Bug#821358: nss_hesiod segfaults in sock_eq
control: severity -1 important

On 2016-09-29 00:09, Anders Kaseorg wrote:
> Control: severity -1 serious
>
> Bumping severity because this is a regression introduced in a stable
> update.
>

While this is unfortunate and will be fixed, I don't see why the fact that
the regression has been introduced in a stable update changes the severity
of the bug. Downgrading it back to important.

--
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurel...@aurel32.net                 http://www.aurel32.net
Bug#821358: nss_hesiod segfaults in sock_eq
Control: severity -1 serious

Bumping severity because this is a regression introduced in a stable
update.

Anders
Bug#821358: nss_hesiod segfaults in sock_eq
Control: reopen -1
Control: found -1 2.19-18+deb8u6
Control: tags -1 + jessie

On Sun, 17 Apr 2016, Anders Kaseorg wrote:
> glibc 2.22 broke nss_hesiod so that it segfaults on almost all uses. To
> reproduce:
>
> # sed -i 's/^passwd:.*/& hesiod/' /etc/nsswitch.conf
> # cat > /etc/hesiod.conf <<EOF
> lhs=.ns
> rhs=.athena.mit.edu
> EOF
> # id andersk
> Segmentation fault (core dumped)
>
> See also:
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=19573
> https://bugzilla.redhat.com/show_bug.cgi?id=1252570
> https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1571456

The patch introducing this bug was backported to jessie in 2.19-18+deb8u6 as
debian/patches/any/submitted-resolv-ipv6-nameservers.diff
(https://bugs.debian.org/818281) without the fix. Therefore, jessie is now
also affected.

# id andersk
uid=39270(andersk) gid=101(libuuid) groups=101(libuuid)
# apt install libc6
…
Preparing to unpack .../libc6_2.19-18+deb8u6_amd64.deb ...
Unpacking libc6:amd64 (2.19-18+deb8u6) over (2.19-18+deb8u4) ...
Setting up libc6:amd64 (2.19-18+deb8u6) ...
…
# id andersk
Segmentation fault (core dumped)

Anders
Bug#821358: nss_hesiod segfaults in sock_eq
notfound 821358 2.2.1-9
found 821358 2.22-0experimental0
tags 821358 + patch

I sent this patch upstream. Since it only touches nss_hesiod, which is
completely broken otherwise, it should be very low risk.

https://sourceware.org/ml/libc-alpha/2016-04/msg00563.html

2016-04-22  Anders Kaseorg

	[BZ #19573]
	* hesiod/hesiod.c (hesiod_end): Only call res_nclose(ctx->res) if
	ctx->free_res is nonnull, to prevent a crash on res_nclose()
	introduced by commit 2212c1420c92a33b0e0bd9a34938c9814a56c0f7
	(Simplify handling of nameserver configuration in resolver).

diff --git a/hesiod/hesiod.c b/hesiod/hesiod.c
index 657dabe..a540382 100644
--- a/hesiod/hesiod.c
+++ b/hesiod/hesiod.c
@@ -152,12 +152,12 @@ hesiod_end(void *context)
 {
 	struct hesiod_p *ctx = (struct hesiod_p *) context;
 	int save_errno = errno;
-	if (ctx->res)
+	if (ctx->res && ctx->free_res) {
 		res_nclose(ctx->res);
+		(*ctx->free_res)(ctx->res);
+	}
 	free(ctx->RHS);
 	free(ctx->LHS);
-	if (ctx->res && ctx->free_res)
-		(*ctx->free_res)(ctx->res);
 	free(ctx);
 	__set_errno(save_errno);
 }

Anders
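Review bot: the new guard `if (ctx->res && ctx->free_res)` makes free_res do double duty: it already marks the resolver state as owned by hesiod, and now it also decides whether res_nclose() runs at all, so a borrowed ctx->res (free_res NULL, the case where it points at the process-wide `_res` that the backtrace shows as `statp=0x77bb7ae0 <_res>`) is no longer closed by hesiod_end(). That is the intended fix, but nothing in the code says so; add a comment above the `if` stating that a non-owned resolver state belongs to the caller and must not be closed here, and move the rationale ("to prevent a crash on res_nclose() introduced by commit 2212c142...") from the ChangeLog entry into the commit message, since ChangeLog entries record what changed rather than why.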
Bug#821358: nss_hesiod segfaults in sock_eq
Package: libc6
Version: 2.22-6
Severity: important
Tags: upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=19573

glibc 2.22 broke nss_hesiod so that it segfaults on almost all uses. To
reproduce:

# sed -i 's/^passwd:.*/& hesiod/' /etc/nsswitch.conf
# cat > /etc/hesiod.conf <
, a2=0x0) at res_send.c:1629
1629	res_send.c: No such file or directory.
(gdb) bt
#0  0x76531aa3 in sock_eq (a1=a1@entry=0x77bb7af4 <_res+20>, a2=0x0) at res_send.c:1629
#1  0x765333f7 in __libc_res_nsend (statp=0x77bb7ae0 <_res>, buf=buf@entry=0x7fffdec0 "\322\325\001", buflen=45, buf2=buf2@entry=0x0, buflen2=buflen2@entry=0, ans=ans@entry=0x7fffe2c0 "`\343\377\377\377\177", anssiz=1024, ansp=0x0, ansp2=0x0, nansp2=0x0, resplen2=0x0, ansp2_malloced=0x0) at res_send.c:416
#2  0x76533bbd in __GI___res_nsend (statp=, buf=buf@entry=0x7fffdec0 "\322\325\001", buflen=, ans=ans@entry=0x7fffe2c0 "`\343\377\377\377\177", anssiz=anssiz@entry=1024) at res_send.c:638
#3  0x767417d6 in get_txt_records (class=1, name=name@entry=0x610a80 "39270.uid.ns.athena.mit.edu", ctx=0x60f8c0) at hesiod.c:374
#4  0x76741d95 in hesiod_resolve (context=context@entry=0x60f8c0, name=name@entry=0x7fffe780 "39270", type=type@entry=0x767432c6 "uid") at hesiod.c:240
#5  0x76742aa2 in lookup (name=name@entry=0x7fffe780 "39270", type=type@entry=0x767432c6 "uid", pwd=pwd@entry=0x77bb5e20 , buffer=buffer@entry=0x60f260 "saned", buflen=buflen@entry=1024, errnop=errnop@entry=0x77fe56b8) at nss_hesiod/hesiod-pwd.c:63
#6  0x76742c2b in _nss_hesiod_getpwuid_r (uid=, pwd=0x77bb5e20 , buffer=0x60f260 "saned", buflen=1024, errnop=0x77fe56b8) at nss_hesiod/hesiod-pwd.c:112
#7  0x778ccc0c in __getpwuid_r (uid=uid@entry=39270, resbuf=resbuf@entry=0x77bb5e20 , buffer=0x60f260 "saned", buflen=buflen@entry=1024, result=result@entry=0x7fffe848) at ../nss/getXXbyYY_r.c:266
#8  0x778cc52e in getpwuid (uid=39270) at ../nss/getXXbyYY.c:116
#9  0x004022b9 in ?? ()
#10 0x77835610 in __libc_start_main (main=0x401b20, argc=2, argv=0x7fffe9b8, init=, fini=, rtld_fini=, stack_end=0x7fffe9a8) at libc-start.c:291
#11 0x004026ac in ?? ()

See also:

https://sourceware.org/bugzilla/show_bug.cgi?id=19573
https://bugzilla.redhat.com/show_bug.cgi?id=1252570
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1571456

Anders