gnu: glibc@2.24: Fix CVE-2015-5180.
* gnu/packages/base.scm (glibc@2.24)[source]: Add patch. * gnu/packages/patches/glibc-CVE-2015-5180.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it.
This commit is contained in:
parent
2c5cf84430
commit
575e5e4e51
|
@ -644,6 +644,7 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/ghostscript-runpath.patch \
|
||||
%D%/packages/patches/glib-networking-ssl-cert-file.patch \
|
||||
%D%/packages/patches/glib-tests-timer.patch \
|
||||
%D%/packages/patches/glibc-CVE-2015-5180.patch \
|
||||
%D%/packages/patches/glibc-CVE-2017-1000366-pt1.patch \
|
||||
%D%/packages/patches/glibc-CVE-2017-1000366-pt2.patch \
|
||||
%D%/packages/patches/glibc-CVE-2017-1000366-pt3.patch \
|
||||
|
|
|
@ -933,6 +933,7 @@ GLIBC/HURD for a Hurd host"
|
|||
"glibc-versioned-locpath.patch"
|
||||
"glibc-o-largefile.patch"
|
||||
"glibc-vectorized-strcspn-guards.patch"
|
||||
"glibc-CVE-2015-5180.patch"
|
||||
"glibc-CVE-2017-1000366-pt1.patch"
|
||||
"glibc-CVE-2017-1000366-pt2.patch"
|
||||
"glibc-CVE-2017-1000366-pt3.patch"))))))
|
||||
|
|
|
@ -0,0 +1,311 @@
|
|||
From b3b37f1a5559a7620e31c8053ed1b44f798f2b6d Mon Sep 17 00:00:00 2001
|
||||
From: Florian Weimer <fweimer@redhat.com>
|
||||
Date: Sat, 31 Dec 2016 20:22:09 +0100
|
||||
Subject: [PATCH] CVE-2015-5180: resolv: Fix crash with internal QTYPE [BZ
|
||||
#18784]
|
||||
|
||||
Also rename T_UNSPEC because an upcoming public header file
|
||||
update will use that name.
|
||||
|
||||
(cherry picked from commit fc82b0a2dfe7dbd35671c10510a8da1043d746a5)
|
||||
---
|
||||
ChangeLog | 14 ++++
|
||||
NEWS | 6 ++
|
||||
include/arpa/nameser_compat.h | 6 +-
|
||||
resolv/Makefile | 5 ++
|
||||
resolv/nss_dns/dns-host.c | 2 +-
|
||||
resolv/res_mkquery.c | 4 +
|
||||
resolv/res_query.c | 6 +-
|
||||
resolv/tst-resolv-qtypes.c | 185 ++++++++++++++++++++++++++++++++++++++++++
|
||||
8 files changed, 221 insertions(+), 7 deletions(-)
|
||||
create mode 100644 resolv/tst-resolv-qtypes.c
|
||||
|
||||
diff --git a/include/arpa/nameser_compat.h b/include/arpa/nameser_compat.h
|
||||
index 2e735ed..7c0deed 100644
|
||||
--- a/include/arpa/nameser_compat.h
|
||||
+++ b/include/arpa/nameser_compat.h
|
||||
@@ -1,8 +1,8 @@
|
||||
#ifndef _ARPA_NAMESER_COMPAT_
|
||||
#include <resolv/arpa/nameser_compat.h>
|
||||
|
||||
-/* Picksome unused number to represent lookups of IPv4 and IPv6 (i.e.,
|
||||
- T_A and T_AAAA). */
|
||||
-#define T_UNSPEC 62321
|
||||
+/* The number is outside the 16-bit RR type range and is used
|
||||
+ internally by the implementation. */
|
||||
+#define T_QUERY_A_AND_AAAA 439963904
|
||||
|
||||
#endif
|
||||
diff --git a/resolv/Makefile b/resolv/Makefile
|
||||
index 8be41d3..a4c86b9 100644
|
||||
--- a/resolv/Makefile
|
||||
+++ b/resolv/Makefile
|
||||
@@ -40,6 +40,9 @@ ifeq ($(have-thread-library),yes)
|
||||
extra-libs += libanl
|
||||
routines += gai_sigqueue
|
||||
tests += tst-res_hconf_reorder
|
||||
+
|
||||
+# This test sends millions of packets and is rather slow.
|
||||
+xtests += tst-resolv-qtypes
|
||||
endif
|
||||
extra-libs-others = $(extra-libs)
|
||||
libresolv-routines := gethnamaddr res_comp res_debug \
|
||||
@@ -117,3 +120,5 @@ tst-leaks2-ENV = MALLOC_TRACE=$(objpfx)tst-leaks2.mtrace
|
||||
$(objpfx)mtrace-tst-leaks2.out: $(objpfx)tst-leaks2.out
|
||||
$(common-objpfx)malloc/mtrace $(objpfx)tst-leaks2.mtrace > $@; \
|
||||
$(evaluate-test)
|
||||
+
|
||||
+$(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library)
|
||||
diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
|
||||
index 5f9e357..d16fa4b 100644
|
||||
--- a/resolv/nss_dns/dns-host.c
|
||||
+++ b/resolv/nss_dns/dns-host.c
|
||||
@@ -323,7 +323,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
|
||||
|
||||
int olderr = errno;
|
||||
enum nss_status status;
|
||||
- int n = __libc_res_nsearch (&_res, name, C_IN, T_UNSPEC,
|
||||
+ int n = __libc_res_nsearch (&_res, name, C_IN, T_QUERY_A_AND_AAAA,
|
||||
host_buffer.buf->buf, 2048, &host_buffer.ptr,
|
||||
&ans2p, &nans2p, &resplen2, &ans2p_malloced);
|
||||
if (n >= 0)
|
||||
diff --git a/resolv/res_mkquery.c b/resolv/res_mkquery.c
|
||||
index 12f9730..d80b531 100644
|
||||
--- a/resolv/res_mkquery.c
|
||||
+++ b/resolv/res_mkquery.c
|
||||
@@ -103,6 +103,10 @@ res_nmkquery(res_state statp,
|
||||
int n;
|
||||
u_char *dnptrs[20], **dpp, **lastdnptr;
|
||||
|
||||
+ if (class < 0 || class > 65535
|
||||
+ || type < 0 || type > 65535)
|
||||
+ return -1;
|
||||
+
|
||||
#ifdef DEBUG
|
||||
if (statp->options & RES_DEBUG)
|
||||
printf(";; res_nmkquery(%s, %s, %s, %s)\n",
|
||||
diff --git a/resolv/res_query.c b/resolv/res_query.c
|
||||
index 944d1a9..07dc6f6 100644
|
||||
--- a/resolv/res_query.c
|
||||
+++ b/resolv/res_query.c
|
||||
@@ -122,7 +122,7 @@ __libc_res_nquery(res_state statp,
|
||||
int n, use_malloc = 0;
|
||||
u_int oflags = statp->_flags;
|
||||
|
||||
- size_t bufsize = (type == T_UNSPEC ? 2 : 1) * QUERYSIZE;
|
||||
+ size_t bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * QUERYSIZE;
|
||||
u_char *buf = alloca (bufsize);
|
||||
u_char *query1 = buf;
|
||||
int nquery1 = -1;
|
||||
@@ -137,7 +137,7 @@ __libc_res_nquery(res_state statp,
|
||||
printf(";; res_query(%s, %d, %d)\n", name, class, type);
|
||||
#endif
|
||||
|
||||
- if (type == T_UNSPEC)
|
||||
+ if (type == T_QUERY_A_AND_AAAA)
|
||||
{
|
||||
n = res_nmkquery(statp, QUERY, name, class, T_A, NULL, 0, NULL,
|
||||
query1, bufsize);
|
||||
@@ -190,7 +190,7 @@ __libc_res_nquery(res_state statp,
|
||||
if (__builtin_expect (n <= 0, 0) && !use_malloc) {
|
||||
/* Retry just in case res_nmkquery failed because of too
|
||||
short buffer. Shouldn't happen. */
|
||||
- bufsize = (type == T_UNSPEC ? 2 : 1) * MAXPACKET;
|
||||
+ bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * MAXPACKET;
|
||||
buf = malloc (bufsize);
|
||||
if (buf != NULL) {
|
||||
query1 = buf;
|
||||
diff --git a/resolv/tst-resolv-qtypes.c b/resolv/tst-resolv-qtypes.c
|
||||
new file mode 100644
|
||||
index 0000000..b3e60c6
|
||||
--- /dev/null
|
||||
+++ b/resolv/tst-resolv-qtypes.c
|
||||
@@ -0,0 +1,185 @@
|
||||
+/* Exercise low-level query functions with different QTYPEs.
|
||||
+ Copyright (C) 2016 Free Software Foundation, Inc.
|
||||
+ This file is part of the GNU C Library.
|
||||
+
|
||||
+ The GNU C Library is free software; you can redistribute it and/or
|
||||
+ modify it under the terms of the GNU Lesser General Public
|
||||
+ License as published by the Free Software Foundation; either
|
||||
+ version 2.1 of the License, or (at your option) any later version.
|
||||
+
|
||||
+ The GNU C Library is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+ Lesser General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU Lesser General Public
|
||||
+ License along with the GNU C Library; if not, see
|
||||
+ <http://www.gnu.org/licenses/>. */
|
||||
+
|
||||
+#include <resolv.h>
|
||||
+#include <string.h>
|
||||
+#include <support/check.h>
|
||||
+#include <support/check_nss.h>
|
||||
+#include <support/resolv_test.h>
|
||||
+#include <support/support.h>
|
||||
+#include <support/test-driver.h>
|
||||
+#include <support/xmemstream.h>
|
||||
+
|
||||
+/* If ture, the response function will send the actual response packet
|
||||
+ over TCP instead of UDP. */
|
||||
+static volatile bool force_tcp;
|
||||
+
|
||||
+/* Send back a fake resource record matching the QTYPE. */
|
||||
+static void
|
||||
+response (const struct resolv_response_context *ctx,
|
||||
+ struct resolv_response_builder *b,
|
||||
+ const char *qname, uint16_t qclass, uint16_t qtype)
|
||||
+{
|
||||
+ if (force_tcp && ctx->tcp)
|
||||
+ {
|
||||
+ resolv_response_init (b, (struct resolv_response_flags) { .tc = 1 });
|
||||
+ resolv_response_add_question (b, qname, qclass, qtype);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ resolv_response_init (b, (struct resolv_response_flags) { });
|
||||
+ resolv_response_add_question (b, qname, qclass, qtype);
|
||||
+ resolv_response_section (b, ns_s_an);
|
||||
+ resolv_response_open_record (b, qname, qclass, qtype, 0);
|
||||
+ resolv_response_add_data (b, &qtype, sizeof (qtype));
|
||||
+ resolv_response_close_record (b);
|
||||
+}
|
||||
+
|
||||
+static const const char *domain = "www.example.com";
|
||||
+
|
||||
+static int
|
||||
+wrap_res_query (int type, unsigned char *answer, int answer_length)
|
||||
+{
|
||||
+ return res_query (domain, C_IN, type, answer, answer_length);
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+wrap_res_search (int type, unsigned char *answer, int answer_length)
|
||||
+{
|
||||
+ return res_query (domain, C_IN, type, answer, answer_length);
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+wrap_res_querydomain (int type, unsigned char *answer, int answer_length)
|
||||
+{
|
||||
+ return res_querydomain ("www", "example.com", C_IN, type,
|
||||
+ answer, answer_length);
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+wrap_res_send (int type, unsigned char *answer, int answer_length)
|
||||
+{
|
||||
+ unsigned char buf[512];
|
||||
+ int ret = res_mkquery (QUERY, domain, C_IN, type,
|
||||
+ (const unsigned char *) "", 0, NULL,
|
||||
+ buf, sizeof (buf));
|
||||
+ if (type < 0 || type >= 65536)
|
||||
+ {
|
||||
+ /* res_mkquery fails for out-of-range record types. */
|
||||
+ TEST_VERIFY_EXIT (ret == -1);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ TEST_VERIFY_EXIT (ret > 12); /* DNS header length. */
|
||||
+ return res_send (buf, ret, answer, answer_length);
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+wrap_res_nquery (int type, unsigned char *answer, int answer_length)
|
||||
+{
|
||||
+ return res_nquery (&_res, domain, C_IN, type, answer, answer_length);
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+wrap_res_nsearch (int type, unsigned char *answer, int answer_length)
|
||||
+{
|
||||
+ return res_nquery (&_res, domain, C_IN, type, answer, answer_length);
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+wrap_res_nquerydomain (int type, unsigned char *answer, int answer_length)
|
||||
+{
|
||||
+ return res_nquerydomain (&_res, "www", "example.com", C_IN, type,
|
||||
+ answer, answer_length);
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+wrap_res_nsend (int type, unsigned char *answer, int answer_length)
|
||||
+{
|
||||
+ unsigned char buf[512];
|
||||
+ int ret = res_nmkquery (&_res, QUERY, domain, C_IN, type,
|
||||
+ (const unsigned char *) "", 0, NULL,
|
||||
+ buf, sizeof (buf));
|
||||
+ if (type < 0 || type >= 65536)
|
||||
+ {
|
||||
+ /* res_mkquery fails for out-of-range record types. */
|
||||
+ TEST_VERIFY_EXIT (ret == -1);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ TEST_VERIFY_EXIT (ret > 12); /* DNS header length. */
|
||||
+ return res_nsend (&_res, buf, ret, answer, answer_length);
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+test_function (const char *fname,
|
||||
+ int (*func) (int type,
|
||||
+ unsigned char *answer, int answer_length))
|
||||
+{
|
||||
+ unsigned char buf[512];
|
||||
+ for (int tcp = 0; tcp < 2; ++tcp)
|
||||
+ {
|
||||
+ force_tcp = tcp;
|
||||
+ for (unsigned int type = 1; type <= 65535; ++type)
|
||||
+ {
|
||||
+ if (test_verbose)
|
||||
+ printf ("info: sending QTYPE %d with %s (tcp=%d)\n",
|
||||
+ type, fname, tcp);
|
||||
+ int ret = func (type, buf, sizeof (buf));
|
||||
+ if (ret != 47)
|
||||
+ FAIL_EXIT1 ("%s tcp=%d qtype=%d return value %d",
|
||||
+ fname,tcp, type, ret);
|
||||
+ /* One question, one answer record. */
|
||||
+ TEST_VERIFY (memcmp (buf + 4, "\0\1\0\1\0\0\0\0", 8) == 0);
|
||||
+ /* Question section. */
|
||||
+ static const char qname[] = "\3www\7example\3com";
|
||||
+ size_t qname_length = sizeof (qname);
|
||||
+ TEST_VERIFY (memcmp (buf + 12, qname, qname_length) == 0);
|
||||
+ /* RDATA part of answer. */
|
||||
+ uint16_t type16 = type;
|
||||
+ TEST_VERIFY (memcmp (buf + ret - 2, &type16, sizeof (type16)) == 0);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ TEST_VERIFY (func (-1, buf, sizeof (buf) == -1));
|
||||
+ TEST_VERIFY (func (65536, buf, sizeof (buf) == -1));
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+do_test (void)
|
||||
+{
|
||||
+ struct resolv_redirect_config config =
|
||||
+ {
|
||||
+ .response_callback = response,
|
||||
+ };
|
||||
+ struct resolv_test *obj = resolv_test_start (config);
|
||||
+
|
||||
+ test_function ("res_query", &wrap_res_query);
|
||||
+ test_function ("res_search", &wrap_res_search);
|
||||
+ test_function ("res_querydomain", &wrap_res_querydomain);
|
||||
+ test_function ("res_send", &wrap_res_send);
|
||||
+
|
||||
+ test_function ("res_nquery", &wrap_res_nquery);
|
||||
+ test_function ("res_nsearch", &wrap_res_nsearch);
|
||||
+ test_function ("res_nquerydomain", &wrap_res_nquerydomain);
|
||||
+ test_function ("res_nsend", &wrap_res_nsend);
|
||||
+
|
||||
+ resolv_test_end (obj);
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+#define TIMEOUT 300
|
||||
+#include <support/test-driver.c>
|
||||
--
|
||||
2.9.3
|
||||
|
Loading…
Reference in New Issue