[Bug network/15946] New: getaddrinfo() writes DNS queries to random file descriptors under high load

[Bug network/15946] New: getaddrinfo() writes DNS queries to random file descriptors under high load

[arnaud.lb at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

            Bug ID: 15946
           Summary: getaddrinfo() writes DNS queries to random file
                    descriptors under high load
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: critical
          Priority: P2
         Component: network
          Assignee: unassigned at sourceware dot org
          Reporter: arnaud.lb at gmail dot com

Created attachment 7193
  --> https://sourceware.org/bugzilla/attachment.cgi?id=7193&action=edit
reproducing code

Under high load, getaddrinfo() starts sending DNS queries to random
file descriptors, e.g. some unrelated socket connected to a remote service.

The attached code reproduces the bug on at least the following configurations:

Archlinux libc6 2.18
Debian libc6 2.6.11
Debian libc6 2.13-38
Debian libc6 2.17-92
Ubuntu libc6 2.17-0ubuntu5

What the code does is to fill the file descriptor space, closing and creating
many file descriptors, to maximize the chances of reproducing the bug:

 - a thread listens to a local unix socket
 - a thread connects to the unix socket, never writes to it, dups the
connection as much as possible (fills the fd space), closes the dups, and
starts
dup()ing again
 - lots of threads call getaddrinfo()

Under less than a minute, the listener starts reading garbage.

The garbage received by the listener seems to always be a full, well-formed,
DNS query. It seems to always be an AAAA query, even when hints.ai_family is
AF_INET. All queries are similar, only the id changes.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15946] getaddrinfo() writes DNS queries to random file descriptors under high load

[ian at airs dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

Ian Lance Taylor <ian at airs dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ian at airs dot com

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15946] getaddrinfo() writes DNS queries to random file descriptors under high load

[ian at airs dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

--- Comment #1 from Ian Lance Taylor <ian at airs dot com> ---
Let me add that this is a serious problem for some programs written in Go, as
in Go it's easy and natural to make highly concurrent calls to the name lookup
routines.  For the bug from the Go perspective see http://golang.org/issue/6336
.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15946] getaddrinfo() writes DNS queries to random file descriptors under high load

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15946] getaddrinfo() writes DNS queries to random file descriptors under high load

[bugdal at aerifal dot cx]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

Rich Felker <bugdal at aerifal dot cx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bugdal at aerifal dot cx

--- Comment #2 from Rich Felker <bugdal at aerifal dot cx> ---
Ping. This looks extremely serious and does not seem to have received any
attention so far. The Go issue thread suggests that it's likely related to some
kind of socket caching going on in glibc's resolver; if so, this caching should
just be disabled completely (replaced with new locally-opened socket per query)
unless it can easily be fixed.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15946] getaddrinfo() writes DNS queries to random file descriptors under high load

[schwab@linux-m68k.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

--- Comment #3 from Andreas Schwab <schwab@linux-m68k.org> ---
The reson might be that although it is easy to reproduce it is hard to track
down.  Perhaps you can give it a try?

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15946] getaddrinfo() writes DNS queries to random file descriptors under high load

[bugdal at aerifal dot cx]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

--- Comment #4 from Rich Felker <bugdal at aerifal dot cx> ---
I can look, but I'm not at all familiar with the code. The point of my last
comment however was that when a feature has a bug that's this critical, a big
hammer (disabling/removing the caching or whatever) is generally the right
solution unless/until someone is familiar enough to fix the problem on a more
detailed level. It's a shame that there's been a release with such a critical
bug (and anything that corrupts random open files is critical) left unfixed and
even unacknowledged.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15946] getaddrinfo() writes DNS queries to random file descriptors under high load

[schwab@linux-m68k.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

--- Comment #5 from Andreas Schwab <schwab@linux-m68k.org> ---
(In reply to Rich Felker from comment #4)
> I can look, but I'm not at all familiar with the code.

Probably nobody is, since it was originally lifted from the BIND sources.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15946] getaddrinfo() writes DNS queries to random file descriptors under high load

[edsrzf at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

Evan Shaw <edsrzf at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |edsrzf at gmail dot com

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15946] getaddrinfo() writes DNS queries to random file descriptors under high load

[schwab@linux-m68k.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

Andreas Schwab <schwab@linux-m68k.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
   Target Milestone|---                         |2.20

--- Comment #7 from Andreas Schwab <schwab@linux-m68k.org> ---
Fixed in 2.20.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15946] getaddrinfo() writes DNS queries to random file descriptors under high load

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

--- Comment #6 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  f9d2d03254a58d92635a311a42253eeed5a40a47 (commit)
      from  71840409ea45ab9e49d0ac70dfc1c355accf355f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f9d2d03254a58d92635a311a42253eeed5a40a47

commit f9d2d03254a58d92635a311a42253eeed5a40a47
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon May 26 18:01:31 2014 +0200

    Fix invalid file descriptor reuse while sending DNS query (BZ #15946)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog         |    6 ++++++
 NEWS              |   20 ++++++++++----------
 resolv/res_send.c |    1 +
 3 files changed, 17 insertions(+), 10 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15946] getaddrinfo() writes DNS queries to random file descriptors under high load

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |security+

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15946] getaddrinfo() writes DNS queries to random file descriptors under high load

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

--- Comment #9 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, allan/2.19/backport has been created
        at  e3050a640f18eec4bc4e3f7b7f22c5b99c47028b (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e3050a640f18eec4bc4e3f7b7f22c5b99c47028b

commit e3050a640f18eec4bc4e3f7b7f22c5b99c47028b
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Aug 26 19:38:59 2014 +0200

    __gconv_translit_find: Disable function [BZ #17187]

    This functionality has never worked correctly, and the implementation
    contained a security vulnerability (CVE-2014-5119).

    (cherry picked from commit a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8)
    (cherry picked from commit f9df71e895d3552d557e783fdb9d133328195645)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=394efd467f466be377be1066bb07d331390a5658

commit 394efd467f466be377be1066bb07d331390a5658
Author: Stefan Liebler <stli@linux.vnet.ibm.com>
Date:   Fri Aug 1 09:48:17 2014 +0200

    NEWS: Explain the s390 jmp_buf / ucontext_t ABI change reversal.

    (cherry picked from commit 95ee7fb13ba99ba265b49531c57e1cb8db629bc6)

    Typo fix as in commit 45ef66289acbab17278a73512f9b2a9d8a7ca79d and
    NEW enty adjusted to reflect revert occuring in 2.19.1 and 2.20.

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3942f5e5f7282161d31a60f84020eec1aa86bb82

commit 3942f5e5f7282161d31a60f84020eec1aa86bb82
Author: Stefan Liebler <stli@linux.vnet.ibm.com>
Date:   Thu Aug 28 16:53:13 2014 +1000

    S/390: Revert the jmp_buf/ucontext_t ABI change

    Backport of commit 2f438e20ab591641760e97458d5d1569942eced5

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a5dd31f514e3ab41bfe60cdeacd75d875006d9cc

commit a5dd31f514e3ab41bfe60cdeacd75d875006d9cc
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed May 28 14:05:03 2014 +0200

    manual: Update the locale documentation

    (cherry picked from commit 585367266923156ac6fb789939a923641ba5aaf4)

    Conflicts:
        manual/locale.texi

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d475d58097efe764e2567fca0ea194d5d80150ce

commit d475d58097efe764e2567fca0ea194d5d80150ce
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon May 12 15:24:12 2014 +0200

    _nl_find_locale: Improve handling of crafted locale names [BZ #17137]

    Prevent directory traversal in locale-related environment variables
    (CVE-2014-0475).

    (cherry picked from commit 4e8f95a0df7c2300b830ec12c0ae1e161bc8a8a3)

    Conflicts:
        NEWS
        localedata/Makefile

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1298cdbed6596663785254f63cb92af265aee8e0

commit 1298cdbed6596663785254f63cb92af265aee8e0
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed May 28 14:41:52 2014 +0200

    setlocale: Use the heap for the copy of the locale argument

    This avoids alloca calls with potentially large arguments.

    (cherry picked from commit d183645616b0533b3acee28f1a95570bffbdf50f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5754d77ab9899688380da1a52b02f62815b3d34b

commit 5754d77ab9899688380da1a52b02f62815b3d34b
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Mon May 26 11:40:08 2014 +0530

    Use NSS_STATUS_TRYAGAIN to indicate insufficient buffer (BZ #16878)

    The netgroups nss modules in the glibc tree use NSS_STATUS_UNAVAIL
    (with errno as ERANGE) when the supplied buffer does not have
    sufficient space for the result.  This is wrong, because the canonical
    way to indicate insufficient buffer is to set the errno to ERANGE and
    the status to NSS_STATUS_TRYAGAIN, as is used by all other modules.

    This fixes nscd behaviour when the nss_ldap module returns
    NSS_STATUS_TRYAGAIN to indicate that a netgroup entry is too long to
    fit into the supplied buffer.

    (cherry picked from commit c3ec475c5dd16499aa040908e11d382c3ded9692)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b5a823c6c62a05a793aa2d6ff208d1261b46f281

commit b5a823c6c62a05a793aa2d6ff208d1261b46f281
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Wed Mar 12 17:27:22 2014 +0530

    Provide correct buffer length to netgroup queries in nscd (BZ #16695)

    The buffer to query netgroup entries is allocated sufficient space for
    the netgroup entries and the key to be appended at the end, but it
    sends in an incorrect available length to the NSS netgroup query
    functions, resulting in overflow of the buffer in some special cases.
    The fix here is to factor in the key length when sending the available
    buffer and buffer length to the query functions.

    (cherry picked from commit c44496df2f090a56d3bf75df930592dac6bba46f)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9c4b0856b5627d443edc924ae972a27078c53112

commit 9c4b0856b5627d443edc924ae972a27078c53112
Author: Maciej W. Rozycki <macro@codesourcery.com>
Date:   Fri Jun 20 21:52:53 2014 +0100

    [BZ #16046] dl_iterate_phdr static executable test

    (cherry picked from commit 257ce7127e2f64a6a959b146786cd43de0e42b5f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5ec38d177c9089db1bc62546bfaf411c0cabeb6d

commit 5ec38d177c9089db1bc62546bfaf411c0cabeb6d
Author: Andreas Schwab <schwab@linux-m68k.org>
Date:   Fri Jun 20 12:41:27 2014 +0200

    Fix another memory leak in regexp compiler (BZ #17069)

    (cherry picked from commit aa6ec754f3b4b1df81d186480c534b6486a1e6ee)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4498c0516d9f16feeca46820ba8ca2e62f916f82

commit 4498c0516d9f16feeca46820ba8ca2e62f916f82
Author: Andreas Schwab <schwab@linux-m68k.org>
Date:   Thu Jun 19 15:38:03 2014 +0200

    Fix memory leak in regexp compiler (BZ #17069)

    (cherry picked from commit 4d43ef1e7434d7d419afbcd754931cb0c794763c)

    Conflicts:
        posix/Makefile

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7b17d60f13089585c2b63d46cbc660c4b85d169d

commit 7b17d60f13089585c2b63d46cbc660c4b85d169d
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon May 26 18:01:31 2014 +0200

    Fix invalid file descriptor reuse while sending DNS query (BZ #15946)

    (cherry picked from commit f9d2d03254a58d92635a311a42253eeed5a40a47)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=76aebfbb87ecc33e59d29a8adda76dfcdbc9213d

commit 76aebfbb87ecc33e59d29a8adda76dfcdbc9213d
Author: Andreas Schwab <schwab@suse.de>
Date:   Tue Feb 18 10:57:25 2014 +0100

    Properly fix memory leak in _nss_dns_gethostbyname4_r with big DNS answer

    Instead of trying to guess whether the second buffer needs to be freed
    set a flag at the place it is allocated

    (cherry picked from commit ab09bf616ad527b249aca5f2a4956fd526f0712f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c6ce0dadcfd14973ba880f4e043058a9367f00ce

commit c6ce0dadcfd14973ba880f4e043058a9367f00ce
Author: Ondřej Bílka <neleai@seznam.cz>
Date:   Sun Feb 16 12:59:23 2014 +0100

    Deduplicate resolv/nss_dns/dns-host.c

    In resolv/nss_dns/dns-host.c one of code path duplicated code after
    that. We merge these paths.

    (cherry picked from commit ab7ac0f2cf8731fe4c3f3aea6088a7c0127b5725)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4ad0ab7bdb6c4afb3fc561c6497759eb939d2a73

commit 4ad0ab7bdb6c4afb3fc561c6497759eb939d2a73
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu Feb 13 11:01:57 2014 +0100

    Fix memory leak in _nss_dns_gethostbyname4_r with big DNS answer

    (cherry picked from commit d668061994a7486a3ba9c7d5e7882d85a2883707)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=00a84253c5bc7dffb7a0a666cea21ea5e0288771

commit 00a84253c5bc7dffb7a0a666cea21ea5e0288771
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu May 8 16:53:01 2014 +0200

    Fix unbound stack use in NIS NSS module

    (cherry picked from commit 315eb1d86aea489cd6325fd1c2521dcfb4fc0e1c)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=30026b69015db3f82407df83dc1118518ee1fa5c

commit 30026b69015db3f82407df83dc1118518ee1fa5c
Author: Allan McRae <allan@archlinux.org>
Date:   Sat Jun 21 17:23:55 2014 +1000

    Mention CVE-2014-4043 in NEWS

    (cherry picked from commit d03efb2f979defd473955a455d66b949961d26b2)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e698ea2c03ddfdfa87459c1a0e53e2a4289de0fa

commit e698ea2c03ddfdfa87459c1a0e53e2a4289de0fa
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Jun 11 23:12:52 2014 +0200

    posix_spawn_file_actions_addopen needs to copy the path argument (BZ 17048)

    POSIX requires that we make a copy, so we allocate a new string
    and free it in posix_spawn_file_actions_destroy.

    Reported by David Reid, Alex Gaynor, and Glyph Lefkowitz.  This bug
    may have security implications.

    (cherry picked from commit 89e435f3559c53084498e9baad22172b64429362)

    Conflicts:
        NEWS

-----------------------------------------------------------------------

-- 
You are receiving this mail because:
You are on the CC list for the bug.
>From glibc-bugs-return-26044-listarch-glibc-bugs=sources.redhat.com@sourceware.org Thu Aug 28 10:26:18 2014
Return-Path: <glibc-bugs-return-26044-listarch-glibc-bugs=sources.redhat.com@sourceware.org>
Delivered-To: listarch-glibc-bugs@sources.redhat.com
Received: (qmail 13883 invoked by alias); 28 Aug 2014 10:26:18 -0000
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <glibc-bugs.sourceware.org>
List-Subscribe: <mailto:glibc-bugs-subscribe@sourceware.org>
List-Post: <mailto:glibc-bugs@sourceware.org>
List-Help: <mailto:glibc-bugs-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: glibc-bugs-owner@sourceware.org
Delivered-To: mailing list glibc-bugs@sourceware.org
Received: (qmail 13092 invoked by uid 55); 28 Aug 2014 10:26:10 -0000
From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug regex/17069] leak in regcomp
Date: Thu, 28 Aug 2014 10:26:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: regex
X-Bugzilla-Version: 2.20
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: cvs-commit at gcc dot gnu.org
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: 2.20
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields:
Message-ID: <bug-17069-131-dZg2USmfT0@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-17069-131@http.sourceware.org/bugzilla/>
References: <bug-17069-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2014-08/txt/msg00127.txt.bz2
Content-length: 9639

https://sourceware.org/bugzilla/show_bug.cgi?id=17069

--- Comment #10 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, allan/2.19/backport has been created
        at  e3050a640f18eec4bc4e3f7b7f22c5b99c47028b (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e3050a640f18eec4bc4e3f7b7f22c5b99c47028b

commit e3050a640f18eec4bc4e3f7b7f22c5b99c47028b
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Aug 26 19:38:59 2014 +0200

    __gconv_translit_find: Disable function [BZ #17187]

    This functionality has never worked correctly, and the implementation
    contained a security vulnerability (CVE-2014-5119).

    (cherry picked from commit a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8)
    (cherry picked from commit f9df71e895d3552d557e783fdb9d133328195645)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=394efd467f466be377be1066bb07d331390a5658

commit 394efd467f466be377be1066bb07d331390a5658
Author: Stefan Liebler <stli@linux.vnet.ibm.com>
Date:   Fri Aug 1 09:48:17 2014 +0200

    NEWS: Explain the s390 jmp_buf / ucontext_t ABI change reversal.

    (cherry picked from commit 95ee7fb13ba99ba265b49531c57e1cb8db629bc6)

    Typo fix as in commit 45ef66289acbab17278a73512f9b2a9d8a7ca79d and
    NEW enty adjusted to reflect revert occuring in 2.19.1 and 2.20.

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3942f5e5f7282161d31a60f84020eec1aa86bb82

commit 3942f5e5f7282161d31a60f84020eec1aa86bb82
Author: Stefan Liebler <stli@linux.vnet.ibm.com>
Date:   Thu Aug 28 16:53:13 2014 +1000

    S/390: Revert the jmp_buf/ucontext_t ABI change

    Backport of commit 2f438e20ab591641760e97458d5d1569942eced5

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a5dd31f514e3ab41bfe60cdeacd75d875006d9cc

commit a5dd31f514e3ab41bfe60cdeacd75d875006d9cc
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed May 28 14:05:03 2014 +0200

    manual: Update the locale documentation

    (cherry picked from commit 585367266923156ac6fb789939a923641ba5aaf4)

    Conflicts:
        manual/locale.texi

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d475d58097efe764e2567fca0ea194d5d80150ce

commit d475d58097efe764e2567fca0ea194d5d80150ce
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon May 12 15:24:12 2014 +0200

    _nl_find_locale: Improve handling of crafted locale names [BZ #17137]

    Prevent directory traversal in locale-related environment variables
    (CVE-2014-0475).

    (cherry picked from commit 4e8f95a0df7c2300b830ec12c0ae1e161bc8a8a3)

    Conflicts:
        NEWS
        localedata/Makefile

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1298cdbed6596663785254f63cb92af265aee8e0

commit 1298cdbed6596663785254f63cb92af265aee8e0
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed May 28 14:41:52 2014 +0200

    setlocale: Use the heap for the copy of the locale argument

    This avoids alloca calls with potentially large arguments.

    (cherry picked from commit d183645616b0533b3acee28f1a95570bffbdf50f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5754d77ab9899688380da1a52b02f62815b3d34b

commit 5754d77ab9899688380da1a52b02f62815b3d34b
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Mon May 26 11:40:08 2014 +0530

    Use NSS_STATUS_TRYAGAIN to indicate insufficient buffer (BZ #16878)

    The netgroups nss modules in the glibc tree use NSS_STATUS_UNAVAIL
    (with errno as ERANGE) when the supplied buffer does not have
    sufficient space for the result.  This is wrong, because the canonical
    way to indicate insufficient buffer is to set the errno to ERANGE and
    the status to NSS_STATUS_TRYAGAIN, as is used by all other modules.

    This fixes nscd behaviour when the nss_ldap module returns
    NSS_STATUS_TRYAGAIN to indicate that a netgroup entry is too long to
    fit into the supplied buffer.

    (cherry picked from commit c3ec475c5dd16499aa040908e11d382c3ded9692)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b5a823c6c62a05a793aa2d6ff208d1261b46f281

commit b5a823c6c62a05a793aa2d6ff208d1261b46f281
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Wed Mar 12 17:27:22 2014 +0530

    Provide correct buffer length to netgroup queries in nscd (BZ #16695)

    The buffer to query netgroup entries is allocated sufficient space for
    the netgroup entries and the key to be appended at the end, but it
    sends in an incorrect available length to the NSS netgroup query
    functions, resulting in overflow of the buffer in some special cases.
    The fix here is to factor in the key length when sending the available
    buffer and buffer length to the query functions.

    (cherry picked from commit c44496df2f090a56d3bf75df930592dac6bba46f)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9c4b0856b5627d443edc924ae972a27078c53112

commit 9c4b0856b5627d443edc924ae972a27078c53112
Author: Maciej W. Rozycki <macro@codesourcery.com>
Date:   Fri Jun 20 21:52:53 2014 +0100

    [BZ #16046] dl_iterate_phdr static executable test

    (cherry picked from commit 257ce7127e2f64a6a959b146786cd43de0e42b5f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5ec38d177c9089db1bc62546bfaf411c0cabeb6d

commit 5ec38d177c9089db1bc62546bfaf411c0cabeb6d
Author: Andreas Schwab <schwab@linux-m68k.org>
Date:   Fri Jun 20 12:41:27 2014 +0200

    Fix another memory leak in regexp compiler (BZ #17069)

    (cherry picked from commit aa6ec754f3b4b1df81d186480c534b6486a1e6ee)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4498c0516d9f16feeca46820ba8ca2e62f916f82

commit 4498c0516d9f16feeca46820ba8ca2e62f916f82
Author: Andreas Schwab <schwab@linux-m68k.org>
Date:   Thu Jun 19 15:38:03 2014 +0200

    Fix memory leak in regexp compiler (BZ #17069)

    (cherry picked from commit 4d43ef1e7434d7d419afbcd754931cb0c794763c)

    Conflicts:
        posix/Makefile

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7b17d60f13089585c2b63d46cbc660c4b85d169d

commit 7b17d60f13089585c2b63d46cbc660c4b85d169d
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon May 26 18:01:31 2014 +0200

    Fix invalid file descriptor reuse while sending DNS query (BZ #15946)

    (cherry picked from commit f9d2d03254a58d92635a311a42253eeed5a40a47)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=76aebfbb87ecc33e59d29a8adda76dfcdbc9213d

commit 76aebfbb87ecc33e59d29a8adda76dfcdbc9213d
Author: Andreas Schwab <schwab@suse.de>
Date:   Tue Feb 18 10:57:25 2014 +0100

    Properly fix memory leak in _nss_dns_gethostbyname4_r with big DNS answer

    Instead of trying to guess whether the second buffer needs to be freed
    set a flag at the place it is allocated

    (cherry picked from commit ab09bf616ad527b249aca5f2a4956fd526f0712f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c6ce0dadcfd14973ba880f4e043058a9367f00ce

commit c6ce0dadcfd14973ba880f4e043058a9367f00ce
Author: Ondřej Bílka <neleai@seznam.cz>
Date:   Sun Feb 16 12:59:23 2014 +0100

    Deduplicate resolv/nss_dns/dns-host.c

    In resolv/nss_dns/dns-host.c one of code path duplicated code after
    that. We merge these paths.

    (cherry picked from commit ab7ac0f2cf8731fe4c3f3aea6088a7c0127b5725)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4ad0ab7bdb6c4afb3fc561c6497759eb939d2a73

commit 4ad0ab7bdb6c4afb3fc561c6497759eb939d2a73
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu Feb 13 11:01:57 2014 +0100

    Fix memory leak in _nss_dns_gethostbyname4_r with big DNS answer

    (cherry picked from commit d668061994a7486a3ba9c7d5e7882d85a2883707)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=00a84253c5bc7dffb7a0a666cea21ea5e0288771

commit 00a84253c5bc7dffb7a0a666cea21ea5e0288771
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu May 8 16:53:01 2014 +0200

    Fix unbound stack use in NIS NSS module

    (cherry picked from commit 315eb1d86aea489cd6325fd1c2521dcfb4fc0e1c)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=30026b69015db3f82407df83dc1118518ee1fa5c

commit 30026b69015db3f82407df83dc1118518ee1fa5c
Author: Allan McRae <allan@archlinux.org>
Date:   Sat Jun 21 17:23:55 2014 +1000

    Mention CVE-2014-4043 in NEWS

    (cherry picked from commit d03efb2f979defd473955a455d66b949961d26b2)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e698ea2c03ddfdfa87459c1a0e53e2a4289de0fa

commit e698ea2c03ddfdfa87459c1a0e53e2a4289de0fa
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Jun 11 23:12:52 2014 +0200

    posix_spawn_file_actions_addopen needs to copy the path argument (BZ 17048)

    POSIX requires that we make a copy, so we allocate a new string
    and free it in posix_spawn_file_actions_destroy.

    Reported by David Reid, Alex Gaynor, and Glyph Lefkowitz.  This bug
    may have security implications.

    (cherry picked from commit 89e435f3559c53084498e9baad22172b64429362)

    Conflicts:
        NEWS

-----------------------------------------------------------------------

-- 
You are receiving this mail because:
You are on the CC list for the bug.
>From glibc-bugs-return-26042-listarch-glibc-bugs=sources.redhat.com@sourceware.org Thu Aug 28 10:26:17 2014
Return-Path: <glibc-bugs-return-26042-listarch-glibc-bugs=sources.redhat.com@sourceware.org>
Delivered-To: listarch-glibc-bugs@sources.redhat.com
Received: (qmail 13706 invoked by alias); 28 Aug 2014 10:26:17 -0000
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <glibc-bugs.sourceware.org>
List-Subscribe: <mailto:glibc-bugs-subscribe@sourceware.org>
List-Post: <mailto:glibc-bugs@sourceware.org>
List-Help: <mailto:glibc-bugs-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: glibc-bugs-owner@sourceware.org
Delivered-To: mailing list glibc-bugs@sourceware.org
Received: (qmail 13010 invoked by uid 55); 28 Aug 2014 10:26:09 -0000
From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug localedata/17137] Directory traversal in locale environment handling (CVE-2014-0475)
Date: Thu, 28 Aug 2014 10:26:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: localedata
X-Bugzilla-Version: unspecified
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: cvs-commit at gcc dot gnu.org
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: fweimer at redhat dot com
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: security+
X-Bugzilla-Changed-Fields:
Message-ID: <bug-17137-131-0nf17UnL0q@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-17137-131@http.sourceware.org/bugzilla/>
References: <bug-17137-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2014-08/txt/msg00129.txt.bz2
Content-length: 9638

https://sourceware.org/bugzilla/show_bug.cgi?id=17137

--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, allan/2.19/backport has been created
        at  e3050a640f18eec4bc4e3f7b7f22c5b99c47028b (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e3050a640f18eec4bc4e3f7b7f22c5b99c47028b

commit e3050a640f18eec4bc4e3f7b7f22c5b99c47028b
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Aug 26 19:38:59 2014 +0200

    __gconv_translit_find: Disable function [BZ #17187]

    This functionality has never worked correctly, and the implementation
    contained a security vulnerability (CVE-2014-5119).

    (cherry picked from commit a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8)
    (cherry picked from commit f9df71e895d3552d557e783fdb9d133328195645)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=394efd467f466be377be1066bb07d331390a5658

commit 394efd467f466be377be1066bb07d331390a5658
Author: Stefan Liebler <stli@linux.vnet.ibm.com>
Date:   Fri Aug 1 09:48:17 2014 +0200

    NEWS: Explain the s390 jmp_buf / ucontext_t ABI change reversal.

    (cherry picked from commit 95ee7fb13ba99ba265b49531c57e1cb8db629bc6)

    Typo fix as in commit 45ef66289acbab17278a73512f9b2a9d8a7ca79d and
    NEW enty adjusted to reflect revert occuring in 2.19.1 and 2.20.

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3942f5e5f7282161d31a60f84020eec1aa86bb82

commit 3942f5e5f7282161d31a60f84020eec1aa86bb82
Author: Stefan Liebler <stli@linux.vnet.ibm.com>
Date:   Thu Aug 28 16:53:13 2014 +1000

    S/390: Revert the jmp_buf/ucontext_t ABI change

    Backport of commit 2f438e20ab591641760e97458d5d1569942eced5

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a5dd31f514e3ab41bfe60cdeacd75d875006d9cc

commit a5dd31f514e3ab41bfe60cdeacd75d875006d9cc
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed May 28 14:05:03 2014 +0200

    manual: Update the locale documentation

    (cherry picked from commit 585367266923156ac6fb789939a923641ba5aaf4)

    Conflicts:
        manual/locale.texi

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d475d58097efe764e2567fca0ea194d5d80150ce

commit d475d58097efe764e2567fca0ea194d5d80150ce
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon May 12 15:24:12 2014 +0200

    _nl_find_locale: Improve handling of crafted locale names [BZ #17137]

    Prevent directory traversal in locale-related environment variables
    (CVE-2014-0475).

    (cherry picked from commit 4e8f95a0df7c2300b830ec12c0ae1e161bc8a8a3)

    Conflicts:
        NEWS
        localedata/Makefile

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1298cdbed6596663785254f63cb92af265aee8e0

commit 1298cdbed6596663785254f63cb92af265aee8e0
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed May 28 14:41:52 2014 +0200

    setlocale: Use the heap for the copy of the locale argument

    This avoids alloca calls with potentially large arguments.

    (cherry picked from commit d183645616b0533b3acee28f1a95570bffbdf50f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5754d77ab9899688380da1a52b02f62815b3d34b

commit 5754d77ab9899688380da1a52b02f62815b3d34b
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Mon May 26 11:40:08 2014 +0530

    Use NSS_STATUS_TRYAGAIN to indicate insufficient buffer (BZ #16878)

    The netgroups nss modules in the glibc tree use NSS_STATUS_UNAVAIL
    (with errno as ERANGE) when the supplied buffer does not have
    sufficient space for the result.  This is wrong, because the canonical
    way to indicate insufficient buffer is to set the errno to ERANGE and
    the status to NSS_STATUS_TRYAGAIN, as is used by all other modules.

    This fixes nscd behaviour when the nss_ldap module returns
    NSS_STATUS_TRYAGAIN to indicate that a netgroup entry is too long to
    fit into the supplied buffer.

    (cherry picked from commit c3ec475c5dd16499aa040908e11d382c3ded9692)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b5a823c6c62a05a793aa2d6ff208d1261b46f281

commit b5a823c6c62a05a793aa2d6ff208d1261b46f281
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Wed Mar 12 17:27:22 2014 +0530

    Provide correct buffer length to netgroup queries in nscd (BZ #16695)

    The buffer to query netgroup entries is allocated sufficient space for
    the netgroup entries and the key to be appended at the end, but it
    sends in an incorrect available length to the NSS netgroup query
    functions, resulting in overflow of the buffer in some special cases.
    The fix here is to factor in the key length when sending the available
    buffer and buffer length to the query functions.

    (cherry picked from commit c44496df2f090a56d3bf75df930592dac6bba46f)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9c4b0856b5627d443edc924ae972a27078c53112

commit 9c4b0856b5627d443edc924ae972a27078c53112
Author: Maciej W. Rozycki <macro@codesourcery.com>
Date:   Fri Jun 20 21:52:53 2014 +0100

    [BZ #16046] dl_iterate_phdr static executable test

    (cherry picked from commit 257ce7127e2f64a6a959b146786cd43de0e42b5f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5ec38d177c9089db1bc62546bfaf411c0cabeb6d

commit 5ec38d177c9089db1bc62546bfaf411c0cabeb6d
Author: Andreas Schwab <schwab@linux-m68k.org>
Date:   Fri Jun 20 12:41:27 2014 +0200

    Fix another memory leak in regexp compiler (BZ #17069)

    (cherry picked from commit aa6ec754f3b4b1df81d186480c534b6486a1e6ee)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4498c0516d9f16feeca46820ba8ca2e62f916f82

commit 4498c0516d9f16feeca46820ba8ca2e62f916f82
Author: Andreas Schwab <schwab@linux-m68k.org>
Date:   Thu Jun 19 15:38:03 2014 +0200

    Fix memory leak in regexp compiler (BZ #17069)

    (cherry picked from commit 4d43ef1e7434d7d419afbcd754931cb0c794763c)

    Conflicts:
        posix/Makefile

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7b17d60f13089585c2b63d46cbc660c4b85d169d

commit 7b17d60f13089585c2b63d46cbc660c4b85d169d
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon May 26 18:01:31 2014 +0200

    Fix invalid file descriptor reuse while sending DNS query (BZ #15946)

    (cherry picked from commit f9d2d03254a58d92635a311a42253eeed5a40a47)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=76aebfbb87ecc33e59d29a8adda76dfcdbc9213d

commit 76aebfbb87ecc33e59d29a8adda76dfcdbc9213d
Author: Andreas Schwab <schwab@suse.de>
Date:   Tue Feb 18 10:57:25 2014 +0100

    Properly fix memory leak in _nss_dns_gethostbyname4_r with big DNS answer

    Instead of trying to guess whether the second buffer needs to be freed
    set a flag at the place it is allocated

    (cherry picked from commit ab09bf616ad527b249aca5f2a4956fd526f0712f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c6ce0dadcfd14973ba880f4e043058a9367f00ce

commit c6ce0dadcfd14973ba880f4e043058a9367f00ce
Author: Ondřej Bílka <neleai@seznam.cz>
Date:   Sun Feb 16 12:59:23 2014 +0100

    Deduplicate resolv/nss_dns/dns-host.c

    In resolv/nss_dns/dns-host.c one of code path duplicated code after
    that. We merge these paths.

    (cherry picked from commit ab7ac0f2cf8731fe4c3f3aea6088a7c0127b5725)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4ad0ab7bdb6c4afb3fc561c6497759eb939d2a73

commit 4ad0ab7bdb6c4afb3fc561c6497759eb939d2a73
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu Feb 13 11:01:57 2014 +0100

    Fix memory leak in _nss_dns_gethostbyname4_r with big DNS answer

    (cherry picked from commit d668061994a7486a3ba9c7d5e7882d85a2883707)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=00a84253c5bc7dffb7a0a666cea21ea5e0288771

commit 00a84253c5bc7dffb7a0a666cea21ea5e0288771
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu May 8 16:53:01 2014 +0200

    Fix unbound stack use in NIS NSS module

    (cherry picked from commit 315eb1d86aea489cd6325fd1c2521dcfb4fc0e1c)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=30026b69015db3f82407df83dc1118518ee1fa5c

commit 30026b69015db3f82407df83dc1118518ee1fa5c
Author: Allan McRae <allan@archlinux.org>
Date:   Sat Jun 21 17:23:55 2014 +1000

    Mention CVE-2014-4043 in NEWS

    (cherry picked from commit d03efb2f979defd473955a455d66b949961d26b2)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e698ea2c03ddfdfa87459c1a0e53e2a4289de0fa

commit e698ea2c03ddfdfa87459c1a0e53e2a4289de0fa
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Jun 11 23:12:52 2014 +0200

    posix_spawn_file_actions_addopen needs to copy the path argument (BZ 17048)

    POSIX requires that we make a copy, so we allocate a new string
    and free it in posix_spawn_file_actions_destroy.

    Reported by David Reid, Alex Gaynor, and Glyph Lefkowitz.  This bug
    may have security implications.

    (cherry picked from commit 89e435f3559c53084498e9baad22172b64429362)

    Conflicts:
        NEWS

-----------------------------------------------------------------------

-- 
You are receiving this mail because:
You are on the CC list for the bug.
>From glibc-bugs-return-26041-listarch-glibc-bugs=sources.redhat.com@sourceware.org Thu Aug 28 10:26:17 2014
Return-Path: <glibc-bugs-return-26041-listarch-glibc-bugs=sources.redhat.com@sourceware.org>
Delivered-To: listarch-glibc-bugs@sources.redhat.com
Received: (qmail 13563 invoked by alias); 28 Aug 2014 10:26:16 -0000
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <glibc-bugs.sourceware.org>
List-Subscribe: <mailto:glibc-bugs-subscribe@sourceware.org>
List-Post: <mailto:glibc-bugs@sourceware.org>
List-Help: <mailto:glibc-bugs-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: glibc-bugs-owner@sourceware.org
Delivered-To: mailing list glibc-bugs@sourceware.org
Received: (qmail 12959 invoked by uid 55); 28 Aug 2014 10:26:08 -0000
From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug localedata/17187] Out-of-bounds NUL write in iconv_open (CVE-2014-5119)
Date: Thu, 28 Aug 2014 10:26:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: localedata
X-Bugzilla-Version: unspecified
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: cvs-commit at gcc dot gnu.org
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: fweimer at redhat dot com
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: security+
X-Bugzilla-Changed-Fields:
Message-ID: <bug-17187-131-jItwS5HcfM@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-17187-131@http.sourceware.org/bugzilla/>
References: <bug-17187-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2014-08/txt/msg00126.txt.bz2
Content-length: 9638

https://sourceware.org/bugzilla/show_bug.cgi?id=17187

--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, allan/2.19/backport has been created
        at  e3050a640f18eec4bc4e3f7b7f22c5b99c47028b (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e3050a640f18eec4bc4e3f7b7f22c5b99c47028b

commit e3050a640f18eec4bc4e3f7b7f22c5b99c47028b
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Aug 26 19:38:59 2014 +0200

    __gconv_translit_find: Disable function [BZ #17187]

    This functionality has never worked correctly, and the implementation
    contained a security vulnerability (CVE-2014-5119).

    (cherry picked from commit a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8)
    (cherry picked from commit f9df71e895d3552d557e783fdb9d133328195645)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=394efd467f466be377be1066bb07d331390a5658

commit 394efd467f466be377be1066bb07d331390a5658
Author: Stefan Liebler <stli@linux.vnet.ibm.com>
Date:   Fri Aug 1 09:48:17 2014 +0200

    NEWS: Explain the s390 jmp_buf / ucontext_t ABI change reversal.

    (cherry picked from commit 95ee7fb13ba99ba265b49531c57e1cb8db629bc6)

    Typo fix as in commit 45ef66289acbab17278a73512f9b2a9d8a7ca79d and
    NEW enty adjusted to reflect revert occuring in 2.19.1 and 2.20.

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3942f5e5f7282161d31a60f84020eec1aa86bb82

commit 3942f5e5f7282161d31a60f84020eec1aa86bb82
Author: Stefan Liebler <stli@linux.vnet.ibm.com>
Date:   Thu Aug 28 16:53:13 2014 +1000

    S/390: Revert the jmp_buf/ucontext_t ABI change

    Backport of commit 2f438e20ab591641760e97458d5d1569942eced5

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a5dd31f514e3ab41bfe60cdeacd75d875006d9cc

commit a5dd31f514e3ab41bfe60cdeacd75d875006d9cc
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed May 28 14:05:03 2014 +0200

    manual: Update the locale documentation

    (cherry picked from commit 585367266923156ac6fb789939a923641ba5aaf4)

    Conflicts:
        manual/locale.texi

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d475d58097efe764e2567fca0ea194d5d80150ce

commit d475d58097efe764e2567fca0ea194d5d80150ce
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon May 12 15:24:12 2014 +0200

    _nl_find_locale: Improve handling of crafted locale names [BZ #17137]

    Prevent directory traversal in locale-related environment variables
    (CVE-2014-0475).

    (cherry picked from commit 4e8f95a0df7c2300b830ec12c0ae1e161bc8a8a3)

    Conflicts:
        NEWS
        localedata/Makefile

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1298cdbed6596663785254f63cb92af265aee8e0

commit 1298cdbed6596663785254f63cb92af265aee8e0
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed May 28 14:41:52 2014 +0200

    setlocale: Use the heap for the copy of the locale argument

    This avoids alloca calls with potentially large arguments.

    (cherry picked from commit d183645616b0533b3acee28f1a95570bffbdf50f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5754d77ab9899688380da1a52b02f62815b3d34b

commit 5754d77ab9899688380da1a52b02f62815b3d34b
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Mon May 26 11:40:08 2014 +0530

    Use NSS_STATUS_TRYAGAIN to indicate insufficient buffer (BZ #16878)

    The netgroups nss modules in the glibc tree use NSS_STATUS_UNAVAIL
    (with errno as ERANGE) when the supplied buffer does not have
    sufficient space for the result.  This is wrong, because the canonical
    way to indicate insufficient buffer is to set the errno to ERANGE and
    the status to NSS_STATUS_TRYAGAIN, as is used by all other modules.

    This fixes nscd behaviour when the nss_ldap module returns
    NSS_STATUS_TRYAGAIN to indicate that a netgroup entry is too long to
    fit into the supplied buffer.

    (cherry picked from commit c3ec475c5dd16499aa040908e11d382c3ded9692)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b5a823c6c62a05a793aa2d6ff208d1261b46f281

commit b5a823c6c62a05a793aa2d6ff208d1261b46f281
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Wed Mar 12 17:27:22 2014 +0530

    Provide correct buffer length to netgroup queries in nscd (BZ #16695)

    The buffer to query netgroup entries is allocated sufficient space for
    the netgroup entries and the key to be appended at the end, but it
    sends in an incorrect available length to the NSS netgroup query
    functions, resulting in overflow of the buffer in some special cases.
    The fix here is to factor in the key length when sending the available
    buffer and buffer length to the query functions.

    (cherry picked from commit c44496df2f090a56d3bf75df930592dac6bba46f)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9c4b0856b5627d443edc924ae972a27078c53112

commit 9c4b0856b5627d443edc924ae972a27078c53112
Author: Maciej W. Rozycki <macro@codesourcery.com>
Date:   Fri Jun 20 21:52:53 2014 +0100

    [BZ #16046] dl_iterate_phdr static executable test

    (cherry picked from commit 257ce7127e2f64a6a959b146786cd43de0e42b5f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5ec38d177c9089db1bc62546bfaf411c0cabeb6d

commit 5ec38d177c9089db1bc62546bfaf411c0cabeb6d
Author: Andreas Schwab <schwab@linux-m68k.org>
Date:   Fri Jun 20 12:41:27 2014 +0200

    Fix another memory leak in regexp compiler (BZ #17069)

    (cherry picked from commit aa6ec754f3b4b1df81d186480c534b6486a1e6ee)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4498c0516d9f16feeca46820ba8ca2e62f916f82

commit 4498c0516d9f16feeca46820ba8ca2e62f916f82
Author: Andreas Schwab <schwab@linux-m68k.org>
Date:   Thu Jun 19 15:38:03 2014 +0200

    Fix memory leak in regexp compiler (BZ #17069)

    (cherry picked from commit 4d43ef1e7434d7d419afbcd754931cb0c794763c)

    Conflicts:
        posix/Makefile

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7b17d60f13089585c2b63d46cbc660c4b85d169d

commit 7b17d60f13089585c2b63d46cbc660c4b85d169d
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon May 26 18:01:31 2014 +0200

    Fix invalid file descriptor reuse while sending DNS query (BZ #15946)

    (cherry picked from commit f9d2d03254a58d92635a311a42253eeed5a40a47)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=76aebfbb87ecc33e59d29a8adda76dfcdbc9213d

commit 76aebfbb87ecc33e59d29a8adda76dfcdbc9213d
Author: Andreas Schwab <schwab@suse.de>
Date:   Tue Feb 18 10:57:25 2014 +0100

    Properly fix memory leak in _nss_dns_gethostbyname4_r with big DNS answer

    Instead of trying to guess whether the second buffer needs to be freed
    set a flag at the place it is allocated

    (cherry picked from commit ab09bf616ad527b249aca5f2a4956fd526f0712f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c6ce0dadcfd14973ba880f4e043058a9367f00ce

commit c6ce0dadcfd14973ba880f4e043058a9367f00ce
Author: Ondřej Bílka <neleai@seznam.cz>
Date:   Sun Feb 16 12:59:23 2014 +0100

    Deduplicate resolv/nss_dns/dns-host.c

    In resolv/nss_dns/dns-host.c one of code path duplicated code after
    that. We merge these paths.

    (cherry picked from commit ab7ac0f2cf8731fe4c3f3aea6088a7c0127b5725)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4ad0ab7bdb6c4afb3fc561c6497759eb939d2a73

commit 4ad0ab7bdb6c4afb3fc561c6497759eb939d2a73
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu Feb 13 11:01:57 2014 +0100

    Fix memory leak in _nss_dns_gethostbyname4_r with big DNS answer

    (cherry picked from commit d668061994a7486a3ba9c7d5e7882d85a2883707)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=00a84253c5bc7dffb7a0a666cea21ea5e0288771

commit 00a84253c5bc7dffb7a0a666cea21ea5e0288771
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu May 8 16:53:01 2014 +0200

    Fix unbound stack use in NIS NSS module

    (cherry picked from commit 315eb1d86aea489cd6325fd1c2521dcfb4fc0e1c)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=30026b69015db3f82407df83dc1118518ee1fa5c

commit 30026b69015db3f82407df83dc1118518ee1fa5c
Author: Allan McRae <allan@archlinux.org>
Date:   Sat Jun 21 17:23:55 2014 +1000

    Mention CVE-2014-4043 in NEWS

    (cherry picked from commit d03efb2f979defd473955a455d66b949961d26b2)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e698ea2c03ddfdfa87459c1a0e53e2a4289de0fa

commit e698ea2c03ddfdfa87459c1a0e53e2a4289de0fa
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Jun 11 23:12:52 2014 +0200

    posix_spawn_file_actions_addopen needs to copy the path argument (BZ 17048)

    POSIX requires that we make a copy, so we allocate a new string
    and free it in posix_spawn_file_actions_destroy.

    Reported by David Reid, Alex Gaynor, and Glyph Lefkowitz.  This bug
    may have security implications.

    (cherry picked from commit 89e435f3559c53084498e9baad22172b64429362)

    Conflicts:
        NEWS

-----------------------------------------------------------------------

-- 
You are receiving this mail because:
You are on the CC list for the bug.
>From glibc-bugs-return-26040-listarch-glibc-bugs=sources.redhat.com@sourceware.org Thu Aug 28 10:26:16 2014
Return-Path: <glibc-bugs-return-26040-listarch-glibc-bugs=sources.redhat.com@sourceware.org>
Delivered-To: listarch-glibc-bugs@sources.redhat.com
Received: (qmail 13498 invoked by alias); 28 Aug 2014 10:26:16 -0000
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <glibc-bugs.sourceware.org>
List-Subscribe: <mailto:glibc-bugs-subscribe@sourceware.org>
List-Post: <mailto:glibc-bugs@sourceware.org>
List-Help: <mailto:glibc-bugs-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: glibc-bugs-owner@sourceware.org
Delivered-To: mailing list glibc-bugs@sourceware.org
Received: (qmail 12995 invoked by uid 55); 28 Aug 2014 10:26:09 -0000
From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug nscd/16878] nscd enters busy loop on long netgroup entry via nss_ldap of nslcd
Date: Thu, 28 Aug 2014 10:26:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: nscd
X-Bugzilla-Version: unspecified
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: cvs-commit at gcc dot gnu.org
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: siddhesh at redhat dot com
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: security+
X-Bugzilla-Changed-Fields:
Message-ID: <bug-16878-131-SJr3EteTBi@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-16878-131@http.sourceware.org/bugzilla/>
References: <bug-16878-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2014-08/txt/msg00123.txt.bz2
Content-length: 9638

https://sourceware.org/bugzilla/show_bug.cgi?id=16878

--- Comment #5 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, allan/2.19/backport has been created
        at  e3050a640f18eec4bc4e3f7b7f22c5b99c47028b (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e3050a640f18eec4bc4e3f7b7f22c5b99c47028b

commit e3050a640f18eec4bc4e3f7b7f22c5b99c47028b
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Aug 26 19:38:59 2014 +0200

    __gconv_translit_find: Disable function [BZ #17187]

    This functionality has never worked correctly, and the implementation
    contained a security vulnerability (CVE-2014-5119).

    (cherry picked from commit a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8)
    (cherry picked from commit f9df71e895d3552d557e783fdb9d133328195645)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=394efd467f466be377be1066bb07d331390a5658

commit 394efd467f466be377be1066bb07d331390a5658
Author: Stefan Liebler <stli@linux.vnet.ibm.com>
Date:   Fri Aug 1 09:48:17 2014 +0200

    NEWS: Explain the s390 jmp_buf / ucontext_t ABI change reversal.

    (cherry picked from commit 95ee7fb13ba99ba265b49531c57e1cb8db629bc6)

    Typo fix as in commit 45ef66289acbab17278a73512f9b2a9d8a7ca79d and
    NEW enty adjusted to reflect revert occuring in 2.19.1 and 2.20.

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3942f5e5f7282161d31a60f84020eec1aa86bb82

commit 3942f5e5f7282161d31a60f84020eec1aa86bb82
Author: Stefan Liebler <stli@linux.vnet.ibm.com>
Date:   Thu Aug 28 16:53:13 2014 +1000

    S/390: Revert the jmp_buf/ucontext_t ABI change

    Backport of commit 2f438e20ab591641760e97458d5d1569942eced5

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a5dd31f514e3ab41bfe60cdeacd75d875006d9cc

commit a5dd31f514e3ab41bfe60cdeacd75d875006d9cc
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed May 28 14:05:03 2014 +0200

    manual: Update the locale documentation

    (cherry picked from commit 585367266923156ac6fb789939a923641ba5aaf4)

    Conflicts:
        manual/locale.texi

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d475d58097efe764e2567fca0ea194d5d80150ce

commit d475d58097efe764e2567fca0ea194d5d80150ce
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon May 12 15:24:12 2014 +0200

    _nl_find_locale: Improve handling of crafted locale names [BZ #17137]

    Prevent directory traversal in locale-related environment variables
    (CVE-2014-0475).

    (cherry picked from commit 4e8f95a0df7c2300b830ec12c0ae1e161bc8a8a3)

    Conflicts:
        NEWS
        localedata/Makefile

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1298cdbed6596663785254f63cb92af265aee8e0

commit 1298cdbed6596663785254f63cb92af265aee8e0
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed May 28 14:41:52 2014 +0200

    setlocale: Use the heap for the copy of the locale argument

    This avoids alloca calls with potentially large arguments.

    (cherry picked from commit d183645616b0533b3acee28f1a95570bffbdf50f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5754d77ab9899688380da1a52b02f62815b3d34b

commit 5754d77ab9899688380da1a52b02f62815b3d34b
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Mon May 26 11:40:08 2014 +0530

    Use NSS_STATUS_TRYAGAIN to indicate insufficient buffer (BZ #16878)

    The netgroups nss modules in the glibc tree use NSS_STATUS_UNAVAIL
    (with errno as ERANGE) when the supplied buffer does not have
    sufficient space for the result.  This is wrong, because the canonical
    way to indicate insufficient buffer is to set the errno to ERANGE and
    the status to NSS_STATUS_TRYAGAIN, as is used by all other modules.

    This fixes nscd behaviour when the nss_ldap module returns
    NSS_STATUS_TRYAGAIN to indicate that a netgroup entry is too long to
    fit into the supplied buffer.

    (cherry picked from commit c3ec475c5dd16499aa040908e11d382c3ded9692)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b5a823c6c62a05a793aa2d6ff208d1261b46f281

commit b5a823c6c62a05a793aa2d6ff208d1261b46f281
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Wed Mar 12 17:27:22 2014 +0530

    Provide correct buffer length to netgroup queries in nscd (BZ #16695)

    The buffer to query netgroup entries is allocated sufficient space for
    the netgroup entries and the key to be appended at the end, but it
    sends in an incorrect available length to the NSS netgroup query
    functions, resulting in overflow of the buffer in some special cases.
    The fix here is to factor in the key length when sending the available
    buffer and buffer length to the query functions.

    (cherry picked from commit c44496df2f090a56d3bf75df930592dac6bba46f)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9c4b0856b5627d443edc924ae972a27078c53112

commit 9c4b0856b5627d443edc924ae972a27078c53112
Author: Maciej W. Rozycki <macro@codesourcery.com>
Date:   Fri Jun 20 21:52:53 2014 +0100

    [BZ #16046] dl_iterate_phdr static executable test

    (cherry picked from commit 257ce7127e2f64a6a959b146786cd43de0e42b5f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5ec38d177c9089db1bc62546bfaf411c0cabeb6d

commit 5ec38d177c9089db1bc62546bfaf411c0cabeb6d
Author: Andreas Schwab <schwab@linux-m68k.org>
Date:   Fri Jun 20 12:41:27 2014 +0200

    Fix another memory leak in regexp compiler (BZ #17069)

    (cherry picked from commit aa6ec754f3b4b1df81d186480c534b6486a1e6ee)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4498c0516d9f16feeca46820ba8ca2e62f916f82

commit 4498c0516d9f16feeca46820ba8ca2e62f916f82
Author: Andreas Schwab <schwab@linux-m68k.org>
Date:   Thu Jun 19 15:38:03 2014 +0200

    Fix memory leak in regexp compiler (BZ #17069)

    (cherry picked from commit 4d43ef1e7434d7d419afbcd754931cb0c794763c)

    Conflicts:
        posix/Makefile

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7b17d60f13089585c2b63d46cbc660c4b85d169d

commit 7b17d60f13089585c2b63d46cbc660c4b85d169d
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon May 26 18:01:31 2014 +0200

    Fix invalid file descriptor reuse while sending DNS query (BZ #15946)

    (cherry picked from commit f9d2d03254a58d92635a311a42253eeed5a40a47)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=76aebfbb87ecc33e59d29a8adda76dfcdbc9213d

commit 76aebfbb87ecc33e59d29a8adda76dfcdbc9213d
Author: Andreas Schwab <schwab@suse.de>
Date:   Tue Feb 18 10:57:25 2014 +0100

    Properly fix memory leak in _nss_dns_gethostbyname4_r with big DNS answer

    Instead of trying to guess whether the second buffer needs to be freed
    set a flag at the place it is allocated

    (cherry picked from commit ab09bf616ad527b249aca5f2a4956fd526f0712f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c6ce0dadcfd14973ba880f4e043058a9367f00ce

commit c6ce0dadcfd14973ba880f4e043058a9367f00ce
Author: Ondřej Bílka <neleai@seznam.cz>
Date:   Sun Feb 16 12:59:23 2014 +0100

    Deduplicate resolv/nss_dns/dns-host.c

    In resolv/nss_dns/dns-host.c one of code path duplicated code after
    that. We merge these paths.

    (cherry picked from commit ab7ac0f2cf8731fe4c3f3aea6088a7c0127b5725)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4ad0ab7bdb6c4afb3fc561c6497759eb939d2a73

commit 4ad0ab7bdb6c4afb3fc561c6497759eb939d2a73
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu Feb 13 11:01:57 2014 +0100

    Fix memory leak in _nss_dns_gethostbyname4_r with big DNS answer

    (cherry picked from commit d668061994a7486a3ba9c7d5e7882d85a2883707)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=00a84253c5bc7dffb7a0a666cea21ea5e0288771

commit 00a84253c5bc7dffb7a0a666cea21ea5e0288771
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu May 8 16:53:01 2014 +0200

    Fix unbound stack use in NIS NSS module

    (cherry picked from commit 315eb1d86aea489cd6325fd1c2521dcfb4fc0e1c)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=30026b69015db3f82407df83dc1118518ee1fa5c

commit 30026b69015db3f82407df83dc1118518ee1fa5c
Author: Allan McRae <allan@archlinux.org>
Date:   Sat Jun 21 17:23:55 2014 +1000

    Mention CVE-2014-4043 in NEWS

    (cherry picked from commit d03efb2f979defd473955a455d66b949961d26b2)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e698ea2c03ddfdfa87459c1a0e53e2a4289de0fa

commit e698ea2c03ddfdfa87459c1a0e53e2a4289de0fa
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Jun 11 23:12:52 2014 +0200

    posix_spawn_file_actions_addopen needs to copy the path argument (BZ 17048)

    POSIX requires that we make a copy, so we allocate a new string
    and free it in posix_spawn_file_actions_destroy.

    Reported by David Reid, Alex Gaynor, and Glyph Lefkowitz.  This bug
    may have security implications.

    (cherry picked from commit 89e435f3559c53084498e9baad22172b64429362)

    Conflicts:
        NEWS

-----------------------------------------------------------------------

-- 
You are receiving this mail because:
You are on the CC list for the bug.
>From glibc-bugs-return-26045-listarch-glibc-bugs=sources.redhat.com@sourceware.org Thu Aug 28 10:26:19 2014
Return-Path: <glibc-bugs-return-26045-listarch-glibc-bugs=sources.redhat.com@sourceware.org>
Delivered-To: listarch-glibc-bugs@sources.redhat.com
Received: (qmail 13905 invoked by alias); 28 Aug 2014 10:26:18 -0000
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <glibc-bugs.sourceware.org>
List-Subscribe: <mailto:glibc-bugs-subscribe@sourceware.org>
List-Post: <mailto:glibc-bugs@sourceware.org>
List-Help: <mailto:glibc-bugs-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: glibc-bugs-owner@sourceware.org
Delivered-To: mailing list glibc-bugs@sourceware.org
Received: (qmail 13084 invoked by uid 55); 28 Aug 2014 10:26:10 -0000
From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug libc/17048] posix_spawn_file_actions_addopen fails to copy the path argument (CVE-2014-4043)
Date: Thu, 28 Aug 2014 10:26:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: libc
X-Bugzilla-Version: unspecified
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: cvs-commit at gcc dot gnu.org
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: fweimer at redhat dot com
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: security+
X-Bugzilla-Changed-Fields:
Message-ID: <bug-17048-131-PGSlVGSDQQ@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-17048-131@http.sourceware.org/bugzilla/>
References: <bug-17048-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2014-08/txt/msg00130.txt.bz2
Content-length: 9638

https://sourceware.org/bugzilla/show_bug.cgi?id=17048

--- Comment #6 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, allan/2.19/backport has been created
        at  e3050a640f18eec4bc4e3f7b7f22c5b99c47028b (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e3050a640f18eec4bc4e3f7b7f22c5b99c47028b

commit e3050a640f18eec4bc4e3f7b7f22c5b99c47028b
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Aug 26 19:38:59 2014 +0200

    __gconv_translit_find: Disable function [BZ #17187]

    This functionality has never worked correctly, and the implementation
    contained a security vulnerability (CVE-2014-5119).

    (cherry picked from commit a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8)
    (cherry picked from commit f9df71e895d3552d557e783fdb9d133328195645)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=394efd467f466be377be1066bb07d331390a5658

commit 394efd467f466be377be1066bb07d331390a5658
Author: Stefan Liebler <stli@linux.vnet.ibm.com>
Date:   Fri Aug 1 09:48:17 2014 +0200

    NEWS: Explain the s390 jmp_buf / ucontext_t ABI change reversal.

    (cherry picked from commit 95ee7fb13ba99ba265b49531c57e1cb8db629bc6)

    Typo fix as in commit 45ef66289acbab17278a73512f9b2a9d8a7ca79d and
    NEW enty adjusted to reflect revert occuring in 2.19.1 and 2.20.

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3942f5e5f7282161d31a60f84020eec1aa86bb82

commit 3942f5e5f7282161d31a60f84020eec1aa86bb82
Author: Stefan Liebler <stli@linux.vnet.ibm.com>
Date:   Thu Aug 28 16:53:13 2014 +1000

    S/390: Revert the jmp_buf/ucontext_t ABI change

    Backport of commit 2f438e20ab591641760e97458d5d1569942eced5

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a5dd31f514e3ab41bfe60cdeacd75d875006d9cc

commit a5dd31f514e3ab41bfe60cdeacd75d875006d9cc
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed May 28 14:05:03 2014 +0200

    manual: Update the locale documentation

    (cherry picked from commit 585367266923156ac6fb789939a923641ba5aaf4)

    Conflicts:
        manual/locale.texi

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d475d58097efe764e2567fca0ea194d5d80150ce

commit d475d58097efe764e2567fca0ea194d5d80150ce
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon May 12 15:24:12 2014 +0200

    _nl_find_locale: Improve handling of crafted locale names [BZ #17137]

    Prevent directory traversal in locale-related environment variables
    (CVE-2014-0475).

    (cherry picked from commit 4e8f95a0df7c2300b830ec12c0ae1e161bc8a8a3)

    Conflicts:
        NEWS
        localedata/Makefile

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1298cdbed6596663785254f63cb92af265aee8e0

commit 1298cdbed6596663785254f63cb92af265aee8e0
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed May 28 14:41:52 2014 +0200

    setlocale: Use the heap for the copy of the locale argument

    This avoids alloca calls with potentially large arguments.

    (cherry picked from commit d183645616b0533b3acee28f1a95570bffbdf50f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5754d77ab9899688380da1a52b02f62815b3d34b

commit 5754d77ab9899688380da1a52b02f62815b3d34b
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Mon May 26 11:40:08 2014 +0530

    Use NSS_STATUS_TRYAGAIN to indicate insufficient buffer (BZ #16878)

    The netgroups nss modules in the glibc tree use NSS_STATUS_UNAVAIL
    (with errno as ERANGE) when the supplied buffer does not have
    sufficient space for the result.  This is wrong, because the canonical
    way to indicate insufficient buffer is to set the errno to ERANGE and
    the status to NSS_STATUS_TRYAGAIN, as is used by all other modules.

    This fixes nscd behaviour when the nss_ldap module returns
    NSS_STATUS_TRYAGAIN to indicate that a netgroup entry is too long to
    fit into the supplied buffer.

    (cherry picked from commit c3ec475c5dd16499aa040908e11d382c3ded9692)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b5a823c6c62a05a793aa2d6ff208d1261b46f281

commit b5a823c6c62a05a793aa2d6ff208d1261b46f281
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Wed Mar 12 17:27:22 2014 +0530

    Provide correct buffer length to netgroup queries in nscd (BZ #16695)

    The buffer to query netgroup entries is allocated sufficient space for
    the netgroup entries and the key to be appended at the end, but it
    sends in an incorrect available length to the NSS netgroup query
    functions, resulting in overflow of the buffer in some special cases.
    The fix here is to factor in the key length when sending the available
    buffer and buffer length to the query functions.

    (cherry picked from commit c44496df2f090a56d3bf75df930592dac6bba46f)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9c4b0856b5627d443edc924ae972a27078c53112

commit 9c4b0856b5627d443edc924ae972a27078c53112
Author: Maciej W. Rozycki <macro@codesourcery.com>
Date:   Fri Jun 20 21:52:53 2014 +0100

    [BZ #16046] dl_iterate_phdr static executable test

    (cherry picked from commit 257ce7127e2f64a6a959b146786cd43de0e42b5f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5ec38d177c9089db1bc62546bfaf411c0cabeb6d

commit 5ec38d177c9089db1bc62546bfaf411c0cabeb6d
Author: Andreas Schwab <schwab@linux-m68k.org>
Date:   Fri Jun 20 12:41:27 2014 +0200

    Fix another memory leak in regexp compiler (BZ #17069)

    (cherry picked from commit aa6ec754f3b4b1df81d186480c534b6486a1e6ee)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4498c0516d9f16feeca46820ba8ca2e62f916f82

commit 4498c0516d9f16feeca46820ba8ca2e62f916f82
Author: Andreas Schwab <schwab@linux-m68k.org>
Date:   Thu Jun 19 15:38:03 2014 +0200

    Fix memory leak in regexp compiler (BZ #17069)

    (cherry picked from commit 4d43ef1e7434d7d419afbcd754931cb0c794763c)

    Conflicts:
        posix/Makefile

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7b17d60f13089585c2b63d46cbc660c4b85d169d

commit 7b17d60f13089585c2b63d46cbc660c4b85d169d
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon May 26 18:01:31 2014 +0200

    Fix invalid file descriptor reuse while sending DNS query (BZ #15946)

    (cherry picked from commit f9d2d03254a58d92635a311a42253eeed5a40a47)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=76aebfbb87ecc33e59d29a8adda76dfcdbc9213d

commit 76aebfbb87ecc33e59d29a8adda76dfcdbc9213d
Author: Andreas Schwab <schwab@suse.de>
Date:   Tue Feb 18 10:57:25 2014 +0100

    Properly fix memory leak in _nss_dns_gethostbyname4_r with big DNS answer

    Instead of trying to guess whether the second buffer needs to be freed
    set a flag at the place it is allocated

    (cherry picked from commit ab09bf616ad527b249aca5f2a4956fd526f0712f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c6ce0dadcfd14973ba880f4e043058a9367f00ce

commit c6ce0dadcfd14973ba880f4e043058a9367f00ce
Author: Ondřej Bílka <neleai@seznam.cz>
Date:   Sun Feb 16 12:59:23 2014 +0100

    Deduplicate resolv/nss_dns/dns-host.c

    In resolv/nss_dns/dns-host.c one of code path duplicated code after
    that. We merge these paths.

    (cherry picked from commit ab7ac0f2cf8731fe4c3f3aea6088a7c0127b5725)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4ad0ab7bdb6c4afb3fc561c6497759eb939d2a73

commit 4ad0ab7bdb6c4afb3fc561c6497759eb939d2a73
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu Feb 13 11:01:57 2014 +0100

    Fix memory leak in _nss_dns_gethostbyname4_r with big DNS answer

    (cherry picked from commit d668061994a7486a3ba9c7d5e7882d85a2883707)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=00a84253c5bc7dffb7a0a666cea21ea5e0288771

commit 00a84253c5bc7dffb7a0a666cea21ea5e0288771
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu May 8 16:53:01 2014 +0200

    Fix unbound stack use in NIS NSS module

    (cherry picked from commit 315eb1d86aea489cd6325fd1c2521dcfb4fc0e1c)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=30026b69015db3f82407df83dc1118518ee1fa5c

commit 30026b69015db3f82407df83dc1118518ee1fa5c
Author: Allan McRae <allan@archlinux.org>
Date:   Sat Jun 21 17:23:55 2014 +1000

    Mention CVE-2014-4043 in NEWS

    (cherry picked from commit d03efb2f979defd473955a455d66b949961d26b2)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e698ea2c03ddfdfa87459c1a0e53e2a4289de0fa

commit e698ea2c03ddfdfa87459c1a0e53e2a4289de0fa
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Jun 11 23:12:52 2014 +0200

    posix_spawn_file_actions_addopen needs to copy the path argument (BZ 17048)

    POSIX requires that we make a copy, so we allocate a new string
    and free it in posix_spawn_file_actions_destroy.

    Reported by David Reid, Alex Gaynor, and Glyph Lefkowitz.  This bug
    may have security implications.

    (cherry picked from commit 89e435f3559c53084498e9baad22172b64429362)

    Conflicts:
        NEWS

-----------------------------------------------------------------------

-- 
You are receiving this mail because:
You are on the CC list for the bug.
>From glibc-bugs-return-26043-listarch-glibc-bugs=sources.redhat.com@sourceware.org Thu Aug 28 10:26:18 2014
Return-Path: <glibc-bugs-return-26043-listarch-glibc-bugs=sources.redhat.com@sourceware.org>
Delivered-To: listarch-glibc-bugs@sources.redhat.com
Received: (qmail 13779 invoked by alias); 28 Aug 2014 10:26:18 -0000
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <glibc-bugs.sourceware.org>
List-Subscribe: <mailto:glibc-bugs-subscribe@sourceware.org>
List-Post: <mailto:glibc-bugs@sourceware.org>
List-Help: <mailto:glibc-bugs-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: glibc-bugs-owner@sourceware.org
Delivered-To: mailing list glibc-bugs@sourceware.org
Received: (qmail 13077 invoked by uid 55); 28 Aug 2014 10:26:10 -0000
From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug nscd/16695] nscd aborts with "*** glibc detected *** /usr/sbin/nscd: realloc(): invalid next size"
Date: Thu, 28 Aug 2014 10:26:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: nscd
X-Bugzilla-Version: unspecified
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: cvs-commit at gcc dot gnu.org
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: siddhesh at redhat dot com
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: security+
X-Bugzilla-Changed-Fields:
Message-ID: <bug-16695-131-nUJQhg0R8e@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-16695-131@http.sourceware.org/bugzilla/>
References: <bug-16695-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2014-08/txt/msg00124.txt.bz2
Content-length: 9638

https://sourceware.org/bugzilla/show_bug.cgi?id=16695

--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, allan/2.19/backport has been created
        at  e3050a640f18eec4bc4e3f7b7f22c5b99c47028b (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e3050a640f18eec4bc4e3f7b7f22c5b99c47028b

commit e3050a640f18eec4bc4e3f7b7f22c5b99c47028b
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Aug 26 19:38:59 2014 +0200

    __gconv_translit_find: Disable function [BZ #17187]

    This functionality has never worked correctly, and the implementation
    contained a security vulnerability (CVE-2014-5119).

    (cherry picked from commit a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8)
    (cherry picked from commit f9df71e895d3552d557e783fdb9d133328195645)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=394efd467f466be377be1066bb07d331390a5658

commit 394efd467f466be377be1066bb07d331390a5658
Author: Stefan Liebler <stli@linux.vnet.ibm.com>
Date:   Fri Aug 1 09:48:17 2014 +0200

    NEWS: Explain the s390 jmp_buf / ucontext_t ABI change reversal.

    (cherry picked from commit 95ee7fb13ba99ba265b49531c57e1cb8db629bc6)

    Typo fix as in commit 45ef66289acbab17278a73512f9b2a9d8a7ca79d and
    NEW enty adjusted to reflect revert occuring in 2.19.1 and 2.20.

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3942f5e5f7282161d31a60f84020eec1aa86bb82

commit 3942f5e5f7282161d31a60f84020eec1aa86bb82
Author: Stefan Liebler <stli@linux.vnet.ibm.com>
Date:   Thu Aug 28 16:53:13 2014 +1000

    S/390: Revert the jmp_buf/ucontext_t ABI change

    Backport of commit 2f438e20ab591641760e97458d5d1569942eced5

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a5dd31f514e3ab41bfe60cdeacd75d875006d9cc

commit a5dd31f514e3ab41bfe60cdeacd75d875006d9cc
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed May 28 14:05:03 2014 +0200

    manual: Update the locale documentation

    (cherry picked from commit 585367266923156ac6fb789939a923641ba5aaf4)

    Conflicts:
        manual/locale.texi

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d475d58097efe764e2567fca0ea194d5d80150ce

commit d475d58097efe764e2567fca0ea194d5d80150ce
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon May 12 15:24:12 2014 +0200

    _nl_find_locale: Improve handling of crafted locale names [BZ #17137]

    Prevent directory traversal in locale-related environment variables
    (CVE-2014-0475).

    (cherry picked from commit 4e8f95a0df7c2300b830ec12c0ae1e161bc8a8a3)

    Conflicts:
        NEWS
        localedata/Makefile

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1298cdbed6596663785254f63cb92af265aee8e0

commit 1298cdbed6596663785254f63cb92af265aee8e0
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed May 28 14:41:52 2014 +0200

    setlocale: Use the heap for the copy of the locale argument

    This avoids alloca calls with potentially large arguments.

    (cherry picked from commit d183645616b0533b3acee28f1a95570bffbdf50f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5754d77ab9899688380da1a52b02f62815b3d34b

commit 5754d77ab9899688380da1a52b02f62815b3d34b
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Mon May 26 11:40:08 2014 +0530

    Use NSS_STATUS_TRYAGAIN to indicate insufficient buffer (BZ #16878)

    The netgroups nss modules in the glibc tree use NSS_STATUS_UNAVAIL
    (with errno as ERANGE) when the supplied buffer does not have
    sufficient space for the result.  This is wrong, because the canonical
    way to indicate insufficient buffer is to set the errno to ERANGE and
    the status to NSS_STATUS_TRYAGAIN, as is used by all other modules.

    This fixes nscd behaviour when the nss_ldap module returns
    NSS_STATUS_TRYAGAIN to indicate that a netgroup entry is too long to
    fit into the supplied buffer.

    (cherry picked from commit c3ec475c5dd16499aa040908e11d382c3ded9692)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b5a823c6c62a05a793aa2d6ff208d1261b46f281

commit b5a823c6c62a05a793aa2d6ff208d1261b46f281
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Wed Mar 12 17:27:22 2014 +0530

    Provide correct buffer length to netgroup queries in nscd (BZ #16695)

    The buffer to query netgroup entries is allocated sufficient space for
    the netgroup entries and the key to be appended at the end, but it
    sends in an incorrect available length to the NSS netgroup query
    functions, resulting in overflow of the buffer in some special cases.
    The fix here is to factor in the key length when sending the available
    buffer and buffer length to the query functions.

    (cherry picked from commit c44496df2f090a56d3bf75df930592dac6bba46f)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9c4b0856b5627d443edc924ae972a27078c53112

commit 9c4b0856b5627d443edc924ae972a27078c53112
Author: Maciej W. Rozycki <macro@codesourcery.com>
Date:   Fri Jun 20 21:52:53 2014 +0100

    [BZ #16046] dl_iterate_phdr static executable test

    (cherry picked from commit 257ce7127e2f64a6a959b146786cd43de0e42b5f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5ec38d177c9089db1bc62546bfaf411c0cabeb6d

commit 5ec38d177c9089db1bc62546bfaf411c0cabeb6d
Author: Andreas Schwab <schwab@linux-m68k.org>
Date:   Fri Jun 20 12:41:27 2014 +0200

    Fix another memory leak in regexp compiler (BZ #17069)

    (cherry picked from commit aa6ec754f3b4b1df81d186480c534b6486a1e6ee)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4498c0516d9f16feeca46820ba8ca2e62f916f82

commit 4498c0516d9f16feeca46820ba8ca2e62f916f82
Author: Andreas Schwab <schwab@linux-m68k.org>
Date:   Thu Jun 19 15:38:03 2014 +0200

    Fix memory leak in regexp compiler (BZ #17069)

    (cherry picked from commit 4d43ef1e7434d7d419afbcd754931cb0c794763c)

    Conflicts:
        posix/Makefile

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7b17d60f13089585c2b63d46cbc660c4b85d169d

commit 7b17d60f13089585c2b63d46cbc660c4b85d169d
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon May 26 18:01:31 2014 +0200

    Fix invalid file descriptor reuse while sending DNS query (BZ #15946)

    (cherry picked from commit f9d2d03254a58d92635a311a42253eeed5a40a47)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=76aebfbb87ecc33e59d29a8adda76dfcdbc9213d

commit 76aebfbb87ecc33e59d29a8adda76dfcdbc9213d
Author: Andreas Schwab <schwab@suse.de>
Date:   Tue Feb 18 10:57:25 2014 +0100

    Properly fix memory leak in _nss_dns_gethostbyname4_r with big DNS answer

    Instead of trying to guess whether the second buffer needs to be freed
    set a flag at the place it is allocated

    (cherry picked from commit ab09bf616ad527b249aca5f2a4956fd526f0712f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c6ce0dadcfd14973ba880f4e043058a9367f00ce

commit c6ce0dadcfd14973ba880f4e043058a9367f00ce
Author: Ondřej Bílka <neleai@seznam.cz>
Date:   Sun Feb 16 12:59:23 2014 +0100

    Deduplicate resolv/nss_dns/dns-host.c

    In resolv/nss_dns/dns-host.c one of code path duplicated code after
    that. We merge these paths.

    (cherry picked from commit ab7ac0f2cf8731fe4c3f3aea6088a7c0127b5725)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4ad0ab7bdb6c4afb3fc561c6497759eb939d2a73

commit 4ad0ab7bdb6c4afb3fc561c6497759eb939d2a73
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu Feb 13 11:01:57 2014 +0100

    Fix memory leak in _nss_dns_gethostbyname4_r with big DNS answer

    (cherry picked from commit d668061994a7486a3ba9c7d5e7882d85a2883707)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=00a84253c5bc7dffb7a0a666cea21ea5e0288771

commit 00a84253c5bc7dffb7a0a666cea21ea5e0288771
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu May 8 16:53:01 2014 +0200

    Fix unbound stack use in NIS NSS module

    (cherry picked from commit 315eb1d86aea489cd6325fd1c2521dcfb4fc0e1c)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=30026b69015db3f82407df83dc1118518ee1fa5c

commit 30026b69015db3f82407df83dc1118518ee1fa5c
Author: Allan McRae <allan@archlinux.org>
Date:   Sat Jun 21 17:23:55 2014 +1000

    Mention CVE-2014-4043 in NEWS

    (cherry picked from commit d03efb2f979defd473955a455d66b949961d26b2)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e698ea2c03ddfdfa87459c1a0e53e2a4289de0fa

commit e698ea2c03ddfdfa87459c1a0e53e2a4289de0fa
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Jun 11 23:12:52 2014 +0200

    posix_spawn_file_actions_addopen needs to copy the path argument (BZ 17048)

    POSIX requires that we make a copy, so we allocate a new string
    and free it in posix_spawn_file_actions_destroy.

    Reported by David Reid, Alex Gaynor, and Glyph Lefkowitz.  This bug
    may have security implications.

    (cherry picked from commit 89e435f3559c53084498e9baad22172b64429362)

    Conflicts:
        NEWS

-----------------------------------------------------------------------

-- 
You are receiving this mail because:
You are on the CC list for the bug.
>From glibc-bugs-return-26047-listarch-glibc-bugs=sources.redhat.com@sourceware.org Thu Aug 28 10:26:20 2014
Return-Path: <glibc-bugs-return-26047-listarch-glibc-bugs=sources.redhat.com@sourceware.org>
Delivered-To: listarch-glibc-bugs@sources.redhat.com
Received: (qmail 14051 invoked by alias); 28 Aug 2014 10:26:19 -0000
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <glibc-bugs.sourceware.org>
List-Subscribe: <mailto:glibc-bugs-subscribe@sourceware.org>
List-Post: <mailto:glibc-bugs@sourceware.org>
List-Help: <mailto:glibc-bugs-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: glibc-bugs-owner@sourceware.org
Delivered-To: mailing list glibc-bugs@sourceware.org
Received: (qmail 13125 invoked by uid 55); 28 Aug 2014 10:26:10 -0000
From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug dynamic-link/16046] dl_iterate_phdr should not expose internal stub
Date: Thu, 28 Aug 2014 10:26:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: dynamic-link
X-Bugzilla-Version: unspecified
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: cvs-commit at gcc dot gnu.org
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: security-
X-Bugzilla-Changed-Fields:
Message-ID: <bug-16046-131-jp4ZwWwLdH@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-16046-131@http.sourceware.org/bugzilla/>
References: <bug-16046-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2014-08/txt/msg00128.txt.bz2
Content-length: 9638

https://sourceware.org/bugzilla/show_bug.cgi?id=16046

--- Comment #6 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, allan/2.19/backport has been created
        at  e3050a640f18eec4bc4e3f7b7f22c5b99c47028b (commit)

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e3050a640f18eec4bc4e3f7b7f22c5b99c47028b

commit e3050a640f18eec4bc4e3f7b7f22c5b99c47028b
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Aug 26 19:38:59 2014 +0200

    __gconv_translit_find: Disable function [BZ #17187]

    This functionality has never worked correctly, and the implementation
    contained a security vulnerability (CVE-2014-5119).

    (cherry picked from commit a1a6a401ab0a3c9f15fb7eaebbdcee24192254e8)
    (cherry picked from commit f9df71e895d3552d557e783fdb9d133328195645)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=394efd467f466be377be1066bb07d331390a5658

commit 394efd467f466be377be1066bb07d331390a5658
Author: Stefan Liebler <stli@linux.vnet.ibm.com>
Date:   Fri Aug 1 09:48:17 2014 +0200

    NEWS: Explain the s390 jmp_buf / ucontext_t ABI change reversal.

    (cherry picked from commit 95ee7fb13ba99ba265b49531c57e1cb8db629bc6)

    Typo fix as in commit 45ef66289acbab17278a73512f9b2a9d8a7ca79d and
    NEW enty adjusted to reflect revert occuring in 2.19.1 and 2.20.

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3942f5e5f7282161d31a60f84020eec1aa86bb82

commit 3942f5e5f7282161d31a60f84020eec1aa86bb82
Author: Stefan Liebler <stli@linux.vnet.ibm.com>
Date:   Thu Aug 28 16:53:13 2014 +1000

    S/390: Revert the jmp_buf/ucontext_t ABI change

    Backport of commit 2f438e20ab591641760e97458d5d1569942eced5

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a5dd31f514e3ab41bfe60cdeacd75d875006d9cc

commit a5dd31f514e3ab41bfe60cdeacd75d875006d9cc
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed May 28 14:05:03 2014 +0200

    manual: Update the locale documentation

    (cherry picked from commit 585367266923156ac6fb789939a923641ba5aaf4)

    Conflicts:
        manual/locale.texi

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d475d58097efe764e2567fca0ea194d5d80150ce

commit d475d58097efe764e2567fca0ea194d5d80150ce
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon May 12 15:24:12 2014 +0200

    _nl_find_locale: Improve handling of crafted locale names [BZ #17137]

    Prevent directory traversal in locale-related environment variables
    (CVE-2014-0475).

    (cherry picked from commit 4e8f95a0df7c2300b830ec12c0ae1e161bc8a8a3)

    Conflicts:
        NEWS
        localedata/Makefile

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1298cdbed6596663785254f63cb92af265aee8e0

commit 1298cdbed6596663785254f63cb92af265aee8e0
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed May 28 14:41:52 2014 +0200

    setlocale: Use the heap for the copy of the locale argument

    This avoids alloca calls with potentially large arguments.

    (cherry picked from commit d183645616b0533b3acee28f1a95570bffbdf50f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5754d77ab9899688380da1a52b02f62815b3d34b

commit 5754d77ab9899688380da1a52b02f62815b3d34b
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Mon May 26 11:40:08 2014 +0530

    Use NSS_STATUS_TRYAGAIN to indicate insufficient buffer (BZ #16878)

    The netgroups nss modules in the glibc tree use NSS_STATUS_UNAVAIL
    (with errno as ERANGE) when the supplied buffer does not have
    sufficient space for the result.  This is wrong, because the canonical
    way to indicate insufficient buffer is to set the errno to ERANGE and
    the status to NSS_STATUS_TRYAGAIN, as is used by all other modules.

    This fixes nscd behaviour when the nss_ldap module returns
    NSS_STATUS_TRYAGAIN to indicate that a netgroup entry is too long to
    fit into the supplied buffer.

    (cherry picked from commit c3ec475c5dd16499aa040908e11d382c3ded9692)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b5a823c6c62a05a793aa2d6ff208d1261b46f281

commit b5a823c6c62a05a793aa2d6ff208d1261b46f281
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
Date:   Wed Mar 12 17:27:22 2014 +0530

    Provide correct buffer length to netgroup queries in nscd (BZ #16695)

    The buffer to query netgroup entries is allocated sufficient space for
    the netgroup entries and the key to be appended at the end, but it
    sends in an incorrect available length to the NSS netgroup query
    functions, resulting in overflow of the buffer in some special cases.
    The fix here is to factor in the key length when sending the available
    buffer and buffer length to the query functions.

    (cherry picked from commit c44496df2f090a56d3bf75df930592dac6bba46f)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9c4b0856b5627d443edc924ae972a27078c53112

commit 9c4b0856b5627d443edc924ae972a27078c53112
Author: Maciej W. Rozycki <macro@codesourcery.com>
Date:   Fri Jun 20 21:52:53 2014 +0100

    [BZ #16046] dl_iterate_phdr static executable test

    (cherry picked from commit 257ce7127e2f64a6a959b146786cd43de0e42b5f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5ec38d177c9089db1bc62546bfaf411c0cabeb6d

commit 5ec38d177c9089db1bc62546bfaf411c0cabeb6d
Author: Andreas Schwab <schwab@linux-m68k.org>
Date:   Fri Jun 20 12:41:27 2014 +0200

    Fix another memory leak in regexp compiler (BZ #17069)

    (cherry picked from commit aa6ec754f3b4b1df81d186480c534b6486a1e6ee)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4498c0516d9f16feeca46820ba8ca2e62f916f82

commit 4498c0516d9f16feeca46820ba8ca2e62f916f82
Author: Andreas Schwab <schwab@linux-m68k.org>
Date:   Thu Jun 19 15:38:03 2014 +0200

    Fix memory leak in regexp compiler (BZ #17069)

    (cherry picked from commit 4d43ef1e7434d7d419afbcd754931cb0c794763c)

    Conflicts:
        posix/Makefile

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7b17d60f13089585c2b63d46cbc660c4b85d169d

commit 7b17d60f13089585c2b63d46cbc660c4b85d169d
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon May 26 18:01:31 2014 +0200

    Fix invalid file descriptor reuse while sending DNS query (BZ #15946)

    (cherry picked from commit f9d2d03254a58d92635a311a42253eeed5a40a47)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=76aebfbb87ecc33e59d29a8adda76dfcdbc9213d

commit 76aebfbb87ecc33e59d29a8adda76dfcdbc9213d
Author: Andreas Schwab <schwab@suse.de>
Date:   Tue Feb 18 10:57:25 2014 +0100

    Properly fix memory leak in _nss_dns_gethostbyname4_r with big DNS answer

    Instead of trying to guess whether the second buffer needs to be freed
    set a flag at the place it is allocated

    (cherry picked from commit ab09bf616ad527b249aca5f2a4956fd526f0712f)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c6ce0dadcfd14973ba880f4e043058a9367f00ce

commit c6ce0dadcfd14973ba880f4e043058a9367f00ce
Author: Ondřej Bílka <neleai@seznam.cz>
Date:   Sun Feb 16 12:59:23 2014 +0100

    Deduplicate resolv/nss_dns/dns-host.c

    In resolv/nss_dns/dns-host.c one of code path duplicated code after
    that. We merge these paths.

    (cherry picked from commit ab7ac0f2cf8731fe4c3f3aea6088a7c0127b5725)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4ad0ab7bdb6c4afb3fc561c6497759eb939d2a73

commit 4ad0ab7bdb6c4afb3fc561c6497759eb939d2a73
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu Feb 13 11:01:57 2014 +0100

    Fix memory leak in _nss_dns_gethostbyname4_r with big DNS answer

    (cherry picked from commit d668061994a7486a3ba9c7d5e7882d85a2883707)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=00a84253c5bc7dffb7a0a666cea21ea5e0288771

commit 00a84253c5bc7dffb7a0a666cea21ea5e0288771
Author: Andreas Schwab <schwab@suse.de>
Date:   Thu May 8 16:53:01 2014 +0200

    Fix unbound stack use in NIS NSS module

    (cherry picked from commit 315eb1d86aea489cd6325fd1c2521dcfb4fc0e1c)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=30026b69015db3f82407df83dc1118518ee1fa5c

commit 30026b69015db3f82407df83dc1118518ee1fa5c
Author: Allan McRae <allan@archlinux.org>
Date:   Sat Jun 21 17:23:55 2014 +1000

    Mention CVE-2014-4043 in NEWS

    (cherry picked from commit d03efb2f979defd473955a455d66b949961d26b2)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e698ea2c03ddfdfa87459c1a0e53e2a4289de0fa

commit e698ea2c03ddfdfa87459c1a0e53e2a4289de0fa
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Jun 11 23:12:52 2014 +0200

    posix_spawn_file_actions_addopen needs to copy the path argument (BZ 17048)

    POSIX requires that we make a copy, so we allocate a new string
    and free it in posix_spawn_file_actions_destroy.

    Reported by David Reid, Alex Gaynor, and Glyph Lefkowitz.  This bug
    may have security implications.

    (cherry picked from commit 89e435f3559c53084498e9baad22172b64429362)

    Conflicts:
        NEWS

-----------------------------------------------------------------------

-- 
You are receiving this mail because:
You are on the CC list for the bug.
>From glibc-bugs-return-26048-listarch-glibc-bugs=sources.redhat.com@sourceware.org Thu Aug 28 11:22:26 2014
Return-Path: <glibc-bugs-return-26048-listarch-glibc-bugs=sources.redhat.com@sourceware.org>
Delivered-To: listarch-glibc-bugs@sources.redhat.com
Received: (qmail 23077 invoked by alias); 28 Aug 2014 11:22:26 -0000
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <glibc-bugs.sourceware.org>
List-Subscribe: <mailto:glibc-bugs-subscribe@sourceware.org>
List-Post: <mailto:glibc-bugs@sourceware.org>
List-Help: <mailto:glibc-bugs-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: glibc-bugs-owner@sourceware.org
Delivered-To: mailing list glibc-bugs@sourceware.org
Received: (qmail 23020 invoked by uid 55); 28 Aug 2014 11:22:19 -0000
From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug localedata/17187] Out-of-bounds NUL write in iconv_open (CVE-2014-5119)
Date: Thu, 28 Aug 2014 11:22:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: localedata
X-Bugzilla-Version: unspecified
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: cvs-commit at gcc dot gnu.org
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: fweimer at redhat dot com
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: security+
X-Bugzilla-Changed-Fields:
Message-ID: <bug-17187-131-kONI6Clbr1@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-17187-131@http.sourceware.org/bugzilla/>
References: <bug-17187-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2014-08/txt/msg00131.txt.bz2
Content-length: 750

https://sourceware.org/bugzilla/show_bug.cgi?id\x17187

--- Comment #5 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, allan/2.19/backport has been deleted
       was  e3050a640f18eec4bc4e3f7b7f22c5b99c47028b

- Log -----------------------------------------------------------------
e3050a640f18eec4bc4e3f7b7f22c5b99c47028b __gconv_translit_find: Disable
function [BZ #17187]
-----------------------------------------------------------------------

--
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15946] getaddrinfo() writes DNS queries to random file descriptors under high load

[nilsson.dd+bz at gmail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

David Nilsson <nilsson.dd+bz at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
                 CC|                            |nilsson.dd+bz at gmail dot com
         Resolution|FIXED                       |---

--- Comment #13 from David Nilsson <nilsson.dd+bz at gmail dot com> ---
I'm unable to reproduce the correct behaviour using a local build of f9d2d0325,
glibc-2.20 and current HEAD.

This is evaluated using the supplied test case (bug.c) which still prints DNS 
data being received on the socket. It is executed using testrun.sh found in
the repo. I have also completed a local installation of glibc-2.20.

Tried on both fresh squeeze and jessie installations.

Was asked to post here after confirming with another user in #glibc.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15946] getaddrinfo() writes DNS queries to random file descriptors under high load

[jannhorn at googlemail dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

Jann Horn <jannhorn at googlemail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jannhorn at googlemail dot com

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15946] getaddrinfo() writes DNS queries to random file descriptors under high load

[k_f at gentoo dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

k_f at gentoo dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |k_f at gentoo dot org

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15946] getaddrinfo() writes DNS queries to random file descriptors under high load

[jirka at fud dot cz]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

Jiri Hruska <jirka at fud dot cz> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
                 CC|                            |jirka at fud dot cz
         Resolution|---                         |FIXED

--- Comment #14 from Jiri Hruska <jirka at fud dot cz> ---
That's a bug in the attached test case, though, not in glibc any more.

Line 122 should have `m = -1` instead of `m = 0`. Otherwise if the very first
dup() call fails, the close loop below will still do one iteration and close
somebody else's random file descriptor at fds[0].

To verify this, you can add the following before the `break` at line 158:
   if (errno == EMFILE) {
+    if (m == 0)
+      printf("Yo Dawg I herd you like bugs so I put a bug in your bug.c\n");
     break;
   } else {

When running the program now, every alleged error was preceded by this message
just before, and I wasn't able to trigger the bug at all when the code was
corrected as suggested above.

Marking as RESOLVED/FIXED again.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15946] getaddrinfo() writes DNS queries to random file descriptors under high load

[bugdal at aerifal dot cx]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

--- Comment #15 from Rich Felker <bugdal at aerifal dot cx> ---
Can you confirm that with the bug in the testcase fixed it still detects the
original bug in unfixed versions of glibc?

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15946] getaddrinfo() writes DNS queries to random file descriptors under high load

[jirka at fud dot cz]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

--- Comment #16 from Jiri Hruska <jirka at fud dot cz> ---
Sure, I can. Running the testcase against a glibc build without the fix applied
still results in the crosstalk error messages as expected.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15946] getaddrinfo() writes DNS queries to random file descriptors under high load (CVE-2013-7423)

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|getaddrinfo() writes DNS    |getaddrinfo() writes DNS
                   |queries to random file      |queries to random file
                   |descriptors under high load |descriptors under high load
                   |                            |(CVE-2013-7423)
              Alias|                            |CVE-2013-7423

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15946] getaddrinfo() writes DNS queries to random file descriptors under high load (CVE-2013-7423)

[schwab@linux-m68k.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

Andreas Schwab <schwab@linux-m68k.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #7193|0                           |1
        is obsolete|                            |

--- Comment #17 from Andreas Schwab <schwab@linux-m68k.org> ---
Created attachment 8161
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8161&action=edit
Corrected reproducing code

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15946] getaddrinfo() writes DNS queries to random file descriptors under high load (CVE-2013-7423)

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

--- Comment #18 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, ibm/2.16/master has been updated
       via  e9c2f97bf02666b01aa4af63c4e41355396acc3c (commit)
      from  627eabb20f2b70faa3698e2c0124094c6d51af8e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e9c2f97bf02666b01aa4af63c4e41355396acc3c

commit e9c2f97bf02666b01aa4af63c4e41355396acc3c
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon May 26 18:01:31 2014 +0200

    Fix invalid file descriptor reuse while sending DNS query (BZ #15946)

    Conflicts:
        NEWS

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog         |    6 ++++++
 NEWS              |    4 ++--
 resolv/res_send.c |    1 +
 3 files changed, 9 insertions(+), 2 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15946] getaddrinfo() writes DNS queries to random file descriptors under high load (CVE-2013-7423)

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

--- Comment #19 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, ibm/2.18/master has been updated
       via  fec49d52bbe7af00c80f014a76357f56293e42bd (commit)
       via  45af2f6fe19b8a776373cac5a2691460179aa1a3 (commit)
       via  d4deb63367247eaddcbe10b872d39ff70659eaf4 (commit)
       via  f2b605ed8882a922c403386b2af7e7a5eecbf39f (commit)
       via  d56700df46977b14e9fe54201132fed04475cd03 (commit)
       via  3ce4555d432282fcfe963cc8809163e85ee0f71c (commit)
       via  25394eff67a3119011ffa04a1986be130a6b628d (commit)
       via  bc273d38b147d67668e92a8f39dd696e28695c30 (commit)
       via  d680656b61891159d21a535f38219cf01d5edeea (commit)
       via  c616775d2c6df31786b71b4e135fba90b4a63f89 (commit)
       via  2a8396b962b8c57a2581023b62766a3ac44c3ba4 (commit)
       via  0553c6642be2cdf6bac776fac5fd50164cb28709 (commit)
       via  a244697f97107af77f26eb7e4dfc4538c7e68b27 (commit)
       via  8b43a2274a593ce91e673db1cfac6e808134bc84 (commit)
       via  ca0dd6386ed2b5c5c6ca392547628a1228432ae0 (commit)
       via  6d153c48a17487a1bd2ae47a1d6be8df28c21130 (commit)
      from  a33fd93601cae52dd1c53f92240e11b25b053e18 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fec49d52bbe7af00c80f014a76357f56293e42bd

commit fec49d52bbe7af00c80f014a76357f56293e42bd
Merge: 45af2f6 d4deb63
Author: Tulio Magno Quites Machado Filho <tuliom@linux.vnet.ibm.com>
Date:   Tue Apr 7 10:13:59 2015 -0300

    Merge branch release/2.18/master into ibm/2.18/master

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=45af2f6fe19b8a776373cac5a2691460179aa1a3

commit 45af2f6fe19b8a776373cac5a2691460179aa1a3
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon May 26 18:01:31 2014 +0200

    Fix invalid file descriptor reuse while sending DNS query (BZ #15946)

    Conflicts:
        NEWS

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                          |   63 +++++++++++
 NEWS                                               |    9 +-
 malloc/malloc.c                                    |   20 ++--
 nptl/Makefile                                      |    2 +-
 nptl/sysdeps/sparc/sparc32/pthread_spin_lock.S     |    4 +-
 nptl/sysdeps/sparc/sparc64/pthread_spin_lock.S     |    4 +-
 nptl/tst-spin4.c                                   |  109 ++++++++++++++++++++
 ports/ChangeLog.aarch64                            |   24 +++++
 ports/ChangeLog.alpha                              |    5 +
 ports/sysdeps/aarch64/dl-trampoline.S              |   30 +++++-
 ports/sysdeps/aarch64/fpu/fpu_control.h            |    3 +
 ports/sysdeps/aarch64/soft-fp/sfp-machine.h        |    2 +-
 ports/sysdeps/unix/sysv/linux/aarch64/clone.S      |    7 +-
 ports/sysdeps/unix/sysv/linux/alpha/rt_sigaction.S |   18 +++-
 resolv/res_send.c                                  |    1 +
 string/test-strcmp.c                               |   28 +++++
 sysdeps/sparc/sparc64/multiarch/memcpy-niagara2.S  |    1 +
 sysdeps/sparc/sparc64/strcmp.S                     |   31 ++++++
 sysdeps/unix/sysv/linux/sparc/bits/eventfd.h       |    2 +
 sysdeps/unix/sysv/linux/sparc/bits/resource.h      |   27 +++++
 sysdeps/x86/fpu/bits/mathinline.h                  |    6 +-
 sysdeps/x86_64/x32/symbol-hacks.h                  |    2 +-
 22 files changed, 366 insertions(+), 32 deletions(-)
 create mode 100644 nptl/tst-spin4.c

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15946] getaddrinfo() writes DNS queries to random file descriptors under high load (CVE-2013-7423)

[jim.king at simplivity dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

James E. King, III <jim.king at simplivity dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jim.king at simplivity dot com

--- Comment #20 from James E. King, III <jim.king at simplivity dot com> ---
I can also confirm that we were able to reproduce this issue easily and once
the patch was applied, we were not able to reproduce it easily any more.  It
can show up in a core looking like
https://sourceware.org/bugzilla/show_bug.cgi?id=12926 with a hang in check_pf
holding a lock, and all other threads calling getaddrinfo() are blocked waiting
for a reply that may never happen.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/15946] getaddrinfo() writes DNS queries to random file descriptors under high load (CVE-2013-7423)

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=15946

--- Comment #21 from Florian Weimer <fweimer at redhat dot com> ---
If this bug randomly picks a Netlink socket (such as the one used by
__check_pf), and SELinux is enabled (in permissive or enforcing mode), a kernel
message "SELinux:  unrecognized netlink message type=256 for sclass=30" will be
logged, or "SELinux: unrecognized netlink message: protocol=0 nlmsg_type=256
sclass=30" for newer kernel versions.

-- 
You are receiving this mail because:
You are on the CC list for the bug.