diff options
| author | Carlos O'Donell <carlos@systemhalted.org> | 2016-02-16 21:26:37 -0500 |
|---|---|---|
| committer | Tulio Magno Quites Machado Filho <tuliom@linux.vnet.ibm.com> | 2016-02-25 16:02:40 -0300 |
| commit | d5a4840c6b4025302f485b9271e4c72d315221f5 (patch) | |
| tree | b7bcb509a4b43c62c32f366a36abbc485118b03c /NEWS | |
| parent | eda498975dd49f616d8af26e5224ca39c8feeb8c (diff) | |
| download | glibc-d5a4840c6b4025302f485b9271e4c72d315221f5.tar.gz glibc-d5a4840c6b4025302f485b9271e4c72d315221f5.tar.xz glibc-d5a4840c6b4025302f485b9271e4c72d315221f5.zip | |
CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665).
* A stack-based buffer overflow was found in libresolv when invoked from libnss_dns, allowing specially crafted DNS responses to seize control of execution flow in the DNS client. The buffer overflow occurs in the functions send_dg (send datagram) and send_vc (send TCP) for the NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC family. The use of AF_UNSPEC triggers the low-level resolver code to send out two parallel queries for A and AAAA. A mismanagement of the buffers used for those queries could result in the response of a query writing beyond the alloca allocated buffer created by _nss_dns_gethostbyname4_r. Buffer management is simplified to remove the overflow. Thanks to the Google Security Team and Red Hat for reporting the security impact of this issue, and Robert Holiday of Ciena for reporting the related bug 18665. (CVE-2015-7547) See also: https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html (cherry picked from commit 16d0a0ce7613552301786bf05d7eba8784b5732c) Conflicts: NEWS resolv/res_send.c
Diffstat (limited to 'NEWS')
| -rw-r--r-- | NEWS | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/NEWS b/NEWS index 9392e32845..53cf5a4d85 100644 --- a/NEWS +++ b/NEWS @@ -10,7 +10,21 @@ Version 2.20.1 * The following bugs are resolved with this release: 16009, 16617, 16618, 17266, 17269, 17370, 17371, 17460, 17485, 17555, - 17625, 17630, 17801, 18032, 18694, 18928, 19018. + 17625, 17630, 17801, 18032, 18665, 18694, 18928, 19018. + +* A stack-based buffer overflow was found in libresolv when invoked from + libnss_dns, allowing specially crafted DNS responses to seize control + of execution flow in the DNS client. The buffer overflow occurs in + the functions send_dg (send datagram) and send_vc (send TCP) for the + NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC + family. The use of AF_UNSPEC triggers the low-level resolver code to + send out two parallel queries for A and AAAA. A mismanagement of the + buffers used for those queries could result in the response of a query + writing beyond the alloca allocated buffer created by + _nss_dns_gethostbyname4_r. Buffer management is simplified to remove + the overflow. Thanks to the Google Security Team and Red Hat for + reporting the security impact of this issue, and Robert Holiday of + Ciena for reporting the related bug 18665. (CVE-2015-7547) * The LD_POINTER_GUARD environment variable can no longer be used to disable the pointer guard feature. It is always enabled. |