[glibc] 01/01: Fix a stack overflow in Sun RPC clntudp_call() (CVE-2016-4429).
This is an automated email from the git hooks/post-receive script.
aurel32 pushed a commit to branch jessie
in repository glibc.
commit 6e388e01c3392030fcdd91101fd1e81d5922af1b
Author: Aurelien Jarno <aurelien@aurel32.net>
Date: Tue Jun 7 17:28:20 2016 +0200
Fix a stack overflow in Sun RPC clntudp_call() (CVE-2016-4429).
---
debian/changelog | 1 +
debian/patches/git-updates.diff | 55 +++++++++++++++++++++++++++++++++++++----
2 files changed, 51 insertions(+), 5 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index c96e478..b619b11 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,7 @@ glibc (2.19-18+deb8u5) UNRELEASED; urgency=medium
- Fix a buffer overflow in the glob function (CVE-2016-1234).
- Fix a stack overflow in nss_dns_getnetbyname_r (CVE-2016-3075).
- Fix a stack overflow in getaddrinfo function (CVE-2016-3706).
+ - Fix a stack overflow in Sun RPC clntudp_call() (CVE-2016-4429).
-- Aurelien Jarno <aurel32@debian.org> Sun, 01 May 2016 16:38:48 +0200
diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff
index b77210d..d45102a 100644
--- a/debian/patches/git-updates.diff
+++ b/debian/patches/git-updates.diff
@@ -1,10 +1,17 @@
GIT update of git://sourceware.org/git/glibc.git/release/2.19/master from glibc-2.19
diff --git a/ChangeLog b/ChangeLog
-index 81c393a..f9a9e33 100644
+index 81c393a..fb2d7ff 100644
--- a/ChangeLog
+++ b/ChangeLog
-@@ -1,3 +1,551 @@
+@@ -1,3 +1,558 @@
++2016-05-23 Florian Weimer <fweimer@redhat.com>
++
++ CVE-2016-4429
++ [BZ #20112]
++ * sunrpc/clnt_udp.c (clntudp_call): Use malloc/free for the error
++ payload.
++
+2016-03-25 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #19791]
@@ -557,10 +564,10 @@ index 81c393a..f9a9e33 100644
[BZ #16529]
diff --git a/NEWS b/NEWS
-index 98b479e..d14f9ed 100644
+index 98b479e..937c618 100644
--- a/NEWS
+++ b/NEWS
-@@ -5,6 +5,94 @@ See the end for copying conditions.
+@@ -5,6 +5,98 @@ See the end for copying conditions.
Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
using `glibc' in the "product" field.
@@ -572,7 +579,7 @@ index 98b479e..d14f9ed 100644
+ 16878, 16882, 16885, 16916, 16932, 16943, 16958, 17048, 17062, 17069,
+ 17079, 17137, 17153, 17213, 17263, 17269, 17325, 17555, 17905, 18007,
+ 18032, 18080, 18240, 18287, 18508, 18665, 18905, 19779, 19791, 19879,
-+ 20010.
++ 20010, 20112.
+
+* A buffer overflow in gethostbyname_r and related functions performing DNS
+ requests has been fixed. If the NSS functions were called with a
@@ -651,6 +658,10 @@ index 98b479e..d14f9ed 100644
+ the overflow. Thanks to the Google Security Team and Red Hat for
+ reporting the security impact of this issue, and Robert Holiday of
+ Ciena for reporting the related bug 18665. (CVE-2015-7547)
++
++* The Sun RPC UDP client could exhaust all available stack space when
++ flooded with crafted ICMP and UDP messages. Reported by Aldy Hernandez'
++ alloca plugin for GCC. (CVE-2016-4429)
+
Version 2.19
@@ -5013,6 +5024,40 @@ index b395dc7..fcd059f 100644
}
+diff --git a/sunrpc/clnt_udp.c b/sunrpc/clnt_udp.c
+index 1b6a20b..81d5637 100644
+--- a/sunrpc/clnt_udp.c
++++ b/sunrpc/clnt_udp.c
+@@ -420,9 +420,15 @@ send_again:
+ struct sock_extended_err *e;
+ struct sockaddr_in err_addr;
+ struct iovec iov;
+- char *cbuf = (char *) alloca (outlen + 256);
++ char *cbuf = malloc (outlen + 256);
+ int ret;
+
++ if (cbuf == NULL)
++ {
++ cu->cu_error.re_errno = errno;
++ return (cu->cu_error.re_status = RPC_CANTRECV);
++ }
++
+ iov.iov_base = cbuf + 256;
+ iov.iov_len = outlen;
+ msg.msg_name = (void *) &err_addr;
+@@ -447,10 +453,12 @@ send_again:
+ cmsg = CMSG_NXTHDR (&msg, cmsg))
+ if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR)
+ {
++ free (cbuf);
+ e = (struct sock_extended_err *) CMSG_DATA(cmsg);
+ cu->cu_error.re_errno = e->ee_errno;
+ return (cu->cu_error.re_status = RPC_CANTRECV);
+ }
++ free (cbuf);
+ }
+ #endif
+ do
diff --git a/sysdeps/ieee754/dbl-64/s_sin.c b/sysdeps/ieee754/dbl-64/s_sin.c
index 6105e9f..50109b8 100644
--- a/sysdeps/ieee754/dbl-64/s_sin.c
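Review bot: In the second sunrpc/clnt_udp.c hunk of the embedded patch, the IP_RECVERR branch calls `free (cbuf)` before it evaluates `CMSG_DATA(cmsg)` and reads `e->ee_errno`. The `cbuf + 256` payload offset suggests the first 256 bytes of `cbuf` serve as the control-message area, although the `msg.msg_control` assignment is outside the hunk. If so, `cmsg` and `e` point into the buffer just released, and the error path reads freed heap memory. Copying the value out first keeps the read inside the allocation's lifetime: `e = (struct sock_extended_err *) CMSG_DATA(cmsg);`, then `cu->cu_error.re_errno = e->ee_errno;`, then `free (cbuf);` immediately before the `return`. The body of clntudp_call starts and ends outside the hunk, so the recvmsg setup should be confirmed against the full file.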
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-glibc/glibc.git