Hello community,

here is the log from the commit of package glibc for openSUSE:Factory checked in at 2016-06-05 14:17:28
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/glibc (Old)
 and      /work/SRC/openSUSE:Factory/.glibc.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "glibc" Changes: -------- --- /work/SRC/openSUSE:Factory/glibc/glibc-testsuite.changes 2016-05-19 12:02:38.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.glibc.new/glibc-testsuite.changes 2016-06-05 14:17:30.000000000 +0200 @@ -1,0 +2,6 @@ +Mon May 30 08:23:03 UTC 2016 - sch...@suse.de + +- clntudp-call-alloca.patch: do not use alloca in clntudp_call + (CVE-2016-4429, bsc#980854, BZ #20112) + +------------------------------------------------------------------- glibc-utils.changes: same change glibc.changes: same change New: ---- clntudp-call-alloca.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ glibc-testsuite.spec ++++++ --- /var/tmp/diff_new_pack.4ZvhYu/_old 2016-06-05 14:17:32.000000000 +0200 +++ /var/tmp/diff_new_pack.4ZvhYu/_new 2016-06-05 14:17:32.000000000 +0200 @@ -306,6 +306,8 @@ Patch1053: 0054-Revert-Report-dlsym-dlvsym-lookup-errors-using-dlerr.patch Patch1054: 0055-CVE-2016-3706-getaddrinfo-stack-overflow-in-hostent-.patch Patch1055: 0056-Fix-strfmon_l-Use-specified-locale-for-number-format.patch +# PATCH-FIX-UPSTREAM sunrpc: Do not use alloca in clntudp_call (CVE-2016-4429, BZ #20112) +Patch1056: clntudp-call-alloca.patch ### # Patches awaiting upstream approval @@ -584,6 +586,7 @@ %patch1053 -p1 %patch1054 -p1 %patch1055 -p1 +%patch1056 -p1 %patch2000 -p1 %patch2001 -p1 glibc-utils.spec: same change glibc.spec: same change ++++++ clntudp-call-alloca.patch ++++++ 2016-05-23 Florian Weimer <fwei...@redhat.com> CVE-2016-4429 [BZ #20112] * sunrpc/clnt_udp.c (clntudp_call): Use malloc/free for the error payload. Index: glibc-2.23/sunrpc/clnt_udp.c =================================================================== --- glibc-2.23.orig/sunrpc/clnt_udp.c +++ glibc-2.23/sunrpc/clnt_udp.c 
@@ -391,9 +391,15 @@ send_again: struct sock_extended_err *e; struct sockaddr_in err_addr; struct iovec iov; - char *cbuf = (char *) alloca (outlen + 256); + char *cbuf = malloc (outlen + 256); int ret; + if (cbuf == NULL) + { + cu->cu_error.re_errno = errno; + return (cu->cu_error.re_status = RPC_CANTRECV); + } + iov.iov_base = cbuf + 256; iov.iov_len = outlen; msg.msg_name = (void *) &err_addr; @@ -418,10 +424,12 @@ send_again: cmsg = CMSG_NXTHDR (&msg, cmsg)) if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR) { + free (cbuf); e = (struct sock_extended_err *) CMSG_DATA(cmsg); cu->cu_error.re_errno = e->ee_errno; return (cu->cu_error.re_status = RPC_CANTRECV); } + free (cbuf); } #endif do
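Review bot: in the sunrpc/clnt_udp.c hunk at @@ -391,9 +391,15 @@, the literal 256 in `malloc (outlen + 256)` has to stay equal to the offset in `iov.iov_base = cbuf + 256;`, and nothing in the code ties the two together. Suggest a named constant for that reserved area, used in both places, and a one-line comment above the malloc recording why the buffer is on the heap; the changelog entry only says "Use malloc/free for the error payload", so a later cleanup could switch it back to alloca without noticing the CVE.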
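Review bot: in the sunrpc/clnt_udp.c hunk at @@ -418,10 +424,12 @@, `free (cbuf);` is placed before `e = (struct sock_extended_err *) CMSG_DATA(cmsg);` and the read of `e->ee_errno`, which is a use-after-free if cmsg points into cbuf. cmsg is walked out of msg with CMSG_NXTHDR, and the earlier hunk keeps the first 256 bytes of cbuf in front of iov_base; if msg.msg_control is set to that region (the assignment is outside the visible context), e refers to freed heap memory when ee_errno is read. With alloca the buffer stayed valid until the function returned, so this ordering problem is new with the switch to malloc. Suggest storing e->ee_errno into cu->cu_error.re_errno first and calling free (cbuf) immediately before the return, leaving the second free (cbuf) after the loop as it is.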