~ubuntu-branches/ubuntu/lucid/eglibc/lucid-updates

Viewing changes to debian/patches/any/CVE-2015-0235.diff

Committer: Package Import Robot
Author(s): Steve Beattie
Date: 2015-01-21 13:03:05 UTC
mfrom: (42.1.11 lucid-security)
Revision ID: package-import@ubuntu.com-20150121130305-ed13tzq3xms8b09y

Tags: 2.11.1-0ubuntu7.20

* SECURITY UPDATE: buffer overflow in __nss_hostname_digits_dots
  - debian/patches/any/CVE-2015-0235.diff: fix overflow in
    nss/digits_dots.c
  - CVE-2015-0235

files added:
debian/patches/any/CVE-2015-0235.diff

files modified:
debian/changelog

debian/patches/series

Show diffs side-by-side

added added

removed removed

debian/patches/any/CVE-2015-0235.diff

From: Andreas Schwab <schwab@suse.de>

Date: Mon, 21 Jan 2013 16:41:28 +0000 (+0100)

Subject: Fix parsing of numeric hosts in gethostbyname_r

X-Git-Tag: glibc-2.18~221

X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=d5dd6189d506068ed11c8bfa1e1e9bffde04decd

Fix parsing of numeric hosts in gethostbyname_r

2013-05-21 Andreas Schwab <schwab@suse.de>

[BZ #15014]

* nss/getXXbyYY_r.c (INTERNAL (REENTRANT_NAME))

[HANDLE_DIGITS_DOTS]: Set any_service when digits-dots parsing was

successful.

* nss/digits_dots.c (__nss_hostname_digits_dots): Remove

redundant variable declarations and reallocation of buffer when

parsing as IPv6 address. Always set NSS status when called from

reentrant functions. Use NETDB_INTERNAL instead of TRY_AGAIN when

buffer too small. Correct computation of needed size.

* nss/Makefile (tests): Add test-digits-dots.

* nss/test-digits-dots.c: New test.

CVE-2015-0235

(Ubuntu note: patch differs from upstream commit in that it drops

the changelog and NEWS entries as well as the whitespace only change to

nss/getXXbyYY_r.c to reduce patch conflicts. --sbeattie)

---

nss/Makefile | 2 -

nss/digits_dots.c | 73 +++++++++++++------------------------------------

nss/getXXbyYY_r.c | 3 ++

nss/test-digits-dots.c | 38 +++++++++++++++++++++++++

4 files changed, 62 insertions(+), 54 deletions(-)

Index: b/nss/digits_dots.c

===================================================================

--- a/nss/digits_dots.c

+++ b/nss/digits_dots.c

@@ -47,7 +47,10 @@ __nss_hostname_digits_dots (const char *

{

if (h_errnop)

*h_errnop = NETDB_INTERNAL;

- *result = NULL;

+ if (buffer_size == NULL)

+ *status = NSS_STATUS_TRYAGAIN;

+ else

+ *result = NULL;

return -1;

}

@@ -84,14 +87,16 @@ __nss_hostname_digits_dots (const char *

}

size_needed = (sizeof (*host_addr)

- + sizeof (*h_addr_ptrs) + strlen (name) + 1);

+ + sizeof (*h_addr_ptrs)

+ + sizeof (*h_alias_ptr) + strlen (name) + 1);

if (buffer_size == NULL)

{

if (buflen < size_needed)

{

+ *status = NSS_STATUS_TRYAGAIN;

if (h_errnop != NULL)

- *h_errnop = TRY_AGAIN;

+ *h_errnop = NETDB_INTERNAL;

__set_errno (ERANGE);

goto done;

}

@@ -110,7 +115,7 @@ __nss_hostname_digits_dots (const char *

*buffer_size = 0;

__set_errno (save);

if (h_errnop != NULL)

- *h_errnop = TRY_AGAIN;

+ *h_errnop = NETDB_INTERNAL;

*result = NULL;

goto done;

}

@@ -150,7 +155,9 @@ __nss_hostname_digits_dots (const char *

if (! ok)

{

*h_errnop = HOST_NOT_FOUND;

- if (buffer_size)

+ if (buffer_size == NULL)

+ *status = NSS_STATUS_NOTFOUND;

+ else

*result = NULL;

goto done;

}

@@ -191,7 +198,7 @@ __nss_hostname_digits_dots (const char *

if (buffer_size == NULL)

*status = NSS_STATUS_SUCCESS;

else

- *result = resbuf;

+ *result = resbuf;

goto done;

}

100

@@ -202,15 +209,6 @@ __nss_hostname_digits_dots (const char *

101

102

if ((isxdigit (name[0]) && strchr (name, ':') != NULL) || name[0] == ':')

103

{

104

- const char *cp;

105

- char *hostname;

106

- typedef unsigned char host_addr_t[16];

107

- host_addr_t *host_addr;

108

- typedef char *host_addr_list_t[2];

109

- host_addr_list_t *h_addr_ptrs;

110

- size_t size_needed;

111

- int addr_size;

112

113

switch (af)

114

{

115

default:

116

@@ -226,7 +224,10 @@ __nss_hostname_digits_dots (const char *

117

/* This is not possible. We cannot represent an IPv6 address

118

in an `struct in_addr' variable. */

119

*h_errnop = HOST_NOT_FOUND;

120

- *result = NULL;

121

+ if (buffer_size == NULL)

122

+ *status = NSS_STATUS_NOTFOUND;

123

+ else

124

+ *result = NULL;

125

goto done;

126

127

case AF_INET6:

128

@@ -234,42 +235,6 @@ __nss_hostname_digits_dots (const char *

129

break;

130

}

131

132

- size_needed = (sizeof (*host_addr)

133

- + sizeof (*h_addr_ptrs) + strlen (name) + 1);

134

135

- if (buffer_size == NULL && buflen < size_needed)

136

- {

137

- if (h_errnop != NULL)

138

- *h_errnop = TRY_AGAIN;

139

- __set_errno (ERANGE);

140

- goto done;

141

- }

142

- else if (buffer_size != NULL && *buffer_size < size_needed)

143

- {

144

- char *new_buf;

145

- *buffer_size = size_needed;

146

- new_buf = realloc (*buffer, *buffer_size);

147

148

- if (new_buf == NULL)

149

- {

150

- save = errno;

151

- free (*buffer);

152

- __set_errno (save);

153

- *buffer = NULL;

154

- *buffer_size = 0;

155

- *result = NULL;

156

- goto done;

157

- }

158

- *buffer = new_buf;

159

- }

160

161

- memset (*buffer, '\0', size_needed);

162

163

- host_addr = (host_addr_t *) *buffer;

164

- h_addr_ptrs = (host_addr_list_t *)

165

- ((char *) host_addr + sizeof (*host_addr));

166

- hostname = (char *) h_addr_ptrs + sizeof (*h_addr_ptrs);

167

168

for (cp = name;; ++cp)

169

{

170

if (!*cp)

171

@@ -282,7 +247,9 @@ __nss_hostname_digits_dots (const char *

172

if (inet_pton (AF_INET6, name, host_addr) <= 0)

173

{

174

*h_errnop = HOST_NOT_FOUND;

175

- if (buffer_size)

176

+ if (buffer_size == NULL)

177

+ *status = NSS_STATUS_NOTFOUND;

178

+ else

179

*result = NULL;

180

goto done;

181

}

182

Index: b/nss/getXXbyYY_r.c

183

===================================================================

184

--- a/nss/getXXbyYY_r.c

185

+++ b/nss/getXXbyYY_r.c

186

@@ -178,6 +178,9 @@ INTERNAL (REENTRANT_NAME) (ADD_PARAMS, L

187

case -1:

188

return errno;

189

case 1:

190

+#ifdef NEED_H_ERRNO

191

+ any_service = true;

192

+#endif

193

goto done;

194

}

195

#endif

196

Index: b/nss/test-digits-dots.c

197

===================================================================

198

--- /dev/null

199

+++ b/nss/test-digits-dots.c

200

@@ -0,0 +1,38 @@

201

202

+ This file is part of the GNU C Library.

203

204

+ The GNU C Library is free software; you can redistribute it and/or

205

+ modify it under the terms of the GNU Lesser General Public

206

+ License as published by the Free Software Foundation; either

207

+ version 2.1 of the License, or (at your option) any later version.

208

209

+ The GNU C Library is distributed in the hope that it will be useful,

210

+ but WITHOUT ANY WARRANTY; without even the implied warranty of

211

+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

212

+ Lesser General Public License for more details.

213

214

+ You should have received a copy of the GNU Lesser General Public

215

+ License along with the GNU C Library; if not, see

216

+ <http://www.gnu.org/licenses/>. */

217

218

+/* Testcase for BZ #15014 */

219

220

+#include <stdlib.h>

221

+#include <netdb.h>

222

+#include <errno.h>

223

224

+static int

225

+do_test (void)

226

227

+ char buf[32];

228

+ struct hostent *result = NULL;

229

+ struct hostent ret;

230

+ int h_err = 0;

231

+ int err;

232

233

+ err = gethostbyname_r ("1.2.3.4", &ret, buf, sizeof (buf), &result, &h_err);

234

+ return err == ERANGE && h_err == NETDB_INTERNAL ? EXIT_SUCCESS : EXIT_FAILURE;

235

236

237

+#define TEST_FUNCTION do_test ()

238

+#include "../test-skeleton.c"

239

Index: b/nss/Makefile

240

===================================================================

241

--- a/nss/Makefile

242

+++ b/nss/Makefile

243

@@ -46,7 +46,7 @@ routines-$(OPTION_EGLIBC_INET) += digits

244

others := getent

245

install-bin := getent

246

247

-tests-$(OPTION_EGLIBC_INET) += test-netdb

248

+tests-$(OPTION_EGLIBC_INET) += test-netdb test-digits-dots

249

xtests-$(OPTION_EGLIBC_INET) += bug-erange

250

251

include ../Makeconfig

Older »