← Back to branch summary

~ubuntu-branches/ubuntu/trusty/eglibc/trusty-security

« back to all changes in this revision

Viewing changes to debian/patches/any/CVE-2015-8778.diff

  • Committer: Package Import Robot
  • Author(s): Steve Beattie
  • Date: 2016-04-08 23:26:02 UTC
  • Revision ID: package-import@ubuntu.com-20160408232602-694337pzn1m5xgc3
Tags: 2.19-0ubuntu6.8
https://launchpad.net/bugs/1546457
* SECURITY UPDATE: buffer overflow in gethostbyname_r and related
  functions
  - debian/patches/any/CVE-2015-1781.diff: take alignment padding
    into account when computing if buffer is too small.
  - CVE-2015-1781
* SECURITY UPDATE: glibc Name Service Switch (NSS) denial of sevice
  - debian/patches/any/CVE-2014-8121-1.diff: do not close NSS files
    database during iteration.
  - debian/patches/any/CVE-2014-8121-2.diff: Separate internal state
    between getXXent and getXXbyYY NSS calls.
  - CVE-2014-8121
* SECURITY UPDATE: glibc unbounded stack usage in NaN strtod
  conversion
  - debian/patches/any/CVE-2014-9761-1.diff: Refactor strtod parsing
    of NaN payloads.
  - debian/patches/any/CVE-2014-9761-1.diff:  Fix nan functions
    handling of payload strings
  - CVE-2014-9761
* SECURITY UPDATE: NSS files long line buffer overflow
  - debian/patches/any/CVE-2015-5277.diff: Don't ignore too long
    lines in nss_files
  - CVE-2015-5277
* SECURITY UPDATE: out of range data to strftime() causes segfault
  (denial of service)
  - debian/patches/any/CVE-2015-8776.diff: add range checks to
    strftime() processing
  - CVE-2015-8776
* SECURITY UPDATE: glibc honors LD_POINTER_GUARD env for setuid
  AT_SECURE programs (e.g. setuid), allowing disabling of pointer
  mangling
  - debian/patches/any/CVE-2015-8777.diff: Always enable pointer
    guard
  - CVE-2015-8777
* SECURITY UPDATE: integer overflow in hcreate and hcreate_r
  - debian/patches/any/CVE-2015-8778.diff: check for large inputs
  - CVE-2015-8778
* SECURITY UPDATE: unbounded stack allocation in catopen()
  - debian/patches/any/CVE-2015-8779.diff: stop using unbounded
    alloca()
  - CVE-2015-8779
* SECURITY UPDATE: Stack overflow in _nss_dns_getnetbyname_r
  - debian/patches/any/CVE-2016-3075.diff: do not make unneeded
    memory copy on the stack.
  - CVE-2016-3075
* SECURITY UPDATE: pt_chown privilege escalation
  - debian/patches/any/CVE-2016-2856.diff: grantpt: trust the kernel
    about pty group and permission mode
  - debian/sysdeps/linux.mk: don't build pt_chown
  - debian/rules.d/debhelper.mk: only install pt_chown when built.
  - CVE-2016-2856, CVE-2013-2207
* debian/debhelper.in/libc.postinst: add reboot notifications for
  security updates (LP: #1546457)
* debian/patches/ubuntu/submitted-no-stack-backtrace.diff: update
  patch to eliminate compiler warning.

Show diffs side-by-side

added added

removed removed

Lines of Context:
debian/patches/any/CVE-2015-8778.diff
 
1
From 2f5c1750558fe64bac361f52d6827ab1bcfe52bc Mon Sep 17 00:00:00 2001
 
2
From: =?utf8?q?Ond=C5=99ej=20B=C3=ADlka?= <neleai@seznam.cz>
 
3
Date: Sat, 11 Jul 2015 17:44:10 +0200
 
4
Subject: [PATCH] Handle overflow in __hcreate_r
 
5
 
 
6
Hi,
 
7
 
 
8
As in bugzilla entry there is overflow in hsearch when looking for prime
 
9
number as SIZE_MAX - 1 is divisible by 5. We fix that by rejecting large
 
10
inputs before looking for prime.
 
11
 
 
12
        * misc/hsearch_r.c (__hcreate_r): Handle overflow.
 
13
 
 
14
[Note: patch differs from upstream commit in that the entries in
 
15
the Changelog were dropped to avoid patch conflicts. -- sbeattie]
 
16
---
 
17
 ChangeLog        |   10 ++++++++++
 
18
 misc/hsearch_r.c |    9 ++++++++-
 
19
 2 files changed, 18 insertions(+), 1 deletions(-)
 
20
 
 
21
diff --git a/misc/hsearch_r.c b/misc/hsearch_r.c
 
22
index 9f55e84..559df29 100644
 
23
--- a/misc/hsearch_r.c
 
24
+++ b/misc/hsearch_r.c
 
25
@@ -19,7 +19,7 @@
 
26
 #include <errno.h>
 
27
 #include <malloc.h>
 
28
 #include <string.h>
 
29
-
 
30
+#include <stdint.h>
 
31
 #include <search.h>
 
32
 
 
33
 /* [Aho,Sethi,Ullman] Compilers: Principles, Techniques and Tools, 1986
 
34
@@ -73,6 +73,13 @@ __hcreate_r (nel, htab)
 
35
       return 0;
 
36
     }
 
37
 
 
38
+  if (nel >= SIZE_MAX / sizeof (_ENTRY))
 
39
+    {
 
40
+      __set_errno (ENOMEM);
 
41
+      return 0;
 
42
+    }
 
43
+
 
44
+
 
45
   /* There is still another table active. Return with error. */
 
46
   if (htab->table != NULL)
 
47
     return 0;
 
48
-- 
 
49
1.7.1
 
50