Bug#821358: nss_hesiod segfaults in sock_eq

2016-09-29 Thread Aurelien Jarno
control: severity -1 important

On 2016-09-29 00:09, Anders Kaseorg wrote:
> Control: severity -1 serious
> 
> Bumping severity because this is a regression introduced in a stable 
> update.
> 

While this is unfortunate and will be fixed, I don't see why the fact
that the regression has been introduced in a stable update changes the
severity of the bug. Downgrading it back to important.

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net



Bug#821358: nss_hesiod segfaults in sock_eq

2016-09-28 Thread Anders Kaseorg
Control: severity -1 serious

Bumping severity because this is a regression introduced in a stable 
update.

Anders



Bug#821358: nss_hesiod segfaults in sock_eq

2016-09-28 Thread Anders Kaseorg
Control: reopen -1
Control: found -1 2.19-18+deb8u6
Control: tags -1 + jessie

On Sun, 17 Apr 2016, Anders Kaseorg wrote:
> glibc 2.22 broke nss_hesiod so that it segfaults on almost all uses.  To 
> reproduce:
> 
> # sed -i 's/^passwd:.*/& hesiod/' /etc/nsswitch.conf
> # cat > /etc/hesiod.conf <<EOF
> lhs=.ns
> rhs=.athena.mit.edu
> EOF
> # id andersk
> Segmentation fault (core dumped)
> 
> See also:
> 
> https://sourceware.org/bugzilla/show_bug.cgi?id=19573
> https://bugzilla.redhat.com/show_bug.cgi?id=1252570
> https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1571456

The patch introducing this bug was backported to jessie in 2.19-18+deb8u6 
as debian/patches/any/submitted-resolv-ipv6-nameservers.diff 
(https://bugs.debian.org/818281) without the fix.  Therefore, jessie is 
now also affected.

# id andersk
uid=39270(andersk) gid=101(libuuid) groups=101(libuuid)
# apt install libc6
…
Preparing to unpack .../libc6_2.19-18+deb8u6_amd64.deb ...
Unpacking libc6:amd64 (2.19-18+deb8u6) over (2.19-18+deb8u4) ...
Setting up libc6:amd64 (2.19-18+deb8u6) ...
…
# id andersk
Segmentation fault (core dumped)

Anders



Bug#821358: nss_hesiod segfaults in sock_eq

2016-04-27 Thread Anders Kaseorg
notfound 821358 2.2.1-9
found 821358 2.22-0experimental0
tags 821358 + patch

I sent this patch upstream.  Since it only touches nss_hesiod, which is 
completely broken otherwise, it should be very low risk.

https://sourceware.org/ml/libc-alpha/2016-04/msg00563.html


2016-04-22  Anders Kaseorg  

[BZ #19573]
* hesiod/hesiod.c (hesiod_end): Only call res_nclose(ctx->res) if
ctx->free_res is nonnull, to prevent a crash on res_nclose()
introduced by commit 2212c1420c92a33b0e0bd9a34938c9814a56c0f7
(Simplify handling of nameserver configuration in resolver).

diff --git a/hesiod/hesiod.c b/hesiod/hesiod.c
index 657dabe..a540382 100644
--- a/hesiod/hesiod.c
+++ b/hesiod/hesiod.c
@@ -152,12 +152,12 @@ hesiod_end(void *context) {
struct hesiod_p *ctx = (struct hesiod_p *) context;
int save_errno = errno;
 
-   if (ctx->res)
+   if (ctx->res && ctx->free_res) {
res_nclose(ctx->res);
+   (*ctx->free_res)(ctx->res);
+   }
free(ctx->RHS);
free(ctx->LHS);
-   if (ctx->res && ctx->free_res)
-   (*ctx->free_res)(ctx->res);
free(ctx);
__set_errno(save_errno);
 }
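Review bot: the new `if (ctx->res && ctx->free_res)` guard means hesiod_end() no longer calls res_nclose() at all on a resolver state the caller installed without a free_res callback, which is exactly the case in the backtrace, where the query runs on the global `_res`; that ownership rule is the right fix, but nothing in the hunk records it, so add a comment above the guard stating that state supplied without free_res belongs to the caller and is neither closed nor freed here, otherwise a later reader may "simplify" the condition back to `if (ctx->res)` and reintroduce the crash. Moving the close ahead of `free(ctx->RHS)` and `free(ctx->LHS)` is harmless, since those members are independent of ctx->res.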


Anders
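A model of the ownership rule the patch enforces, added here as an example; it is not glibc or hesiod code, and the types and function names (toy_res, hes_ctx, shared_cycle, private_cycle) are made up for illustration. It replaces struct __res_state with a toy table whose entries are freed and NULLed on close while the count stays set, which is enough to show why closing a borrowed `_res` from hesiod_end() breaks the next resolver user in the same process, and why guarding the close with free_res is the right fix rather than a workaround:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for struct __res_state (hypothetical, not glibc's type): after a
 * close, nscount stays set while the per-nameserver entries are freed and
 * NULLed, so a later query on the same state walks into a NULL entry. */
struct toy_res {
    int nscount;
    char *nsaddrs[3];
};

static struct toy_res global_res;   /* plays the role of glibc's shared _res */

static void toy_res_init(struct toy_res *r, int n)
{
    r->nscount = n;
    for (int i = 0; i < n; i++) r->nsaddrs[i] = strdup("nameserver");
}

/* Analogue of res_nclose(): release per-nameserver state, keep nscount. */
static void toy_res_close(struct toy_res *r)
{
    for (int i = 0; i < r->nscount; i++) { free(r->nsaddrs[i]); r->nsaddrs[i] = NULL; }
}

/* Analogue of the per-nameserver comparison that reached sock_eq(): returns -1
 * where the real code dereferenced the NULL entry instead of crashing. */
static int toy_res_query(const struct toy_res *r)
{
    for (int i = 0; i < r->nscount; i++)
        if (r->nsaddrs[i] == NULL) return -1;
    return r->nscount;
}

/* The two hesiod_p members the patch is about. */
struct hes_ctx {
    struct toy_res *res;
    void (*free_res)(void *);   /* NULL means the caller owns *res */
};

/* Pre-patch shape: closes res whenever it is set, owned or not. */
static void hes_end_buggy(struct hes_ctx *c)
{
    if (c->res) toy_res_close(c->res);
    if (c->res && c->free_res) c->free_res(c->res);
    free(c);
}

/* Post-patch shape: only tear down state this context owns. */
static void hes_end_fixed(struct hes_ctx *c)
{
    if (c->res && c->free_res) { toy_res_close(c->res); c->free_res(c->res); }
    free(c);
}

/* nss_hesiod's pattern: borrow the shared global state with no free_res, run a
 * lookup, end the context, then the next resolver user in the same process
 * queries the shared state. Returns that query's nscount if it is fine, -1
 * where the real code crashed in sock_eq(), -2 on allocation failure. */
int shared_cycle(int use_fixed_end)
{
    struct hes_ctx *c = calloc(1, sizeof *c);
    if (c == NULL) return -2;
    toy_res_init(&global_res, 2);
    c->res = &global_res;             /* borrowed: not ours to close */
    c->free_res = NULL;
    if (use_fixed_end) hes_end_fixed(c); else hes_end_buggy(c);
    int rc = toy_res_query(&global_res);
    toy_res_close(&global_res);       /* tidy up so the cycle can be repeated */
    return rc;
}

/* The other pattern: a state the context allocated itself (free_res set) is
 * still closed and freed by the fixed hesiod_end, so nothing leaks. */
int private_cycle(void)
{
    struct hes_ctx *c = calloc(1, sizeof *c);
    struct toy_res *r = calloc(1, sizeof *r);
    if (c == NULL || r == NULL) { free(c); free(r); return -2; }
    toy_res_init(r, 3);
    c->res = r;
    c->free_res = free;               /* owned: close it and free it at end */
    int rc = toy_res_query(c->res);
    hes_end_fixed(c);
    return rc;
}

int main(void)
{
    printf("buggy hesiod_end, shared state:  %d\n", shared_cycle(0));
    printf("fixed hesiod_end, shared state:  %d\n", shared_cycle(1));
    printf("fixed hesiod_end, private state: %d\n", private_cycle());
    return 0;
}
```

The buggy cycle returns -1 because the borrowed state was closed behind the back of its real owner, while the fixed cycle leaves it intact; the private cycle shows the guard does not turn into a leak for state the context allocated, since free_res is set there and the close still runs.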



Bug#821358: nss_hesiod segfaults in sock_eq

2016-04-17 Thread Anders Kaseorg
Package: libc6
Version: 2.22-6
Severity: important
Tags: upstream
Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=19573

glibc 2.22 broke nss_hesiod so that it segfaults on almost all uses.  To 
reproduce:

# sed -i 's/^passwd:.*/& hesiod/' /etc/nsswitch.conf
# cat > /etc/hesiod.conf <<EOF
lhs=.ns
rhs=.athena.mit.edu
EOF
# id andersk
Segmentation fault (core dumped)
…
0x76531aa3 in sock_eq (a1=a1@entry=0x77bb7af4 <_res+20>, a2=0x0) at 
res_send.c:1629
1629	res_send.c: No such file or directory.
(gdb) bt
#0  0x76531aa3 in sock_eq (a1=a1@entry=0x77bb7af4 <_res+20>, 
a2=0x0) at res_send.c:1629
#1  0x765333f7 in __libc_res_nsend (statp=0x77bb7ae0 <_res>, 
buf=buf@entry=0x7fffdec0 "\322\325\001", buflen=45, buf2=buf2@entry=0x0, 
buflen2=buflen2@entry=0, ans=ans@entry=0x7fffe2c0 
"`\343\377\377\377\177", anssiz=1024, ansp=0x0, ansp2=0x0, nansp2=0x0, 
resplen2=0x0, 
ansp2_malloced=0x0) at res_send.c:416
#2  0x76533bbd in __GI___res_nsend (statp=<optimized out>, 
buf=buf@entry=0x7fffdec0 "\322\325\001", buflen=<optimized out>, 
ans=ans@entry=0x7fffe2c0 "`\343\377\377\377\177", 
anssiz=anssiz@entry=1024) at res_send.c:638
#3  0x767417d6 in get_txt_records (class=1, name=name@entry=0x610a80 
"39270.uid.ns.athena.mit.edu", ctx=0x60f8c0) at hesiod.c:374
#4  0x76741d95 in hesiod_resolve (context=context@entry=0x60f8c0, 
name=name@entry=0x7fffe780 "39270", type=type@entry=0x767432c6 "uid")
at hesiod.c:240
#5  0x76742aa2 in lookup (name=name@entry=0x7fffe780 "39270", 
type=type@entry=0x767432c6 "uid", 
pwd=pwd@entry=0x77bb5e20 , buffer=buffer@entry=0x60f260 
"saned", buflen=buflen@entry=1024, errnop=errnop@entry=0x77fe56b8)
at nss_hesiod/hesiod-pwd.c:63
#6  0x76742c2b in _nss_hesiod_getpwuid_r (uid=<optimized out>, 
pwd=0x77bb5e20 , buffer=0x60f260 "saned", buflen=1024, 
errnop=0x77fe56b8) at nss_hesiod/hesiod-pwd.c:112
#7  0x778ccc0c in __getpwuid_r (uid=uid@entry=39270, 
resbuf=resbuf@entry=0x77bb5e20 , buffer=0x60f260 "saned", 
buflen=buflen@entry=1024, result=result@entry=0x7fffe848) at 
../nss/getXXbyYY_r.c:266
#8  0x778cc52e in getpwuid (uid=39270) at ../nss/getXXbyYY.c:116
#9  0x004022b9 in ?? ()
#10 0x77835610 in __libc_start_main (main=0x401b20, argc=2, 
argv=0x7fffe9b8, init=<optimized out>, fini=<optimized out>, 
rtld_fini=<optimized out>, stack_end=0x7fffe9a8) at libc-start.c:291
#11 0x004026ac in ?? ()

See also:

https://sourceware.org/bugzilla/show_bug.cgi?id=19573
https://bugzilla.redhat.com/show_bug.cgi?id=1252570
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1571456

Anders