glibc: Fix CVE-2013-7423 and CVE-2015-1781
authorMichael Tremer <michael.tremer@ipfire.org>
Mon, 27 Apr 2015 19:17:17 +0000 (21:17 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Mon, 27 Apr 2015 19:20:46 +0000 (21:20 +0200)
CVE-2013-7423: Fix invalid file descriptor reuse while sending DNS query
CVE-2015-1781: Fix buffer overflow in gethostbyname_r with misaligned buffer

config/rootfiles/core/90/filelists/armv5tel/glibc [new symlink]
config/rootfiles/core/90/filelists/i586/glibc [new symlink]
lfs/glibc
src/patches/glibc/glibc-rh1207995.patch [new file with mode: 0644]
src/patches/glibc/glibc-rh1209375.patch [new file with mode: 0644]

diff --git a/config/rootfiles/core/90/filelists/armv5tel/glibc b/config/rootfiles/core/90/filelists/armv5tel/glibc
new file mode 120000 (symlink)
index 0000000..4c70d72
--- /dev/null
@@ -0,0 +1 @@
+../../../../common/armv5tel/glibc
\ No newline at end of file
diff --git a/config/rootfiles/core/90/filelists/i586/glibc b/config/rootfiles/core/90/filelists/i586/glibc
new file mode 120000 (symlink)
index 0000000..943021f
--- /dev/null
@@ -0,0 +1 @@
+../../../../common/i586/glibc
\ No newline at end of file
index 11d374e..4ec71a7 100644 (file)
--- a/lfs/glibc
+++ b/lfs/glibc
@@ -283,6 +283,8 @@ endif
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc/glibc-rh1154563.patch
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc/glibc-rh1170121.patch
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc/glibc-rh1183533.patch
+       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc/glibc-rh1207995.patch
+       cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc/glibc-rh1209375.patch
 
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc-resolv-stack_chk_fail.patch
        cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc-remove-ctors-dtors-output-sections.patch
diff --git a/src/patches/glibc/glibc-rh1207995.patch b/src/patches/glibc/glibc-rh1207995.patch
new file mode 100644 (file)
index 0000000..1732de6
--- /dev/null
@@ -0,0 +1,27 @@
+#
+# Based on the following commit:
+#
+# commit f9d2d03254a58d92635a311a42253eeed5a40a47
+# Author: Andreas Schwab <schwab@suse.de>
+# Date:   Mon May 26 18:01:31 2014 +0200
+# 
+#     Fix invalid file descriptor reuse while sending DNS query (BZ #15946)
+# 
+# 2014-06-03  Andreas Schwab  <schwab@suse.de>
+# 
+#      [BZ #15946]
+#      * resolv/res_send.c (send_dg): Reload file descriptor after
+#      calling reopen.
+# 
+diff --git a/resolv/res_send.c b/resolv/res_send.c
+index 3273d55..af42b8a 100644
+--- a/resolv/res_send.c
++++ b/resolv/res_send.c
+@@ -1410,6 +1410,7 @@ send_dg(res_state statp,
+                                       retval = reopen (statp, terrno, ns);
+                                       if (retval <= 0)
+                                               return retval;
++                                      pfd[0].fd = EXT(statp).nssocks[ns];
+                               }
+                       }
+                       goto wait;
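Review bot: The header of glibc-rh1207995.patch names the upstream commit and BZ #15946 but not CVE-2013-7423; only the commit message ties this fix to the CVE. Adding a header line such as `# CVE-2013-7423: invalid file descriptor reuse while sending DNS query` keeps the patch traceable when it is audited on its own. The added line reloads `pfd[0].fd` from `EXT(statp).nssocks[ns]` after `reopen`, presumably so the later wait does not use a descriptor number that is no longer this resolver's socket. send_dg starts and ends outside the hunk, so it cannot be confirmed from here whether any other cached copy of the old descriptor remains in the function.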
diff --git a/src/patches/glibc/glibc-rh1209375.patch b/src/patches/glibc/glibc-rh1209375.patch
new file mode 100644 (file)
index 0000000..74393f0
--- /dev/null
@@ -0,0 +1,18 @@
+@@ -, +, @@
+ resolv/nss_dns/dns-host.c:getanswer_r.
+---
+ resolv/nss_dns/dns-host.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+--- a/resolv/nss_dns/dns-host.c
++++ a/resolv/nss_dns/dns-host.c
+@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
+   int have_to_map = 0;
+   uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
+   buffer += pad;
+-  if (__builtin_expect (buflen < sizeof (struct host_data) + pad, 0))
++  buflen = buflen > pad ? buflen - pad : 0;
++  if (__builtin_expect (buflen < sizeof (struct host_data), 0))
+     {
+       /* The buffer is too small.  */
+     too_small:
+--
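Review bot: The header of glibc-rh1209375.patch has lost its provenance: it opens with an empty `@@ -, +, @@` line and a truncated description, and unlike glibc-rh1207995.patch it names no upstream commit, author, bug number or CVE-2015-1781. I would restore a `#` comment header in the style of the sibling patch, e.g. `# CVE-2015-1781: buffer overflow in gethostbyname_r with misaligned buffer` plus the upstream commit reference, and change the `+++ a/resolv/nss_dns/dns-host.c` label to `+++ b/...`; both labels strip to the same path under `patch -Np1`, so the patch presumably applies as is. In the code, a short comment above the new `buflen` line, such as `/* buffer was advanced by pad; shrink buflen to match so later bounds checks see the real remaining size */`, would record why the clamp to 0 is needed. getanswer_r continues outside the hunk.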