From f626cf6388984e40e4ec6adfe1083e65e8546745 Mon Sep 17 00:00:00 2001
From: Siddhesh Poyarekar
Date: Mon, 19 Aug 2013 18:25:29 +0530
Subject: [PATCH] Fix stack overflow in getaddrinfo with many results (#947892, CVE-2013-1914)
---
 glibc-rh947892.patch | 50 ++++++++++++++++++++++++++++++++++++++++++++
 glibc.spec | 7 ++++++-
 2 files changed, 56 insertions(+), 1 deletion(-)
 create mode 100644 glibc-rh947892.patch
diff --git a/glibc-rh947892.patch b/glibc-rh947892.patch
new file mode 100644
index 0000000..d11f041
--- /dev/null
+++ b/glibc-rh947892.patch
@@ -0,0 +1,50 @@
+commit 1cef1b19089528db11f221e938f60b9b048945d7
+Author: Andreas Schwab
+Date: Thu Mar 21 15:50:27 2013 +0100
+
+ Fix stack overflow in getaddrinfo with many results
+
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
+index d95c2d1..2309281 100644
+--- a/sysdeps/posix/getaddrinfo.c
++++ b/sysdeps/posix/getaddrinfo.c
+@@ -2489,11 +2489,27 @@ getaddrinfo (const char *name, const char *service,
+ __typeof (once) old_once = once;
+ __libc_once (once, gaiconf_init);
+ /* Sort results according to RFC 3484. */
+- struct sort_result results[nresults];
+- size_t order[nresults];
++ struct sort_result *results;
++ size_t *order;
+ struct addrinfo *q;
+ struct addrinfo *last = NULL;
+ char *canonname = NULL;
++ bool malloc_results;
++
++ malloc_results
++ = !__libc_use_alloca (nresults * (sizeof (*results) + sizeof (size_t)));
++ if (malloc_results)
++ {
++ results = malloc (nresults * (sizeof (*results) + sizeof (size_t)));
++ if (results == NULL)
++ {
++ __free_in6ai (in6ai);
++ return EAI_MEMORY;
++ }
++ }
++ else
++ results = alloca (nresults * (sizeof (*results) + sizeof (size_t)));
++ order = (size_t *) (results + nresults);
+
+ /* Now we definitely need the interface information. */
+ if (! check_pf_called)
+@@ -2664,6 +2680,9 @@ getaddrinfo (const char *name, const char *service,
+
+ /* Fill in the canonical name into the new first entry. */
+ p->ai_canonname = canonname;
++
++ if (malloc_results)
++ free (results);
+ }
+
+ __free_in6ai (in6ai);
diff --git a/glibc.spec b/glibc.spec
index 1400f35..6c54e8b 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -27,7 +27,7 @@ Summary: The GNU libc libraries
 Name: glibc
 Version: %{glibcversion}
-Release: 12%{?dist}
+Release: 13%{?dist}
 # GPLv2+ is used in a bunch of programs, LGPLv2+ is used for libraries.
 # Things that are linked directly into dynamically linked programs
 # and shared libraries (e.g. crt files, lib*_nonshared.a) have an additional
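Review bot: The new `return EAI_MEMORY` after the failed `malloc` releases only `in6ai`; the addrinfo list this block sorts (reached through `p` at `p->ai_canonname = canonname`) is not visibly released on that path, and if getaddrinfo still owns it here — its construction and the function's other error returns are outside the hunk — this return should match them with `freeaddrinfo (p); __free_in6ai (in6ai); return EAI_MEMORY;`, so confirm that before merging. The matching `if (malloc_results) free (results);` sits only at the end of the block, so any early return in the unseen code between the two hunks would now leak the heap-allocated copy; that stretch should be checked. The size expression `nresults * (sizeof (*results) + sizeof (size_t))` is spelled out three times; computing it once as `size_t alloc_size = nresults * (sizeof (*results) + sizeof (size_t));` and passing `alloc_size` to `__libc_use_alloca`, `malloc` and `alloca` keeps the three sites from drifting apart. getaddrinfo begins and ends outside this hunk.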
@@ -123,6 +123,7 @@ Patch1006: %{name}-rh977887.patch
 Patch1007: %{name}-rh977887-2.patch
 Patch1008: %{name}-rh984829.patch
 Patch1009: %{name}-rh995841.patch
+Patch1010: %{name}-rh947892.patch
 #
 # Patches submitted, but not yet approved upstream.
@@ -433,6 +434,7 @@ package or when debugging this package.
 %patch1008 -p1
 %patch2040 -p1
 %patch1009 -p1
+%patch1010 -p1
 # On powerpc32, hp timing is only available in power4/power6
 # libs, not in base, so pre-power4 dynamic linker is incompatible
@@ -1223,6 +1225,9 @@ rm -f *.filelist*
 %endif
 %changelog
+* Mon Aug 19 2013 Siddhesh Poyarekar - 2.17-13
+- Fix stack overflow in getaddrinfo with many results (#947892, CVE-2013-1914).
+
 * Mon Aug 19 2013 Siddhesh Poyarekar - 2.17-12
 - Disable pt_chown (#984829, CVE-2013-2207).
 - Fix strcoll flaws (#855399, CVE-2012-4412, CVE-2012-4424).