
Bug#658424: pu: package eglibc/2.11.3-3



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

eglibc 2.11.3-2, shipped in Debian Squeeze 6.0.4, suffers from a
regression in the resolver code when a broken DNS server does not
answer AAAA requests correctly. It causes the first, and sometimes
several subsequent, DNS resolution requests to fail. See bug#658171
for more details.

The actual problem has been triggered by the patch 
debian/patches/any/cvs-resolv-different-nameserver.diff, which allows to
fallback to the next server in /etc/resolv.conf in case a DNS server
doesn't answer. Given this feature is quite important, and given this 
code is also present in recent upstream versions (it appears that 
wheezy and sid are also affected), it seemed to be a good idea to fix 
the real problem instead of simply reverting this patch.

The diff below is a proposal for an upload to stable-proposed-updates
fixing the DNS issue, as well as a security issue as requested by the
security team. Both patches are already in sid (though the DNS one is
only present in 2.13-26 that has just been uploaded).

Would it be possible to upload it? You might actually want to wait a 
few days for having some feedback of the sid upload.



Index: debian/patches/any/submitted-resolv-first-query-failure.diff
===================================================================
--- debian/patches/any/submitted-resolv-first-query-failure.diff	(révision 0)
+++ debian/patches/any/submitted-resolv-first-query-failure.diff	(révision 5155)
@@ -0,0 +1,36 @@
+2012-02-02  Aurelien Jarno  <aurel32@debian.org>
+
+	* resolv/res_query.c(__libc_res_nsearch): succeed if the first
+	query fails, but the second query succeeds.
+
+diff --git a/resolv/res_query.c b/resolv/res_query.c
+index 947c651..c88268f 100644
+--- a/resolv/res_query.c
++++ b/resolv/res_query.c
+@@ -378,7 +378,7 @@ __libc_res_nsearch(res_state statp,
+ 		ret = __libc_res_nquerydomain(statp, name, NULL, class, type,
+ 					      answer, anslen, answerp,
+ 					      answerp2, nanswerp2, resplen2);
+-		if (ret > 0 || trailing_dot)
++		if (ret > 0 || (ret == 0 && *resplen2 > 0) || trailing_dot)
+ 			return (ret);
+ 		saved_herrno = h_errno;
+ 		tried_as_is++;
+@@ -418,7 +418,7 @@ __libc_res_nsearch(res_state statp,
+ 						      answer, anslen, answerp,
+ 						      answerp2, nanswerp2,
+ 						      resplen2);
+-			if (ret > 0)
++			if ((ret > 0) || (ret == 0 && *resplen2 > 0))
+ 				return (ret);
+ 
+ 			if (answerp && *answerp != answer) {
+@@ -487,7 +487,7 @@ __libc_res_nsearch(res_state statp,
+ 		ret = __libc_res_nquerydomain(statp, name, NULL, class, type,
+ 					      answer, anslen, answerp,
+ 					      answerp2, nanswerp2, resplen2);
+-		if (ret > 0)
++		if ((ret > 0) || (ret == 0 && *resplen2 > 0))
+ 			return (ret);
+ 	}
+ 
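Review bot: The new condition dereferences `resplen2` without a NULL check at all three sites in resolv/res_query.c (inner hunks at 378, 418 and 487), while the context line `if (answerp && *answerp != answer)` treats a sibling out-parameter as optional. The callers are not visible here, but if any entry point passes NULL for `resplen2`, a first query returning 0 would crash the calling process instead of falling through to the next search domain. A guarded form such as `if (ret > 0 || (ret == 0 && resplen2 != NULL && *resplen2 > 0) || trailing_dot)` keeps the fix and is safe either way; the same guard applies to the other two sites. The body of __libc_res_nsearch starts and ends outside these hunks.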
Index: debian/patches/any/cvs-tzfile.diff
===================================================================
--- debian/patches/any/cvs-tzfile.diff	(révision 0)
+++ debian/patches/any/cvs-tzfile.diff	(révision 5154)
@@ -0,0 +1,85 @@
+2011-12-17  Ulrich Drepper  <drepper@gmail.com>
+
+	[BZ #13506]
+	* time/tzfile.c (__tzfile_read): Check values from file header.
+
+diff --git a/time/tzfile.c b/time/tzfile.c
+index 144e20b..402389c 100644
+--- a/time/tzfile.c
++++ b/time/tzfile.c
+@@ -26,6 +26,7 @@
+ #include <time.h>
+ #include <unistd.h>
+ #include <sys/stat.h>
++#include <stdint.h>
+ 
+ #define	NOID
+ #include <timezone/tzfile.h>
+@@ -234,23 +234,58 @@ __tzfile_read (const char *file, size_t extra, char **extrap)
+       goto read_again;
+     }
+ 
++  if (__builtin_expect (num_transitions
++			> ((SIZE_MAX - (__alignof__ (struct ttinfo) - 1))
++			   / (sizeof (time_t) + 1)), 0))
++    goto lose;
+   total_size = num_transitions * (sizeof (time_t) + 1);
+   total_size = ((total_size + __alignof__ (struct ttinfo) - 1)
+ 		& ~(__alignof__ (struct ttinfo) - 1));
+   types_idx = total_size;
+-  total_size += num_types * sizeof (struct ttinfo) + chars;
++  if (__builtin_expect (num_types
++			> (SIZE_MAX - total_size) / sizeof (struct ttinfo), 0))
++    goto lose;
++  total_size += num_types * sizeof (struct ttinfo);
++  if (__builtin_expect (chars > SIZE_MAX - total_size, 0))
++    goto lose;
++  total_size += chars;
++  if (__builtin_expect (__alignof__ (struct leap) - 1
++			> SIZE_MAX - total_size, 0))
++    goto lose;
+   total_size = ((total_size + __alignof__ (struct leap) - 1)
+ 		& ~(__alignof__ (struct leap) - 1));
+   leaps_idx = total_size;
++  if (__builtin_expect (num_leaps
++			> (SIZE_MAX - total_size) / sizeof (struct leap), 0))
++    goto lose;
+   total_size += num_leaps * sizeof (struct leap);
+-  tzspec_len = (sizeof (time_t) == 8 && trans_width == 8
+-		? st.st_size - (ftello (f)
+-				+ num_transitions * (8 + 1)
+-				+ num_types * 6
+-				+ chars
+-				+ num_leaps * 12
+-				+ num_isstd
+-				+ num_isgmt) - 1 : 0);
++  tzspec_len = 0;
++  if (sizeof (time_t) == 8 && trans_width == 8)
++    {
++      off_t rem = st.st_size - ftello (f);
++      if (__builtin_expect (rem < 0
++			    || (size_t) rem < (num_transitions * (8 + 1)
++					       + num_types * 6
++					       + chars), 0))
++	goto lose;
++      tzspec_len = (size_t) rem - (num_transitions * (8 + 1)
++				   + num_types * 6
++				   + chars);
++      if (__builtin_expect (num_leaps > SIZE_MAX / 12
++			    || tzspec_len < num_leaps * 12, 0))
++	goto lose;
++      tzspec_len -= num_leaps * 12;
++      if (__builtin_expect (tzspec_len < num_isstd, 0))
++	goto lose;
++      tzspec_len -= num_isstd;
++      if (__builtin_expect (tzspec_len == 0 || tzspec_len - 1 < num_isgmt, 0))
++	goto lose;
++      tzspec_len -= num_isgmt + 1;
++      if (__builtin_expect (SIZE_MAX - total_size < tzspec_len, 0))
++	goto lose;
++    }
++  if (__builtin_expect (SIZE_MAX - total_size - tzspec_len < extra, 0))
++    goto lose;
+ 
+   /* Allocate enough memory including the extra block requested by the
+      caller.  */
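Review bot: `ftello (f)` is used unchecked in `off_t rem = st.st_size - ftello (f);`, so a failing call (return value -1) makes rem one larger than the file size and passes the `rem < 0` guard, overstating the bytes left for the TZ string. Reading the offset into a local first and bailing out, e.g. `off_t pos = ftello (f); if (pos < 0) goto lose;`, would close that gap. Separately, the sum `num_transitions * (8 + 1) + num_types * 6 + chars` is not itself overflow-checked. It appears to be bounded by the earlier total_size checks, provided sizeof (struct ttinfo) is at least 6, which this hunk does not show, so a short comment stating that dependency would help the next reader. __tzfile_read begins and ends outside the hunk.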
Index: debian/patches/series
===================================================================
--- debian/patches/series	(révision 5091)
+++ debian/patches/series	(copie de travail)
@@ -270,3 +270,5 @@
 any/cvs-dl_close-scope-handling.diff
 any/cvs-nptl-pthread-race.diff
 any/cvs-statvfs-mount-flags.diff
+any/cvs-tzfile.diff
+any/submitted-resolv-first-query-failure.diff
Index: debian/changelog
===================================================================
--- debian/changelog	(révision 5091)
+++ debian/changelog	(copie de travail)
@@ -1,3 +1,13 @@
+eglibc (2.11.3-3) stable; urgency=low
+
+  * patches/any/cvs-tzfile.diff: fix integer overflow in timezone code.
+    (CVE-2009-5029).  Closes: #650790.
+  * patches/any/submitted-resolv-first-query-failure.diff: new patch to fix
+    resolving issues with broken servers returning NOTIMP or FORMERR to AAAA
+    queries.  Closes: #658171.
+
+ -- Aurelien Jarno <aurel32@debian.org>  Thu, 02 Feb 2012 22:20:02 +0100
+
 eglibc (2.11.3-2) stable; urgency=low
 
   * Add patches/arm/cvs-tls-unallocated.diff and

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash


