diff options
| author | Florian Weimer <fweimer@redhat.com> | 2016-04-29 10:35:34 +0200 |
|---|---|---|
| committer | Gabriel F. T. Gomes <gftg@linux.vnet.ibm.com> | 2016-05-24 11:35:31 -0300 |
| commit | 1029487ab3b2ef65ec9364cb15c44ee9c571224f (patch) | |
| tree | bcdf22236e9d5a9a13688ff53cc0d0700f366e7c /NEWS | |
| parent | edbab2450a084a275d418fba871a8c7b48001a71 (diff) | |
| download | glibc-1029487ab3b2ef65ec9364cb15c44ee9c571224f.tar.gz glibc-1029487ab3b2ef65ec9364cb15c44ee9c571224f.tar.xz glibc-1029487ab3b2ef65ec9364cb15c44ee9c571224f.zip | |
CVE-2016-3706: getaddrinfo: stack overflow in hostent conversion [BZ #20010]
When converting a struct hostent response to struct gaih_addrtuple, the gethosts macro (which is called from gaih_inet) used alloca, without malloc fallback for large responses. This commit changes this code to use calloc unconditionally. This commit also consolidated a second hostent-to-gaih_addrtuple conversion loop (in gaih_inet) to use the new conversion function. (cherry picked from commit 4ab2ab03d4351914ee53248dc5aef4a8c88ff8b9)
Diffstat (limited to 'NEWS')
| -rw-r--r-- | NEWS | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/NEWS b/NEWS index 138aee2e91..afca6c2be7 100644 --- a/NEWS +++ b/NEWS @@ -13,6 +13,11 @@ Version 2.20.1 17625, 17630, 17801, 18032, 18080, 18508, 18665, 18694, 18928, 19018, 19682. +* Previously, getaddrinfo copied large amounts of address data to the stack, + even after the fix for CVE-2013-4458 has been applied, potentially + resulting in a stack overflow. getaddrinfo now uses a heap allocation + instead. Reported by Michael Petlan. (CVE-2016-3706) + * A stack-based buffer overflow was found in libresolv when invoked from libnss_dns, allowing specially crafted DNS responses to seize control of execution flow in the DNS client. The buffer overflow occurs in |