use this flaw to > crash the application or, potentially, execute arbitrary code with the > permissions of the user running the application. > > https://sourceware.org/bugzilla/show_bug.cgi?id=18287 > > Signed-off-by: Haris Okanovic <[email protected]> > Signed-off-by: Ken Sharp <[email protected]> > Reviewed-by: Rich Tollerton <[email protected]> > --- > Natinst-CAR-ID: 525428 > Natinst-ReviewBoard-ID: 96712 > --- > ...81-resolv-nss_dns-dns-host.c-buffer-overf.patch | 43 ++++++++++++++++++++++ > meta/recipes-core/glibc/glibc_2.20.bb | 1 + > 2 files changed, 44 insertions(+) > create mode 100644 > meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch > > diff --git > a/meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch > > b/meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch > new file mode 100644 > index 0000000..c02fa12 > --- /dev/null > +++ > b/meta/recipes-core/glibc/glibc/CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch > @@ -0,0 +1,43 @@ > +From 2959eda9272a033863c271aff62095abd01bd4e3 Mon Sep 17 00:00:00 2001 > +From: Arjun Shankar <[email protected]> > +Date: Tue, 21 Apr 2015 14:06:31 +0200 > +Subject: [PATCH] CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow > + [BZ#18287] > + > +Upstream-Status: Backport > +https://sourceware.org/bugzilla/show_bug.cgi?id=18287 > +--- > + resolv/nss_dns/dns-host.c | 3 ++- > + 1 file changed, 2 insertions(+), 1 deletion(-) > + > +diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c > +index > b16b0ddf110907a0086b86612e544d3dc75182b8..d8c55791591750567f00e616e5d7b378dec934a0 > 100644 > +--- a/resolv/nss_dns/dns-host.c > ++++ b/resolv/nss_dns/dns-host.c > +@@ -608,21 +608,22 @@ getanswer_r (const querybuf *answer, int anslen, const > char *qname, int qtype, > + int n, ancount, qdcount; > + int haveanswer, had_error; > + char *bp, **ap, **hap; > + char tbuf[MAXDNAME]; > + const char *tname; > + int (*name_ok) (const char *); > + u_char packtmp[NS_MAXCDNAME]; > + int have_to_map = 0; > + uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data); > + buffer += pad; > +- if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad)) > ++ buflen = buflen > pad ? buflen - pad : 0; > ++ if (__glibc_unlikely (buflen < sizeof (struct host_data))) > + { > + /* The buffer is too small. */ > + too_small: > + *errnop = ERANGE; > + *h_errnop = NETDB_INTERNAL; > + return NSS_STATUS_TRYAGAIN; > + } > + host_data = (struct host_data *) buffer; > + linebuflen = buflen - sizeof (struct host_data); > + if (buflen - sizeof (struct host_data) != linebuflen) > +-- > +2.2.2 > + > diff --git a/meta/recipes-core/glibc/glibc_2.20.bb > b/meta/recipes-core/glibc/glibc_2.20.bb > index e3427dd..ba62fc3 100644 > --- a/meta/recipes-core/glibc/glibc_2.20.bb > +++ b/meta/recipes-core/glibc/glibc_2.20.bb > @@ -47,6 +47,7 @@ CVEPATCHES = "\ > file://CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \ > file://CVE-2014-9402_endless-loop-in-getaddr_r.patch \ > file://CVE-2015-1472-wscanf-allocates-too-little-memory.patch \ > + file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \ > " > LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \ > file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ > -- > 2.2.2 > > -- > _______________________________________________ > Openembedded-core mailing list > [email protected] > http://lists.openembedded.org/mailman/listinfo/openembedded-core
signature.asc
Description: Message signed with OpenPGP using GPGMail
-- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
