wok-next rev 17546
glibc: CVE-2015-0235 fix
author | Pascal Bellard <pascal.bellard@slitaz.org> |
---|---|
date | Thu Jan 29 11:14:15 2015 +0100 (2015-01-29) |
parents | 30d223dc104f |
children | 45fa4cc38520 |
files | glibc/receipt glibc/stuff/glibc-2.14.1-CVE-2015-0235.patch |
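--- a/glibc/receipt
+++ b/glibc/receipt
@@ -26,7 +26,9 @@
 # Glibc Bug Sort Relocatable Objects Patch
 patch -Np1 -i $stuff/glibc-2.14.1-sort-1.patch
 # Fix a bug that prevents Glibc from building with GCC-4.6.2
- patch -Np1 -i stuff/glibc-2.14.1-gcc_fix-1.patch
+ patch -Np1 -i $stuff/glibc-2.14.1-gcc_fix-1.patch
+ # GHOST
+ patch -Np1 -i $stuff/glibc-2.14.1-CVE-2015-0235.patch
 
 # Build in a separate directory.
 mkdir ../glibc-build && cd ../glibc-build
@@ -92,6 +94,8 @@
 patch -Np1 -i $stuff/glibc-2.14-reexport-rpc-interface.patch
 # http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=bdd816a3 (only fedora branch...)
 patch -Np1 -i $stuff/glibc-2.14-reinstall-nis-rpc-headers.patch
+ # GHOST
+ patch -Np1 -i $stuff/glibc-2.14.1-CVE-2015-0235.patch
 
 # Fix a stack imbalance that occurs under some conditions:
 sed -i '195,213 s/PRIVATE_FUTEX/FUTEX_CLOCK_REALTIME/' \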
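Review bot: Neither added `patch -Np1 -i $stuff/glibc-2.14.1-CVE-2015-0235.patch` line (after the gcc_fix patch in the first hunk, after the reinstall-nis-rpc-headers patch in the second) checks the result as far as these hunks show. A rejected hunk could therefore let the build continue and produce a glibc that is recorded as fixed while `nss/digits_dots.c` is still unpatched. The enclosing functions start outside the hunks; if they do not already abort on a failed command, make the failure explicit, for example `patch -Np1 -i $stuff/glibc-2.14.1-CVE-2015-0235.patch || return 1`. The `# GHOST` comment would also be easier to audit if it named the advisory, e.g. `# CVE-2015-0235 (GHOST): fix buffer size computation in nss/digits_dots.c`.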
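--- /dev/null
+++ b/glibc/stuff/glibc-2.14.1-CVE-2015-0235.patch
@@ -0,0 +1,137 @@
+CVE-2015-0235 GHOST
+From https://sourceware.org/git/?p=glibc.git;a=commit;h=d5dd6189d506068ed11c8bfa1e1e9bffde04decd
+--- glibc-2.14.1/nss/digits_dots.c
++++ glibc-2.14.1/nss/digits_dots.c
+@@ -47,7 +47,10 @@
+ {
+ if (h_errnop)
+ *h_errnop = NETDB_INTERNAL;
+- *result = NULL;
++ if (buffer_size == NULL)
++ *status = NSS_STATUS_TRYAGAIN;
++ else
++ *result = NULL;
+ return -1;
+ }
+
+@@ -84,14 +87,16 @@
+ }
+
+ size_needed = (sizeof (*host_addr)
+- + sizeof (*h_addr_ptrs) + strlen (name) + 1);
++ sizeof (*h_addr_ptrs)
++ + sizeof (*h_allias_ptr) + strlen (name) + 1);
+
+ if (buffer_size == NULL)
+ {
+ if (buflen < size_needed)
+ {
++ *status = NSS_STATUS_TRYAGAIN;
+ if (h_errnop != NULL)
+- *h_errnop = TRY_AGAIN;
++ *h_errnop = NETDB_INTERNAL;
+ __set_errno (ERANGE);
+ goto done;
+ }
+@@ -110,7 +115,7 @@
+ *buffer_size = 0;
+ __set_errno (save);
+ if (h_errnop != NULL)
+- *h_errnop = TRY_AGAIN;
++ *h_errnop = NETDB_INTERNAL;
+ *result = NULL;
+ goto done;
+ }
+@@ -150,7 +155,9 @@
+ if (! ok)
+ {
+ *h_errnop = HOST_NOT_FOUND;
+- if (buffer_size)
++ if (buffer_size == NULL)
++ *status = NSS_STATUS_NOTFOUND:
++ else
+ *result = NULL;
+ goto done;
+ }
+@@ -202,15 +209,6 @@
+
+ if ((isxdigit (name[0]) && strchr (name, ':') != NULL) || name[0] == ':')
+ {
+- const char *cp;
+- char *hostname;
+- typedef unsigned char host_addr_t[16];
+- host_addr_t *host_addr;
+- typedef char *host_addr_list_t[2];
+- host_addr_list_t *h_addr_ptrs;
+- size_t size_needed;
+- int addr_size;
+-
+ switch (af)
+ {
+ default:
+@@ -226,7 +224,10 @@
+ /* This is not possible. We cannot represent an IPv6 address
+ in an `struct in_addr' variable. */
+ *h_errnop = HOST_NOT_FOUND;
+- *result = NULL;
++ if (buffer_size == NULL)
++ *status = NSS_STATUS_NOTFOUND;
++ else
++ *result = NULL;
+ goto done;
+
+ case AF_INET6:
+@@ -234,42 +235,6 @@
+ break;
+ }
+
+- size_needed = (sizeof (*host_addr)
+- + sizeof (*h_addr_ptrs) + strlen (name) + 1);
+-
+- if (buffer_size == NULL && buflen < size_needed)
+- {
+- if (h_errnop != NULL)
+- *h_errnop = TRY_AGAIN;
+- __set_errno (ERANGE);
+- goto done;
+- }
+- else if (buffer_size != NULL && *buffer_size < size_needed)
+- {
+- char *new_buf;
+- *buffer_size = size_needed;
+- new_buf = realloc (*buffer, *buffer_size);
+-
+- if (new_buf == NULL)
+- {
+- save = errno;
+- free (*buffer);
+- __set_errno (save);
+- *buffer = NULL;
+- *buffer_size = 0;
+- *result = NULL;
+- goto done;
+- }
+- *buffer = new_buf;
+- }
+-
+- memset (*buffer, '\0', size_needed);
+-
+- host_addr = (host_addr_t *) *buffer;
+- h_addr_ptrs = (host_addr_list_t *)
+- ((char *) host_addr + sizeof (*host_addr));
+- hostname = (char *) h_addr_ptrs + sizeof (*h_addr_ptrs);
+-
+ for (cp = name;; ++cp)
+ {
+ if (!*cp)
+@@ -282,7 +247,9 @@
+ if (inet_pton (AF_INET6, name, host_addr) <= 0)
+ {
+ *h_errnop = HOST_NOT_FOUND;
+- if (buffer_size)
++ if (buffer_size == NULL)
++ *status = NSS_STATUS_NOTFOUND:
++ else
+ *result = NULL;
+ goto done;
+ }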
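Review bot: As rendered here, the embedded patch does not look like it can yield compilable C, and the damage is in the hunk that carries the actual size fix. In the `@@ -84,14 +87,16 @@` hunk the first added line is `sizeof (*h_addr_ptrs)` without its leading `+` operator, and the next one spells the identifier `h_allias_ptr`. In the `-150,7` and `-282,7` hunks the statement ends in a colon, `*status = NSS_STATUS_NOTFOUND:`, whereas the `-226,7` hunk ends it with `;`. The resulting source lines should read `+ sizeof (*h_addr_ptrs)`, `+ sizeof (*h_alias_ptr) + strlen (name) + 1);` and `*status = NSS_STATUS_NOTFOUND;`, assuming the variable is declared as `h_alias_ptr` in digits_dots.c, which is not visible on this page. The patch also writes through `status` although its only file section is `nss/digits_dots.c` and no hunk declares it, so confirm that the 2.14.1 sources already pass a `status` pointer into this code.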