summary refs log tree commit diff
path: root/NEWS
diff options
context:
space:
mode:
authorCarlos O'Donell <carlos@systemhalted.org>2016-02-16 21:26:37 -0500
committerCarlos O'Donell <carlos@systemhalted.org>2016-02-16 21:29:32 -0500
commite9db92d3acfe1822d56d11abcea5bfc4c41cf6ca (patch)
tree67e2907fdad7c2a466e1aa996d48495c6016e3b3 /NEWS
parent2c8f75f79bd6f3f4b3400a9f1a01a75e3086006b (diff)
downloadglibc-e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca.tar.gz
glibc-e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca.tar.xz
glibc-e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca.zip
CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665).
* A stack-based buffer overflow was found in libresolv when invoked from
  libnss_dns, allowing specially crafted DNS responses to seize control
  of execution flow in the DNS client.  The buffer overflow occurs in
  the functions send_dg (send datagram) and send_vc (send TCP) for the
  NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
  family.  The use of AF_UNSPEC triggers the low-level resolver code to
  send out two parallel queries for A and AAAA.  A mismanagement of the
  buffers used for those queries could result in the response of a query
  writing beyond the alloca allocated buffer created by
  _nss_dns_gethostbyname4_r.  Buffer management is simplified to remove
  the overflow.  Thanks to the Google Security Team and Red Hat for
  reporting the security impact of this issue, and Robert Holiday of
  Ciena for reporting the related bug 18665. (CVE-2015-7547)

See also:
https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html
Diffstat (limited to 'NEWS')
-rw-r--r--NEWS14
1 files changed, 14 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 93c09bee07..f80ce9cb59 100644
--- a/NEWS
+++ b/NEWS
@@ -79,6 +79,20 @@ Security related changes:
   depending on the length of the string passed as an argument to the
   functions.  Reported by Joseph Myers.
 
+* A stack-based buffer overflow was found in libresolv when invoked from
+  libnss_dns, allowing specially crafted DNS responses to seize control
+  of execution flow in the DNS client.  The buffer overflow occurs in
+  the functions send_dg (send datagram) and send_vc (send TCP) for the
+  NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC
+  family.  The use of AF_UNSPEC triggers the low-level resolver code to
+  send out two parallel queries for A and AAAA.  A mismanagement of the
+  buffers used for those queries could result in the response of a query
+  writing beyond the alloca allocated buffer created by
+  _nss_dns_gethostbyname4_r.  Buffer management is simplified to remove
+  the overflow.  Thanks to the Google Security Team and Red Hat for
+  reporting the security impact of this issue, and Robert Holiday of
+  Ciena for reporting the related bug 18665. (CVE-2015-7547)
+
 * The following bugs are resolved with this release:
 
   [The release manager will add the list generated by