[notify] glibc: reverted CVE-2015-5180 patch - caused resolv problems for some users

Fredrik Rinnestam 2017-06-21 16:54:25 +02:00
parent f7f26b8373
commit 228d2d2799
4 changed files with 9 additions and 321 deletions


@ -1,5 +1,5 @@
aaad345ff18993dafe3e44ac947f7157 glibc-2.20-multilib-dirs.patch
655f50d41e24dcd37447fd6c63ce3f7f glibc-2.24-updates.patch
052018e4621ea8e3d7d8f1b711fcdaa3 glibc-2.24-updates.patch
97dc5517f92016f3d70d83e3162ad318 glibc-2.24.tar.xz
96156bec8e05de67384dc93e72bdc313 host.conf
fbbc215a9b15ba4846f326cc88108057 hosts


@ -1,6 +1,6 @@
untrusted comment: verify with /etc/ports/core.pub
RWRJc1FUaeVeqtVJlLAe7fOw0aoY6VbVJ3a+OMe5w4BXxwC61vgHxotrmJkZTRVXMHlKgv0Y1NNWgW+jzI3oKP6NrQcCPCf/QQQ=
SHA256 (Pkgfile) = 116fd143fdc2ac6e0ccfe5fbbcbc5a206c9ac8abf962ca4b5ddf3fafdcfd60b6
RWRJc1FUaeVeqseqsi+1KI6tEwCOPga+iLAQvj05VaANUoS7dJW09bkmtVwDVezNbiVn6m4q2fOc6UPbyTSPGuFhRM9moY9o/gI=
SHA256 (Pkgfile) = 34d333fdda050939723f57075b9263b17cf75788e283d9ebeee637dfd3811dfd
SHA256 (.footprint) = 9bfd444359441e61174162207102b96597aa3a7051b4c5d8401d9d0e2713ec81
SHA256 (glibc-2.24.tar.xz) = 99d4a3e8efd144d71488e478f62587578c0f4e1fa0b4eed47ee3d4975ebeb5d3
SHA256 (kernel-headers-4.9.5.tar.xz) = 5783ad8f668ee71561fae370fbcdc477aaa6df249bd85635b87a8c204aeb4aa9
@ -10,4 +10,4 @@ SHA256 (resolv.conf) = 72ccb58768a72a771ec37142bc361a18478a07ec9de6e925a20760794
SHA256 (nsswitch.conf) = 859b8984e5e90aff3cce8f9779996ae4033b280d2122840e9411e2f44a1c2e61
SHA256 (host.conf) = 1bffc6575eb6204458758c34656cd44d87e7d89f545055f8857dd8906b7fb277
SHA256 (ld.so.conf) = 441a37924864b5b063208922ea04a926cd9654e74ed3f160b9d455b56d23387f
SHA256 (glibc-2.24-updates.patch) = d74245b3a34b4bcd119ac1da145ee01af77f98c0d3c4bee763049582e8582971
SHA256 (glibc-2.24-updates.patch) = 11839138c7d82544894df8fb6b505aa7afa1a07e79965a64b2a0dac7a1b0aa64


@ -4,7 +4,7 @@
name=glibc
version=2.24
release=6
release=7
source=(http://ftpmirror.gnu.org/gnu/glibc/glibc-2.24.tar.xz \
http://crux.nu/files/distfiles/kernel-headers-4.9.5.tar.xz \
$name-2.20-multilib-dirs.patch \
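Review bot: Nothing in the Pkgfile records that this release ships glibc 2.24 without the CVE-2015-5180 fix; the only visible change in this section is the `release` line (6 to 7, going by the order shown and the commit title). The text dropped from the bundled ChangeLog/NEWS describes a NULL pointer dereference crash in the DNS stub resolver, so the revert knowingly reopens that crash for programs resolving names through glibc. A comment next to the release line, e.g. `# release 7: CVE-2015-5180 resolver fix reverted (resolv regressions); re-apply once fixed`, would keep the gap visible to whoever next regenerates glibc-2.24-updates.patch. The Pkgfile header and build function lie outside this hunk.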


@ -1,8 +1,8 @@
diff --git a/ChangeLog b/ChangeLog
index c44c926094..cd6b5a92e9 100644
index c44c926094..24693b184a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,565 @@
@@ -1,3 +1,551 @@
+2017-06-14 Florian Weimer <fweimer@redhat.com>
+
+ * sysdeps/i386/i686/multiarch/strcspn-c.c: Add IS_IN (libc) guard.
@ -262,20 +262,6 @@ index c44c926094..cd6b5a92e9 100644
+ * sysdeps/x86_64/sysdep.h (JUMPTARGET): Check SHARED instead
+ of PIC.
+
+2016-12-31 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #18784]
+ CVE-2015-5180
+ * include/arpa/nameser_compat.h (T_QUERY_A_AND_AAAA): Rename from
+ T_UNSPEC. Adjust value.
+ * resolv/nss_dns/dns-host.c (_nss_dns_gethostbyname4_r): Use it.
+ * resolv/res_query.c (__libc_res_nquery): Likewise.
+ * resolv/res_mkquery.c (res_nmkquery): Check for out-of-range
+ QTYPEs.
+ * resolv/tst-resolv-qtypes.c: New file.
+ * resolv/Makefile (xtests): Add tst-resolv-qtypes.
+ (tst-resolv-qtypes): Link against libresolv and libpthread.
+
+2017-02-02 Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+ * sysdeps/generic/unsecvars.h: Add GLIBC_TUNABLES.
@ -623,10 +609,10 @@ index 03fd89c13e..ee379f5852 100644
ifndef avoid-generated
diff --git a/NEWS b/NEWS
index b0447e7169..c4c082b415 100644
index b0447e7169..4a042dbe2b 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,29 @@ See the end for copying conditions.
@@ -5,6 +5,17 @@ See the end for copying conditions.
Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
using `glibc' in the "product" field.
@ -640,18 +626,6 @@ index b0447e7169..c4c082b415 100644
+ (denial of service) in some Go applications compiled with gccgo. Reported
+ by Andreas Schwab. (CVE-2016-6323)
+
+* The DNS stub resolver functions would crash due to a NULL pointer
+ dereference when processing a query with a valid DNS question type which
+ was used internally in the implementation. The stub resolver now uses a
+ question type which is outside the range of valid question type values.
+ (CVE-2015-5180)
+
+The following bugs are resolved with this release:
+
+ [21209] Ignore and remove LD_HWCAP_MASK for AT_SECURE programs
+ [21289] Fix symbol redirect for fts_set
+ [21386] Assertion in fork for distinct parent PID is incorrect
+ [21624] Unsafe alloca allows local attackers to alias stack and heap (CVE-2017-1000366)
+
Version 2.24
@ -1460,22 +1434,6 @@ index 8d8ce5813b..a87028047b 100644
} *__gconv_t;
/* Transliteration using the locale's data. */
diff --git a/include/arpa/nameser_compat.h b/include/arpa/nameser_compat.h
index 2e735ede4c..7c0deed9ae 100644
--- a/include/arpa/nameser_compat.h
+++ b/include/arpa/nameser_compat.h
@@ -1,8 +1,8 @@
#ifndef _ARPA_NAMESER_COMPAT_
#include <resolv/arpa/nameser_compat.h>
-/* Picksome unused number to represent lookups of IPv4 and IPv6 (i.e.,
- T_A and T_AAAA). */
-#define T_UNSPEC 62321
+/* The number is outside the 16-bit RR type range and is used
+ internally by the implementation. */
+#define T_QUERY_A_AND_AAAA 439963904
#endif
diff --git a/io/fts.h b/io/fts.h
index 127a0d2721..b6b45206c8 100644
--- a/io/fts.h
@ -3036,276 +2994,6 @@ index d933f9c92a..7cdb06a611 100644
__execve (buffer, argv, envp);
diff --git a/resolv/Makefile b/resolv/Makefile
index 8be41d3ae1..a4c86b9762 100644
--- a/resolv/Makefile
+++ b/resolv/Makefile
@@ -40,6 +40,9 @@ ifeq ($(have-thread-library),yes)
extra-libs += libanl
routines += gai_sigqueue
tests += tst-res_hconf_reorder
+
+# This test sends millions of packets and is rather slow.
+xtests += tst-resolv-qtypes
endif
extra-libs-others = $(extra-libs)
libresolv-routines := gethnamaddr res_comp res_debug \
@@ -117,3 +120,5 @@ tst-leaks2-ENV = MALLOC_TRACE=$(objpfx)tst-leaks2.mtrace
$(objpfx)mtrace-tst-leaks2.out: $(objpfx)tst-leaks2.out
$(common-objpfx)malloc/mtrace $(objpfx)tst-leaks2.mtrace > $@; \
$(evaluate-test)
+
+$(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library)
diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
index 5f9e35701b..d16fa4b8ed 100644
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -323,7 +323,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
int olderr = errno;
enum nss_status status;
- int n = __libc_res_nsearch (&_res, name, C_IN, T_UNSPEC,
+ int n = __libc_res_nsearch (&_res, name, C_IN, T_QUERY_A_AND_AAAA,
host_buffer.buf->buf, 2048, &host_buffer.ptr,
&ans2p, &nans2p, &resplen2, &ans2p_malloced);
if (n >= 0)
diff --git a/resolv/res_mkquery.c b/resolv/res_mkquery.c
index 12f9730199..d80b5318e5 100644
--- a/resolv/res_mkquery.c
+++ b/resolv/res_mkquery.c
@@ -103,6 +103,10 @@ res_nmkquery(res_state statp,
int n;
u_char *dnptrs[20], **dpp, **lastdnptr;
+ if (class < 0 || class > 65535
+ || type < 0 || type > 65535)
+ return -1;
+
#ifdef DEBUG
if (statp->options & RES_DEBUG)
printf(";; res_nmkquery(%s, %s, %s, %s)\n",
diff --git a/resolv/res_query.c b/resolv/res_query.c
index 944d1a90f5..07dc6f6583 100644
--- a/resolv/res_query.c
+++ b/resolv/res_query.c
@@ -122,7 +122,7 @@ __libc_res_nquery(res_state statp,
int n, use_malloc = 0;
u_int oflags = statp->_flags;
- size_t bufsize = (type == T_UNSPEC ? 2 : 1) * QUERYSIZE;
+ size_t bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * QUERYSIZE;
u_char *buf = alloca (bufsize);
u_char *query1 = buf;
int nquery1 = -1;
@@ -137,7 +137,7 @@ __libc_res_nquery(res_state statp,
printf(";; res_query(%s, %d, %d)\n", name, class, type);
#endif
- if (type == T_UNSPEC)
+ if (type == T_QUERY_A_AND_AAAA)
{
n = res_nmkquery(statp, QUERY, name, class, T_A, NULL, 0, NULL,
query1, bufsize);
@@ -190,7 +190,7 @@ __libc_res_nquery(res_state statp,
if (__builtin_expect (n <= 0, 0) && !use_malloc) {
/* Retry just in case res_nmkquery failed because of too
short buffer. Shouldn't happen. */
- bufsize = (type == T_UNSPEC ? 2 : 1) * MAXPACKET;
+ bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * MAXPACKET;
buf = malloc (bufsize);
if (buf != NULL) {
query1 = buf;
diff --git a/resolv/tst-resolv-qtypes.c b/resolv/tst-resolv-qtypes.c
new file mode 100644
index 0000000000..b3e60c693b
--- /dev/null
+++ b/resolv/tst-resolv-qtypes.c
@@ -0,0 +1,185 @@
+/* Exercise low-level query functions with different QTYPEs.
+ Copyright (C) 2016 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <resolv.h>
+#include <string.h>
+#include <support/check.h>
+#include <support/check_nss.h>
+#include <support/resolv_test.h>
+#include <support/support.h>
+#include <support/test-driver.h>
+#include <support/xmemstream.h>
+
+/* If ture, the response function will send the actual response packet
+ over TCP instead of UDP. */
+static volatile bool force_tcp;
+
+/* Send back a fake resource record matching the QTYPE. */
+static void
+response (const struct resolv_response_context *ctx,
+ struct resolv_response_builder *b,
+ const char *qname, uint16_t qclass, uint16_t qtype)
+{
+ if (force_tcp && ctx->tcp)
+ {
+ resolv_response_init (b, (struct resolv_response_flags) { .tc = 1 });
+ resolv_response_add_question (b, qname, qclass, qtype);
+ return;
+ }
+
+ resolv_response_init (b, (struct resolv_response_flags) { });
+ resolv_response_add_question (b, qname, qclass, qtype);
+ resolv_response_section (b, ns_s_an);
+ resolv_response_open_record (b, qname, qclass, qtype, 0);
+ resolv_response_add_data (b, &qtype, sizeof (qtype));
+ resolv_response_close_record (b);
+}
+
+static const const char *domain = "www.example.com";
+
+static int
+wrap_res_query (int type, unsigned char *answer, int answer_length)
+{
+ return res_query (domain, C_IN, type, answer, answer_length);
+}
+
+static int
+wrap_res_search (int type, unsigned char *answer, int answer_length)
+{
+ return res_query (domain, C_IN, type, answer, answer_length);
+}
+
+static int
+wrap_res_querydomain (int type, unsigned char *answer, int answer_length)
+{
+ return res_querydomain ("www", "example.com", C_IN, type,
+ answer, answer_length);
+}
+
+static int
+wrap_res_send (int type, unsigned char *answer, int answer_length)
+{
+ unsigned char buf[512];
+ int ret = res_mkquery (QUERY, domain, C_IN, type,
+ (const unsigned char *) "", 0, NULL,
+ buf, sizeof (buf));
+ if (type < 0 || type >= 65536)
+ {
+ /* res_mkquery fails for out-of-range record types. */
+ TEST_VERIFY_EXIT (ret == -1);
+ return -1;
+ }
+ TEST_VERIFY_EXIT (ret > 12); /* DNS header length. */
+ return res_send (buf, ret, answer, answer_length);
+}
+
+static int
+wrap_res_nquery (int type, unsigned char *answer, int answer_length)
+{
+ return res_nquery (&_res, domain, C_IN, type, answer, answer_length);
+}
+
+static int
+wrap_res_nsearch (int type, unsigned char *answer, int answer_length)
+{
+ return res_nquery (&_res, domain, C_IN, type, answer, answer_length);
+}
+
+static int
+wrap_res_nquerydomain (int type, unsigned char *answer, int answer_length)
+{
+ return res_nquerydomain (&_res, "www", "example.com", C_IN, type,
+ answer, answer_length);
+}
+
+static int
+wrap_res_nsend (int type, unsigned char *answer, int answer_length)
+{
+ unsigned char buf[512];
+ int ret = res_nmkquery (&_res, QUERY, domain, C_IN, type,
+ (const unsigned char *) "", 0, NULL,
+ buf, sizeof (buf));
+ if (type < 0 || type >= 65536)
+ {
+ /* res_mkquery fails for out-of-range record types. */
+ TEST_VERIFY_EXIT (ret == -1);
+ return -1;
+ }
+ TEST_VERIFY_EXIT (ret > 12); /* DNS header length. */
+ return res_nsend (&_res, buf, ret, answer, answer_length);
+}
+
+static void
+test_function (const char *fname,
+ int (*func) (int type,
+ unsigned char *answer, int answer_length))
+{
+ unsigned char buf[512];
+ for (int tcp = 0; tcp < 2; ++tcp)
+ {
+ force_tcp = tcp;
+ for (unsigned int type = 1; type <= 65535; ++type)
+ {
+ if (test_verbose)
+ printf ("info: sending QTYPE %d with %s (tcp=%d)\n",
+ type, fname, tcp);
+ int ret = func (type, buf, sizeof (buf));
+ if (ret != 47)
+ FAIL_EXIT1 ("%s tcp=%d qtype=%d return value %d",
+ fname,tcp, type, ret);
+ /* One question, one answer record. */
+ TEST_VERIFY (memcmp (buf + 4, "\0\1\0\1\0\0\0\0", 8) == 0);
+ /* Question section. */
+ static const char qname[] = "\3www\7example\3com";
+ size_t qname_length = sizeof (qname);
+ TEST_VERIFY (memcmp (buf + 12, qname, qname_length) == 0);
+ /* RDATA part of answer. */
+ uint16_t type16 = type;
+ TEST_VERIFY (memcmp (buf + ret - 2, &type16, sizeof (type16)) == 0);
+ }
+ }
+
+ TEST_VERIFY (func (-1, buf, sizeof (buf) == -1));
+ TEST_VERIFY (func (65536, buf, sizeof (buf) == -1));
+}
+
+static int
+do_test (void)
+{
+ struct resolv_redirect_config config =
+ {
+ .response_callback = response,
+ };
+ struct resolv_test *obj = resolv_test_start (config);
+
+ test_function ("res_query", &wrap_res_query);
+ test_function ("res_search", &wrap_res_search);
+ test_function ("res_querydomain", &wrap_res_querydomain);
+ test_function ("res_send", &wrap_res_send);
+
+ test_function ("res_nquery", &wrap_res_nquery);
+ test_function ("res_nsearch", &wrap_res_nsearch);
+ test_function ("res_nquerydomain", &wrap_res_nquerydomain);
+ test_function ("res_nsend", &wrap_res_nsend);
+
+ resolv_test_end (obj);
+ return 0;
+}
+
+#define TIMEOUT 300
+#include <support/test-driver.c>
diff --git a/scripts/backport-support.sh b/scripts/backport-support.sh
new file mode 100644
index 0000000000..2ece7ce575