From b3a96fb7e3ca45c8d408fb8fcea2b925272cc659 Mon Sep 17 00:00:00 2001
From: Florian Weimer
Date: Mon, 8 Feb 2016 12:12:34 +0100
Subject: [PATCH] Resolves: #1214152 CVE-2015-1781: glibc: buffer overflow in gethostbyname_r related functions.
---
 glibc-rh1214152.patch | 22 ++++++++++++++++++++++
 glibc.spec | 5 +++++
 2 files changed, 27 insertions(+)
 create mode 100644 glibc-rh1214152.patch
diff --git a/glibc-rh1214152.patch b/glibc-rh1214152.patch
new file mode 100644
index 0000000..3470e39
--- /dev/null
+++ b/glibc-rh1214152.patch
@@ -0,0 +1,22 @@
+Upstream commits:
+
+commit 2959eda9272a033863c271aff62095abd01bd4e3
+Author: Arjun Shankar
+Date: Tue Apr 21 14:06:31 2015 +0200
+
+ CVE-2015-1781: resolv/nss_dns/dns-host.c buffer overflow [BZ#18287]
+
+Index: glibc-2.21/resolv/nss_dns/dns-host.c
+===================================================================
+--- glibc-2.21.orig/resolv/nss_dns/dns-host.c
++++ glibc-2.21/resolv/nss_dns/dns-host.c
+@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int
+ int have_to_map = 0;
+ uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
+ buffer += pad;
+- if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))
++ buflen = buflen > pad ? buflen - pad : 0;
++ if (__glibc_unlikely (buflen < sizeof (struct host_data)))
+ {
+ /* The buffer is too small. */
+ too_small:
diff --git a/glibc.spec b/glibc.spec
index 3f8eeaf..9e778e0 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -229,6 +229,8 @@ Patch1004: glibc-rh1276761-1.patch
 Patch1005: glibc-rh1276761-2.patch
 Patch1006: glibc-rh1276761-3.patch
+Patch1007: glibc-rh1214152.patch
+
 ##############################################################################
 #
 # Patches submitted, but not yet approved upstream.
@@ -604,6 +606,7 @@ package or when debugging this package.
 %patch1004 -p1
 %patch1005 -p1
 %patch1006 -p1
+%patch1007 -p1
 ##############################################################################
 # %%prep - Additional prep required...
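Review bot: The saturating subtraction `buflen = buflen > pad ? buflen - pad : 0;` on the new side of the nested dns-host.c hunk is the entire CVE-2015-1781 fix, yet nothing in the code says why it exists, and a later cleanup could plausibly fold it back into the comparison it replaced and reintroduce the overflow. I would add above it `/* The alignment padding consumed by "buffer += pad" must come off the usable length, since the remaining bounds checks in this function presumably use buflen; saturate at 0 so a tiny buffer falls into too_small rather than wrapping.  */` so the invariant is recorded where it is enforced. Because buflen is now already reduced, the following `sizeof (struct host_data)` check no longer needs the `+ pad` term, which is why it was dropped. getanswer_r begins before and continues after this hunk, so the later users of buflen that the fix protects are not visible here.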
@@ -1779,6 +1782,8 @@ rm -f *.filelist*
 * Fri Feb 5 2016 Florian Weimer - 2.21-10
 - Make locale -a output ASCII-only (#1184168).
 - CVE-2015-8777: Apply additional pointer guard hardening. (#1276761)
+- CVE-2015-1781: glibc: buffer overflow in gethostbyname_r and
+ related functions with misaligned buffer. (#1214152)
 * Wed Oct 28 2015 Florian Weimer - 2.21-9
 - Prevent malloc arena free list from becoming cyclic. (#1276112)