summaryrefslogtreecommitdiff
path: root/glibc
diff options
context:
space:
mode:
authorFredrik Rinnestam <fredrik@crux.nu>2016-02-16 20:04:40 +0100
committerFredrik Rinnestam <fredrik@crux.nu>2016-02-16 20:04:43 +0100
commit728dbe064f95f3ac5355e23aa4468ff76c38ded5 (patch)
treebb6c488f4d4fe302538eeb7311714f9e1b42b2e2 /glibc
parent5d0e458601ecfe9493e469a4f0d86131ffdfd95c (diff)
downloadcore-728dbe064f95f3ac5355e23aa4468ff76c38ded5.tar.gz
core-728dbe064f95f3ac5355e23aa4468ff76c38ded5.tar.xz
[notify] glibc: added patches for CVE-2015-7547.
Advisory: https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html Thanks for the patches Fedora!
Diffstat (limited to 'glibc')
-rw-r--r--glibc/.md5sum2
-rw-r--r--glibc/CVE-2015-7547.patch555
-rw-r--r--glibc/Pkgfile7
-rw-r--r--glibc/glibc-rh1252570.patch408
4 files changed, 970 insertions, 2 deletions
diff --git a/glibc/.md5sum b/glibc/.md5sum
index 12c68483..eb5c5be7 100644
--- a/glibc/.md5sum
+++ b/glibc/.md5sum
@@ -1,9 +1,11 @@
+49019f98ab824254ebeca5aba2f22ab1 CVE-2015-7547.patch
3972ff7405c89be7f5694bdc28fbd798 CVE-2015-8776.patch
c0e4a708857a0a50b9a3d1a5cc315763 CVE-2015-8777.patch
5cd75bfc0789559553b9c708c6b986ac CVE-2015-8778.patch
9623a770f7a9781272b8f30761cbe256 CVE-2015-8779.patch
aaad345ff18993dafe3e44ac947f7157 glibc-2.20-multilib-dirs.patch
e51e02bf552a0a1fbbdc948fb2f5e83c glibc-2.22.tar.xz
+a3089fb4572929628052c4509ac85a93 glibc-rh1252570.patch
96156bec8e05de67384dc93e72bdc313 host.conf
fbbc215a9b15ba4846f326cc88108057 hosts
87bb2a93d7887505a39fd65a2ee86b8e kernel-headers-4.1.tar.xz
diff --git a/glibc/CVE-2015-7547.patch b/glibc/CVE-2015-7547.patch
new file mode 100644
index 00000000..2a762890
--- /dev/null
+++ b/glibc/CVE-2015-7547.patch
@@ -0,0 +1,555 @@
+Index: b/resolv/nss_dns/dns-host.c
+===================================================================
+--- a/resolv/nss_dns/dns-host.c
++++ b/resolv/nss_dns/dns-host.c
+@@ -1031,7 +1031,10 @@ gaih_getanswer_slice (const querybuf *an
+ int h_namelen = 0;
+
+ if (ancount == 0)
+- return NSS_STATUS_NOTFOUND;
++ {
++ *h_errnop = HOST_NOT_FOUND;
++ return NSS_STATUS_NOTFOUND;
++ }
+
+ while (ancount-- > 0 && cp < end_of_message && had_error == 0)
+ {
+@@ -1208,7 +1211,14 @@ gaih_getanswer_slice (const querybuf *an
+ /* Special case here: if the resolver sent a result but it only
+ contains a CNAME while we are looking for a T_A or T_AAAA record,
+ we fail with NOTFOUND instead of TRYAGAIN. */
+- return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND;
++ if (canon != NULL)
++ {
++ *h_errnop = HOST_NOT_FOUND;
++ return NSS_STATUS_NOTFOUND;
++ }
++
++ *h_errnop = NETDB_INTERNAL;
++ return NSS_STATUS_TRYAGAIN;
+ }
+
+
+@@ -1222,11 +1232,101 @@ gaih_getanswer (const querybuf *answer1,
+
+ enum nss_status status = NSS_STATUS_NOTFOUND;
+
++ /* Combining the NSS status of two distinct queries requires some
++ compromise and attention to symmetry (A or AAAA queries can be
++ returned in any order). What follows is a breakdown of how this
++ code is expected to work and why. We discuss only SUCCESS,
++ TRYAGAIN, NOTFOUND and UNAVAIL, since they are the only returns
++ that apply (though RETURN and MERGE exist). We make a distinction
++ between TRYAGAIN (recoverable) and TRYAGAIN' (not-recoverable).
++ A recoverable TRYAGAIN is almost always due to buffer size issues
++ and returns ERANGE in errno and the caller is expected to retry
++ with a larger buffer.
++
++ Lastly, you may be tempted to make significant changes to the
++ conditions in this code to bring about symmetry between responses.
++ Please don't change anything without due consideration for
++ expected application behaviour. Some of the synthesized responses
++ aren't very well thought out and sometimes appear to imply that
++ IPv4 responses are always answer 1, and IPv6 responses are always
++ answer 2, but that's not true (see the implemetnation of send_dg
++ and send_vc to see response can arrive in any order, particlarly
++ for UDP). However, we expect it holds roughly enough of the time
++ that this code works, but certainly needs to be fixed to make this
++ a more robust implementation.
++
++ ----------------------------------------------
++ | Answer 1 Status / | Synthesized | Reason |
++ | Answer 2 Status | Status | |
++ |--------------------------------------------|
++ | SUCCESS/SUCCESS | SUCCESS | [1] |
++ | SUCCESS/TRYAGAIN | TRYAGAIN | [5] |
++ | SUCCESS/TRYAGAIN' | SUCCESS | [1] |
++ | SUCCESS/NOTFOUND | SUCCESS | [1] |
++ | SUCCESS/UNAVAIL | SUCCESS | [1] |
++ | TRYAGAIN/SUCCESS | TRYAGAIN | [2] |
++ | TRYAGAIN/TRYAGAIN | TRYAGAIN | [2] |
++ | TRYAGAIN/TRYAGAIN' | TRYAGAIN | [2] |
++ | TRYAGAIN/NOTFOUND | TRYAGAIN | [2] |
++ | TRYAGAIN/UNAVAIL | TRYAGAIN | [2] |
++ | TRYAGAIN'/SUCCESS | SUCCESS | [3] |
++ | TRYAGAIN'/TRYAGAIN | TRYAGAIN | [3] |
++ | TRYAGAIN'/TRYAGAIN' | TRYAGAIN' | [3] |
++ | TRYAGAIN'/NOTFOUND | TRYAGAIN' | [3] |
++ | TRYAGAIN'/UNAVAIL | UNAVAIL | [3] |
++ | NOTFOUND/SUCCESS | SUCCESS | [3] |
++ | NOTFOUND/TRYAGAIN | TRYAGAIN | [3] |
++ | NOTFOUND/TRYAGAIN' | TRYAGAIN' | [3] |
++ | NOTFOUND/NOTFOUND | NOTFOUND | [3] |
++ | NOTFOUND/UNAVAIL | UNAVAIL | [3] |
++ | UNAVAIL/SUCCESS | UNAVAIL | [4] |
++ | UNAVAIL/TRYAGAIN | UNAVAIL | [4] |
++ | UNAVAIL/TRYAGAIN' | UNAVAIL | [4] |
++ | UNAVAIL/NOTFOUND | UNAVAIL | [4] |
++ | UNAVAIL/UNAVAIL | UNAVAIL | [4] |
++ ----------------------------------------------
++
++ [1] If the first response is a success we return success.
++ This ignores the state of the second answer and in fact
++ incorrectly sets errno and h_errno to that of the second
++ answer. However because the response is a success we ignore
++ *errnop and *h_errnop (though that means you touched errno on
++ success). We are being conservative here and returning the
++ likely IPv4 response in the first answer as a success.
++
++ [2] If the first response is a recoverable TRYAGAIN we return
++ that instead of looking at the second response. The
++ expectation here is that we have failed to get an IPv4 response
++ and should retry both queries.
++
++ [3] If the first response was not a SUCCESS and the second
++ response is not NOTFOUND (had a SUCCESS, need to TRYAGAIN,
++ or failed entirely e.g. TRYAGAIN' and UNAVAIL) then use the
++ result from the second response, otherwise the first responses
++ status is used. Again we have some odd side-effects when the
++ second response is NOTFOUND because we overwrite *errnop and
++ *h_errnop that means that a first answer of NOTFOUND might see
++ its *errnop and *h_errnop values altered. Whether it matters
++ in practice that a first response NOTFOUND has the wrong
++ *errnop and *h_errnop is undecided.
++
++ [4] If the first response is UNAVAIL we return that instead of
++ looking at the second response. The expectation here is that
++ it will have failed similarly e.g. configuration failure.
++
++ [5] Testing this code is complicated by the fact that truncated
++ second response buffers might be returned as SUCCESS if the
++ first answer is a SUCCESS. To fix this we add symmetry to
++ TRYAGAIN with the second response. If the second response
++ is a recoverable error we now return TRYAGIN even if the first
++ response was SUCCESS. */
++
+ if (anslen1 > 0)
+ status = gaih_getanswer_slice(answer1, anslen1, qname,
+ &pat, &buffer, &buflen,
+ errnop, h_errnop, ttlp,
+ &first);
++
+ if ((status == NSS_STATUS_SUCCESS || status == NSS_STATUS_NOTFOUND
+ || (status == NSS_STATUS_TRYAGAIN
+ /* We want to look at the second answer in case of an
+@@ -1242,8 +1342,15 @@ gaih_getanswer (const querybuf *answer1,
+ &pat, &buffer, &buflen,
+ errnop, h_errnop, ttlp,
+ &first);
++ /* Use the second response status in some cases. */
+ if (status != NSS_STATUS_SUCCESS && status2 != NSS_STATUS_NOTFOUND)
+ status = status2;
++ /* Do not return a truncated second response (unless it was
++ unavoidable e.g. unrecoverable TRYAGAIN). */
++ if (status == NSS_STATUS_SUCCESS
++ && (status2 == NSS_STATUS_TRYAGAIN
++ && *errnop == ERANGE && *h_errnop != NO_RECOVERY))
++ status = NSS_STATUS_TRYAGAIN;
+ }
+
+ return status;
+Index: b/resolv/res_query.c
+===================================================================
+--- a/resolv/res_query.c
++++ b/resolv/res_query.c
+@@ -396,6 +396,7 @@ __libc_res_nsearch(res_state statp,
+ {
+ free (*answerp2);
+ *answerp2 = NULL;
++ *nanswerp2 = 0;
+ *answerp2_malloced = 0;
+ }
+ }
+@@ -447,6 +448,7 @@ __libc_res_nsearch(res_state statp,
+ {
+ free (*answerp2);
+ *answerp2 = NULL;
++ *nanswerp2 = 0;
+ *answerp2_malloced = 0;
+ }
+
+@@ -521,6 +523,7 @@ __libc_res_nsearch(res_state statp,
+ {
+ free (*answerp2);
+ *answerp2 = NULL;
++ *nanswerp2 = 0;
+ *answerp2_malloced = 0;
+ }
+ if (saved_herrno != -1)
+Index: b/resolv/res_send.c
+===================================================================
+--- a/resolv/res_send.c
++++ b/resolv/res_send.c
+@@ -1,3 +1,20 @@
++/* Copyright (C) 2016 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
+ /*
+ * Copyright (c) 1985, 1989, 1993
+ * The Regents of the University of California. All rights reserved.
+@@ -361,6 +378,8 @@ __libc_res_nsend(res_state statp, const
+ #ifdef USE_HOOKS
+ if (__glibc_unlikely (statp->qhook || statp->rhook)) {
+ if (anssiz < MAXPACKET && ansp) {
++ /* Always allocate MAXPACKET, callers expect
++ this specific size. */
+ u_char *buf = malloc (MAXPACKET);
+ if (buf == NULL)
+ return (-1);
+@@ -660,6 +679,77 @@ libresolv_hidden_def (res_nsend)
+
+ /* Private */
+
++/* The send_vc function is responsible for sending a DNS query over TCP
++ to the nameserver numbered NS from the res_state STATP i.e.
++ EXT(statp).nssocks[ns]. The function supports sending both IPv4 and
++ IPv6 queries at the same serially on the same socket.
++
++ Please note that for TCP there is no way to disable sending both
++ queries, unlike UDP, which honours RES_SNGLKUP and RES_SNGLKUPREOP
++ and sends the queries serially and waits for the result after each
++ sent query. This implemetnation should be corrected to honour these
++ options.
++
++ Please also note that for TCP we send both queries over the same
++ socket one after another. This technically violates best practice
++ since the server is allowed to read the first query, respond, and
++ then close the socket (to service another client). If the server
++ does this, then the remaining second query in the socket data buffer
++ will cause the server to send the client an RST which will arrive
++ asynchronously and the client's OS will likely tear down the socket
++ receive buffer resulting in a potentially short read and lost
++ response data. This will force the client to retry the query again,
++ and this process may repeat until all servers and connection resets
++ are exhausted and then the query will fail. It's not known if this
++ happens with any frequency in real DNS server implementations. This
++ implementation should be corrected to use two sockets by default for
++ parallel queries.
++
++ The query stored in BUF of BUFLEN length is sent first followed by
++ the query stored in BUF2 of BUFLEN2 length. Queries are sent
++ serially on the same socket.
++
++ Answers to the query are stored firstly in *ANSP up to a max of
++ *ANSSIZP bytes. If more than *ANSSIZP bytes are needed and ANSCP
++ is non-NULL (to indicate that modifying the answer buffer is allowed)
++ then malloc is used to allocate a new response buffer and ANSCP and
++ ANSP will both point to the new buffer. If more than *ANSSIZP bytes
++ are needed but ANSCP is NULL, then as much of the response as
++ possible is read into the buffer, but the results will be truncated.
++ When truncation happens because of a small answer buffer the DNS
++ packets header feild TC will bet set to 1, indicating a truncated
++ message and the rest of the socket data will be read and discarded.
++
++ Answers to the query are stored secondly in *ANSP2 up to a max of
++ *ANSSIZP2 bytes, with the actual response length stored in
++ *RESPLEN2. If more than *ANSSIZP bytes are needed and ANSP2
++ is non-NULL (required for a second query) then malloc is used to
++ allocate a new response buffer, *ANSSIZP2 is set to the new buffer
++ size and *ANSP2_MALLOCED is set to 1.
++
++ The ANSP2_MALLOCED argument will eventually be removed as the
++ change in buffer pointer can be used to detect the buffer has
++ changed and that the caller should use free on the new buffer.
++
++ Note that the answers may arrive in any order from the server and
++ therefore the first and second answer buffers may not correspond to
++ the first and second queries.
++
++ It is not supported to call this function with a non-NULL ANSP2
++ but a NULL ANSCP. Put another way, you can call send_vc with a
++ single unmodifiable buffer or two modifiable buffers, but no other
++ combination is supported.
++
++ It is the caller's responsibility to free the malloc allocated
++ buffers by detecting that the pointers have changed from their
++ original values i.e. *ANSCP or *ANSP2 has changed.
++
++ If errors are encountered then *TERRNO is set to an appropriate
++ errno value and a zero result is returned for a recoverable error,
++ and a less-than zero result is returned for a non-recoverable error.
++
++ If no errors are encountered then *TERRNO is left unmodified and
++ a the length of the first response in bytes is returned. */
+ static int
+ send_vc(res_state statp,
+ const u_char *buf, int buflen, const u_char *buf2, int buflen2,
+@@ -669,11 +759,7 @@ send_vc(res_state statp,
+ {
+ const HEADER *hp = (HEADER *) buf;
+ const HEADER *hp2 = (HEADER *) buf2;
+- u_char *ans = *ansp;
+- int orig_anssizp = *anssizp;
+- // XXX REMOVE
+- // int anssiz = *anssizp;
+- HEADER *anhp = (HEADER *) ans;
++ HEADER *anhp = (HEADER *) *ansp;
+ struct sockaddr_in6 *nsap = EXT(statp).nsaddrs[ns];
+ int truncating, connreset, n;
+ /* On some architectures compiler might emit a warning indicating
+@@ -766,6 +852,8 @@ send_vc(res_state statp,
+ * Receive length & response
+ */
+ int recvresp1 = 0;
++ /* Skip the second response if there is no second query.
++ To do that we mark the second response as received. */
+ int recvresp2 = buf2 == NULL;
+ uint16_t rlen16;
+ read_len:
+@@ -802,40 +890,14 @@ send_vc(res_state statp,
+ u_char **thisansp;
+ int *thisresplenp;
+ if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) {
++ /* We have not received any responses
++ yet or we only have one response to
++ receive. */
+ thisanssizp = anssizp;
+ thisansp = anscp ?: ansp;
+ assert (anscp != NULL || ansp2 == NULL);
+ thisresplenp = &resplen;
+ } else {
+- if (*anssizp != MAXPACKET) {
+- /* No buffer allocated for the first
+- reply. We can try to use the rest
+- of the user-provided buffer. */
+-#if __GNUC_PREREQ (4, 7)
+- DIAG_PUSH_NEEDS_COMMENT;
+- DIAG_IGNORE_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
+-#endif
+-#if _STRING_ARCH_unaligned
+- *anssizp2 = orig_anssizp - resplen;
+- *ansp2 = *ansp + resplen;
+-#else
+- int aligned_resplen
+- = ((resplen + __alignof__ (HEADER) - 1)
+- & ~(__alignof__ (HEADER) - 1));
+- *anssizp2 = orig_anssizp - aligned_resplen;
+- *ansp2 = *ansp + aligned_resplen;
+-#endif
+-#if __GNUC_PREREQ (4, 7)
+- DIAG_POP_NEEDS_COMMENT;
+-#endif
+- } else {
+- /* The first reply did not fit into the
+- user-provided buffer. Maybe the second
+- answer will. */
+- *anssizp2 = orig_anssizp;
+- *ansp2 = *ansp;
+- }
+-
+ thisanssizp = anssizp2;
+ thisansp = ansp2;
+ thisresplenp = resplen2;
+@@ -843,10 +905,14 @@ send_vc(res_state statp,
+ anhp = (HEADER *) *thisansp;
+
+ *thisresplenp = rlen;
+- if (rlen > *thisanssizp) {
+- /* Yes, we test ANSCP here. If we have two buffers
+- both will be allocatable. */
+- if (__glibc_likely (anscp != NULL)) {
++ /* Is the answer buffer too small? */
++ if (*thisanssizp < rlen) {
++ /* If the current buffer is non-NULL and it's not
++ pointing at the static user-supplied buffer then
++ we can reallocate it. */
++ if (thisansp != NULL && thisansp != ansp) {
++ /* Always allocate MAXPACKET, callers expect
++ this specific size. */
+ u_char *newp = malloc (MAXPACKET);
+ if (newp == NULL) {
+ *terrno = ENOMEM;
+@@ -858,6 +924,9 @@ send_vc(res_state statp,
+ if (thisansp == ansp2)
+ *ansp2_malloced = 1;
+ anhp = (HEADER *) newp;
++ /* A uint16_t can't be larger than MAXPACKET
++ thus it's safe to allocate MAXPACKET but
++ read RLEN bytes instead. */
+ len = rlen;
+ } else {
+ Dprint(statp->options & RES_DEBUG,
+@@ -1021,6 +1090,66 @@ reopen (res_state statp, int *terrno, in
+ return 1;
+ }
+
++/* The send_dg function is responsible for sending a DNS query over UDP
++ to the nameserver numbered NS from the res_state STATP i.e.
++ EXT(statp).nssocks[ns]. The function supports IPv4 and IPv6 queries
++ along with the ability to send the query in parallel for both stacks
++ (default) or serially (RES_SINGLKUP). It also supports serial lookup
++ with a close and reopen of the socket used to talk to the server
++ (RES_SNGLKUPREOP) to work around broken name servers.
++
++ The query stored in BUF of BUFLEN length is sent first followed by
++ the query stored in BUF2 of BUFLEN2 length. Queries are sent
++ in parallel (default) or serially (RES_SINGLKUP or RES_SNGLKUPREOP).
++
++ Answers to the query are stored firstly in *ANSP up to a max of
++ *ANSSIZP bytes. If more than *ANSSIZP bytes are needed and ANSCP
++ is non-NULL (to indicate that modifying the answer buffer is allowed)
++ then malloc is used to allocate a new response buffer and ANSCP and
++ ANSP will both point to the new buffer. If more than *ANSSIZP bytes
++ are needed but ANSCP is NULL, then as much of the response as
++ possible is read into the buffer, but the results will be truncated.
++ When truncation happens because of a small answer buffer the DNS
++ packets header feild TC will bet set to 1, indicating a truncated
++ message, while the rest of the UDP packet is discarded.
++
++ Answers to the query are stored secondly in *ANSP2 up to a max of
++ *ANSSIZP2 bytes, with the actual response length stored in
++ *RESPLEN2. If more than *ANSSIZP bytes are needed and ANSP2
++ is non-NULL (required for a second query) then malloc is used to
++ allocate a new response buffer, *ANSSIZP2 is set to the new buffer
++ size and *ANSP2_MALLOCED is set to 1.
++
++ The ANSP2_MALLOCED argument will eventually be removed as the
++ change in buffer pointer can be used to detect the buffer has
++ changed and that the caller should use free on the new buffer.
++
++ Note that the answers may arrive in any order from the server and
++ therefore the first and second answer buffers may not correspond to
++ the first and second queries.
++
++ It is not supported to call this function with a non-NULL ANSP2
++ but a NULL ANSCP. Put another way, you can call send_vc with a
++ single unmodifiable buffer or two modifiable buffers, but no other
++ combination is supported.
++
++ It is the caller's responsibility to free the malloc allocated
++ buffers by detecting that the pointers have changed from their
++ original values i.e. *ANSCP or *ANSP2 has changed.
++
++ If an answer is truncated because of UDP datagram DNS limits then
++ *V_CIRCUIT is set to 1 and the return value non-zero to indicate to
++ the caller to retry with TCP. The value *GOTSOMEWHERE is set to 1
++ if any progress was made reading a response from the nameserver and
++ is used by the caller to distinguish between ECONNREFUSED and
++ ETIMEDOUT (the latter if *GOTSOMEWHERE is 1).
++
++ If errors are encountered then *TERRNO is set to an appropriate
++ errno value and a zero result is returned for a recoverable error,
++ and a less-than zero result is returned for a non-recoverable error.
++
++ If no errors are encountered then *TERRNO is left unmodified and
++ a the length of the first response in bytes is returned. */
+ static int
+ send_dg(res_state statp,
+ const u_char *buf, int buflen, const u_char *buf2, int buflen2,
+@@ -1030,8 +1159,6 @@ send_dg(res_state statp,
+ {
+ const HEADER *hp = (HEADER *) buf;
+ const HEADER *hp2 = (HEADER *) buf2;
+- u_char *ans = *ansp;
+- int orig_anssizp = *anssizp;
+ struct timespec now, timeout, finish;
+ struct pollfd pfd[1];
+ int ptimeout;
+@@ -1064,6 +1191,8 @@ send_dg(res_state statp,
+ int need_recompute = 0;
+ int nwritten = 0;
+ int recvresp1 = 0;
++ /* Skip the second response if there is no second query.
++ To do that we mark the second response as received. */
+ int recvresp2 = buf2 == NULL;
+ pfd[0].fd = EXT(statp).nssocks[ns];
+ pfd[0].events = POLLOUT;
+@@ -1227,55 +1356,56 @@ send_dg(res_state statp,
+ int *thisresplenp;
+
+ if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) {
++ /* We have not received any responses
++ yet or we only have one response to
++ receive. */
+ thisanssizp = anssizp;
+ thisansp = anscp ?: ansp;
+ assert (anscp != NULL || ansp2 == NULL);
+ thisresplenp = &resplen;
+ } else {
+- if (*anssizp != MAXPACKET) {
+- /* No buffer allocated for the first
+- reply. We can try to use the rest
+- of the user-provided buffer. */
+-#if _STRING_ARCH_unaligned
+- *anssizp2 = orig_anssizp - resplen;
+- *ansp2 = *ansp + resplen;
+-#else
+- int aligned_resplen
+- = ((resplen + __alignof__ (HEADER) - 1)
+- & ~(__alignof__ (HEADER) - 1));
+- *anssizp2 = orig_anssizp - aligned_resplen;
+- *ansp2 = *ansp + aligned_resplen;
+-#endif
+- } else {
+- /* The first reply did not fit into the
+- user-provided buffer. Maybe the second
+- answer will. */
+- *anssizp2 = orig_anssizp;
+- *ansp2 = *ansp;
+- }
+-
+ thisanssizp = anssizp2;
+ thisansp = ansp2;
+ thisresplenp = resplen2;
+ }
+
+ if (*thisanssizp < MAXPACKET
+- /* Yes, we test ANSCP here. If we have two buffers
+- both will be allocatable. */
+- && anscp
++ /* If the current buffer is non-NULL and it's not
++ pointing at the static user-supplied buffer then
++ we can reallocate it. */
++ && (thisansp != NULL && thisansp != ansp)
+ #ifdef FIONREAD
++ /* Is the size too small? */
+ && (ioctl (pfd[0].fd, FIONREAD, thisresplenp) < 0
+ || *thisanssizp < *thisresplenp)
+ #endif
+ ) {
++ /* Always allocate MAXPACKET, callers expect
++ this specific size. */
+ u_char *newp = malloc (MAXPACKET);
+ if (newp != NULL) {
+- *anssizp = MAXPACKET;
+- *thisansp = ans = newp;
++ *thisanssizp = MAXPACKET;
++ *thisansp = newp;
+ if (thisansp == ansp2)
+ *ansp2_malloced = 1;
+ }
+ }
++ /* We could end up with truncation if anscp was NULL
++ (not allowed to change caller's buffer) and the
++ response buffer size is too small. This isn't a
++ reliable way to detect truncation because the ioctl
++ may be an inaccurate report of the UDP message size.
++ Therefore we use this only to issue debug output.
++ To do truncation accurately with UDP we need
++ MSG_TRUNC which is only available on Linux. We
++ can abstract out the Linux-specific feature in the
++ future to detect truncation. */
++ if (__glibc_unlikely (*thisanssizp < *thisresplenp)) {
++ Dprint(statp->options & RES_DEBUG,
++ (stdout, ";; response may be truncated (UDP)\n")
++ );
++ }
++
+ HEADER *anhp = (HEADER *) *thisansp;
+ socklen_t fromlen = sizeof(struct sockaddr_in6);
+ assert (sizeof(from) <= fromlen);
+
diff --git a/glibc/Pkgfile b/glibc/Pkgfile
index d1b80ba0..dcdf11b9 100644
--- a/glibc/Pkgfile
+++ b/glibc/Pkgfile
@@ -4,11 +4,12 @@
name=glibc
version=2.22
-release=2
+release=3
source=(http://ftp.gnu.org/gnu/glibc/glibc-$version.tar.xz \
http://crux.nu/files/distfiles/kernel-headers-4.1.tar.xz \
$name-2.20-multilib-dirs.patch \
- CVE-2015-8779.patch CVE-2015-8778.patch CVE-2015-8777.patch CVE-2015-8776.patch \
+ CVE-2015-8779.patch CVE-2015-8778.patch CVE-2015-8777.patch \
+ CVE-2015-8776.patch CVE-2015-7547.patch glibc-rh1252570.patch \
hosts resolv.conf nsswitch.conf host.conf ld.so.conf)
build() {
@@ -22,6 +23,8 @@ build() {
patch -p1 -d $SRC/$name-$version -i $SRC/CVE-2015-8778.patch
patch -p1 -d $SRC/$name-$version -i $SRC/CVE-2015-8777.patch
patch -p1 -d $SRC/$name-$version -i $SRC/CVE-2015-8776.patch
+ patch -p1 -d $SRC/$name-$version -i $SRC/glibc-rh1252570.patch
+ patch -p1 -d $SRC/$name-$version -i $SRC/CVE-2015-7547.patch
mkdir $SRC/build
cd $SRC/build
diff --git a/glibc/glibc-rh1252570.patch b/glibc/glibc-rh1252570.patch
new file mode 100644
index 00000000..5e69e9a0
--- /dev/null
+++ b/glibc/glibc-rh1252570.patch
@@ -0,0 +1,408 @@
+Revert this upstream commit:
+
+commit 2212c1420c92a33b0e0bd9a34938c9814a56c0f7
+Author: Andreas Schwab <schwab@suse.de>
+Date: Thu Feb 19 15:52:08 2015 +0100
+
+ Simplify handling of nameserver configuration in resolver
+
+ Remove use of ext.nsmap member of struct __res_state and always use
+ an identity mapping betwen the nsaddr_list array and the ext.nsaddrs
+ array. The fact that a nameserver has an IPv6 address is signalled by
+ setting nsaddr_list[].sin_family to zero.
+
+reverted:
+Index: b/resolv/res_init.c
+===================================================================
+--- a/resolv/res_init.c
++++ b/resolv/res_init.c
+@@ -153,8 +153,10 @@ __res_vinit(res_state statp, int preinit
+ char *cp, **pp;
+ int n;
+ char buf[BUFSIZ];
+- int nserv = 0; /* number of nameservers read from file */
+- int have_serv6 = 0;
++ int nserv = 0; /* number of IPv4 nameservers read from file */
++#ifdef _LIBC
++ int nservall = 0; /* number of (IPv4 + IPV6) nameservers read from file */
++#endif
+ int haveenv = 0;
+ int havesearch = 0;
+ #ifdef RESOLVSORT
+@@ -183,9 +185,15 @@ __res_vinit(res_state statp, int preinit
+ statp->_flags = 0;
+ statp->qhook = NULL;
+ statp->rhook = NULL;
++ statp->_u._ext.nsinit = 0;
+ statp->_u._ext.nscount = 0;
+- for (n = 0; n < MAXNS; n++)
+- statp->_u._ext.nsaddrs[n] = NULL;
++#ifdef _LIBC
++ statp->_u._ext.nscount6 = 0;
++ for (n = 0; n < MAXNS; n++) {
++ statp->_u._ext.nsaddrs[n] = NULL;
++ statp->_u._ext.nsmap[n] = MAXNS;
++ }
++#endif
+
+ /* Allow user to override the local domain definition */
+ if ((cp = getenv("LOCALDOMAIN")) != NULL) {
+@@ -289,7 +297,11 @@ __res_vinit(res_state statp, int preinit
+ continue;
+ }
+ /* read nameservers to query */
++#ifdef _LIBC
++ if (MATCH(buf, "nameserver") && nservall < MAXNS) {
++#else
+ if (MATCH(buf, "nameserver") && nserv < MAXNS) {
++#endif
+ struct in_addr a;
+
+ cp = buf + sizeof("nameserver") - 1;
+@@ -297,12 +309,13 @@ __res_vinit(res_state statp, int preinit
+ cp++;
+ if ((*cp != '\0') && (*cp != '\n')
+ && __inet_aton(cp, &a)) {
+- statp->nsaddr_list[nserv].sin_addr = a;
+- statp->nsaddr_list[nserv].sin_family = AF_INET;
+- statp->nsaddr_list[nserv].sin_port =
++ statp->nsaddr_list[nservall].sin_addr = a;
++ statp->nsaddr_list[nservall].sin_family = AF_INET;
++ statp->nsaddr_list[nservall].sin_port =
+ htons(NAMESERVER_PORT);
+ nserv++;
+ #ifdef _LIBC
++ nservall++;
+ } else {
+ struct in6_addr a6;
+ char *el;
+@@ -344,11 +357,10 @@ __res_vinit(res_state statp, int preinit
+ }
+ }
+
+- statp->nsaddr_list[nserv].sin_family = 0;
+- statp->_u._ext.nsaddrs[nserv] = sa6;
+- statp->_u._ext.nssocks[nserv] = -1;
+- have_serv6 = 1;
+- nserv++;
++ statp->_u._ext.nsaddrs[nservall] = sa6;
++ statp->_u._ext.nssocks[nservall] = -1;
++ statp->_u._ext.nsmap[nservall] = MAXNS + 1;
++ nservall++;
+ }
+ }
+ #endif
+@@ -403,9 +415,10 @@ __res_vinit(res_state statp, int preinit
+ continue;
+ }
+ }
+- statp->nscount = nserv;
++ statp->nscount = nservall;
+ #ifdef _LIBC
+- if (have_serv6) {
++ if (nservall - nserv > 0) {
++ statp->_u._ext.nscount6 = nservall - nserv;
+ /* We try IPv6 servers again. */
+ statp->ipv6_unavail = false;
+ }
+@@ -594,7 +607,11 @@ __res_iclose(res_state statp, bool free_
+ statp->_vcsock = -1;
+ statp->_flags &= ~(RES_F_VC | RES_F_CONN);
+ }
++#ifdef _LIBC
++ for (ns = 0; ns < MAXNS; ns++)
++#else
+ for (ns = 0; ns < statp->_u._ext.nscount; ns++)
++#endif
+ if (statp->_u._ext.nsaddrs[ns]) {
+ if (statp->_u._ext.nssocks[ns] != -1) {
+ close_not_cancel_no_status(statp->_u._ext.nssocks[ns]);
+@@ -605,6 +622,8 @@ __res_iclose(res_state statp, bool free_
+ statp->_u._ext.nsaddrs[ns] = NULL;
+ }
+ }
++ if (free_addr)
++ statp->_u._ext.nsinit = 0;
+ }
+ libc_hidden_def (__res_iclose)
+
+Index: b/resolv/res_send.c
+===================================================================
+--- a/resolv/res_send.c
++++ b/resolv/res_send.c
+@@ -176,7 +176,6 @@ evNowTime(struct timespec *res) {
+
+ /* Forward. */
+
+-static struct sockaddr *get_nsaddr (res_state, int);
+ static int send_vc(res_state, const u_char *, int,
+ const u_char *, int,
+ u_char **, int *, int *, int, u_char **,
+@@ -214,21 +213,20 @@ res_ourserver_p(const res_state statp, c
+ in_port_t port = in4p->sin_port;
+ in_addr_t addr = in4p->sin_addr.s_addr;
+
+- for (ns = 0; ns < statp->nscount; ns++) {
++ for (ns = 0; ns < MAXNS; ns++) {
+ const struct sockaddr_in *srv =
+- (struct sockaddr_in *) get_nsaddr (statp, ns);
++ (struct sockaddr_in *)EXT(statp).nsaddrs[ns];
+
+- if ((srv->sin_family == AF_INET) &&
++ if ((srv != NULL) && (srv->sin_family == AF_INET) &&
+ (srv->sin_port == port) &&
+ (srv->sin_addr.s_addr == INADDR_ANY ||
+ srv->sin_addr.s_addr == addr))
+ return (1);
+ }
+ } else if (inp->sin6_family == AF_INET6) {
+- for (ns = 0; ns < statp->nscount; ns++) {
+- const struct sockaddr_in6 *srv
+- = (struct sockaddr_in6 *) get_nsaddr (statp, ns);
+- if ((srv->sin6_family == AF_INET6) &&
++ for (ns = 0; ns < MAXNS; ns++) {
++ const struct sockaddr_in6 *srv = EXT(statp).nsaddrs[ns];
++ if ((srv != NULL) && (srv->sin6_family == AF_INET6) &&
+ (srv->sin6_port == inp->sin6_port) &&
+ !(memcmp(&srv->sin6_addr, &in6addr_any,
+ sizeof (struct in6_addr)) &&
+@@ -378,48 +376,80 @@ __libc_res_nsend(res_state statp, const
+ * If the ns_addr_list in the resolver context has changed, then
+ * invalidate our cached copy and the associated timing data.
+ */
+- if (EXT(statp).nscount != 0) {
++ if (EXT(statp).nsinit) {
+ int needclose = 0;
+
+ if (EXT(statp).nscount != statp->nscount)
+ needclose++;
+ else
+- for (ns = 0; ns < statp->nscount; ns++) {
+- if (statp->nsaddr_list[ns].sin_family != 0
++ for (ns = 0; ns < MAXNS; ns++) {
++ unsigned int map = EXT(statp).nsmap[ns];
++ if (map < MAXNS
+ && !sock_eq((struct sockaddr_in6 *)
+- &statp->nsaddr_list[ns],
++ &statp->nsaddr_list[map],
+ EXT(statp).nsaddrs[ns]))
+ {
+ needclose++;
+ break;
+ }
+ }
+- if (needclose) {
++ if (needclose)
+ __res_iclose(statp, false);
+- EXT(statp).nscount = 0;
+- }
+ }
+
+ /*
+ * Maybe initialize our private copy of the ns_addr_list.
+ */
+- if (EXT(statp).nscount == 0) {
+- for (ns = 0; ns < statp->nscount; ns++) {
+- EXT(statp).nssocks[ns] = -1;
+- if (statp->nsaddr_list[ns].sin_family == 0)
+- continue;
+- if (EXT(statp).nsaddrs[ns] == NULL)
+- EXT(statp).nsaddrs[ns] =
++ if (EXT(statp).nsinit == 0) {
++ unsigned char map[MAXNS];
++
++ memset (map, MAXNS, sizeof (map));
++ for (n = 0; n < MAXNS; n++) {
++ ns = EXT(statp).nsmap[n];
++ if (ns < statp->nscount)
++ map[ns] = n;
++ else if (ns < MAXNS) {
++ free(EXT(statp).nsaddrs[n]);
++ EXT(statp).nsaddrs[n] = NULL;
++ EXT(statp).nsmap[n] = MAXNS;
++ }
++ }
++ n = statp->nscount;
++ if (statp->nscount > EXT(statp).nscount)
++ for (n = EXT(statp).nscount, ns = 0;
++ n < statp->nscount; n++) {
++ while (ns < MAXNS
++ && EXT(statp).nsmap[ns] != MAXNS)
++ ns++;
++ if (ns == MAXNS)
++ break;
++ /* NS never exceeds MAXNS, but gcc 4.9 somehow
++ does not see this. */
++ DIAG_PUSH_NEEDS_COMMENT;
++ DIAG_IGNORE_NEEDS_COMMENT (4.9,
++ "-Warray-bounds");
++ EXT(statp).nsmap[ns] = n;
++ DIAG_POP_NEEDS_COMMENT;
++ map[n] = ns++;
++ }
++ EXT(statp).nscount = n;
++ for (ns = 0; ns < EXT(statp).nscount; ns++) {
++ n = map[ns];
++ if (EXT(statp).nsaddrs[n] == NULL)
++ EXT(statp).nsaddrs[n] =
+ malloc(sizeof (struct sockaddr_in6));
+- if (EXT(statp).nsaddrs[ns] != NULL)
+- memset (mempcpy(EXT(statp).nsaddrs[ns],
++ if (EXT(statp).nsaddrs[n] != NULL) {
++ memset (mempcpy(EXT(statp).nsaddrs[n],
+ &statp->nsaddr_list[ns],
+ sizeof (struct sockaddr_in)),
+ '\0',
+ sizeof (struct sockaddr_in6)
+ - sizeof (struct sockaddr_in));
++ EXT(statp).nssocks[n] = -1;
++ n++;
++ }
+ }
+- EXT(statp).nscount = statp->nscount;
++ EXT(statp).nsinit = 1;
+ }
+
+ /*
+@@ -428,37 +458,44 @@ __libc_res_nsend(res_state statp, const
+ */
+ if (__builtin_expect ((statp->options & RES_ROTATE) != 0, 0) &&
+ (statp->options & RES_BLAST) == 0) {
+- struct sockaddr_in ina;
+- struct sockaddr_in6 *inp;
+- int lastns = statp->nscount - 1;
+- int fd;
+-
+- inp = EXT(statp).nsaddrs[0];
+- ina = statp->nsaddr_list[0];
+- fd = EXT(statp).nssocks[0];
+- for (ns = 0; ns < lastns; ns++) {
+- EXT(statp).nsaddrs[ns] = EXT(statp).nsaddrs[ns + 1];
+- statp->nsaddr_list[ns] = statp->nsaddr_list[ns + 1];
+- EXT(statp).nssocks[ns] = EXT(statp).nssocks[ns + 1];
+- }
+- EXT(statp).nsaddrs[lastns] = inp;
+- statp->nsaddr_list[lastns] = ina;
+- EXT(statp).nssocks[lastns] = fd;
++ struct sockaddr_in6 *ina;
++ unsigned int map;
++
++ n = 0;
++ while (n < MAXNS && EXT(statp).nsmap[n] == MAXNS)
++ n++;
++ if (n < MAXNS) {
++ ina = EXT(statp).nsaddrs[n];
++ map = EXT(statp).nsmap[n];
++ for (;;) {
++ ns = n + 1;
++ while (ns < MAXNS
++ && EXT(statp).nsmap[ns] == MAXNS)
++ ns++;
++ if (ns == MAXNS)
++ break;
++ EXT(statp).nsaddrs[n] = EXT(statp).nsaddrs[ns];
++ EXT(statp).nsmap[n] = EXT(statp).nsmap[ns];
++ n = ns;
++ }
++ EXT(statp).nsaddrs[n] = ina;
++ EXT(statp).nsmap[n] = map;
++ }
+ }
+
+ /*
+ * Send request, RETRY times, or until successful.
+ */
+ for (try = 0; try < statp->retry; try++) {
+- for (ns = 0; ns < statp->nscount; ns++)
++ for (ns = 0; ns < MAXNS; ns++)
+ {
+ #ifdef DEBUG
+ char tmpbuf[40];
+ #endif
+-#if defined USE_HOOKS || defined DEBUG
+- struct sockaddr *nsap = get_nsaddr (statp, ns);
+-#endif
++ struct sockaddr_in6 *nsap = EXT(statp).nsaddrs[ns];
+
++ if (nsap == NULL)
++ goto next_ns;
+ same_ns:
+ #ifdef USE_HOOKS
+ if (__glibc_unlikely (statp->qhook != NULL)) {
+@@ -615,21 +652,6 @@ libresolv_hidden_def (res_nsend)
+
+ /* Private */
+
+-static struct sockaddr *
+-get_nsaddr (res_state statp, int n)
+-{
+-
+- if (statp->nsaddr_list[n].sin_family == 0 && EXT(statp).nsaddrs[n] != NULL)
+- /* EXT(statp).nsaddrs[n] holds an address that is larger than
+- struct sockaddr, and user code did not update
+- statp->nsaddr_list[n]. */
+- return (struct sockaddr *) EXT(statp).nsaddrs[n];
+- else
+- /* User code updated statp->nsaddr_list[n], or statp->nsaddr_list[n]
+- has the same content as EXT(statp).nsaddrs[n]. */
+- return (struct sockaddr *) (void *) &statp->nsaddr_list[n];
+-}
+-
+ static int
+ send_vc(res_state statp,
+ const u_char *buf, int buflen, const u_char *buf2, int buflen2,
+@@ -644,7 +666,7 @@ send_vc(res_state statp,
+ // XXX REMOVE
+ // int anssiz = *anssizp;
+ HEADER *anhp = (HEADER *) ans;
+- struct sockaddr *nsap = get_nsaddr (statp, ns);
++ struct sockaddr_in6 *nsap = EXT(statp).nsaddrs[ns];
+ int truncating, connreset, n;
+ /* On some architectures compiler might emit a warning indicating
+ 'resplen' may be used uninitialized. However if buf2 == NULL
+@@ -677,8 +699,8 @@ send_vc(res_state statp,
+
+ if (getpeername(statp->_vcsock,
+ (struct sockaddr *)&peer, &size) < 0 ||
+- !sock_eq(&peer, (struct sockaddr_in6 *) nsap)) {
+- __res_iclose(statp, false);
++ !sock_eq(&peer, nsap)) {
++ __res_iclose(statp, false);
+ statp->_flags &= ~RES_F_VC;
+ }
+ }
+@@ -687,19 +709,20 @@ send_vc(res_state statp,
+ if (statp->_vcsock >= 0)
+ __res_iclose(statp, false);
+
+- statp->_vcsock = socket(nsap->sa_family, SOCK_STREAM, 0);
++ statp->_vcsock = socket(nsap->sin6_family, SOCK_STREAM, 0);
+ if (statp->_vcsock < 0) {
+ *terrno = errno;
+ Perror(statp, stderr, "socket(vc)", errno);
+ return (-1);
+ }
+ __set_errno (0);
+- if (connect(statp->_vcsock, nsap,
+- nsap->sa_family == AF_INET
++ if (connect(statp->_vcsock, (struct sockaddr *)nsap,
++ nsap->sin6_family == AF_INET
+ ? sizeof (struct sockaddr_in)
+ : sizeof (struct sockaddr_in6)) < 0) {
+ *terrno = errno;
+- Aerror(statp, stderr, "connect/vc", errno, nsap);
++ Aerror(statp, stderr, "connect/vc", errno,
++ (struct sockaddr *) nsap);
+ __res_iclose(statp, false);
+ return (0);
+ }
+@@ -906,7 +929,8 @@ static int
+ reopen (res_state statp, int *terrno, int ns)
+ {
+ if (EXT(statp).nssocks[ns] == -1) {
+- struct sockaddr *nsap = get_nsaddr (statp, ns);
++ struct sockaddr *nsap
++ = (struct sockaddr *) EXT(statp).nsaddrs[ns];
+ socklen_t slen;
+
+ /* only try IPv6 if IPv6 NS and if not failed before */

Generated by cgit