From 116e17a138071d2ca8d8b76c2fde561577b258ba Mon Sep 17 00:00:00 2001
From: Florian Weimer
Date: Fri, 6 May 2016 16:35:32 +0200
Subject: [PATCH] Resolves: #1321954 CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r
---
 glibc-rh1321954.patch | 32 ++++++++++++++++++++++++++++++++
 glibc.spec | 3 +++
 2 files changed, 35 insertions(+)
 create mode 100644 glibc-rh1321954.patch
diff --git a/glibc-rh1321954.patch b/glibc-rh1321954.patch
new file mode 100644
index 0000000..c229e3b
--- /dev/null
+++ b/glibc-rh1321954.patch
@@ -0,0 +1,32 @@
+commit 317b199b4aff8cfa27f2302ab404d2bb5032b9a4
+Author: Florian Weimer
+Date: Tue Mar 29 12:57:56 2016 +0200
+
+ CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r [BZ #19879]
+
+ The defensive copy is not needed because the name may not alias the
+ output buffer.
+
+diff --git a/resolv/nss_dns/dns-network.c b/resolv/nss_dns/dns-network.c
+index 2eb2f67..8f301a7 100644
+--- a/resolv/nss_dns/dns-network.c
++++ b/resolv/nss_dns/dns-network.c
+@@ -118,17 +118,14 @@ _nss_dns_getnetbyname_r (const char *name, struct netent *result,
+ } net_buffer;
+ querybuf *orig_net_buffer;
+ int anslen;
+- char *qbuf;
+ enum nss_status status;
+
+ if (__res_maybe_init (&_res, 0) == -1)
+ return NSS_STATUS_UNAVAIL;
+
+- qbuf = strdupa (name);
+-
+ net_buffer.buf = orig_net_buffer = (querybuf *) alloca (1024);
+
+- anslen = __libc_res_nsearch (&_res, qbuf, C_IN, T_PTR, net_buffer.buf->buf,
++ anslen = __libc_res_nsearch (&_res, name, C_IN, T_PTR, net_buffer.buf->buf,
+ 1024, &net_buffer.ptr, NULL, NULL, NULL, NULL);
+ if (anslen < 0)
+ {
diff --git a/glibc.spec b/glibc.spec
index adeeecc..3b8b3e1 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -225,6 +225,7 @@ Patch1002: glibc-rh1276761-1.patch
 Patch1003: glibc-rh1276761-2.patch
 Patch1004: glibc-rh1276761-3.patch
 Patch1005: glibc-rh1332912.patch
+Patch1006: glibc-rh1321954.patch
 ##############################################################################
 #
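Review bot: The reason it is safe to pass `name` directly to `__libc_res_nsearch` in `_nss_dns_getnetbyname_r` is recorded only in the commit message, so the call site should carry it, for example `/* NAME cannot alias the result buffer, so no copy is needed; do not reintroduce a stack copy sized by the caller's string. */`. The carried patch touches only `dns-network.c` and brings no regression test; a `getnetbyname` lookup with a very long name, which is the input the removed `strdupa (name)` sized its stack copy from, would pin the fix. The literal `1024` is still written twice, in the `alloca` and in the answer-length argument, and a single named constant would keep the two in step. The function body starts and ends outside the hunk.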
@@ -649,6 +650,7 @@ microbenchmark tests on the system.
 %patch1003 -p1
 %patch1004 -p1
 %patch1005 -p1
+%patch1006 -p1
 %patch0059 -p1
 ##############################################################################
@@ -1871,6 +1873,7 @@ rm -f *.filelist*
 %changelog
 * Fri May 6 2016 Florian Weimer - 2.22-12
 - Fix heap-based buffer overflow in get_txt_records (#1332912)
+- CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r (#1321954)
 * Wed Mar 02 2016 Mike FABIAN - 2.22-11
 - Add the C.UTF-8 locale