[notify] glibc-3: reverted CVE-2015-5180 patch - caused resolv problems for some users

4 files changed, 9 insertions, 321 deletions

diff --git a/glibc-32/.md5sum b/glibc-32/.md5sum
index 9d607eed..2177e3e8 100644
--- a/glibc-32/.md5sum
+++ b/glibc-32/.md5sum
@@ -1,4 +1,4 @@
-655f50d41e24dcd37447fd6c63ce3f7f  glibc-2.24-updates.patch
+052018e4621ea8e3d7d8f1b711fcdaa3  glibc-2.24-updates.patch
 97dc5517f92016f3d70d83e3162ad318  glibc-2.24.tar.xz
 ac19b5dac0b160aa59a2e265998c3e91  kernel-headers-4.9.5.tar.xz
 a8f4549c716cd37244fbf1ed059497f8  lib32.conf
diff --git a/glibc-32/.signature b/glibc-32/.signature
index c30b41d8..184f37fc 100644
--- a/glibc-32/.signature
+++ b/glibc-32/.signature
@@ -1,8 +1,8 @@
 untrusted comment: verify with /etc/ports/core.pub
-RWRJc1FUaeVeqnoY9f/WUSSU2kP4f/7u3nFnlwSRMb0MI28wvBXZ/yzOWqBPJzoeN30mfQjnKkfSkZ92JX4mMBXGN4XjPIKRmAs=
-SHA256 (Pkgfile) = 70412cb73d56e5faa146698396967763dac1c80187d3813e2e426d3da36971d0
+RWRJc1FUaeVeqgHIVZCdS2I9jSvM+uPwpamx0V9TvLkWLquTugBPkS5Fhy+AuARhAk2tuHHyo1P8446Ui+0G5BLJ/LqNyLC5QA0=
+SHA256 (Pkgfile) = 62d282b0fe37b75aaf5ba15e589eb11f499de60bc9b265a8891e4f77711cec63
 SHA256 (.footprint) = 0af47db3e8a5ea832d1f971ca56f7718a59167c0214375307a508ff46b327119
 SHA256 (glibc-2.24.tar.xz) = 99d4a3e8efd144d71488e478f62587578c0f4e1fa0b4eed47ee3d4975ebeb5d3
 SHA256 (kernel-headers-4.9.5.tar.xz) = 5783ad8f668ee71561fae370fbcdc477aaa6df249bd85635b87a8c204aeb4aa9
-SHA256 (glibc-2.24-updates.patch) = d74245b3a34b4bcd119ac1da145ee01af77f98c0d3c4bee763049582e8582971
+SHA256 (glibc-2.24-updates.patch) = 11839138c7d82544894df8fb6b505aa7afa1a07e79965a64b2a0dac7a1b0aa64
 SHA256 (lib32.conf) = 2f174d2bcefe1c29327690514f34d6970fffdd54398320ca23a11b5f1e3c9b2d
diff --git a/glibc-32/Pkgfile b/glibc-32/Pkgfile
index 91f2a992..7e3032ca 100644
--- a/glibc-32/Pkgfile
+++ b/glibc-32/Pkgfile
@@ -4,7 +4,7 @@
 
 name=glibc-32
 version=2.24
-release=6
+release=7
 source=(http://ftpmirror.gnu.org/gnu/glibc/glibc-2.24.tar.xz \
 	http://crux.nu/files/distfiles/kernel-headers-4.9.5.tar.xz \
 	glibc-2.24-updates.patch lib32.conf) 
diff --git a/glibc-32/glibc-2.24-updates.patch b/glibc-32/glibc-2.24-updates.patch
index 0fc9dd2c..e6e9084c 100644
--- a/glibc-32/glibc-2.24-updates.patch
+++ b/glibc-32/glibc-2.24-updates.patch
@@ -1,8 +1,8 @@
 diff --git a/ChangeLog b/ChangeLog
-index c44c926094..cd6b5a92e9 100644
+index c44c926094..24693b184a 100644
 --- a/ChangeLog
 +++ b/ChangeLog
-@@ -1,3 +1,565 @@
+@@ -1,3 +1,551 @@
 +2017-06-14  Florian Weimer  <fweimer@redhat.com>
 +
 +	* sysdeps/i386/i686/multiarch/strcspn-c.c: Add IS_IN (libc) guard.
@@ -262,20 +262,6 @@ index c44c926094..cd6b5a92e9 100644
 +	* sysdeps/x86_64/sysdep.h (JUMPTARGET): Check SHARED instead
 +	of PIC.
 +
-+2016-12-31  Florian Weimer  <fweimer@redhat.com>
-+
-+	[BZ #18784]
-+	CVE-2015-5180
-+	* include/arpa/nameser_compat.h (T_QUERY_A_AND_AAAA): Rename from
-+	T_UNSPEC.  Adjust value.
-+	* resolv/nss_dns/dns-host.c (_nss_dns_gethostbyname4_r): Use it.
-+	* resolv/res_query.c (__libc_res_nquery): Likewise.
-+	* resolv/res_mkquery.c (res_nmkquery): Check for out-of-range
-+	QTYPEs.
-+	* resolv/tst-resolv-qtypes.c: New file.
-+	* resolv/Makefile (xtests): Add tst-resolv-qtypes.
-+	(tst-resolv-qtypes): Link against libresolv and libpthread.
-+
 +2017-02-02  Siddhesh Poyarekar  <siddhesh@sourceware.org>
 +
 +	* sysdeps/generic/unsecvars.h: Add GLIBC_TUNABLES.
@@ -623,10 +609,10 @@ index 03fd89c13e..ee379f5852 100644
  
  ifndef avoid-generated
 diff --git a/NEWS b/NEWS
-index b0447e7169..c4c082b415 100644
+index b0447e7169..4a042dbe2b 100644
 --- a/NEWS
 +++ b/NEWS
-@@ -5,6 +5,29 @@ See the end for copying conditions.
+@@ -5,6 +5,17 @@ See the end for copying conditions.
  Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
  using `glibc' in the "product" field.
  
@@ -640,18 +626,6 @@ index b0447e7169..c4c082b415 100644
 +  (denial of service) in some Go applications compiled with gccgo.  Reported
 +  by Andreas Schwab.  (CVE-2016-6323)
 +
-+* The DNS stub resolver functions would crash due to a NULL pointer
-+  dereference when processing a query with a valid DNS question type which
-+  was used internally in the implementation.  The stub resolver now uses a
-+  question type which is outside the range of valid question type values.
-+  (CVE-2015-5180)
-+
-+The following bugs are resolved with this release:
-+
-+  [21209] Ignore and remove LD_HWCAP_MASK for AT_SECURE programs
-+  [21289] Fix symbol redirect for fts_set
-+  [21386] Assertion in fork for distinct parent PID is incorrect
-+  [21624] Unsafe alloca allows local attackers to alias stack and heap (CVE-2017-1000366)
 +
  Version 2.24
  
@@ -1460,22 +1434,6 @@ index 8d8ce5813b..a87028047b 100644
  } *__gconv_t;
  
  /* Transliteration using the locale's data.  */
-diff --git a/include/arpa/nameser_compat.h b/include/arpa/nameser_compat.h
-index 2e735ede4c..7c0deed9ae 100644
---- a/include/arpa/nameser_compat.h
-+++ b/include/arpa/nameser_compat.h
-@@ -1,8 +1,8 @@
- #ifndef _ARPA_NAMESER_COMPAT_
- #include <resolv/arpa/nameser_compat.h>
- 
--/* Picksome unused number to represent lookups of IPv4 and IPv6 (i.e.,
--   T_A and T_AAAA).  */
--#define T_UNSPEC 62321
-+/* The number is outside the 16-bit RR type range and is used
-+   internally by the implementation.  */
-+#define T_QUERY_A_AND_AAAA 439963904
- 
- #endif
 diff --git a/io/fts.h b/io/fts.h
 index 127a0d2721..b6b45206c8 100644
 --- a/io/fts.h
@@ -3036,276 +2994,6 @@ index d933f9c92a..7cdb06a611 100644
  
        __execve (buffer, argv, envp);
  
-diff --git a/resolv/Makefile b/resolv/Makefile
-index 8be41d3ae1..a4c86b9762 100644
---- a/resolv/Makefile
-+++ b/resolv/Makefile
-@@ -40,6 +40,9 @@ ifeq ($(have-thread-library),yes)
- extra-libs += libanl
- routines += gai_sigqueue
- tests += tst-res_hconf_reorder
-+
-+# This test sends millions of packets and is rather slow.
-+xtests += tst-resolv-qtypes
- endif
- extra-libs-others = $(extra-libs)
- libresolv-routines := gethnamaddr res_comp res_debug	\
-@@ -117,3 +120,5 @@ tst-leaks2-ENV = MALLOC_TRACE=$(objpfx)tst-leaks2.mtrace
- $(objpfx)mtrace-tst-leaks2.out: $(objpfx)tst-leaks2.out
- 	$(common-objpfx)malloc/mtrace $(objpfx)tst-leaks2.mtrace > $@; \
- 	$(evaluate-test)
-+
-+$(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library)
-diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
-index 5f9e35701b..d16fa4b8ed 100644
---- a/resolv/nss_dns/dns-host.c
-+++ b/resolv/nss_dns/dns-host.c
-@@ -323,7 +323,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
- 
-   int olderr = errno;
-   enum nss_status status;
--  int n = __libc_res_nsearch (&_res, name, C_IN, T_UNSPEC,
-+  int n = __libc_res_nsearch (&_res, name, C_IN, T_QUERY_A_AND_AAAA,
- 			      host_buffer.buf->buf, 2048, &host_buffer.ptr,
- 			      &ans2p, &nans2p, &resplen2, &ans2p_malloced);
-   if (n >= 0)
-diff --git a/resolv/res_mkquery.c b/resolv/res_mkquery.c
-index 12f9730199..d80b5318e5 100644
---- a/resolv/res_mkquery.c
-+++ b/resolv/res_mkquery.c
-@@ -103,6 +103,10 @@ res_nmkquery(res_state statp,
- 	int n;
- 	u_char *dnptrs[20], **dpp, **lastdnptr;
- 
-+	if (class < 0 || class > 65535
-+	    || type < 0 || type > 65535)
-+	  return -1;
-+
- #ifdef DEBUG
- 	if (statp->options & RES_DEBUG)
- 		printf(";; res_nmkquery(%s, %s, %s, %s)\n",
-diff --git a/resolv/res_query.c b/resolv/res_query.c
-index 944d1a90f5..07dc6f6583 100644
---- a/resolv/res_query.c
-+++ b/resolv/res_query.c
-@@ -122,7 +122,7 @@ __libc_res_nquery(res_state statp,
- 	int n, use_malloc = 0;
- 	u_int oflags = statp->_flags;
- 
--	size_t bufsize = (type == T_UNSPEC ? 2 : 1) * QUERYSIZE;
-+	size_t bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * QUERYSIZE;
- 	u_char *buf = alloca (bufsize);
- 	u_char *query1 = buf;
- 	int nquery1 = -1;
-@@ -137,7 +137,7 @@ __libc_res_nquery(res_state statp,
- 		printf(";; res_query(%s, %d, %d)\n", name, class, type);
- #endif
- 
--	if (type == T_UNSPEC)
-+	if (type == T_QUERY_A_AND_AAAA)
- 	  {
- 	    n = res_nmkquery(statp, QUERY, name, class, T_A, NULL, 0, NULL,
- 			     query1, bufsize);
-@@ -190,7 +190,7 @@ __libc_res_nquery(res_state statp,
- 	if (__builtin_expect (n <= 0, 0) && !use_malloc) {
- 		/* Retry just in case res_nmkquery failed because of too
- 		   short buffer.  Shouldn't happen.  */
--		bufsize = (type == T_UNSPEC ? 2 : 1) * MAXPACKET;
-+		bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * MAXPACKET;
- 		buf = malloc (bufsize);
- 		if (buf != NULL) {
- 			query1 = buf;
-diff --git a/resolv/tst-resolv-qtypes.c b/resolv/tst-resolv-qtypes.c
-new file mode 100644
-index 0000000000..b3e60c693b
---- /dev/null
-+++ b/resolv/tst-resolv-qtypes.c
-@@ -0,0 +1,185 @@
-+/* Exercise low-level query functions with different QTYPEs.
-+   Copyright (C) 2016 Free Software Foundation, Inc.
-+   This file is part of the GNU C Library.
-+
-+   The GNU C Library is free software; you can redistribute it and/or
-+   modify it under the terms of the GNU Lesser General Public
-+   License as published by the Free Software Foundation; either
-+   version 2.1 of the License, or (at your option) any later version.
-+
-+   The GNU C Library is distributed in the hope that it will be useful,
-+   but WITHOUT ANY WARRANTY; without even the implied warranty of
-+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+   Lesser General Public License for more details.
-+
-+   You should have received a copy of the GNU Lesser General Public
-+   License along with the GNU C Library; if not, see
-+   <http://www.gnu.org/licenses/>.  */
-+
-+#include <resolv.h>
-+#include <string.h>
-+#include <support/check.h>
-+#include <support/check_nss.h>
-+#include <support/resolv_test.h>
-+#include <support/support.h>
-+#include <support/test-driver.h>
-+#include <support/xmemstream.h>
-+
-+/* If ture, the response function will send the actual response packet
-+   over TCP instead of UDP.  */
-+static volatile bool force_tcp;
-+
-+/* Send back a fake resource record matching the QTYPE.  */
-+static void
-+response (const struct resolv_response_context *ctx,
-+          struct resolv_response_builder *b,
-+          const char *qname, uint16_t qclass, uint16_t qtype)
-+{
-+  if (force_tcp && ctx->tcp)
-+    {
-+      resolv_response_init (b, (struct resolv_response_flags) { .tc = 1 });
-+      resolv_response_add_question (b, qname, qclass, qtype);
-+      return;
-+    }
-+
-+  resolv_response_init (b, (struct resolv_response_flags) { });
-+  resolv_response_add_question (b, qname, qclass, qtype);
-+  resolv_response_section (b, ns_s_an);
-+  resolv_response_open_record (b, qname, qclass, qtype, 0);
-+  resolv_response_add_data (b, &qtype, sizeof (qtype));
-+  resolv_response_close_record (b);
-+}
-+
-+static const const char *domain = "www.example.com";
-+
-+static int
-+wrap_res_query (int type, unsigned char *answer, int answer_length)
-+{
-+  return res_query (domain, C_IN, type, answer, answer_length);
-+}
-+
-+static int
-+wrap_res_search (int type, unsigned char *answer, int answer_length)
-+{
-+  return res_query (domain, C_IN, type, answer, answer_length);
-+}
-+
-+static int
-+wrap_res_querydomain (int type, unsigned char *answer, int answer_length)
-+{
-+  return res_querydomain ("www", "example.com", C_IN, type,
-+                           answer, answer_length);
-+}
-+
-+static int
-+wrap_res_send (int type, unsigned char *answer, int answer_length)
-+{
-+  unsigned char buf[512];
-+  int ret = res_mkquery (QUERY, domain, C_IN, type,
-+                         (const unsigned char *) "", 0, NULL,
-+                         buf, sizeof (buf));
-+  if (type < 0 || type >= 65536)
-+    {
-+      /* res_mkquery fails for out-of-range record types.  */
-+      TEST_VERIFY_EXIT (ret == -1);
-+      return -1;
-+    }
-+  TEST_VERIFY_EXIT (ret > 12);  /* DNS header length.  */
-+  return res_send (buf, ret, answer, answer_length);
-+}
-+
-+static int
-+wrap_res_nquery (int type, unsigned char *answer, int answer_length)
-+{
-+  return res_nquery (&_res, domain, C_IN, type, answer, answer_length);
-+}
-+
-+static int
-+wrap_res_nsearch (int type, unsigned char *answer, int answer_length)
-+{
-+  return res_nquery (&_res, domain, C_IN, type, answer, answer_length);
-+}
-+
-+static int
-+wrap_res_nquerydomain (int type, unsigned char *answer, int answer_length)
-+{
-+  return res_nquerydomain (&_res, "www", "example.com", C_IN, type,
-+                           answer, answer_length);
-+}
-+
-+static int
-+wrap_res_nsend (int type, unsigned char *answer, int answer_length)
-+{
-+  unsigned char buf[512];
-+  int ret = res_nmkquery (&_res, QUERY, domain, C_IN, type,
-+                         (const unsigned char *) "", 0, NULL,
-+                         buf, sizeof (buf));
-+  if (type < 0 || type >= 65536)
-+    {
-+      /* res_mkquery fails for out-of-range record types.  */
-+      TEST_VERIFY_EXIT (ret == -1);
-+      return -1;
-+    }
-+  TEST_VERIFY_EXIT (ret > 12);  /* DNS header length.  */
-+  return res_nsend (&_res, buf, ret, answer, answer_length);
-+}
-+
-+static void
-+test_function (const char *fname,
-+               int (*func) (int type,
-+                            unsigned char *answer, int answer_length))
-+{
-+  unsigned char buf[512];
-+  for (int tcp = 0; tcp < 2; ++tcp)
-+    {
-+      force_tcp = tcp;
-+      for (unsigned int type = 1; type <= 65535; ++type)
-+        {
-+          if (test_verbose)
-+            printf ("info: sending QTYPE %d with %s (tcp=%d)\n",
-+                    type, fname, tcp);
-+          int ret = func (type, buf, sizeof (buf));
-+          if (ret != 47)
-+            FAIL_EXIT1 ("%s tcp=%d qtype=%d return value %d",
-+                        fname,tcp, type, ret);
-+          /* One question, one answer record.  */
-+          TEST_VERIFY (memcmp (buf + 4, "\0\1\0\1\0\0\0\0", 8) == 0);
-+          /* Question section.  */
-+          static const char qname[] = "\3www\7example\3com";
-+          size_t qname_length = sizeof (qname);
-+          TEST_VERIFY (memcmp (buf + 12, qname, qname_length) == 0);
-+          /* RDATA part of answer.  */
-+          uint16_t type16 = type;
-+          TEST_VERIFY (memcmp (buf + ret - 2, &type16, sizeof (type16)) == 0);
-+        }
-+    }
-+
-+  TEST_VERIFY (func (-1, buf, sizeof (buf) == -1));
-+  TEST_VERIFY (func (65536, buf, sizeof (buf) == -1));
-+}
-+
-+static int
-+do_test (void)
-+{
-+  struct resolv_redirect_config config =
-+    {
-+      .response_callback = response,
-+    };
-+  struct resolv_test *obj = resolv_test_start (config);
-+
-+  test_function ("res_query", &wrap_res_query);
-+  test_function ("res_search", &wrap_res_search);
-+  test_function ("res_querydomain", &wrap_res_querydomain);
-+  test_function ("res_send", &wrap_res_send);
-+
-+  test_function ("res_nquery", &wrap_res_nquery);
-+  test_function ("res_nsearch", &wrap_res_nsearch);
-+  test_function ("res_nquerydomain", &wrap_res_nquerydomain);
-+  test_function ("res_nsend", &wrap_res_nsend);
-+
-+  resolv_test_end (obj);
-+  return 0;
-+}
-+
-+#define TIMEOUT 300
-+#include <support/test-driver.c>
 diff --git a/scripts/backport-support.sh b/scripts/backport-support.sh
 new file mode 100644
 index 0000000000..2ece7ce575