summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2015-01-21 12:43:11 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-01-28 21:22:23 +0000
commitf03bf84c179f69ef4800ed92a4a9d9401d0e5966 (patch)
tree6882931cdebe19b7d0ed91980953921168a18949
parentccb86249b2b29686303ed04aac74887f0fa490df (diff)
downloadopenembedded-core-f03bf84c179f69ef4800ed92a4a9d9401d0e5966.tar.gz
openembedded-core-f03bf84c179f69ef4800ed92a4a9d9401d0e5966.tar.bz2
openembedded-core-f03bf84c179f69ef4800ed92a4a9d9401d0e5966.zip
glibc: CVE-2014-9402 endless loop in getaddr_r
The getnetbyname function in glibc 2.21 in earlier will enter an infinite loop if the DNS backend is activated in the system Name Service Switch configuration, and the DNS resolver receives a positive answer while processing the network name. Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2014-9402_endless-loop-in-getaddr_r.patch65
-rw-r--r--meta/recipes-core/glibc/glibc_2.20.bb1
2 files changed, 66 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2014-9402_endless-loop-in-getaddr_r.patch b/meta/recipes-core/glibc/glibc/CVE-2014-9402_endless-loop-in-getaddr_r.patch
new file mode 100644
index 0000000000..ba1da67b76
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2014-9402_endless-loop-in-getaddr_r.patch
@@ -0,0 +1,65 @@
+CVE-2014-9402 endless loop in getaddr_r
+
+
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=11e3417af6e354f1942c68a271ae51e892b2814d
+
+Upstream-Status: Backport
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+From 11e3417af6e354f1942c68a271ae51e892b2814d Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 15 Dec 2014 17:41:13 +0100
+Subject: [PATCH] Avoid infinite loop in nss_dns getnetbyname [BZ #17630]
+
+---
+ ChangeLog | 6 ++++++
+ NEWS | 7 +++++--
+ resolv/nss_dns/dns-network.c | 4 ++--
+ 3 files changed, 13 insertions(+), 4 deletions(-)
+
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
++++ git/NEWS
+@@ -24,7 +24,10 @@ Version 2.20
+ 17031, 17042, 17048, 17050, 17058, 17061, 17062, 17069, 17075, 17078,
+ 17079, 17084, 17086, 17088, 17092, 17097, 17125, 17135, 17137, 17150,
+ 17153, 17187, 17213, 17259, 17261, 17262, 17263, 17319, 17325, 17354,
+- 17625.
++ 17625, 17630.
++
++* The nss_dns implementation of getnetbyname could run into an infinite loop
++ if the DNS response contained a PTR record of an unexpected format.
+
+ * CVE-2104-7817 The wordexp function could ignore the WRDE_NOCMD flag
+ under certain input conditions resulting in the execution of a shell for
+Index: git/resolv/nss_dns/dns-network.c
+===================================================================
+--- git.orig/resolv/nss_dns/dns-network.c
++++ git/resolv/nss_dns/dns-network.c
+@@ -398,8 +398,8 @@ getanswer_r (const querybuf *answer, int
+
+ case BYNAME:
+ {
+- char **ap = result->n_aliases++;
+- while (*ap != NULL)
++ char **ap;
++ for (ap = result->n_aliases; *ap != NULL; ++ap)
+ {
+ /* Check each alias name for being of the forms:
+ 4.3.2.1.in-addr.arpa = net 1.2.3.4
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,9 @@
++2014-12-16 Florian Weimer <fweimer@redhat.com>
++
++ [BZ #17630]
++ * resolv/nss_dns/dns-network.c (getanswer_r): Iterate over alias
++ names.
++
+ 2014-12-15 Jeff Law <law@redhat.com>
+
+ [BZ #16617]
diff --git a/meta/recipes-core/glibc/glibc_2.20.bb b/meta/recipes-core/glibc/glibc_2.20.bb
index f67fbfdf0d..8a8b296def 100644
--- a/meta/recipes-core/glibc/glibc_2.20.bb
+++ b/meta/recipes-core/glibc/glibc_2.20.bb
@@ -44,6 +44,7 @@ EGLIBCPATCHES = "\
CVEPATCHES = "\
file://CVE-2014-7817-wordexp-fails-to-honour-WRDE_NOCMD.patch \
file://CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch \
+ file://CVE-2014-9402_endless-loop-in-getaddr_r.patch \
"
LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \