This is an automated email from the git hooks/post-receive script. aurel32 pushed a commit to branch sid in repository glibc.
commit 3a6dbc9e2a80e207e5d98855fc72fb95f30e7528 Author: Aurelien Jarno <aurel...@aurel32.net> Date: Tue May 31 12:46:33 2016 +0200 Update from upstream stable branch: * Update from upstream stable branch: - Fix a stack overflow in Sun RPC clntudp_call() (CVE-2016-4429). --- debian/changelog | 2 ++ debian/patches/git-updates.diff | 57 ++++++++++++++++++++++++++++++++++++----- 2 files changed, 53 insertions(+), 6 deletions(-) diff --git a/debian/changelog b/debian/changelog index b024284..22464d8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,8 @@ glibc (2.22-10) UNRELEASED; urgency=medium [ Aurelien Jarno ] + * Update from upstream stable branch: + - Fix a stack overflow in Sun RPC clntudp_call() (CVE-2016-4429). * debian/control.in/main: build-depends on dpkg (>= 1.18.7) instead of dpkg-dev (>= 1.18.7) as the cputable file is in dpkg, not dpkg-dev. Closes: #824127. diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff index f62a3eb..850361a 100644 --- a/debian/patches/git-updates.diff +++ b/debian/patches/git-updates.diff @@ -1,10 +1,17 @@ GIT update of git://sourceware.org/git/glibc.git/release/2.22/master from glibc-2.22 diff --git a/ChangeLog b/ChangeLog -index cb9124e..62794f2 100644 +index cb9124e..123274c 100644 --- a/ChangeLog +++ b/ChangeLog -@@ -1,3 +1,621 @@ +@@ -1,3 +1,628 @@ ++2016-05-23 Florian Weimer <fwei...@redhat.com> ++ ++ CVE-2016-4429 ++ [BZ #20112] ++ * sunrpc/clnt_udp.c (clntudp_call): Use malloc/free for the error ++ payload. ++ +2016-05-02 Florian Weimer <fwei...@redhat.com> + + [BZ #19573] @@ -627,10 +634,10 @@ index cb9124e..62794f2 100644 * version.h (RELEASE): Set to "stable". diff --git a/NEWS b/NEWS -index 4c31de7..94b731f 100644 +index 4c31de7..b0b981b 100644 --- a/NEWS 
+++ b/NEWS -@@ -5,6 +5,55 @@ See the end for copying conditions. +@@ -5,6 +5,59 @@ See the end for copying conditions. Please send GNU C library bug reports via <http://sourceware.org/bugzilla/> using `glibc' in the "product" field. @@ -655,7 +662,7 @@ index 4c31de7..94b731f 100644 + 17905, 18420, 18421, 18480, 18589, 18743, 18778, 18781, 18787, 18796, + 18870, 18887, 18921, 18928, 18969, 18985, 19003, 19018, 19048, 19058, + 19174, 19178, 19182, 19243, 19573, 19590, 19682, 19791, 19822, 19853, -+ 19879, 19779, 20010. ++ 19879, 19779, 20010, 20112. + +* The getnetbyname implementation in nss_dns had a potentially unbounded + alloca call (in the form of a call to strdupa), leading to a stack @@ -682,11 +689,15 @@ index 4c31de7..94b731f 100644 + even after the fix for CVE-2013-4458 has been applied, potentially + resulting in a stack overflow. getaddrinfo now uses a heap allocation + instead. Reported by Michael Petlan. (CVE-2016-3706) ++ ++* The Sun RPC UDP client could exhaust all available stack space when ++ flooded with crafted ICMP and UDP messages. Reported by Aldy Hernandez' ++ alloca plugin for GCC. (CVE-2016-4429) + Version 2.22 * The following bugs are resolved with this release: -@@ -84,7 +133,7 @@ Version 2.22 +@@ -84,7 +137,7 @@ Version 2.22 release. Use of this header will trigger a deprecation warning. Application developers should update their code to use <regex.h> instead. 
@@ -4455,6 +4466,40 @@ index d5a1115..bea5aa2 100644
 res = 1;
 }
 else
+diff --git a/sunrpc/clnt_udp.c b/sunrpc/clnt_udp.c
+index 6ffa5f2..c818caf 100644
+--- a/sunrpc/clnt_udp.c
++++ b/sunrpc/clnt_udp.c
+@@ -420,9 +420,15 @@ send_again:
+ struct sock_extended_err *e;
+ struct sockaddr_in err_addr;
+ struct iovec iov;
+- char *cbuf = (char *) alloca (outlen + 256);
++ char *cbuf = malloc (outlen + 256);
+ int ret;
+
++ if (cbuf == NULL)
++ {
++ cu->cu_error.re_errno = errno;
++ return (cu->cu_error.re_status = RPC_CANTRECV);
++ }
++
+ iov.iov_base = cbuf + 256;
+ iov.iov_len = outlen;
+ msg.msg_name = (void *) &err_addr;
+@@ -447,10 +453,12 @@ send_again:
+ cmsg = CMSG_NXTHDR (&msg, cmsg))
+ if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
+ {
++ free (cbuf);
+ e = (struct sock_extended_err *) CMSG_DATA(cmsg);
+ cu->cu_error.re_errno = e->ee_errno;
+ return (cu->cu_error.re_status = RPC_CANTRECV);
+ }
++ free (cbuf);
+ }
+ #endif
+ do
 diff --git a/sysdeps/alpha/fpu/libm-test-ulps b/sysdeps/alpha/fpu/libm-test-ulps
 index 9ac946f..ee8e97c 100644
 --- a/sysdeps/alpha/fpu/libm-test-ulps
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-glibc/glibc.git
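Review bot: In the second sunrpc/clnt_udp.c hunk, the early-return path calls `free (cbuf);` before `e = (struct sock_extended_err *) CMSG_DATA(cmsg);` and the read of `e->ee_errno`, so the errno may be fetched from memory that has already been released. `cmsg` is obtained by walking the control data of `msg`, and `iov.iov_base = cbuf + 256` suggests the first 256 bytes of `cbuf` serve as that control buffer; the `msg.msg_control` assignment lies between the two hunks and is not shown, so this should be confirmed against the full function. If it holds, the heap conversion that fixes the unbounded alloca introduces a use-after-free read on this error path, which was harmless with alloca because the stack buffer lived until return. Moving the call down, so the order is `cu->cu_error.re_errno = e->ee_errno;` then `free (cbuf);` then the `return`, keeps the fix and removes the stale read. The body of clntudp_call starts and ends outside both hunks.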