summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorEfraim Flashner <efraim@flashner.co.il>2017-08-02 20:48:12 +0300
committerEfraim Flashner <efraim@flashner.co.il>2017-08-02 21:51:31 +0300
commit575e5e4e51e01aed1044cd8ba9e00a9631eba794 (patch)
tree2739923ae722d649290716b2cd2513e757052eef
parent2c5cf844302e06086647a137f01a35f777ae25d7 (diff)
gnu: glibc@2.24: Fix CVE-2015-5180.
* gnu/packages/base.scm (glibc@2.24)[source]: Add patch. * gnu/packages/patches/glibc-CVE-2015-5180.patch: New file. * gnu/local.mk (dist_patch_DATA): Register it.
-rw-r--r--gnu/local.mk1
-rw-r--r--gnu/packages/base.scm1
-rw-r--r--gnu/packages/patches/glibc-CVE-2015-5180.patch311
3 files changed, 313 insertions, 0 deletions
diff --git a/gnu/local.mk b/gnu/local.mk
index db8be36fb4..5cc8b64aa0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -644,6 +644,7 @@ dist_patch_DATA = \
%D%/packages/patches/ghostscript-runpath.patch \
%D%/packages/patches/glib-networking-ssl-cert-file.patch \
%D%/packages/patches/glib-tests-timer.patch \
+ %D%/packages/patches/glibc-CVE-2015-5180.patch \
%D%/packages/patches/glibc-CVE-2017-1000366-pt1.patch \
%D%/packages/patches/glibc-CVE-2017-1000366-pt2.patch \
%D%/packages/patches/glibc-CVE-2017-1000366-pt3.patch \
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index 2040f84bf1..f23db9a778 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -933,6 +933,7 @@ GLIBC/HURD for a Hurd host"
"glibc-versioned-locpath.patch"
"glibc-o-largefile.patch"
"glibc-vectorized-strcspn-guards.patch"
+ "glibc-CVE-2015-5180.patch"
"glibc-CVE-2017-1000366-pt1.patch"
"glibc-CVE-2017-1000366-pt2.patch"
"glibc-CVE-2017-1000366-pt3.patch"))))))
diff --git a/gnu/packages/patches/glibc-CVE-2015-5180.patch b/gnu/packages/patches/glibc-CVE-2015-5180.patch
new file mode 100644
index 0000000000..92e3740fc1
--- /dev/null
+++ b/gnu/packages/patches/glibc-CVE-2015-5180.patch
@@ -0,0 +1,311 @@
+From b3b37f1a5559a7620e31c8053ed1b44f798f2b6d Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Sat, 31 Dec 2016 20:22:09 +0100
+Subject: [PATCH] CVE-2015-5180: resolv: Fix crash with internal QTYPE [BZ
+ #18784]
+
+Also rename T_UNSPEC because an upcoming public header file
+update will use that name.
+
+(cherry picked from commit fc82b0a2dfe7dbd35671c10510a8da1043d746a5)
+---
+ ChangeLog | 14 ++++
+ NEWS | 6 ++
+ include/arpa/nameser_compat.h | 6 +-
+ resolv/Makefile | 5 ++
+ resolv/nss_dns/dns-host.c | 2 +-
+ resolv/res_mkquery.c | 4 +
+ resolv/res_query.c | 6 +-
+ resolv/tst-resolv-qtypes.c | 185 ++++++++++++++++++++++++++++++++++++++++++
+ 8 files changed, 221 insertions(+), 7 deletions(-)
+ create mode 100644 resolv/tst-resolv-qtypes.c
+
+diff --git a/include/arpa/nameser_compat.h b/include/arpa/nameser_compat.h
+index 2e735ed..7c0deed 100644
+--- a/include/arpa/nameser_compat.h
++++ b/include/arpa/nameser_compat.h
+@@ -1,8 +1,8 @@
+ #ifndef _ARPA_NAMESER_COMPAT_
+ #include <resolv/arpa/nameser_compat.h>
+
+-/* Picksome unused number to represent lookups of IPv4 and IPv6 (i.e.,
+- T_A and T_AAAA). */
+-#define T_UNSPEC 62321
++/* The number is outside the 16-bit RR type range and is used
++ internally by the implementation. */
++#define T_QUERY_A_AND_AAAA 439963904
+
+ #endif
+diff --git a/resolv/Makefile b/resolv/Makefile
+index 8be41d3..a4c86b9 100644
+--- a/resolv/Makefile
++++ b/resolv/Makefile
+@@ -40,6 +40,9 @@ ifeq ($(have-thread-library),yes)
+ extra-libs += libanl
+ routines += gai_sigqueue
+ tests += tst-res_hconf_reorder
++
++# This test sends millions of packets and is rather slow.
++xtests += tst-resolv-qtypes
+ endif
+ extra-libs-others = $(extra-libs)
+ libresolv-routines := gethnamaddr res_comp res_debug \
+@@ -117,3 +120,5 @@ tst-leaks2-ENV = MALLOC_TRACE=$(objpfx)tst-leaks2.mtrace
+ $(objpfx)mtrace-tst-leaks2.out: $(objpfx)tst-leaks2.out
+ $(common-objpfx)malloc/mtrace $(objpfx)tst-leaks2.mtrace > $@; \
+ $(evaluate-test)
++
++$(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library)
+diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
+index 5f9e357..d16fa4b 100644
+--- a/resolv/nss_dns/dns-host.c
++++ b/resolv/nss_dns/dns-host.c
+@@ -323,7 +323,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
+
+ int olderr = errno;
+ enum nss_status status;
+- int n = __libc_res_nsearch (&_res, name, C_IN, T_UNSPEC,
++ int n = __libc_res_nsearch (&_res, name, C_IN, T_QUERY_A_AND_AAAA,
+ host_buffer.buf->buf, 2048, &host_buffer.ptr,
+ &ans2p, &nans2p, &resplen2, &ans2p_malloced);
+ if (n >= 0)
+diff --git a/resolv/res_mkquery.c b/resolv/res_mkquery.c
+index 12f9730..d80b531 100644
+--- a/resolv/res_mkquery.c
++++ b/resolv/res_mkquery.c
+@@ -103,6 +103,10 @@ res_nmkquery(res_state statp,
+ int n;
+ u_char *dnptrs[20], **dpp, **lastdnptr;
+
++ if (class < 0 || class > 65535
++ || type < 0 || type > 65535)
++ return -1;
++
+ #ifdef DEBUG
+ if (statp->options & RES_DEBUG)
+ printf(";; res_nmkquery(%s, %s, %s, %s)\n",
+diff --git a/resolv/res_query.c b/resolv/res_query.c
+index 944d1a9..07dc6f6 100644
+--- a/resolv/res_query.c
++++ b/resolv/res_query.c
+@@ -122,7 +122,7 @@ __libc_res_nquery(res_state statp,
+ int n, use_malloc = 0;
+ u_int oflags = statp->_flags;
+
+- size_t bufsize = (type == T_UNSPEC ? 2 : 1) * QUERYSIZE;
++ size_t bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * QUERYSIZE;
+ u_char *buf = alloca (bufsize);
+ u_char *query1 = buf;
+ int nquery1 = -1;
+@@ -137,7 +137,7 @@ __libc_res_nquery(res_state statp,
+ printf(";; res_query(%s, %d, %d)\n", name, class, type);
+ #endif
+
+- if (type == T_UNSPEC)
++ if (type == T_QUERY_A_AND_AAAA)
+ {
+ n = res_nmkquery(statp, QUERY, name, class, T_A, NULL, 0, NULL,
+ query1, bufsize);
+@@ -190,7 +190,7 @@ __libc_res_nquery(res_state statp,
+ if (__builtin_expect (n <= 0, 0) && !use_malloc) {
+ /* Retry just in case res_nmkquery failed because of too
+ short buffer. Shouldn't happen. */
+- bufsize = (type == T_UNSPEC ? 2 : 1) * MAXPACKET;
++ bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * MAXPACKET;
+ buf = malloc (bufsize);
+ if (buf != NULL) {
+ query1 = buf;
+diff --git a/resolv/tst-resolv-qtypes.c b/resolv/tst-resolv-qtypes.c
+new file mode 100644
+index 0000000..b3e60c6
+--- /dev/null
++++ b/resolv/tst-resolv-qtypes.c
+@@ -0,0 +1,185 @@
++/* Exercise low-level query functions with different QTYPEs.
++ Copyright (C) 2016 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <resolv.h>
++#include <string.h>
++#include <support/check.h>
++#include <support/check_nss.h>
++#include <support/resolv_test.h>
++#include <support/support.h>
++#include <support/test-driver.h>
++#include <support/xmemstream.h>
++
++/* If ture, the response function will send the actual response packet
++ over TCP instead of UDP. */
++static volatile bool force_tcp;
++
++/* Send back a fake resource record matching the QTYPE. */
++static void
++response (const struct resolv_response_context *ctx,
++ struct resolv_response_builder *b,
++ const char *qname, uint16_t qclass, uint16_t qtype)
++{
++ if (force_tcp && ctx->tcp)
++ {
++ resolv_response_init (b, (struct resolv_response_flags) { .tc = 1 });
++ resolv_response_add_question (b, qname, qclass, qtype);
++ return;
++ }
++
++ resolv_response_init (b, (struct resolv_response_flags) { });
++ resolv_response_add_question (b, qname, qclass, qtype);
++ resolv_response_section (b, ns_s_an);
++ resolv_response_open_record (b, qname, qclass, qtype, 0);
++ resolv_response_add_data (b, &qtype, sizeof (qtype));
++ resolv_response_close_record (b);
++}
++
++static const const char *domain = "www.example.com";
++
++static int
++wrap_res_query (int type, unsigned char *answer, int answer_length)
++{
++ return res_query (domain, C_IN, type, answer, answer_length);
++}
++
++static int
++wrap_res_search (int type, unsigned char *answer, int answer_length)
++{
++ return res_query (domain, C_IN, type, answer, answer_length);
++}
++
++static int
++wrap_res_querydomain (int type, unsigned char *answer, int answer_length)
++{
++ return res_querydomain ("www", "example.com", C_IN, type,
++ answer, answer_length);
++}
++
++static int
++wrap_res_send (int type, unsigned char *answer, int answer_length)
++{
++ unsigned char buf[512];
++ int ret = res_mkquery (QUERY, domain, C_IN, type,
++ (const unsigned char *) "", 0, NULL,
++ buf, sizeof (buf));
++ if (type < 0 || type >= 65536)
++ {
++ /* res_mkquery fails for out-of-range record types. */
++ TEST_VERIFY_EXIT (ret == -1);
++ return -1;
++ }
++ TEST_VERIFY_EXIT (ret > 12); /* DNS header length. */
++ return res_send (buf, ret, answer, answer_length);
++}
++
++static int
++wrap_res_nquery (int type, unsigned char *answer, int answer_length)
++{
++ return res_nquery (&_res, domain, C_IN, type, answer, answer_length);
++}
++
++static int
++wrap_res_nsearch (int type, unsigned char *answer, int answer_length)
++{
++ return res_nquery (&_res, domain, C_IN, type, answer, answer_length);
++}
++
++static int
++wrap_res_nquerydomain (int type, unsigned char *answer, int answer_length)
++{
++ return res_nquerydomain (&_res, "www", "example.com", C_IN, type,
++ answer, answer_length);
++}
++
++static int
++wrap_res_nsend (int type, unsigned char *answer, int answer_length)
++{
++ unsigned char buf[512];
++ int ret = res_nmkquery (&_res, QUERY, domain, C_IN, type,
++ (const unsigned char *) "", 0, NULL,
++ buf, sizeof (buf));
++ if (type < 0 || type >= 65536)
++ {
++ /* res_mkquery fails for out-of-range record types. */
++ TEST_VERIFY_EXIT (ret == -1);
++ return -1;
++ }
++ TEST_VERIFY_EXIT (ret > 12); /* DNS header length. */
++ return res_nsend (&_res, buf, ret, answer, answer_length);
++}
++
++static void
++test_function (const char *fname,
++ int (*func) (int type,
++ unsigned char *answer, int answer_length))
++{
++ unsigned char buf[512];
++ for (int tcp = 0; tcp < 2; ++tcp)
++ {
++ force_tcp = tcp;
++ for (unsigned int type = 1; type <= 65535; ++type)
++ {
++ if (test_verbose)
++ printf ("info: sending QTYPE %d with %s (tcp=%d)\n",
++ type, fname, tcp);
++ int ret = func (type, buf, sizeof (buf));
++ if (ret != 47)
++ FAIL_EXIT1 ("%s tcp=%d qtype=%d return value %d",
++ fname,tcp, type, ret);
++ /* One question, one answer record. */
++ TEST_VERIFY (memcmp (buf + 4, "\0\1\0\1\0\0\0\0", 8) == 0);
++ /* Question section. */
++ static const char qname[] = "\3www\7example\3com";
++ size_t qname_length = sizeof (qname);
++ TEST_VERIFY (memcmp (buf + 12, qname, qname_length) == 0);
++ /* RDATA part of answer. */
++ uint16_t type16 = type;
++ TEST_VERIFY (memcmp (buf + ret - 2, &type16, sizeof (type16)) == 0);
++ }
++ }
++
++ TEST_VERIFY (func (-1, buf, sizeof (buf) == -1));
++ TEST_VERIFY (func (65536, buf, sizeof (buf) == -1));
++}
++
++static int
++do_test (void)
++{
++ struct resolv_redirect_config config =
++ {
++ .response_callback = response,
++ };
++ struct resolv_test *obj = resolv_test_start (config);
++
++ test_function ("res_query", &wrap_res_query);
++ test_function ("res_search", &wrap_res_search);
++ test_function ("res_querydomain", &wrap_res_querydomain);
++ test_function ("res_send", &wrap_res_send);
++
++ test_function ("res_nquery", &wrap_res_nquery);
++ test_function ("res_nsearch", &wrap_res_nsearch);
++ test_function ("res_nquerydomain", &wrap_res_nquerydomain);
++ test_function ("res_nsend", &wrap_res_nsend);
++
++ resolv_test_end (obj);
++ return 0;
++}
++
++#define TIMEOUT 300
++#include <support/test-driver.c>
+--
+2.9.3
+