This is an automated email from the git hooks/post-receive script.

aurel32 pushed a commit to branch sid
in repository glibc.

commit 3a6dbc9e2a80e207e5d98855fc72fb95f30e7528
Author: Aurelien Jarno <aurel...@aurel32.net>
Date:   Tue May 31 12:46:33 2016 +0200

    Update from upstream stable branch:
    
    * Update from upstream stable branch:
      - Fix a stack overflow in Sun RPC clntudp_call() (CVE-2016-4429).
---
 debian/changelog                |  2 ++
 debian/patches/git-updates.diff | 57 ++++++++++++++++++++++++++++++++++++-----
 2 files changed, 53 insertions(+), 6 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index b024284..22464d8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
 glibc (2.22-10) UNRELEASED; urgency=medium
 
   [ Aurelien Jarno ]
+  * Update from upstream stable branch:
+    - Fix a stack overflow in Sun RPC clntudp_call() (CVE-2016-4429).
   * debian/control.in/main: build-depends on dpkg (>= 1.18.7) instead of
     dpkg-dev (>= 1.18.7) as the cputable file is in dpkg, not dpkg-dev.
     Closes: #824127.
diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff
index f62a3eb..850361a 100644
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
@@ -1,10 +1,17 @@
 GIT update of git://sourceware.org/git/glibc.git/release/2.22/master from 
glibc-2.22
 
 diff --git a/ChangeLog b/ChangeLog
-index cb9124e..62794f2 100644
+index cb9124e..123274c 100644
 --- a/ChangeLog
 +++ b/ChangeLog
-@@ -1,3 +1,621 @@
+@@ -1,3 +1,628 @@
++2016-05-23  Florian Weimer  <fwei...@redhat.com>
++
++      CVE-2016-4429
++      [BZ #20112]
++      * sunrpc/clnt_udp.c (clntudp_call): Use malloc/free for the error
++      payload.
++
 +2016-05-02  Florian Weimer  <fwei...@redhat.com>
 +
 +      [BZ #19573]
@@ -627,10 +634,10 @@ index cb9124e..62794f2 100644
  
        * version.h (RELEASE): Set to "stable".
 diff --git a/NEWS b/NEWS
-index 4c31de7..94b731f 100644
+index 4c31de7..b0b981b 100644
 --- a/NEWS
 +++ b/NEWS
-@@ -5,6 +5,55 @@ See the end for copying conditions.
+@@ -5,6 +5,59 @@ See the end for copying conditions.
  Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
  using `glibc' in the "product" field.
  
@@ -655,7 +662,7 @@ index 4c31de7..94b731f 100644
 +  17905, 18420, 18421, 18480, 18589, 18743, 18778, 18781, 18787, 18796,
 +  18870, 18887, 18921, 18928, 18969, 18985, 19003, 19018, 19048, 19058,
 +  19174, 19178, 19182, 19243, 19573, 19590, 19682, 19791, 19822, 19853,
-+  19879, 19779, 20010.
++  19879, 19779, 20010, 20112.
 +
 +* The getnetbyname implementation in nss_dns had a potentially unbounded
 +  alloca call (in the form of a call to strdupa), leading to a stack
@@ -682,11 +689,15 @@ index 4c31de7..94b731f 100644
 +  even after the fix for CVE-2013-4458 has been applied, potentially
 +  resulting in a stack overflow.  getaddrinfo now uses a heap allocation
 +  instead.  Reported by Michael Petlan.  (CVE-2016-3706)
++
++* The Sun RPC UDP client could exhaust all available stack space when
++  flooded with crafted ICMP and UDP messages.  Reported by Aldy Hernandez'
++  alloca plugin for GCC.  (CVE-2016-4429)
 +
  Version 2.22
  
  * The following bugs are resolved with this release:
-@@ -84,7 +133,7 @@ Version 2.22
+@@ -84,7 +137,7 @@ Version 2.22
    release.  Use of this header will trigger a deprecation warning.
    Application developers should update their code to use <regex.h> instead.
  
@@ -4455,6 +4466,40 @@ index d5a1115..bea5aa2 100644
        res = 1;
      }
    else
+diff --git a/sunrpc/clnt_udp.c b/sunrpc/clnt_udp.c
+index 6ffa5f2..c818caf 100644
+--- a/sunrpc/clnt_udp.c
++++ b/sunrpc/clnt_udp.c
+@@ -420,9 +420,15 @@ send_again:
+         struct sock_extended_err *e;
+         struct sockaddr_in err_addr;
+         struct iovec iov;
+-        char *cbuf = (char *) alloca (outlen + 256);
++        char *cbuf = malloc (outlen + 256);
+         int ret;
+ 
++        if (cbuf == NULL)
++          {
++            cu->cu_error.re_errno = errno;
++            return (cu->cu_error.re_status = RPC_CANTRECV);
++          }
++
+         iov.iov_base = cbuf + 256;
+         iov.iov_len = outlen;
+         msg.msg_name = (void *) &err_addr;
+@@ -447,10 +453,12 @@ send_again:
+                cmsg = CMSG_NXTHDR (&msg, cmsg))
+             if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
+               {
++                free (cbuf);
+                 e = (struct sock_extended_err *) CMSG_DATA(cmsg);
+                 cu->cu_error.re_errno = e->ee_errno;
+                 return (cu->cu_error.re_status = RPC_CANTRECV);
+               }
++        free (cbuf);
+       }
+ #endif
+       do
 diff --git a/sysdeps/alpha/fpu/libm-test-ulps 
b/sysdeps/alpha/fpu/libm-test-ulps
 index 9ac946f..ee8e97c 100644
 --- a/sysdeps/alpha/fpu/libm-test-ulps
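Review bot: In the IP_RECVERR branch of the nested sunrpc/clnt_udp.c hunk, the new `free (cbuf);` runs before `e = (struct sock_extended_err *) CMSG_DATA(cmsg);` and the read of `e->ee_errno`; if `msg.msg_control` points at cbuf (the visible `iov.iov_base = cbuf + 256` suggests the first 256 bytes are the control area, but that assignment lies between the two @@ ranges and is not shown), then CMSG_DATA(cmsg) addresses memory that has just been released and the errno copy is a use-after-free read. With the old alloca buffer this ordering was harmless, so the move to malloc is presumably what makes it matter. Reorder the three statements so the value is extracted before the buffer is released: `e = (struct sock_extended_err *) CMSG_DATA(cmsg);` `cu->cu_error.re_errno = e->ee_errno;` `free (cbuf);` and only then `return (cu->cu_error.re_status = RPC_CANTRECV);`. The enclosing clntudp_call body starts before this hunk, and the recvmsg and msghdr setup lines between the two hunks are outside this view, so the msg_control assumption should be confirmed against the full file.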

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-glibc/glibc.git
