Created
February 2, 2015 00:32
-
-
Save duncm/c1d8396e30bccd92599c to your computer and use it in GitHub Desktop.
CVE-2015-0235 patch for Ubuntu 11.04 (Natty Narwhal)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff -u eglibc-2.13/debian/changelog eglibc-2.13/debian/changelog | |
| --- eglibc-2.13/debian/changelog | |
| +++ eglibc-2.13/debian/changelog | |
| @@ -1,3 +1,12 @@ | |
| +eglibc (2.13-0ubuntu13.2+CVE.2015.0235) natty-security; urgency=medium | |
| + | |
| + * SECURITY UPDATE: buffer overflow in __nss_hostname_digits_dots | |
| + - debian/patches/any/CVE-2015-0235.diff: fix overflow in | |
| + nss/digits_dots.c | |
| + - CVE-2015-0235 | |
| + | |
| + -- Duncan Maitland <dmaitland@fairfaxmedia.com.au> Wed, 31 Jan 2015 00:13:41 +1100 | |
| + | |
| eglibc (2.13-0ubuntu13.2) natty-security; urgency=low | |
| * SECURITY UPDATE: buffer overflow in vfprintf handling | |
| diff -u eglibc-2.13/debian/patches/series eglibc-2.13/debian/patches/series | |
| --- eglibc-2.13/debian/patches/series | |
| +++ eglibc-2.13/debian/patches/series | |
| @@ -236,0 +237 @@ | |
| +any/CVE-2015-0235.diff | |
| only in patch2: | |
| unchanged: | |
| --- eglibc-2.13.orig/debian/patches/any/CVE-2015-0235.diff | |
| +++ eglibc-2.13/debian/patches/any/CVE-2015-0235.diff | |
| @@ -0,0 +1,251 @@ | |
| +From: Andreas Schwab <schwab@suse.de> | |
| +Date: Mon, 21 Jan 2013 16:41:28 +0000 (+0100) | |
| +Subject: Fix parsing of numeric hosts in gethostbyname_r | |
| +X-Git-Tag: glibc-2.18~221 | |
| +X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=d5dd6189d506068ed11c8bfa1e1e9bffde04decd | |
| + | |
| +Fix parsing of numeric hosts in gethostbyname_r | |
| + | |
| +2013-05-21 Andreas Schwab <schwab@suse.de> | |
| + | |
| + [BZ #15014] | |
| + * nss/getXXbyYY_r.c (INTERNAL (REENTRANT_NAME)) | |
| + [HANDLE_DIGITS_DOTS]: Set any_service when digits-dots parsing was | |
| + successful. | |
| + * nss/digits_dots.c (__nss_hostname_digits_dots): Remove | |
| + redundant variable declarations and reallocation of buffer when | |
| + parsing as IPv6 address. Always set NSS status when called from | |
| + reentrant functions. Use NETDB_INTERNAL instead of TRY_AGAIN when | |
| + buffer too small. Correct computation of needed size. | |
| + * nss/Makefile (tests): Add test-digits-dots. | |
| + * nss/test-digits-dots.c: New test. | |
| + | |
| +CVE-2015-0235 | |
| + | |
| +(Ubuntu note: patch differs from upstream commit in that it drops | |
| +the changelog and NEWS entries as well as the whitespace only change to | |
| +nss/getXXbyYY_r.c to reduce patch conflicts. --sbeattie) | |
| + | |
| +--- | |
| + nss/Makefile | 2 - | |
| + nss/digits_dots.c | 73 +++++++++++++------------------------------------ | |
| + nss/getXXbyYY_r.c | 3 ++ | |
| + nss/test-digits-dots.c | 38 +++++++++++++++++++++++++ | |
| + 4 files changed, 62 insertions(+), 54 deletions(-) | |
| + | |
| +Index: b/nss/digits_dots.c | |
| +=================================================================== | |
| +--- a/nss/digits_dots.c | |
| ++++ b/nss/digits_dots.c | |
| +@@ -47,7 +47,10 @@ __nss_hostname_digits_dots (const char * | |
| + { | |
| + if (h_errnop) | |
| + *h_errnop = NETDB_INTERNAL; | |
| +- *result = NULL; | |
| ++ if (buffer_size == NULL) | |
| ++ *status = NSS_STATUS_TRYAGAIN; | |
| ++ else | |
| ++ *result = NULL; | |
| + return -1; | |
| + } | |
| + | |
| +@@ -84,14 +87,16 @@ __nss_hostname_digits_dots (const char * | |
| + } | |
| + | |
| + size_needed = (sizeof (*host_addr) | |
| +- + sizeof (*h_addr_ptrs) + strlen (name) + 1); | |
| ++ + sizeof (*h_addr_ptrs) | |
| ++ + sizeof (*h_alias_ptr) + strlen (name) + 1); | |
| + | |
| + if (buffer_size == NULL) | |
| + { | |
| + if (buflen < size_needed) | |
| + { | |
| ++ *status = NSS_STATUS_TRYAGAIN; | |
| + if (h_errnop != NULL) | |
| +- *h_errnop = TRY_AGAIN; | |
| ++ *h_errnop = NETDB_INTERNAL; | |
| + __set_errno (ERANGE); | |
| + goto done; | |
| + } | |
| +@@ -110,7 +115,7 @@ __nss_hostname_digits_dots (const char * | |
| + *buffer_size = 0; | |
| + __set_errno (save); | |
| + if (h_errnop != NULL) | |
| +- *h_errnop = TRY_AGAIN; | |
| ++ *h_errnop = NETDB_INTERNAL; | |
| + *result = NULL; | |
| + goto done; | |
| + } | |
| +@@ -150,7 +155,9 @@ __nss_hostname_digits_dots (const char * | |
| + if (! ok) | |
| + { | |
| + *h_errnop = HOST_NOT_FOUND; | |
| +- if (buffer_size) | |
| ++ if (buffer_size == NULL) | |
| ++ *status = NSS_STATUS_NOTFOUND; | |
| ++ else | |
| + *result = NULL; | |
| + goto done; | |
| + } | |
| +@@ -191,7 +198,7 @@ __nss_hostname_digits_dots (const char * | |
| + if (buffer_size == NULL) | |
| + *status = NSS_STATUS_SUCCESS; | |
| + else | |
| +- *result = resbuf; | |
| ++ *result = resbuf; | |
| + goto done; | |
| + } | |
| + | |
| +@@ -202,15 +209,6 @@ __nss_hostname_digits_dots (const char * | |
| + | |
| + if ((isxdigit (name[0]) && strchr (name, ':') != NULL) || name[0] == ':') | |
| + { | |
| +- const char *cp; | |
| +- char *hostname; | |
| +- typedef unsigned char host_addr_t[16]; | |
| +- host_addr_t *host_addr; | |
| +- typedef char *host_addr_list_t[2]; | |
| +- host_addr_list_t *h_addr_ptrs; | |
| +- size_t size_needed; | |
| +- int addr_size; | |
| +- | |
| + switch (af) | |
| + { | |
| + default: | |
| +@@ -226,7 +224,10 @@ __nss_hostname_digits_dots (const char * | |
| + /* This is not possible. We cannot represent an IPv6 address | |
| + in an `struct in_addr' variable. */ | |
| + *h_errnop = HOST_NOT_FOUND; | |
| +- *result = NULL; | |
| ++ if (buffer_size == NULL) | |
| ++ *status = NSS_STATUS_NOTFOUND; | |
| ++ else | |
| ++ *result = NULL; | |
| + goto done; | |
| + | |
| + case AF_INET6: | |
| +@@ -234,42 +235,6 @@ __nss_hostname_digits_dots (const char * | |
| + break; | |
| + } | |
| + | |
| +- size_needed = (sizeof (*host_addr) | |
| +- + sizeof (*h_addr_ptrs) + strlen (name) + 1); | |
| +- | |
| +- if (buffer_size == NULL && buflen < size_needed) | |
| +- { | |
| +- if (h_errnop != NULL) | |
| +- *h_errnop = TRY_AGAIN; | |
| +- __set_errno (ERANGE); | |
| +- goto done; | |
| +- } | |
| +- else if (buffer_size != NULL && *buffer_size < size_needed) | |
| +- { | |
| +- char *new_buf; | |
| +- *buffer_size = size_needed; | |
| +- new_buf = realloc (*buffer, *buffer_size); | |
| +- | |
| +- if (new_buf == NULL) | |
| +- { | |
| +- save = errno; | |
| +- free (*buffer); | |
| +- __set_errno (save); | |
| +- *buffer = NULL; | |
| +- *buffer_size = 0; | |
| +- *result = NULL; | |
| +- goto done; | |
| +- } | |
| +- *buffer = new_buf; | |
| +- } | |
| +- | |
| +- memset (*buffer, '\0', size_needed); | |
| +- | |
| +- host_addr = (host_addr_t *) *buffer; | |
| +- h_addr_ptrs = (host_addr_list_t *) | |
| +- ((char *) host_addr + sizeof (*host_addr)); | |
| +- hostname = (char *) h_addr_ptrs + sizeof (*h_addr_ptrs); | |
| +- | |
| + for (cp = name;; ++cp) | |
| + { | |
| + if (!*cp) | |
| +@@ -282,7 +247,9 @@ __nss_hostname_digits_dots (const char * | |
| + if (inet_pton (AF_INET6, name, host_addr) <= 0) | |
| + { | |
| + *h_errnop = HOST_NOT_FOUND; | |
| +- if (buffer_size) | |
| ++ if (buffer_size == NULL) | |
| ++ *status = NSS_STATUS_NOTFOUND; | |
| ++ else | |
| + *result = NULL; | |
| + goto done; | |
| + } | |
| +Index: b/nss/getXXbyYY_r.c | |
| +=================================================================== | |
| +--- a/nss/getXXbyYY_r.c | |
| ++++ b/nss/getXXbyYY_r.c | |
| +@@ -180,6 +180,9 @@ INTERNAL (REENTRANT_NAME) (ADD_PARAMS, L | |
| + case -1: | |
| + return errno; | |
| + case 1: | |
| ++#ifdef NEED_H_ERRNO | |
| ++ any_service = true; | |
| ++#endif | |
| + goto done; | |
| + } | |
| + #endif | |
| +Index: b/nss/test-digits-dots.c | |
| +=================================================================== | |
| +--- /dev/null | |
| ++++ b/nss/test-digits-dots.c | |
| +@@ -0,0 +1,38 @@ | |
| ++/* Copyright (C) 2013 Free Software Foundation, Inc. | |
| ++ This file is part of the GNU C Library. | |
| ++ | |
| ++ The GNU C Library is free software; you can redistribute it and/or | |
| ++ modify it under the terms of the GNU Lesser General Public | |
| ++ License as published by the Free Software Foundation; either | |
| ++ version 2.1 of the License, or (at your option) any later version. | |
| ++ | |
| ++ The GNU C Library is distributed in the hope that it will be useful, | |
| ++ but WITHOUT ANY WARRANTY; without even the implied warranty of | |
| ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
| ++ Lesser General Public License for more details. | |
| ++ | |
| ++ You should have received a copy of the GNU Lesser General Public | |
| ++ License along with the GNU C Library; if not, see | |
| ++ <http://www.gnu.org/licenses/>. */ | |
| ++ | |
| ++/* Testcase for BZ #15014 */ | |
| ++ | |
| ++#include <stdlib.h> | |
| ++#include <netdb.h> | |
| ++#include <errno.h> | |
| ++ | |
| ++static int | |
| ++do_test (void) | |
| ++{ | |
| ++ char buf[32]; | |
| ++ struct hostent *result = NULL; | |
| ++ struct hostent ret; | |
| ++ int h_err = 0; | |
| ++ int err; | |
| ++ | |
| ++ err = gethostbyname_r ("1.2.3.4", &ret, buf, sizeof (buf), &result, &h_err); | |
| ++ return err == ERANGE && h_err == NETDB_INTERNAL ? EXIT_SUCCESS : EXIT_FAILURE; | |
| ++} | |
| ++ | |
| ++#define TEST_FUNCTION do_test () | |
| ++#include "../test-skeleton.c" | |
| +Index: b/nss/Makefile | |
| +=================================================================== | |
| +--- a/nss/Makefile | |
| ++++ b/nss/Makefile | |
| +@@ -47,7 +47,7 @@ routines-$(OPTION_EGLIBC_INET) += digits | |
| + others := getent | |
| + install-bin := getent | |
| + | |
| +-tests = tst-nss-test1 | |
| ++tests = tst-nss-test1 test-digits-dots | |
| + tests-$(OPTION_EGLIBC_INET) += test-netdb | |
| + xtests-$(OPTION_EGLIBC_INET) += bug-erange | |
| + |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment