From: Michael Tremer
Date: Mon, 27 Apr 2015 19:17:17 +0000 (+0200)
Subject: glibc: Fix CVE-2013-7423 and CVE-2015-1781
X-Git-Tag: v2.17-core91~97
X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff_plain;h=30ca037fb35df6e60681201efe04e2cf17ffd305
glibc: Fix CVE-2013-7423 and CVE-2015-1781
CVE-2013-7423: Fix invalid file descriptor reuse while sending DNS query
CVE-2015-1781: Fix buffer overflow in gethostbyname_r with misaligned buffer
---
diff --git a/config/rootfiles/core/90/filelists/armv5tel/glibc b/config/rootfiles/core/90/filelists/armv5tel/glibc
new file mode 120000
index 0000000000..4c70d724b4
--- /dev/null
+++ b/config/rootfiles/core/90/filelists/armv5tel/glibc
@@ -0,0 +1 @@
+../../../../common/armv5tel/glibc
\ No newline at end of file
diff --git a/config/rootfiles/core/90/filelists/i586/glibc b/config/rootfiles/core/90/filelists/i586/glibc
new file mode 120000
index 0000000000..943021f19a
--- /dev/null
+++ b/config/rootfiles/core/90/filelists/i586/glibc
@@ -0,0 +1 @@
+../../../../common/i586/glibc
\ No newline at end of file
diff --git a/lfs/glibc b/lfs/glibc
index 11d374e3b8..4ec71a788e 100644
--- a/lfs/glibc
+++ b/lfs/glibc
@@ -283,6 +283,8 @@ endif
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc/glibc-rh1154563.patch
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc/glibc-rh1170121.patch
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc/glibc-rh1183533.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc/glibc-rh1207995.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc/glibc-rh1209375.patch
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc-resolv-stack_chk_fail.patch
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc-remove-ctors-dtors-output-sections.patch
diff --git a/src/patches/glibc/glibc-rh1207995.patch b/src/patches/glibc/glibc-rh1207995.patch
new file mode 100644
index 0000000000..1732de6492
--- /dev/null
+++ b/src/patches/glibc/glibc-rh1207995.patch
@@ -0,0 +1,27 @@
+#
+# Based on the following commit:
+#
+# commit f9d2d03254a58d92635a311a42253eeed5a40a47
+# Author: Andreas Schwab
+# Date: Mon May 26 18:01:31 2014 +0200
+#
+# Fix invalid file descriptor reuse while sending DNS query (BZ #15946)
+#
+# 2014-06-03 Andreas Schwab
+#
+# [BZ #15946]
+# * resolv/res_send.c (send_dg): Reload file descriptor after
+# calling reopen.
+#
+diff --git a/resolv/res_send.c b/resolv/res_send.c
+index 3273d55..af42b8a 100644
+--- a/resolv/res_send.c
++++ b/resolv/res_send.c
+@@ -1410,6 +1410,7 @@ send_dg(res_state statp,
+ retval = reopen (statp, terrno, ns);
+ if (retval <= 0)
+ return retval;
++ pfd[0].fd = EXT(statp).nssocks[ns];
+ }
+ }
+ goto wait;
diff --git a/src/patches/glibc/glibc-rh1209375.patch b/src/patches/glibc/glibc-rh1209375.patch
new file mode 100644
index 0000000000..74393f0395
--- /dev/null
+++ b/src/patches/glibc/glibc-rh1209375.patch
@@ -0,0 +1,18 @@
+@@ -, +, @@
+ resolv/nss_dns/dns-host.c:getanswer_r.
+---
+ resolv/nss_dns/dns-host.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+--- a/resolv/nss_dns/dns-host.c
++++ a/resolv/nss_dns/dns-host.c
+@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const char *qname, int qtype,
+ int have_to_map = 0;
+ uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
+ buffer += pad;
+- if (__builtin_expect (buflen < sizeof (struct host_data) + pad, 0))
++ buflen = buflen > pad ? buflen - pad : 0;
++ if (__builtin_expect (buflen < sizeof (struct host_data), 0))
+ {
+ /* The buffer is too small. */
+ too_small:
+--
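Review bot: The header comment of glibc-rh1207995.patch cites the upstream commit and BZ #15946 but not the CVE, so searching src/patches/glibc for CVE-2013-7423 finds nothing; add a line such as `# CVE-2013-7423: invalid file descriptor reuse while sending DNS query` at the top. The same gap exists in glibc-rh1209375.patch for CVE-2015-1781. On the code itself, the added `pfd[0].fd = EXT(statp).nssocks[ns];` refreshes the polled descriptor only on this reopen path; send_dg starts and ends outside the hunk, so whether every other reopen call is followed by a reload before `wait` cannot be confirmed from here and is worth checking against the patched source.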
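Review bot: glibc-rh1209375.patch carries no provenance: it opens with a stray `@@ -, +, @@` line and what looks like the tail of a ChangeLog entry (`resolv/nss_dns/dns-host.c:getanswer_r.`), with no upstream commit id or bug number, unlike glibc-rh1207995.patch which records both. Replace those two lines with a comment header in the same form, for example `# Based on upstream commit <upstream commit id> (BZ <bug number>)`, so the fix can be audited against its source. The `+++ a/resolv/nss_dns/dns-host.c` target uses the `a/` prefix on both sides, which `patch -Np1` tolerates but is worth normalising to `b/`. getanswer_r continues outside the hunk, so the later uses of the reduced `buflen` cannot be checked here.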