public inbox for glibc-bugs@sourceware.org
* [Bug network/18007] New: nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121)
@ 2015-02-23 11:24 fweimer at redhat dot com
  2015-02-23 12:03 ` [Bug network/18007] " schwab@linux-m68k.org
                   ` (15 more replies)
  0 siblings, 16 replies; 17+ messages in thread
From: fweimer at redhat dot com @ 2015-02-23 11:24 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18007

            Bug ID: 18007
           Summary: nss_files file pointer reset during iteration causes
                    application denial of service (CVE-2014-8121)
           Product: glibc
           Version: 2.21
            Status: NEW
          Severity: normal
          Priority: P2
         Component: network
          Assignee: fweimer at redhat dot com
          Reporter: fweimer at redhat dot com
             Flags: security+

Robin Hack discovered that Samba would enter an infinite loop when processing
quota-related requests.  It turns out this is a bug in the nss_files database.
Performing a lookup in the middle of an iteration (say, getpwuid between
getpwent) effectively resets the file pointer, so that the iteration starts
again from the beginning.

I'll post a patch to libc-alpha shortly.

-- 
You are receiving this mail because:
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 17+ messages in thread

* [Bug network/18007] nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121)
  2015-02-23 11:24 [Bug network/18007] New: nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121) fweimer at redhat dot com
@ 2015-02-23 12:03 ` schwab@linux-m68k.org
  2015-02-23 12:06 ` fweimer at redhat dot com
                   ` (14 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: schwab@linux-m68k.org @ 2015-02-23 12:03 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18007

--- Comment #1 from Andreas Schwab <schwab@linux-m68k.org> ---
Why is samba still using getpwent?

-- 
You are receiving this mail because:
You are on the CC list for the bug.



* [Bug network/18007] nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121)
  2015-02-23 11:24 [Bug network/18007] New: nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121) fweimer at redhat dot com
  2015-02-23 12:03 ` [Bug network/18007] " schwab@linux-m68k.org
@ 2015-02-23 12:06 ` fweimer at redhat dot com
  2015-04-29 13:03 ` cvs-commit at gcc dot gnu.org
                   ` (13 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: fweimer at redhat dot com @ 2015-02-23 12:06 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18007

--- Comment #2 from Florian Weimer <fweimer at redhat dot com> ---
(In reply to Andreas Schwab from comment #1)
> Why is samba still using getpwent?

It seems that the SMB protocol has a service related to quota enumeration which
maps poorly to the POSIX APIs in this area.

-- 
You are receiving this mail because:
You are on the CC list for the bug.



* [Bug network/18007] nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121)
  2015-02-23 11:24 [Bug network/18007] New: nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121) fweimer at redhat dot com
  2015-02-23 12:03 ` [Bug network/18007] " schwab@linux-m68k.org
  2015-02-23 12:06 ` fweimer at redhat dot com
@ 2015-04-29 13:03 ` cvs-commit at gcc dot gnu.org
  2015-04-29 13:22 ` schwab@linux-m68k.org
                   ` (12 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2015-04-29 13:03 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18007

--- Comment #3 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  03d2730b44cc2236318fd978afa2651753666c55 (commit)
      from  7d0b2575416aec2717e8665287d0ab77826a0ade (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=03d2730b44cc2236318fd978afa2651753666c55

commit 03d2730b44cc2236318fd978afa2651753666c55
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Apr 29 14:41:25 2015 +0200

    CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007]

    Robin Hack discovered Samba would enter an infinite loop processing
    certain quota-related requests.  We eventually tracked this down to a
    glibc issue.

    Running a (simplified) test case under strace shows that /etc/passwd
    is continuously opened and closed:

    …
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
    lseek(3, 2717, SEEK_SET)                = 2717
    close(3)                                = 0
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    lseek(3, 0, SEEK_SET)                   = 0
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
    lseek(3, 2717, SEEK_SET)                = 2717
    close(3)                                = 0
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    …

    The lookup function implementation in
    nss/nss_files/files-XXX.c:DB_LOOKUP has code to prevent that.  It is
    supposed to skip closing the input file if it was already open.

      /* Reset file pointer to beginning or open file.  */                    \
      status = internal_setent (keep_stream);                                 \
                                                                              \
      if (status == NSS_STATUS_SUCCESS)                                       \
        {                                                                     \
          /* Tell getent function that we have repositioned the file pointer. */ \
          last_use = getby;                                                   \
                                                                              \
          while ((status = internal_getent (result, buffer, buflen, errnop    \
                                            H_ERRNO_ARG EXTRA_ARGS_VALUE))    \
                 == NSS_STATUS_SUCCESS)                                       \
            { break_if_match }                                                \
                                                                              \
          if (! keep_stream)                                                  \
            internal_endent ();                                               \
        }                                                                     \

    keep_stream is initialized from the stayopen flag in internal_setent.
    internal_setent is called from the set*ent implementation as:

      status = internal_setent (stayopen);

    However, for non-host databases, this flag is always 0, per the
    STAYOPEN magic in nss/getXXent_r.c.

    Thus, the fix is this:

    -  status = internal_setent (stayopen);
    +  status = internal_setent (1);
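
Review bot: the one-line change only alters what set*ent passes in; the rewind, `internal_setent (keep_stream)`, and the close decision, `if (! keep_stream) internal_endent ();`, both stay in DB_LOOKUP and both act on the single stream the enumeration is using, so correctness now rests on keep_stream never being cleared between setpwent and endpwent and on getXXent repositioning from last_use after every lookup. Giving getXXent a stream of its own, separate from the one getXXbyYY rewinds and closes, would remove both invariants instead of depending on the flag's initial value. The diffstat adds nss/tst-nss-getpwent.c without showing it; the message should state which interleavings that test covers (a lookup before the first getpwent, between entries, and after endpwent), since an untested interleaving is how this bug survived in the first place.
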

    This is not a behavioral change even for the hosts database (where the
    application can specify the stayopen flag) because with a call to
    sethostent(0), the file handle is still not closed in the
    implementation of gethostent.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                 |    8 +++
 NEWS                      |   12 +++--
 nss/Makefile              |    2 +-
 nss/nss_files/files-XXX.c |    2 +-
 nss/tst-nss-getpwent.c    |  118 +++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 136 insertions(+), 6 deletions(-)
 create mode 100644 nss/tst-nss-getpwent.c

-- 
You are receiving this mail because:
You are on the CC list for the bug.
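The control flow the commit message quotes from DB_LOOKUP, reduced to a model, as an added illustration that is not glibc code: a constructed six-entry in-memory passwd database stands in for /etc/passwd, the shared-state backend copies the quoted steps (rewind the stream, scan, close unless keep_stream, with keep_stream == 0 as for the non-host databases), and the second backend gives the enumeration a stream of its own, which is the direction the later commit on this bug ("Separate internal state between getXXent and getXXbyYY NSS calls") takes. Every name here (stream_t, shared_getbyuid, walk_shared, WALK_LIMIT, ...) belongs to the example, not to nss_files.

```c
/* Model of the nss_files state sharing behind CVE-2014-8121.  Added
   illustration, not glibc code: SAMPLE_DB is a constructed stand-in for
   /etc/passwd and the two backends only mimic DB_LOOKUP's control flow.  */
#include <stdbool.h>
#include <stddef.h>

/* Constructed database: the uid of each passwd line, in file order.  */
static const unsigned SAMPLE_DB[] = { 0, 1, 2, 1000, 1001, 65534 };
#define SAMPLE_DB_LEN (sizeof SAMPLE_DB / sizeof SAMPLE_DB[0])

/* Bound on one walk; a correct enumeration ends long before this.  */
#define WALK_LIMIT 100

/* A "stream" is a cursor into SAMPLE_DB; pos < 0 means the file is closed.  */
typedef struct { long pos; } stream_t;

static void stream_setent(stream_t *s) { s->pos = 0; }   /* open, or rewind */
static void stream_endent(stream_t *s) { s->pos = -1; }  /* close */
static bool stream_getent(stream_t *s, unsigned *uid)
{
    if (s->pos < 0 || (size_t) s->pos >= SAMPLE_DB_LEN)
        return false;
    *uid = SAMPLE_DB[s->pos++];
    return true;
}

/* Shared-state backend: getXXent and getXXbyYY use one stream and one
   keep_stream flag, as files-XXX.c did before the fix.  */
typedef struct { stream_t stream; bool keep_stream; } shared_state_t;

static bool shared_getent(shared_state_t *st, unsigned *uid)
{
    if (st->stream.pos < 0)             /* first call, or after a close: open */
        stream_setent(&st->stream);
    return stream_getent(&st->stream, uid);
}

/* Same steps as the quoted DB_LOOKUP: reposition, scan, close unless
   keep_stream.  Each step acts on the enumeration's own stream.  */
static bool shared_getbyuid(shared_state_t *st, unsigned key)
{
    unsigned uid;
    bool found = false;
    stream_setent(&st->stream);
    while (stream_getent(&st->stream, &uid))
        if (uid == key) { found = true; break; }
    if (!st->keep_stream)
        stream_endent(&st->stream);
    return found;
}

/* Separated-state backend: the enumeration owns ent_stream; a lookup opens
   and closes a stream of its own and never touches ent_stream.  */
typedef struct { stream_t ent_stream; } separate_state_t;

static bool separate_getent(separate_state_t *st, unsigned *uid)
{
    if (st->ent_stream.pos < 0)
        stream_setent(&st->ent_stream);
    return stream_getent(&st->ent_stream, uid);
}

static bool separate_getbyuid(separate_state_t *st, unsigned key)
{
    (void) st;                          /* lookup state is entirely local */
    stream_t local = { .pos = -1 };
    unsigned uid;
    bool found = false;
    stream_setent(&local);
    while (stream_getent(&local, &uid))
        if (uid == key) { found = true; break; }
    stream_endent(&local);
    return found;
}

/* Samba's pattern: enumerate, looking each entry up by uid as we go.
   Returns the number of entries enumerated, or -1 when the walk exceeds
   WALK_LIMIT, i.e. the lookup reset the enumeration (the infinite loop,
   made finite so it can be reported).  */
int walk_shared(void)
{
    shared_state_t st = { .stream = { .pos = -1 }, .keep_stream = false };
    unsigned uid;
    int n = 0;
    while (shared_getent(&st, &uid)) {
        shared_getbyuid(&st, uid);
        if (++n > WALK_LIMIT)
            return -1;
    }
    return n;
}

int walk_separate(void)
{
    separate_state_t st = { .ent_stream = { .pos = -1 } };
    unsigned uid;
    int n = 0;
    while (separate_getent(&st, &uid)) {
        separate_getbyuid(&st, uid);
        if (++n > WALK_LIMIT)
            return -1;
    }
    return n;
}
```

walk_shared() never gets past the first entry: every lookup rewinds and then closes the shared stream, so the next getent reopens at line one, exactly the open/lseek/read/close cycle in the strace above. walk_separate() returns the six entries because the lookup has no stream to share.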


* [Bug network/18007] nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121)
From: fweimer at redhat dot com @ 2015-04-29 13:12 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18007

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #4 from Florian Weimer <fweimer at redhat dot com> ---
Fixed in glibc 2.22.

-- 
You are receiving this mail because:
You are on the CC list for the bug.



* [Bug network/18007] nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121)
  2015-02-23 11:24 [Bug network/18007] New: nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121) fweimer at redhat dot com
                   ` (2 preceding siblings ...)
  2015-04-29 13:03 ` cvs-commit at gcc dot gnu.org
@ 2015-04-29 13:22 ` schwab@linux-m68k.org
  2015-04-29 13:26 ` fweimer at redhat dot com
                   ` (11 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: schwab@linux-m68k.org @ 2015-04-29 13:22 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18007

Andreas Schwab <schwab@linux-m68k.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #5 from Andreas Schwab <schwab@linux-m68k.org> ---
Not fixed.

-- 
You are receiving this mail because:
You are on the CC list for the bug.



* [Bug network/18007] nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121)
  2015-02-23 11:24 [Bug network/18007] New: nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121) fweimer at redhat dot com
                   ` (3 preceding siblings ...)
  2015-04-29 13:22 ` schwab@linux-m68k.org
@ 2015-04-29 13:26 ` fweimer at redhat dot com
  2015-04-29 13:27 ` fweimer at redhat dot com
                   ` (10 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: fweimer at redhat dot com @ 2015-04-29 13:26 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18007

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://sourceware.org/bugz
                   |                            |illa/show_bug.cgi?id=18356

-- 
You are receiving this mail because:
You are on the CC list for the bug.



* [Bug network/18007] nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121)
  2015-02-23 11:24 [Bug network/18007] New: nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121) fweimer at redhat dot com
                   ` (4 preceding siblings ...)
  2015-04-29 13:26 ` fweimer at redhat dot com
@ 2015-04-29 13:27 ` fweimer at redhat dot com
  2015-04-29 13:32 ` schwab@linux-m68k.org
                   ` (9 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: fweimer at redhat dot com @ 2015-04-29 13:27 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18007

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #6 from Florian Weimer <fweimer at redhat dot com> ---
(In reply to Andreas Schwab from comment #5)
> Not fixed.

This bug covers a very specific scenario, based on the CVE description.  If we
fix different things under the same CVE name, we will cause confusion, and some
downstreams will miss the other fixes.  I have filed bug 18356 to cover the
other issues.

-- 
You are receiving this mail because:
You are on the CC list for the bug.



* [Bug network/18007] nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121)
  2015-02-23 11:24 [Bug network/18007] New: nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121) fweimer at redhat dot com
                   ` (5 preceding siblings ...)
  2015-04-29 13:27 ` fweimer at redhat dot com
@ 2015-04-29 13:32 ` schwab@linux-m68k.org
  2015-05-11  8:45 ` cvs-commit at gcc dot gnu.org
                   ` (8 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: schwab@linux-m68k.org @ 2015-04-29 13:32 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18007

Andreas Schwab <schwab@linux-m68k.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #7 from Andreas Schwab <schwab@linux-m68k.org> ---
The test fails.

-- 
You are receiving this mail because:
You are on the CC list for the bug.



* [Bug network/18007] nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121)
  2015-02-23 11:24 [Bug network/18007] New: nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121) fweimer at redhat dot com
                   ` (6 preceding siblings ...)
  2015-04-29 13:32 ` schwab@linux-m68k.org
@ 2015-05-11  8:45 ` cvs-commit at gcc dot gnu.org
  2015-05-11  8:48 ` [Bug network/18007] nss state sharing " schwab@linux-m68k.org
                   ` (7 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2015-05-11  8:45 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18007

--- Comment #8 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  b13b96ca05a132a12dc5f3712b99e626670716bf (commit)
      from  e1b6cb04f5efff7fb7415c69511d3ab3c31c6e4a (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b13b96ca05a132a12dc5f3712b99e626670716bf

commit b13b96ca05a132a12dc5f3712b99e626670716bf
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Mar 25 16:35:46 2015 +0100

    Separate internal state between getXXent and getXXbyYY NSS calls (bug 18007)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                    |   38 +++++++++++++++
 NEWS                         |    7 +--
 nis/nss_compat/compat-grp.c  |    6 +-
 nis/nss_compat/compat-pwd.c  |    6 +-
 nis/nss_compat/compat-spwd.c |   16 +++---
 nss/nss_files/files-XXX.c    |  109 ++++++++++-------------------------------
 nss/nss_files/files-alias.c  |   90 +++++++++++-----------------------
 nss/nss_files/files-hosts.c  |   35 ++++---------
 8 files changed, 122 insertions(+), 185 deletions(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.



* [Bug network/18007] nss state sharing causes application denial of service (CVE-2014-8121)
  2015-02-23 11:24 [Bug network/18007] New: nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121) fweimer at redhat dot com
                   ` (7 preceding siblings ...)
  2015-05-11  8:45 ` cvs-commit at gcc dot gnu.org
@ 2015-05-11  8:48 ` schwab@linux-m68k.org
  2015-05-25 19:17 ` cvs-commit at gcc dot gnu.org
                   ` (6 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: schwab@linux-m68k.org @ 2015-05-11  8:48 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18007

Andreas Schwab <schwab@linux-m68k.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |FIXED
            Summary|nss_files file pointer      |nss state sharing causes
                   |reset during iteration      |application denial of
                   |causes application denial   |service (CVE-2014-8121)
                   |of service (CVE-2014-8121)  |

--- Comment #9 from Andreas Schwab <schwab@linux-m68k.org> ---
Fixed now.

-- 
You are receiving this mail because:
You are on the CC list for the bug.



* [Bug network/18007] nss state sharing causes application denial of service (CVE-2014-8121)
  2015-02-23 11:24 [Bug network/18007] New: nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121) fweimer at redhat dot com
                   ` (8 preceding siblings ...)
  2015-05-11  8:48 ` [Bug network/18007] nss state sharing " schwab@linux-m68k.org
@ 2015-05-25 19:17 ` cvs-commit at gcc dot gnu.org
  2015-05-26 14:20 ` cvs-commit at gcc dot gnu.org
                   ` (5 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2015-05-25 19:17 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18007

--- Comment #10 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, ibm/2.20/master has been updated
       via  0a512fb591621e2c26efaf5ecc95e87763978386 (commit)
       via  9dc3dd905a5612717ed4b577b7f07294bff614f4 (commit)
      from  2aad087ddc0d14214f3d8fd1731a9b2e15f75091 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=0a512fb591621e2c26efaf5ecc95e87763978386

commit 0a512fb591621e2c26efaf5ecc95e87763978386
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Mar 25 16:35:46 2015 +0100

    Separate internal state between getXXent and getXXbyYY NSS calls (bug 18007)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9dc3dd905a5612717ed4b577b7f07294bff614f4

commit 9dc3dd905a5612717ed4b577b7f07294bff614f4
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Apr 29 14:41:25 2015 +0200

    CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007]

    Robin Hack discovered Samba would enter an infinite loop processing
    certain quota-related requests.  We eventually tracked this down to a
    glibc issue.

    Running a (simplified) test case under strace shows that /etc/passwd
    is continuously opened and closed:

    …
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
    lseek(3, 2717, SEEK_SET)                = 2717
    close(3)                                = 0
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    lseek(3, 0, SEEK_SET)                   = 0
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
    lseek(3, 2717, SEEK_SET)                = 2717
    close(3)                                = 0
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    …

    The lookup function implementation in
    nss/nss_files/files-XXX.c:DB_LOOKUP has code to prevent that.  It is
    supposed to skip closing the input file if it was already open.

      /* Reset file pointer to beginning or open file.  */                    \
      status = internal_setent (keep_stream);                                 \
                                                                              \
      if (status == NSS_STATUS_SUCCESS)                                       \
        {                                                                     \
          /* Tell getent function that we have repositioned the file pointer. */ \
          last_use = getby;                                                   \
                                                                              \
          while ((status = internal_getent (result, buffer, buflen, errnop    \
                                            H_ERRNO_ARG EXTRA_ARGS_VALUE))    \
                 == NSS_STATUS_SUCCESS)                                       \
            { break_if_match }                                                \
                                                                              \
          if (! keep_stream)                                                  \
            internal_endent ();                                               \
        }                                                                     \

    keep_stream is initialized from the stayopen flag in internal_setent.
    internal_setent is called from the set*ent implementation as:

      status = internal_setent (stayopen);

    However, for non-host databases, this flag is always 0, per the
    STAYOPEN magic in nss/getXXent_r.c.

    Thus, the fix is this:

    -  status = internal_setent (stayopen);
    +  status = internal_setent (1);

    This is not a behavioral change even for the hosts database (where the
    application can specify the stayopen flag) because with a call to
    sethostent(0), the file handle is still not closed in the
    implementation of gethostent.

    Conflicts:
        NEWS

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                    |   46 ++++++++++++++++
 NEWS                         |    6 ++-
 nis/nss_compat/compat-grp.c  |    6 +-
 nis/nss_compat/compat-pwd.c  |    6 +-
 nis/nss_compat/compat-spwd.c |   16 +++---
 nss/Makefile                 |    2 +-
 nss/nss_files/files-XXX.c    |  109 ++++++++++-----------------------------
 nss/nss_files/files-alias.c  |   90 ++++++++++----------------------
 nss/nss_files/files-hosts.c  |   35 ++++---------
 nss/tst-nss-getpwent.c       |  118 ++++++++++++++++++++++++++++++++++++++++++
 10 files changed, 251 insertions(+), 183 deletions(-)
 create mode 100644 nss/tst-nss-getpwent.c

-- 
You are receiving this mail because:
You are on the CC list for the bug.


* [Bug libc/10354] posix_spawn should use vfork() in more cases than presently
From: P at draigBrady dot com @ 2015-05-25 19:57 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=10354

--- Comment #10 from Pádraig Brady <P at draigBrady dot com> ---
preliminary timing of @musllibc's posix_spawn vs fork+exec shows
it ~25x faster for large parent processes. (~360µs vs 9ms for 40MB in small
mappings). For a trivial static binary the difference is 280µs vs 450µs

-- 
You are receiving this mail because:
You are on the CC list for the bug.


* [Bug libc/10354] posix_spawn should use vfork() in more cases than presently
From: bugdal at aerifal dot cx @ 2015-05-25 20:18 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=10354

--- Comment #11 from Rich Felker <bugdal at aerifal dot cx> ---
Comment 10 is quoting some of my tweets, starting with:
https://twitter.com/RichFelker/status/602313644026761216

-- 
You are receiving this mail because:
You are on the CC list for the bug.



* [Bug network/18007] nss state sharing causes application denial of service (CVE-2014-8121)
  2015-02-23 11:24 [Bug network/18007] New: nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121) fweimer at redhat dot com
                   ` (9 preceding siblings ...)
  2015-05-25 19:17 ` cvs-commit at gcc dot gnu.org
@ 2015-05-26 14:20 ` cvs-commit at gcc dot gnu.org
  2015-05-26 20:54 ` cvs-commit at gcc dot gnu.org
                   ` (4 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2015-05-26 14:20 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18007

--- Comment #11 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, ibm/2.19/master has been updated
       via  a9a40adad97c1259f4eb0f768278cc2070c014e1 (commit)
       via  ed21c85d5090667e3ab7d3a7e98dde43842aa70c (commit)
      from  19250b9c8d4aec32b7a6ddfb97cc6e61d4e91208 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a9a40adad97c1259f4eb0f768278cc2070c014e1

commit a9a40adad97c1259f4eb0f768278cc2070c014e1
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Mar 25 16:35:46 2015 +0100

    Separate internal state between getXXent and getXXbyYY NSS calls (bug 18007)

    Conflicts:
        NEWS

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ed21c85d5090667e3ab7d3a7e98dde43842aa70c

commit ed21c85d5090667e3ab7d3a7e98dde43842aa70c
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Apr 29 14:41:25 2015 +0200

    CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007]

    Robin Hack discovered Samba would enter an infinite loop processing
    certain quota-related requests.  We eventually tracked this down to a
    glibc issue.

    Running a (simplified) test case under strace shows that /etc/passwd
    is continuously opened and closed:

    …
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
    lseek(3, 2717, SEEK_SET)                = 2717
    close(3)                                = 0
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    lseek(3, 0, SEEK_SET)                   = 0
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
    lseek(3, 2717, SEEK_SET)                = 2717
    close(3)                                = 0
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    …

    The lookup function implementation in
    nss/nss_files/files-XXX.c:DB_LOOKUP has code to prevent that.  It is
    supposed to skip closing the input file if it was already open.

      /* Reset file pointer to beginning or open file.  */                    \
      status = internal_setent (keep_stream);                                 \
                                                                              \
      if (status == NSS_STATUS_SUCCESS)                                       \
        {                                                                     \
          /* Tell getent function that we have repositioned the file pointer. */ \
          last_use = getby;                                                   \
                                                                              \
          while ((status = internal_getent (result, buffer, buflen, errnop    \
                                        H_ERRNO_ARG EXTRA_ARGS_VALUE))        \
             == NSS_STATUS_SUCCESS)                                           \
        { break_if_match }                                                    \
                                                                              \
          if (! keep_stream)                                                  \
        internal_endent ();                                                   \
        }                                                                     \

    keep_stream is initialized from the stayopen flag in internal_setent.
    internal_setent is called from the set*ent implementation as:

      status = internal_setent (stayopen);

    However, for the non-host databases, this flag is always 0, per the
    STAYOPEN magic in nss/getXXent_r.c.

    Thus, the fix is this:

    -  status = internal_setent (stayopen);
    +  status = internal_setent (1);
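Review bot: with the literal 1 at this single set*ent call site, the stayopen parameter of internal_setent no longer carries the application's sethostent(stayopen) value for the hosts database; the message argues this is not a behavioral change because gethostent does not close the handle after sethostent(0), but that reasoning lives only in the commit message, so a one-line comment next to `status = internal_setent (1);` would stop a later reader from "restoring" the flag and reintroducing the loop. The diffstat adds nss/tst-nss-getpwent.c; it would be worth having that test compare the number of entries returned with and without an interleaved getpwuid call, so a restart is detected as a count mismatch rather than only as a hang.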

    This is not a behavioral change even for the hosts database (where the
    application can specify the stayopen flag) because with a call to
    sethostent(0), the file handle is still not closed in the
    implementation of gethostent.

    Conflicts:
        NEWS

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                    |   46 ++++++++++++++++
 NEWS                         |    6 ++-
 nis/nss_compat/compat-grp.c  |    6 +-
 nis/nss_compat/compat-pwd.c  |    6 +-
 nis/nss_compat/compat-spwd.c |   16 +++---
 nss/Makefile                 |    2 +-
 nss/nss_files/files-XXX.c    |  109 ++++++++++-----------------------------
 nss/nss_files/files-alias.c  |   90 ++++++++++----------------------
 nss/nss_files/files-hosts.c  |   35 ++++---------
 nss/tst-nss-getpwent.c       |  118 ++++++++++++++++++++++++++++++++++++++++++
 10 files changed, 251 insertions(+), 183 deletions(-)
 create mode 100644 nss/tst-nss-getpwent.c
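To make the state machine in the commit message concrete, here is an added, self-contained C model of the shared-stream logic. It is example code written for this page, not glibc's nss_files implementation: the struct, `internal_setent`, `internal_endent`, the `db_*` functions and the sample uid table are constructed, simplified stand-ins for the file-scope statics in nss/nss_files/files-XXX.c. `model_enumerate_with_lookups(0)` runs the Samba-style loop with the pre-fix set*ent behaviour (stayopen 0); `model_enumerate_with_lookups(1)` runs it with the fix (stayopen 1):

```c
#include <stddef.h>

/* Constructed sample database: one uid per "line" of a passwd-like file.
   A stand-in for /etc/passwd, not real data. */
static const int SAMPLE_UIDS[] = { 0, 1, 2, 1000, 1001 };
#define SAMPLE_N (sizeof SAMPLE_UIDS / sizeof SAMPLE_UIDS[0])

enum last_use { LAST_NONE, LAST_GETENT, LAST_GETBY };

/* Simplified model (hypothetical names) of the per-database state glibc
   2.21 kept in files-XXX.c: one stream shared by getXXent and getXXbyYY,
   a remembered position, and the keep_stream flag. */
struct files_db {
    int is_open;          /* stream != NULL */
    size_t pos;           /* current read position, in entries */
    size_t saved_pos;     /* where getXXent resumes after a lookup */
    enum last_use last;   /* who used the stream last */
    int keep_stream;      /* accumulated stayopen flag */
};

static void internal_setent(struct files_db *db, int stayopen)
{
    db->is_open = 1;              /* open the file, or rewind if already open */
    db->pos = 0;
    db->keep_stream |= stayopen;
}

static void internal_endent(struct files_db *db)
{
    db->is_open = 0;              /* fclose: the position dies with the stream */
}

/* set*ent as the application calls it.  Before the fix the non-host
   databases always passed stayopen == 0 here; the fix passes 1. */
static void db_setent(struct files_db *db, int fixed)
{
    db->keep_stream = 0;
    internal_setent(db, fixed ? 1 : 0);
}

static void db_endent(struct files_db *db)
{
    internal_endent(db);
    db->keep_stream = 0;
}

/* getXXent: stores the next uid and returns 1, or 0 at end of database. */
static int db_getent(struct files_db *db, int *uid)
{
    if (!db->is_open) {
        internal_setent(db, 0);    /* reopened, so reading starts at offset 0 */
        db->last = LAST_GETENT;
    } else if (db->last != LAST_GETENT) {
        db->pos = db->saved_pos;   /* a lookup moved the stream; seek back */
        db->last = LAST_GETENT;
    }
    if (db->pos >= SAMPLE_N)
        return 0;
    *uid = SAMPLE_UIDS[db->pos++];
    db->saved_pos = db->pos;
    return 1;
}

/* getXXbyYY: the DB_LOOKUP path quoted in the commit message. */
static int db_getbyuid(struct files_db *db, int uid)
{
    int found = 0;
    internal_setent(db, db->keep_stream);   /* rewind or open */
    db->last = LAST_GETBY;
    while (db->pos < SAMPLE_N)
        if (SAMPLE_UIDS[db->pos++] == uid) { found = 1; break; }
    if (!db->keep_stream)
        internal_endent(db);                /* this close is the bug */
    return found;
}

/* The Samba-style pattern: iterate, looking up each entry by uid as we go.
   Returns the number of entries seen, or -1 if the bound was exceeded,
   i.e. the iteration restarted from the beginning and would never end. */
static long model_enumerate_with_lookups(int fixed)
{
    struct files_db db = { 0 };
    long count = 0;
    int uid;
    db_setent(&db, fixed);
    while (db_getent(&db, &uid)) {
        db_getbyuid(&db, uid);
        if (++count > 10 * (long) SAMPLE_N) { db_endent(&db); return -1; }
    }
    db_endent(&db);
    return count;
}
```

With stayopen 0 the lookup's `internal_endent` closes the stream, the next getXXent reopens the file at offset 0, and the loop never terminates (the model bounds it and returns -1). With stayopen 1 the stream stays open, getXXent seeks back to its saved position, and all five sample entries are enumerated exactly once. The bound is the guard any regression test for this class of bug needs, because the failure mode is a hang rather than a wrong value.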

From: "dvpappas at msn dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug localedata/18453] New: Incorrect codes for IBM875
Date: Tue, 26 May 2015 17:03:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=18453

            Bug ID: 18453
           Summary: Incorrect codes for IBM875
           Product: glibc
           Version: 2.21
            Status: NEW
          Severity: normal
          Priority: P2
         Component: localedata
          Assignee: unassigned at sourceware dot org
          Reporter: dvpappas at msn dot com
                CC: libc-locales at sourceware dot org
  Target Milestone: ---

In the charmap for IBM875 there is a mistake on 4 letters.
According to the IBM specification:
1. 0xB4 is "GREEK SMALL LETTER IOTA WITH DIALYTIKA" and is the equivalent to
U+03CA.
2. 0xCC is "GREEK SMALL LETTER IOTA WITH DIALYTIKA AND TONOS" and is the
equivalent to U+0390.
3. 0xB8 is "GREEK SMALL LETTER UPSILON WITH DIALYTIKA" and is the equivalent to
U+03CB.
4. 0xCD is "GREEK SMALL LETTER UPSILON WITH DIALYTIKA AND TONOS" and is the
equivalent to U+03CB.

In "localedata/charmaps/IBM875" the two IOTA's and UPSILON's above are reversed
and when converting to or from IBM875 the conversion is wrong.

From: "dvpappas at msn dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug localedata/18453] Incorrect codes for IBM875
Date: Tue, 26 May 2015 17:09:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=18453

Dimitris Pappas <dvpappas at msn dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dvpappas at msn dot com

--- Comment #1 from Dimitris Pappas <dvpappas at msn dot com> ---
Created attachment 8334
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8334&action=edit
Corrected letter codes and description


* [Bug network/18007] nss state sharing causes application denial of service (CVE-2014-8121)
  2015-02-23 11:24 [Bug network/18007] New: nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121) fweimer at redhat dot com
                   ` (10 preceding siblings ...)
  2015-05-26 14:20 ` cvs-commit at gcc dot gnu.org
@ 2015-05-26 20:54 ` cvs-commit at gcc dot gnu.org
  2015-07-21  3:11 ` vapier at gentoo dot org
                   ` (3 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2015-05-26 20:54 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18007

--- Comment #12 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, ibm/2.18/master has been updated
       via  335863ea7cbc2c4c2a1947039565b781cf488a8f (commit)
       via  53d405329ab189725e72b317f18cd939c6ad240a (commit)
      from  3c7fb252298c48ef424e65fe63ea818d688f1088 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=335863ea7cbc2c4c2a1947039565b781cf488a8f

commit 335863ea7cbc2c4c2a1947039565b781cf488a8f
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Mar 25 16:35:46 2015 +0100

    Separate internal state between getXXent and getXXbyYY NSS calls (bug 18007)

    Conflicts:
        NEWS
        nss/nss_files/files-hosts.c

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=53d405329ab189725e72b317f18cd939c6ad240a

commit 53d405329ab189725e72b317f18cd939c6ad240a
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Apr 29 14:41:25 2015 +0200

    CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007]

    Robin Hack discovered Samba would enter an infinite loop processing
    certain quota-related requests.  We eventually tracked this down to a
    glibc issue.

    Running a (simplified) test case under strace shows that /etc/passwd
    is continuously opened and closed:

    …
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
    lseek(3, 2717, SEEK_SET)                = 2717
    close(3)                                = 0
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    lseek(3, 0, SEEK_SET)                   = 0
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
    lseek(3, 2717, SEEK_SET)                = 2717
    close(3)                                = 0
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    …

    The lookup function implementation in
    nss/nss_files/files-XXX.c:DB_LOOKUP has code to prevent that.  It is
    supposed to skip closing the input file if it was already open.

      /* Reset file pointer to beginning or open file.  */                    \
      status = internal_setent (keep_stream);                                 \
                                                                              \
      if (status == NSS_STATUS_SUCCESS)                                       \
        {                                                                     \
          /* Tell getent function that we have repositioned the file pointer. */ \
          last_use = getby;                                                   \
                                                                              \
          while ((status = internal_getent (result, buffer, buflen, errnop    \
                                        H_ERRNO_ARG EXTRA_ARGS_VALUE))        \
             == NSS_STATUS_SUCCESS)                                           \
        { break_if_match }                                                    \
                                                                              \
          if (! keep_stream)                                                  \
        internal_endent ();                                                   \
        }                                                                     \

    keep_stream is initialized from the stayopen flag in internal_setent.
    internal_setent is called from the set*ent implementation as:

      status = internal_setent (stayopen);

    However, for the non-host databases, this flag is always 0, per the
    STAYOPEN magic in nss/getXXent_r.c.

    Thus, the fix is this:

    -  status = internal_setent (stayopen);
    +  status = internal_setent (1);

    This is not a behavioral change even for the hosts database (where the
    application can specify the stayopen flag) because with a call to
    sethostent(0), the file handle is still not closed in the
    implementation of gethostent.

    Conflicts:
        NEWS

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                    |   46 ++++++++++++++++
 NEWS                         |    6 ++-
 nis/nss_compat/compat-grp.c  |    6 +-
 nis/nss_compat/compat-pwd.c  |    6 +-
 nis/nss_compat/compat-spwd.c |   16 +++---
 nss/Makefile                 |    2 +-
 nss/nss_files/files-XXX.c    |  109 ++++++++++-----------------------------
 nss/nss_files/files-alias.c  |   90 ++++++++++----------------------
 nss/nss_files/files-hosts.c  |   44 +++++----------
 nss/tst-nss-getpwent.c       |  118 ++++++++++++++++++++++++++++++++++++++++++
 10 files changed, 255 insertions(+), 188 deletions(-)
 create mode 100644 nss/tst-nss-getpwent.c

From: "baurthefirst at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug localedata/15578] The kk_KZ locale update
Date: Wed, 27 May 2015 05:39:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=15578

--- Comment #5 from Baurzhan Muftakhidinov <baurthefirst at gmail dot com> ---
Ping


* [Bug network/18007] nss state sharing causes application denial of service (CVE-2014-8121)
  2015-02-23 11:24 [Bug network/18007] New: nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121) fweimer at redhat dot com
                   ` (11 preceding siblings ...)
  2015-05-26 20:54 ` cvs-commit at gcc dot gnu.org
@ 2015-07-21  3:11 ` vapier at gentoo dot org
  2015-07-21  3:12 ` vapier at gentoo dot org
                   ` (2 subsequent siblings)
  15 siblings, 0 replies; 17+ messages in thread
From: vapier at gentoo dot org @ 2015-07-21  3:11 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18007

Mike Frysinger <vapier at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.gentoo.org/sho
                   |                            |w_bug.cgi?id=552692


* [Bug network/18007] nss state sharing causes application denial of service (CVE-2014-8121)
  2015-02-23 11:24 [Bug network/18007] New: nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121) fweimer at redhat dot com
                   ` (12 preceding siblings ...)
  2015-07-21  3:11 ` vapier at gentoo dot org
@ 2015-07-21  3:12 ` vapier at gentoo dot org
  2015-09-22  9:59 ` schwab@linux-m68k.org
  2015-10-19 11:13 ` cvs-commit at gcc dot gnu.org
  15 siblings, 0 replies; 17+ messages in thread
From: vapier at gentoo dot org @ 2015-07-21  3:12 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18007

Mike Frysinger <vapier at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |vapier at gentoo dot org
   Target Milestone|---                         |2.22


* [Bug network/18007] nss state sharing causes application denial of service (CVE-2014-8121)
  2015-02-23 11:24 [Bug network/18007] New: nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121) fweimer at redhat dot com
                   ` (13 preceding siblings ...)
  2015-07-21  3:12 ` vapier at gentoo dot org
@ 2015-09-22  9:59 ` schwab@linux-m68k.org
  2015-10-19 11:13 ` cvs-commit at gcc dot gnu.org
  15 siblings, 0 replies; 17+ messages in thread
From: schwab@linux-m68k.org @ 2015-09-22  9:59 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18007

Andreas Schwab <schwab@linux-m68k.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |18991


Referenced Bugs:

https://sourceware.org/bugzilla/show_bug.cgi?id=18991
[Bug 18991] nss_files skips large entry in database

* [Bug network/18007] nss state sharing causes application denial of service (CVE-2014-8121)
  2015-02-23 11:24 [Bug network/18007] New: nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121) fweimer at redhat dot com
                   ` (14 preceding siblings ...)
  2015-09-22  9:59 ` schwab@linux-m68k.org
@ 2015-10-19 11:13 ` cvs-commit at gcc dot gnu.org
  15 siblings, 0 replies; 17+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2015-10-19 11:13 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18007

--- Comment #14 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.21/master has been updated
       via  e871e19b5f19d2e6595e911b0a5b1c19cda20cc7 (commit)
      from  f2cdbadd8a078482d3b9fc2b59e888c64cc4efae (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e871e19b5f19d2e6595e911b0a5b1c19cda20cc7

commit e871e19b5f19d2e6595e911b0a5b1c19cda20cc7
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Apr 29 14:41:25 2015 +0200

    CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007]

    Robin Hack discovered Samba would enter an infinite loop processing
    certain quota-related requests.  We eventually tracked this down to a
    glibc issue.

    Running a (simplified) test case under strace shows that /etc/passwd
    is continuously opened and closed:

    …
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
    lseek(3, 2717, SEEK_SET)                = 2717
    close(3)                                = 0
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    lseek(3, 0, SEEK_SET)                   = 0
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
    lseek(3, 2717, SEEK_SET)                = 2717
    close(3)                                = 0
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    …

    The lookup function implementation in
    nss/nss_files/files-XXX.c:DB_LOOKUP has code to prevent that.  It is
    supposed to skip closing the input file if it was already open.

      /* Reset file pointer to beginning or open file.  */                    \
      status = internal_setent (keep_stream);                                 \
                                                                              \
      if (status == NSS_STATUS_SUCCESS)                                       \
        {                                                                     \
          /* Tell getent function that we have repositioned the file pointer. */ \
          last_use = getby;                                                   \
                                                                              \
          while ((status = internal_getent (result, buffer, buflen, errnop    \
                                        H_ERRNO_ARG EXTRA_ARGS_VALUE))        \
             == NSS_STATUS_SUCCESS)                                           \
        { break_if_match }                                                    \
                                                                              \
          if (! keep_stream)                                                  \
        internal_endent ();                                                   \
        }                                                                     \

    keep_stream is initialized from the stayopen flag in internal_setent.
    internal_setent is called from the set*ent implementation as:

      status = internal_setent (stayopen);

    However, for the non-host databases, this flag is always 0, per the
    STAYOPEN magic in nss/getXXent_r.c.

    Thus, the fix is this:

    -  status = internal_setent (stayopen);
    +  status = internal_setent (1);

    This is not a behavioral change even for the hosts database (where the
    application can specify the stayopen flag) because with a call to
    sethostent(0), the file handle is still not closed in the
    implementation of gethostent.

    (cherry picked from commit 03d2730b44cc2236318fd978afa2651753666c55)

    Conflicts:
        ChangeLog
        NEWS

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                 |    8 +++
 NEWS                      |    7 ++-
 nss/Makefile              |    2 +-
 nss/nss_files/files-XXX.c |    2 +-
 nss/tst-nss-getpwent.c    |  118 +++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 134 insertions(+), 3 deletions(-)
 create mode 100644 nss/tst-nss-getpwent.c

From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug network/18007] nss state sharing causes application denial of service (CVE-2014-8121)
Date: Mon, 19 Oct 2015 11:23:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=18007

--- Comment #15 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.19/master has been updated
       via  83e9e8b0464dcff36930b8bb53d04ac3b551b5a3 (commit)
      from  012adb33827608d3b78e3832a1948b468b549946 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=83e9e8b0464dcff36930b8bb53d04ac3b551b5a3

commit 83e9e8b0464dcff36930b8bb53d04ac3b551b5a3
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Apr 29 14:41:25 2015 +0200

    CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007]

    Robin Hack discovered Samba would enter an infinite loop processing
    certain quota-related requests.  We eventually tracked this down to a
    glibc issue.

    Running a (simplified) test case under strace shows that /etc/passwd
    is continuously opened and closed:

    …
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
    lseek(3, 2717, SEEK_SET)                = 2717
    close(3)                                = 0
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    lseek(3, 0, SEEK_SET)                   = 0
    read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717
    lseek(3, 2717, SEEK_SET)                = 2717
    close(3)                                = 0
    open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
    lseek(3, 0, SEEK_CUR)                   = 0
    …

    The lookup function implementation in
    nss/nss_files/files-XXX.c:DB_LOOKUP has code to prevent that.  It is
    supposed to skip closing the input file if it was already open.

      /* Reset file pointer to beginning or open file.  */                    \
      status = internal_setent (keep_stream);                                 \
                                                                              \
      if (status == NSS_STATUS_SUCCESS)                                       \
        {                                                                     \
          /* Tell getent function that we have repositioned the file pointer. */ \
          last_use = getby;                                                   \
                                                                              \
          while ((status = internal_getent (result, buffer, buflen, errnop    \
                                        H_ERRNO_ARG EXTRA_ARGS_VALUE))        \
             == NSS_STATUS_SUCCESS)                                           \
        { break_if_match }                                                    \
                                                                              \
          if (! keep_stream)                                                  \
        internal_endent ();                                                   \
        }                                                                     \

    keep_stream is initialized from the stayopen flag in internal_setent.
    internal_setent is called from the set*ent implementation as:

      status = internal_setent (stayopen);

    However, for non-host databases, this flag is always 0, per the
    STAYOPEN magic in nss/getXXent_r.c.

    Thus, the fix is this:

    -  status = internal_setent (stayopen);
    +  status = internal_setent (1);

    This is not a behavioral change even for the hosts database (where the
    application can specify the stayopen flag) because with a call to
    sethostent(0), the file handle is still not closed in the
    implementation of gethostent.

    (cherry picked from commit 03d2730b44cc2236318fd978afa2651753666c55)

    Conflicts:
        ChangeLog
        NEWS

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                 |    8 +++
 NEWS                      |    7 ++-
 nss/Makefile              |    2 +-
 nss/nss_files/files-XXX.c |    2 +-
 nss/tst-nss-getpwent.c    |  118 +++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 134 insertions(+), 3 deletions(-)
 create mode 100644 nss/tst-nss-getpwent.c

* [Bug network/12926] getaddrinfo()/make_request() may spin forever
@ 2015-10-19 11:46 ` fweimer at redhat dot com
From: "fweimer at redhat dot com" <sourceware-bugzilla@sourceware.org> @ 2015-10-19 11:46 UTC
  To: glibc-bugs@sourceware.org

           Product: glibc
         Component: network
           Version: 2.13
          Severity: normal
          Priority: P2
            Status: ASSIGNED
          Assignee: fweimer at redhat dot com
             Flags: security?

https://sourceware.org/bugzilla/show_bug.cgi?id=12926

--- Comment #10 from Florian Weimer <fweimer at redhat dot com> ---
(In reply to James E. King, III from comment #8)
> If the other issue resolves this, please post here letting us know
> so we can re-resolve this.

Netlink is a best-effort transport just like UDP, so messages can get lost.  We
need to add timeout-and-retry loops to the Netlink interfaces (and consolidate
them to a single implementation).

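A bounded timeout-and-retry receive loop of the kind the comment above asks for, as an added example that is not glibc's getaddrinfo()/make_request() code: recv_with_retry() waits with poll() for a bounded time, re-sends the request through a caller-supplied callback when nothing arrives, and gives up with ETIMEDOUT after a fixed number of attempts, so a lost Netlink reply can no longer make the caller wait forever. main() applies it to an RTM_GETADDR dump request on NETLINK_ROUTE; the helper and callback names, the 500 ms timeout and the three attempts are our choices.

```c
/* Added example, not glibc code: a bounded timeout-and-retry receive
   for a best-effort transport such as Netlink, where a request or its
   reply may be dropped and a plain blocking recv() would hang.  */
#define _GNU_SOURCE
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/* Wait up to timeout_ms for data on fd.  If nothing arrives, call resend()
   (if given) to re-issue the request and try again, at most `attempts`
   times in total.  Returns the number of bytes received, or -1 with errno
   set to ETIMEDOUT when every attempt timed out, or to the errno of the
   failing poll()/recv()/resend() call.  */
ssize_t recv_with_retry(int fd, void *buf, size_t len, int timeout_ms,
                        int attempts,
                        int (*resend)(int fd, void *ctx), void *ctx)
{
    for (int i = 0; i < attempts; i++) {
        struct pollfd pfd = { .fd = fd, .events = POLLIN };
        int rc = poll(&pfd, 1, timeout_ms);
        if (rc < 0) {
            if (errno == EINTR)
                continue;               /* interrupted: counts as one attempt */
            return -1;
        }
        if (rc == 0) {                  /* timed out: treat the message as lost */
            if (i + 1 < attempts && resend != NULL && resend(fd, ctx) < 0)
                return -1;
            continue;
        }
        ssize_t n = recv(fd, buf, len, 0);
        if (n < 0 && (errno == EAGAIN || errno == EINTR))
            continue;
        return n;                       /* data, EOF, or a hard error */
    }
    errno = ETIMEDOUT;
    return -1;
}

/* Resend callback: (re)issue an RTM_GETADDR dump request with the
   sequence number stored in *ctx.  */
static int send_getaddr_request(int fd, void *ctx)
{
    struct {
        struct nlmsghdr nlh;
        struct rtgenmsg gen;
    } req;
    memset(&req, 0, sizeof req);
    req.nlh.nlmsg_len = NLMSG_LENGTH(sizeof req.gen);
    req.nlh.nlmsg_type = RTM_GETADDR;
    req.nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
    req.nlh.nlmsg_seq = *(unsigned *) ctx;
    req.gen.rtgen_family = AF_UNSPEC;
    return send(fd, &req, req.nlh.nlmsg_len, 0) < 0 ? -1 : 0;
}

int main(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_ROUTE);
    if (fd < 0) {
        perror("socket");
        return 1;
    }
    unsigned seq = 1;
    if (send_getaddr_request(fd, &seq) < 0) {
        perror("send");
        return 1;
    }
    char buf[8192];
    /* 500 ms per attempt, three attempts: a lost reply costs at most 1.5 s
       instead of hanging the caller forever.  */
    ssize_t n = recv_with_retry(fd, buf, sizeof buf, 500, 3,
                                send_getaddr_request, &seq);
    if (n < 0)
        perror("recv_with_retry");
    else
        printf("received %zd bytes of the RTM_GETADDR dump\n", n);
    close(fd);
    return n < 0;
}
```

main() only reads the first chunk of the dump; a real consumer loops until it sees NLMSG_DONE and applies the same bounded wait to every chunk, checking nlmsg_seq so that a late reply to an earlier, already retried request is not mistaken for the current one.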



Thread overview: 17+ messages (download: mbox.gz / follow: Atom feed)
2015-02-23 11:24 [Bug network/18007] New: nss_files file pointer reset during iteration causes application denial of service (CVE-2014-8121) fweimer at redhat dot com
2015-02-23 12:03 ` [Bug network/18007] " schwab@linux-m68k.org
2015-02-23 12:06 ` fweimer at redhat dot com
2015-04-29 13:03 ` cvs-commit at gcc dot gnu.org
2015-04-29 13:22 ` schwab@linux-m68k.org
2015-04-29 13:26 ` fweimer at redhat dot com
2015-04-29 13:27 ` fweimer at redhat dot com
2015-04-29 13:32 ` schwab@linux-m68k.org
2015-05-11  8:45 ` cvs-commit at gcc dot gnu.org
2015-05-11  8:48 ` [Bug network/18007] nss state sharing " schwab@linux-m68k.org
2015-05-25 19:17 ` cvs-commit at gcc dot gnu.org
2015-05-26 14:20 ` cvs-commit at gcc dot gnu.org
2015-05-26 20:54 ` cvs-commit at gcc dot gnu.org
2015-07-21  3:11 ` vapier at gentoo dot org
2015-07-21  3:12 ` vapier at gentoo dot org
2015-09-22  9:59 ` schwab@linux-m68k.org
2015-10-19 11:13 ` cvs-commit at gcc dot gnu.org
