[glibc] 02/05: Update from upstream stable branch:
This is an automated email from the git hooks/post-receive script.
aurel32 pushed a commit to branch sid
in repository glibc.
commit 3a6dbc9e2a80e207e5d98855fc72fb95f30e7528
Author: Aurelien Jarno <aurelien@aurel32.net>
Date: Tue May 31 12:46:33 2016 +0200
Update from upstream stable branch:
* Update from upstream stable branch:
- Fix a stack overflow in Sun RPC clntudp_call() (CVE-2016-4429).
---
debian/changelog | 2 ++
debian/patches/git-updates.diff | 57 ++++++++++++++++++++++++++++++++++++-----
2 files changed, 53 insertions(+), 6 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index b024284..22464d8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
glibc (2.22-10) UNRELEASED; urgency=medium
[ Aurelien Jarno ]
+ * Update from upstream stable branch:
+ - Fix a stack overflow in Sun RPC clntudp_call() (CVE-2016-4429).
* debian/control.in/main: build-depends on dpkg (>= 1.18.7) instead of
dpkg-dev (>= 1.18.7) as the cputable file is in dpkg, not dpkg-dev.
Closes: #824127.
diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff
index f62a3eb..850361a 100644
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
@@ -1,10 +1,17 @@
GIT update of git://sourceware.org/git/glibc.git/release/2.22/master from glibc-2.22
diff --git a/ChangeLog b/ChangeLog
-index cb9124e..62794f2 100644
+index cb9124e..123274c 100644
--- a/ChangeLog
+++ b/ChangeLog
-@@ -1,3 +1,621 @@
+@@ -1,3 +1,628 @@
++2016-05-23 Florian Weimer <fweimer@redhat.com>
++
++ CVE-2016-4429
++ [BZ #20112]
++ * sunrpc/clnt_udp.c (clntudp_call): Use malloc/free for the error
++ payload.
++
+2016-05-02 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #19573]
@@ -627,10 +634,10 @@ index cb9124e..62794f2 100644
* version.h (RELEASE): Set to "stable".
diff --git a/NEWS b/NEWS
-index 4c31de7..94b731f 100644
+index 4c31de7..b0b981b 100644
--- a/NEWS
+++ b/NEWS
-@@ -5,6 +5,55 @@ See the end for copying conditions.
+@@ -5,6 +5,59 @@ See the end for copying conditions.
Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
using `glibc' in the "product" field.
@@ -655,7 +662,7 @@ index 4c31de7..94b731f 100644
+ 17905, 18420, 18421, 18480, 18589, 18743, 18778, 18781, 18787, 18796,
+ 18870, 18887, 18921, 18928, 18969, 18985, 19003, 19018, 19048, 19058,
+ 19174, 19178, 19182, 19243, 19573, 19590, 19682, 19791, 19822, 19853,
-+ 19879, 19779, 20010.
++ 19879, 19779, 20010, 20112.
+
+* The getnetbyname implementation in nss_dns had a potentially unbounded
+ alloca call (in the form of a call to strdupa), leading to a stack
@@ -682,11 +689,15 @@ index 4c31de7..94b731f 100644
+ even after the fix for CVE-2013-4458 has been applied, potentially
+ resulting in a stack overflow. getaddrinfo now uses a heap allocation
+ instead. Reported by Michael Petlan. (CVE-2016-3706)
++
++* The Sun RPC UDP client could exhaust all available stack space when
++ flooded with crafted ICMP and UDP messages. Reported by Aldy Hernandez'
++ alloca plugin for GCC. (CVE-2016-4429)
+
Version 2.22
* The following bugs are resolved with this release:
-@@ -84,7 +133,7 @@ Version 2.22
+@@ -84,7 +137,7 @@ Version 2.22
release. Use of this header will trigger a deprecation warning.
Application developers should update their code to use <regex.h> instead.
@@ -4455,6 +4466,40 @@ index d5a1115..bea5aa2 100644
res = 1;
}
else
+diff --git a/sunrpc/clnt_udp.c b/sunrpc/clnt_udp.c
+index 6ffa5f2..c818caf 100644
+--- a/sunrpc/clnt_udp.c
++++ b/sunrpc/clnt_udp.c
+@@ -420,9 +420,15 @@ send_again:
+ struct sock_extended_err *e;
+ struct sockaddr_in err_addr;
+ struct iovec iov;
+- char *cbuf = (char *) alloca (outlen + 256);
++ char *cbuf = malloc (outlen + 256);
+ int ret;
+
++ if (cbuf == NULL)
++ {
++ cu->cu_error.re_errno = errno;
++ return (cu->cu_error.re_status = RPC_CANTRECV);
++ }
++
+ iov.iov_base = cbuf + 256;
+ iov.iov_len = outlen;
+ msg.msg_name = (void *) &err_addr;
+@@ -447,10 +453,12 @@ send_again:
+ cmsg = CMSG_NXTHDR (&msg, cmsg))
+ if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
+ {
++ free (cbuf);
+ e = (struct sock_extended_err *) CMSG_DATA(cmsg);
+ cu->cu_error.re_errno = e->ee_errno;
+ return (cu->cu_error.re_status = RPC_CANTRECV);
+ }
++ free (cbuf);
+ }
+ #endif
+ do
diff --git a/sysdeps/alpha/fpu/libm-test-ulps b/sysdeps/alpha/fpu/libm-test-ulps
index 9ac946f..ee8e97c 100644
--- a/sysdeps/alpha/fpu/libm-test-ulps
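Review bot: In the second inner hunk for sunrpc/clnt_udp.c, `free (cbuf);` is placed before `e = (struct sock_extended_err *) CMSG_DATA(cmsg);` and the read of `e->ee_errno`, so if the control-message buffer lives inside cbuf the error code is read from freed heap memory. The `msg.msg_control` assignment is outside the hunk, but `iov.iov_base = cbuf + 256` suggests the first 256 bytes of cbuf are the ancillary-data area that cmsg points into. Copy the error code first and release afterwards: `cu->cu_error.re_errno = e->ee_errno;`, then `free (cbuf);`, then the `return`. clntudp_call starts and ends outside the hunk, so any other exit between the malloc and the final `free (cbuf);` that is not visible here should be checked for a leak as well.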
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-glibc/glibc.git