[glibc] 02/02: patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a NULL pointer dereference in libresolv when receiving a T_UNSPEC internal QTYPE (CVE-2015-5180). Closes: #796106.

To: debian-glibc@lists.debian.org
Subject: [glibc] 02/02: patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a NULL pointer dereference in libresolv when receiving a T_UNSPEC internal QTYPE (CVE-2015-5180). Closes: #796106.
From: Aurelien Jarno <aurel32@moszumanska.debian.org>
Date: Tue, 03 Jan 2017 21:52:24 +0000
Message-id: <[🔎] E1cOX0K-0008Kq-Tx@moszumanska.debian.org>
Reply-to: Aurelien Jarno <aurelien@aurel32.net>
In-reply-to: <[🔎] 20170103215155.31443.62363@moszumanska.debian.org>
References: <[🔎] 20170103215155.31443.62363@moszumanska.debian.org>

This is an automated email from the git hooks/post-receive script.

aurel32 pushed a commit to branch sid
in repository glibc.

commit c16873aceccff7a1116adb047a47d5fb95fd461c
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Tue Jan 3 22:51:27 2017 +0100

    patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a NULL pointer dereference in libresolv when receiving a T_UNSPEC internal QTYPE (CVE-2015-5180).  Closes: #796106.
---
 debian/changelog                                  |  3 +
 debian/patches/any/cvs-resolv-internal-qtype.diff | 78 +++++++++++++++++++++++
 debian/patches/series                             |  1 +
 3 files changed, 82 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 58aaf38..2bf3ceb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -24,6 +24,9 @@ glibc (2.24-9) UNRELEASED; urgency=medium
     with the PT154 charset.  Closes: #847596.
   * debian/patches/git-updates.diff: update from upstream stable branch:
     - debian/patches/alpha/submitted-math-fixes.diff: Drop, merged upstream.
+  * patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a
+    NULL pointer dereference in libresolv when receiving a T_UNSPEC internal
+    QTYPE (CVE-2015-5180).  Closes: #796106.
 
  -- Samuel Thibault <sthibault@debian.org>  Fri, 09 Dec 2016 01:51:00 +0100
 
diff --git a/debian/patches/any/cvs-resolv-internal-qtype.diff b/debian/patches/any/cvs-resolv-internal-qtype.diff
new file mode 100644
index 0000000..670d671
--- /dev/null
+++ b/debian/patches/any/cvs-resolv-internal-qtype.diff
@@ -0,0 +1,78 @@
+2016-12-31  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #18784]
+	CVE-2015-5180
+	* include/arpa/nameser_compat.h (T_QUERY_A_AND_AAAA): Rename from
+	T_UNSPEC.  Adjust value.
+	* resolv/nss_dns/dns-host.c (_nss_dns_gethostbyname4_r): Use it.
+	* resolv/res_query.c (__libc_res_nquery): Likewise.
+	* resolv/res_mkquery.c (res_nmkquery): Check for out-of-range
+	QTYPEs.
+
+--- a/include/arpa/nameser_compat.h
++++ b/include/arpa/nameser_compat.h
+@@ -1,8 +1,8 @@
+ #ifndef _ARPA_NAMESER_COMPAT_
+ #include <resolv/arpa/nameser_compat.h>
+ 
+-/* Picksome unused number to represent lookups of IPv4 and IPv6 (i.e.,
+-   T_A and T_AAAA).  */
+-#define T_UNSPEC 62321
++/* The number is outside the 16-bit RR type range and is used
++   internally by the implementation.  */
++#define T_QUERY_A_AND_AAAA 439963904
+ 
+ #endif
+--- a/resolv/nss_dns/dns-host.c
++++ b/resolv/nss_dns/dns-host.c
+@@ -323,7 +323,7 @@
+ 
+   int olderr = errno;
+   enum nss_status status;
+-  int n = __libc_res_nsearch (&_res, name, C_IN, T_UNSPEC,
++  int n = __libc_res_nsearch (&_res, name, C_IN, T_QUERY_A_AND_AAAA,
+ 			      host_buffer.buf->buf, 2048, &host_buffer.ptr,
+ 			      &ans2p, &nans2p, &resplen2, &ans2p_malloced);
+   if (n >= 0)
+--- a/resolv/res_mkquery.c
++++ b/resolv/res_mkquery.c
+@@ -103,6 +103,10 @@
+ 	int n;
+ 	u_char *dnptrs[20], **dpp, **lastdnptr;
+ 
++	if (class < 0 || class > 65535
++	    || type < 0 || type > 65535)
++	  return -1;
++
+ #ifdef DEBUG
+ 	if (statp->options & RES_DEBUG)
+ 		printf(";; res_nmkquery(%s, %s, %s, %s)\n",
+--- a/resolv/res_query.c
++++ b/resolv/res_query.c
+@@ -122,7 +122,7 @@
+ 	int n, use_malloc = 0;
+ 	u_int oflags = statp->_flags;
+ 
+-	size_t bufsize = (type == T_UNSPEC ? 2 : 1) * QUERYSIZE;
++	size_t bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * QUERYSIZE;
+ 	u_char *buf = alloca (bufsize);
+ 	u_char *query1 = buf;
+ 	int nquery1 = -1;
+@@ -137,7 +137,7 @@
+ 		printf(";; res_query(%s, %d, %d)\n", name, class, type);
+ #endif
+ 
+-	if (type == T_UNSPEC)
++	if (type == T_QUERY_A_AND_AAAA)
+ 	  {
+ 	    n = res_nmkquery(statp, QUERY, name, class, T_A, NULL, 0, NULL,
+ 			     query1, bufsize);
+@@ -190,7 +190,7 @@
+ 	if (__builtin_expect (n <= 0, 0) && !use_malloc) {
+ 		/* Retry just in case res_nmkquery failed because of too
+ 		   short buffer.  Shouldn't happen.  */
+-		bufsize = (type == T_UNSPEC ? 2 : 1) * MAXPACKET;
++		bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * MAXPACKET;
+ 		buf = malloc (bufsize);
+ 		if (buf != NULL) {
+ 			query1 = buf;
diff --git a/debian/patches/series b/debian/patches/series
index 5927826..2f9d247 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -215,3 +215,4 @@ any/local-bootstrap-headers.diff
 any/submitted-dlopen-noload.diff
 any/submitted-perl-inc.diff
 any/submitted-unicode-9.0.0.diff
+any/cvs-resolv-internal-qtype.diff

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-glibc/glibc.git

Reply to:

References:
- [glibc] branch sid updated (60d2b4b -> c16873a)
  - From: Aurelien Jarno <aurel32@moszumanska.debian.org>

Prev by Date: Processed: Use jrtc27@debian.org as submitter/owner everywhere
Next by Date: [glibc] 01/02: debian/patches/git-updates.diff: update from upstream stable branch:
Previous by thread: [glibc] branch sid updated (60d2b4b -> c16873a)
Next by thread: [glibc] 01/02: debian/patches/git-updates.diff: update from upstream stable branch:
Index(es):
- Date
- Thread