
[glibc] 01/01: Fix a stack overflow in Sun RPC clntudp_call() (CVE-2016-4429).




aurel32 pushed a commit to branch jessie
in repository glibc.

commit 6e388e01c3392030fcdd91101fd1e81d5922af1b
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Tue Jun 7 17:28:20 2016 +0200

    Fix a stack overflow in Sun RPC clntudp_call() (CVE-2016-4429).
---
 debian/changelog                |  1 +
 debian/patches/git-updates.diff | 55 +++++++++++++++++++++++++++++++++++++----
 2 files changed, 51 insertions(+), 5 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index c96e478..b619b11 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,7 @@ glibc (2.19-18+deb8u5) UNRELEASED; urgency=medium
     - Fix a buffer overflow in the glob function (CVE-2016-1234).
     - Fix a stack overflow in nss_dns_getnetbyname_r (CVE-2016-3075).
     - Fix a stack overflow in getaddrinfo function (CVE-2016-3706).
+    - Fix a stack overflow in Sun RPC clntudp_call() (CVE-2016-4429).
 
  -- Aurelien Jarno <aurel32@debian.org>  Sun, 01 May 2016 16:38:48 +0200
 
diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff
index b77210d..d45102a 100644
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
@@ -1,10 +1,17 @@
 GIT update of git://sourceware.org/git/glibc.git/release/2.19/master from glibc-2.19
 
 diff --git a/ChangeLog b/ChangeLog
-index 81c393a..f9a9e33 100644
+index 81c393a..fb2d7ff 100644
 --- a/ChangeLog
 +++ b/ChangeLog
-@@ -1,3 +1,551 @@
+@@ -1,3 +1,558 @@
++2016-05-23  Florian Weimer  <fweimer@redhat.com>
++
++	CVE-2016-4429
++	[BZ #20112]
++	* sunrpc/clnt_udp.c (clntudp_call): Use malloc/free for the error
++	payload.
++
 +2016-03-25  Florian Weimer  <fweimer@redhat.com>
 +
 +	[BZ #19791]
@@ -557,10 +564,10 @@ index 81c393a..f9a9e33 100644
  
  	[BZ #16529]
 diff --git a/NEWS b/NEWS
-index 98b479e..d14f9ed 100644
+index 98b479e..937c618 100644
 --- a/NEWS
 +++ b/NEWS
-@@ -5,6 +5,94 @@ See the end for copying conditions.
+@@ -5,6 +5,98 @@ See the end for copying conditions.
  Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
  using `glibc' in the "product" field.
  
@@ -572,7 +579,7 @@ index 98b479e..d14f9ed 100644
 +  16878, 16882, 16885, 16916, 16932, 16943, 16958, 17048, 17062, 17069,
 +  17079, 17137, 17153, 17213, 17263, 17269, 17325, 17555, 17905, 18007,
 +  18032, 18080, 18240, 18287, 18508, 18665, 18905, 19779, 19791, 19879,
-+  20010.
++  20010, 20112.
 +
 +* A buffer overflow in gethostbyname_r and related functions performing DNS
 +  requests has been fixed.  If the NSS functions were called with a
@@ -651,6 +658,10 @@ index 98b479e..d14f9ed 100644
 +  the overflow.  Thanks to the Google Security Team and Red Hat for
 +  reporting the security impact of this issue, and Robert Holiday of
 +  Ciena for reporting the related bug 18665. (CVE-2015-7547)
++
++* The Sun RPC UDP client could exhaust all available stack space when
++  flooded with crafted ICMP and UDP messages.  Reported by Aldy Hernandez'
++  alloca plugin for GCC.  (CVE-2016-4429)
 +
  Version 2.19
  
@@ -5013,6 +5024,40 @@ index b395dc7..fcd059f 100644
  }
  
  
+diff --git a/sunrpc/clnt_udp.c b/sunrpc/clnt_udp.c
+index 1b6a20b..81d5637 100644
+--- a/sunrpc/clnt_udp.c
++++ b/sunrpc/clnt_udp.c
+@@ -420,9 +420,15 @@ send_again:
+ 	  struct sock_extended_err *e;
+ 	  struct sockaddr_in err_addr;
+ 	  struct iovec iov;
+-	  char *cbuf = (char *) alloca (outlen + 256);
++	  char *cbuf = malloc (outlen + 256);
+ 	  int ret;
+ 
++	  if (cbuf == NULL)
++	    {
++	      cu->cu_error.re_errno = errno;
++	      return (cu->cu_error.re_status = RPC_CANTRECV);
++	    }
++
+ 	  iov.iov_base = cbuf + 256;
+ 	  iov.iov_len = outlen;
+ 	  msg.msg_name = (void *) &err_addr;
+@@ -447,10 +453,12 @@ send_again:
+ 		 cmsg = CMSG_NXTHDR (&msg, cmsg))
+ 	      if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
+ 		{
++		  free (cbuf);
+ 		  e = (struct sock_extended_err *) CMSG_DATA(cmsg);
+ 		  cu->cu_error.re_errno = e->ee_errno;
+ 		  return (cu->cu_error.re_status = RPC_CANTRECV);
+ 		}
++	  free (cbuf);
+ 	}
+ #endif
+       do
 diff --git a/sysdeps/ieee754/dbl-64/s_sin.c b/sysdeps/ieee754/dbl-64/s_sin.c
 index 6105e9f..50109b8 100644
 --- a/sysdeps/ieee754/dbl-64/s_sin.c
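Review bot: The `free (cbuf);` added in the IP_RECVERR branch runs before the next two lines read `e->ee_errno` through `CMSG_DATA(cmsg)`; if, as the `cbuf + 256` split of the allocation suggests, the first 256 bytes of `cbuf` are the control buffer that `CMSG_FIRSTHDR`/`CMSG_NXTHDR` walk (the `msg.msg_control` assignment is not in the hunk), then `cmsg` and `e` point into freed memory and the alloca-to-malloc conversion trades a stack overflow for a use-after-free. Move the release after the read: `cu->cu_error.re_errno = e->ee_errno;` then `free (cbuf);` then `return (cu->cu_error.re_status = RPC_CANTRECV);`. The lines between the two inner hunks (the `recvmsg` call and its result check) are not visible here, so any early return there would also need its own `free (cbuf);` to avoid leaking the new heap buffer. The enclosing `clntudp_call` begins and ends outside this hunk.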
