[glibc] 01/01: patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a NULL pointer dereference in libresolv when receiving a T_UNSPEC internal QTYPE (CVE-2015-5180). Closes: #796106.
This is an automated email from the git hooks/post-receive script.
aurel32 pushed a commit to branch jessie
in repository glibc.
commit 138de87c1f40c651dce664d76bbf1902eb853cb8
Author: Aurelien Jarno <aurelien@aurel32.net>
Date: Wed Apr 12 00:34:46 2017 +0200
patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a NULL pointer dereference in libresolv when receiving a T_UNSPEC internal QTYPE (CVE-2015-5180). Closes: #796106.
---
debian/changelog | 3 +
debian/patches/any/cvs-resolv-internal-qtype.diff | 78 +++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 82 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index ffbd139..5a26d07 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,9 @@ glibc (2.19-18+deb8u8) UNRELEASED; urgency=medium
[ Aurelien Jarno ]
* Update from upstream stable branch:
- Fix PowerPC sqrt inaccuracy. Closes: #855606.
+ * patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a
+ NULL pointer dereference in libresolv when receiving a T_UNSPEC internal
+ QTYPE (CVE-2015-5180). Closes: #796106.
-- Aurelien Jarno <aurel32@debian.org> Mon, 20 Feb 2017 23:30:47 +0100
diff --git a/debian/patches/any/cvs-resolv-internal-qtype.diff b/debian/patches/any/cvs-resolv-internal-qtype.diff
new file mode 100644
index 0000000..670d671
--- /dev/null
+++ b/debian/patches/any/cvs-resolv-internal-qtype.diff
@@ -0,0 +1,78 @@
+2016-12-31 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #18784]
+ CVE-2015-5180
+ * include/arpa/nameser_compat.h (T_QUERY_A_AND_AAAA): Rename from
+ T_UNSPEC. Adjust value.
+ * resolv/nss_dns/dns-host.c (_nss_dns_gethostbyname4_r): Use it.
+ * resolv/res_query.c (__libc_res_nquery): Likewise.
+ * resolv/res_mkquery.c (res_nmkquery): Check for out-of-range
+ QTYPEs.
+
+--- a/include/arpa/nameser_compat.h
++++ b/include/arpa/nameser_compat.h
+@@ -1,8 +1,8 @@
+ #ifndef _ARPA_NAMESER_COMPAT_
+ #include <resolv/arpa/nameser_compat.h>
+
+-/* Picksome unused number to represent lookups of IPv4 and IPv6 (i.e.,
+- T_A and T_AAAA). */
+-#define T_UNSPEC 62321
++/* The number is outside the 16-bit RR type range and is used
++ internally by the implementation. */
++#define T_QUERY_A_AND_AAAA 439963904
+
+ #endif
+--- a/resolv/nss_dns/dns-host.c
++++ b/resolv/nss_dns/dns-host.c
+@@ -323,7 +323,7 @@
+
+ int olderr = errno;
+ enum nss_status status;
+- int n = __libc_res_nsearch (&_res, name, C_IN, T_UNSPEC,
++ int n = __libc_res_nsearch (&_res, name, C_IN, T_QUERY_A_AND_AAAA,
+ host_buffer.buf->buf, 2048, &host_buffer.ptr,
+ &ans2p, &nans2p, &resplen2, &ans2p_malloced);
+ if (n >= 0)
+--- a/resolv/res_mkquery.c
++++ b/resolv/res_mkquery.c
+@@ -103,6 +103,10 @@
+ int n;
+ u_char *dnptrs[20], **dpp, **lastdnptr;
+
++ if (class < 0 || class > 65535
++ || type < 0 || type > 65535)
++ return -1;
++
+ #ifdef DEBUG
+ if (statp->options & RES_DEBUG)
+ printf(";; res_nmkquery(%s, %s, %s, %s)\n",
+--- a/resolv/res_query.c
++++ b/resolv/res_query.c
+@@ -122,7 +122,7 @@
+ int n, use_malloc = 0;
+ u_int oflags = statp->_flags;
+
+- size_t bufsize = (type == T_UNSPEC ? 2 : 1) * QUERYSIZE;
++ size_t bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * QUERYSIZE;
+ u_char *buf = alloca (bufsize);
+ u_char *query1 = buf;
+ int nquery1 = -1;
+@@ -137,7 +137,7 @@
+ printf(";; res_query(%s, %d, %d)\n", name, class, type);
+ #endif
+
+- if (type == T_UNSPEC)
++ if (type == T_QUERY_A_AND_AAAA)
+ {
+ n = res_nmkquery(statp, QUERY, name, class, T_A, NULL, 0, NULL,
+ query1, bufsize);
+@@ -190,7 +190,7 @@
+ if (__builtin_expect (n <= 0, 0) && !use_malloc) {
+ /* Retry just in case res_nmkquery failed because of too
+ short buffer. Shouldn't happen. */
+- bufsize = (type == T_UNSPEC ? 2 : 1) * MAXPACKET;
++ bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * MAXPACKET;
+ buf = malloc (bufsize);
+ if (buf != NULL) {
+ query1 = buf;
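Review bot: The range check added to res_nmkquery returns the same -1 as a too-small buffer, so in __libc_res_nquery an out-of-range class or type falls into the `n <= 0 && !use_malloc` retry shown in the last res_query.c hunk, which allocates up to 2 * MAXPACKET only to fail again. Rejecting bad values in __libc_res_nquery before the query is built, while still admitting the internal sentinel, would avoid that retry: `if (class < 0 || class > 65535 || (type != T_QUERY_A_AND_AAAA && (type < 0 || type > 65535)))` followed by that function's normal error return. The sentinel itself never reaches the res_nmkquery check, because the dual-query branch passes T_A. Whether a public entry point can forward a caller-supplied type equal to the sentinel is not visible in this patch and should be confirmed. The touched functions all start and end outside their hunks.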
diff --git a/debian/patches/series b/debian/patches/series
index 746f71c..2ef5384 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -274,3 +274,4 @@ any/cvs-wscanf.diff
any/cvs-ldconfig-aux-cache.diff
any/cvs-grantpt-pty-owner.diff
any/cvs-hesiod-resolver.diff
+any/cvs-resolv-internal-qtype.diff
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-glibc/glibc.git