r5816 - in glibc-package/branches/eglibc-2.18/debian: . patches patches/any
Author: aurel32
Date: 2013-11-29 18:33:08 +0000 (Fri, 29 Nov 2013)
New Revision: 5816
Added:
glibc-package/branches/eglibc-2.18/debian/patches/any/cvs-CVE-2013-4458-getaddrinfo.diff
Modified:
glibc-package/branches/eglibc-2.18/debian/changelog
glibc-package/branches/eglibc-2.18/debian/patches/series
Log:
patches/any/cvs-CVE-2013-4458-getaddrinfo.diff: new patch from upstream
to fix stack (frame) overflow in getaddrinfo() when called with AF_INET6
/ CVE-2013-4458 (Closes: #727181).
Modified: glibc-package/branches/eglibc-2.18/debian/changelog
===================================================================
--- glibc-package/branches/eglibc-2.18/debian/changelog 2013-11-29 18:22:49 UTC (rev 5815)
+++ glibc-package/branches/eglibc-2.18/debian/changelog 2013-11-29 18:33:08 UTC (rev 5816)
@@ -140,6 +140,9 @@
* patches/any/cvs-strcasecmp-locales.diff: new patch from upstream to
fix mismatch between strcasecmp and toupper/tolower in tr_TR.iso88599
locale (Closes: #716775).
+ * patches/any/cvs-CVE-2013-4458-getaddrinfo.diff: new patch from upstream
+ to fix stack (frame) overflow in getaddrinfo() when called with AF_INET6
+ / CVE-2013-4458 (Closes: #727181).
-- Adam Conrad <adconrad@ubuntu.com> Sat, 09 Nov 2013 12:48:20 +0100
Added: glibc-package/branches/eglibc-2.18/debian/patches/any/cvs-CVE-2013-4458-getaddrinfo.diff
===================================================================
--- glibc-package/branches/eglibc-2.18/debian/patches/any/cvs-CVE-2013-4458-getaddrinfo.diff (rev 0)
+++ glibc-package/branches/eglibc-2.18/debian/patches/any/cvs-CVE-2013-4458-getaddrinfo.diff 2013-11-29 18:33:08 UTC (rev 5816)
@@ -0,0 +1,56 @@
+commit 7cbcdb3699584db8913ca90f705d6337633ee10f
+Author: Siddhesh Poyarekar <siddhesh@redhat.com>
+Date: Fri Oct 25 10:22:12 2013 +0530
+
+ Fix stack overflow due to large AF_INET6 requests
+
+ Resolves #16072 (CVE-2013-4458).
+
+ This patch fixes another stack overflow in getaddrinfo when it is
+ called with AF_INET6. The AF_UNSPEC case was fixed as CVE-2013-1914,
+ but the AF_INET6 case went undetected back then.
+
+2013-10-25 Siddhesh Poyarekar <siddhesh@redhat.com>
+
+ [BZ #16072]
+ * sysdeps/posix/getaddrinfo.c (gethosts): Allocate tmpbuf on
+ heap for large requests.
+
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
+index e6ce4cf..8ff74b4 100644
+--- a/sysdeps/posix/getaddrinfo.c
++++ b/sysdeps/posix/getaddrinfo.c
+@@ -197,7 +197,22 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp,
+ &rc, &herrno, NULL, &localcanon)); \
+ if (rc != ERANGE || herrno != NETDB_INTERNAL) \
+ break; \
+- tmpbuf = extend_alloca (tmpbuf, tmpbuflen, 2 * tmpbuflen); \
++ if (!malloc_tmpbuf && __libc_use_alloca (alloca_used + 2 * tmpbuflen)) \
++ tmpbuf = extend_alloca_account (tmpbuf, tmpbuflen, 2 * tmpbuflen, \
++ alloca_used); \
++ else \
++ { \
++ char *newp = realloc (malloc_tmpbuf ? tmpbuf : NULL, \
++ 2 * tmpbuflen); \
++ if (newp == NULL) \
++ { \
++ result = -EAI_MEMORY; \
++ goto free_and_return; \
++ } \
++ tmpbuf = newp; \
++ malloc_tmpbuf = true; \
++ tmpbuflen = 2 * tmpbuflen; \
++ } \
+ } \
+ if (status == NSS_STATUS_SUCCESS && rc == 0) \
+ h = &th; \
+@@ -209,7 +224,8 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp,
+ { \
+ __set_h_errno (herrno); \
+ _res.options |= old_res_options & RES_USE_INET6; \
+- return -EAI_SYSTEM; \
++ result = -EAI_SYSTEM; \
++ goto free_and_return; \
+ } \
+ if (herrno == TRY_AGAIN) \
+ no_data = EAI_AGAIN; \
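Review bot: The new -EAI_MEMORY exit in the first getaddrinfo.c hunk of the added patch jumps to free_and_return without restoring the resolver options, while the -EAI_SYSTEM exit in the second hunk still runs "_res.options |= old_res_options & RES_USE_INET6;" before its goto. Unless free_and_return performs that restore itself (the label is not visible in these lines), the realloc-failure branch should do the same before jumping, so that a failed allocation does not return with the saved RES_USE_INET6 bit left unrestored. Two smaller points on the same branch: "2 * tmpbuflen" is handed to realloc with no overflow check or upper bound, so the buffer size is limited only by how often the NSS call keeps returning ERANGE; and because this code sits in a macro body, every expansion site now needs result, malloc_tmpbuf, alloca_used and the free_and_return label in scope, which deserves a comment above the macro.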
Modified: glibc-package/branches/eglibc-2.18/debian/patches/series
===================================================================
--- glibc-package/branches/eglibc-2.18/debian/patches/series 2013-11-29 18:22:49 UTC (rev 5815)
+++ glibc-package/branches/eglibc-2.18/debian/patches/series 2013-11-29 18:33:08 UTC (rev 5816)
@@ -253,3 +253,4 @@
any/unsubmitted-scanf-includes.diff
any/unsubmitted-dlopen-static-crash.diff
any/cvs-strcasecmp-locales.diff
+any/cvs-CVE-2013-4458-getaddrinfo.diff