[Bug network/18287] New: (CVE-2015-1781)

[Bug network/18287] New: (CVE-2015-1781)

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=18287

            Bug ID: 18287
           Summary: (CVE-2015-1781)
           Product: glibc
           Version: 2.20
            Status: NEW
          Severity: normal
          Priority: P2
         Component: network
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
             Flags: security+

Arjun Shankar of Red Hat discovered that the nss_dns code does not adjust the
buffer length when the buffer start pointer is aligned.  As a result, a buffer
overflow can occur in the implementation of functions such as gethostbyname_r,
and crafted DNS responses might cause application crashes or result in
arbitrary code execution.

This can only happen if these functions are called with a misaligned buffer.  I
looked at quite a bit of source code, and tested applications with a patched
glibc that logs misaligned buffers.  I did not observe any such misaligned
buffers.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/18287] (CVE-2015-1781)

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=18287

--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
Created attachment 8257
  --> https://sourceware.org/bugzilla/attachment.cgi?id=8257&action=edit
Patch by Arjun Shankar

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/18287] Buffer overflow in getanswer_r, resolv/nss_dns/dns-host.c (CVE-2015-1781)

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=18287

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|(CVE-2015-1781)             |Buffer overflow in
                   |                            |getanswer_r,
                   |                            |resolv/nss_dns/dns-host.c
                   |                            |(CVE-2015-1781)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/18287] Buffer overflow in getanswer_r, resolv/nss_dns/dns-host.c (CVE-2015-1781)

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=18287

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Florian Weimer <fweimer at redhat dot com> ---
Fixed in <https://sourceware.org/git/?p=glibc.git;a=commit;h=2959eda9272a03386>
for glibc 2.22.

This was introduced in glibc 2.6 with commit
2f1687b96b25af512b095c9ebfa283f63c13bb78, the fix for bug 4381.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/18287] Buffer overflow in getanswer_r, resolv/nss_dns/dns-host.c (CVE-2015-1781)

[vapier at gentoo dot org]

https://sourceware.org/bugzilla/show_bug.cgi?id=18287

Mike Frysinger <vapier at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.gentoo.org/sho
                   |                            |w_bug.cgi?id=547296
   Target Milestone|---                         |2.22

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/18287] Buffer overflow in getanswer_r, resolv/nss_dns/dns-host.c (CVE-2015-1781)

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=18287

--- Comment #3 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  e07aabba73ea62e7dfa0512507c92efb851fbdbe (commit)
      from  c77dd7eb9b7f7cf87fdb1c0f6f1922d8735412eb (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e07aabba73ea62e7dfa0512507c92efb851fbdbe

commit e07aabba73ea62e7dfa0512507c92efb851fbdbe
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Sep 22 13:20:18 2015 +0200

    Add test case for bug 18287

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog      |    5 +
 nss/Makefile   |    3 +-
 nss/bug18287.c |  235 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 242 insertions(+), 1 deletions(-)
 create mode 100644 nss/bug18287.c

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug network/18287] Buffer overflow in getanswer_r, resolv/nss_dns/dns-host.c (CVE-2015-1781)

[fweimer at redhat dot com]

https://sourceware.org/bugzilla/show_bug.cgi?id=18287

--- Comment #4 from Florian Weimer <fweimer at redhat dot com> ---
(In reply to cvs-commit@gcc.gnu.org from comment #3)
> commit e07aabba73ea62e7dfa0512507c92efb851fbdbe
> Author: Florian Weimer <fweimer@redhat.com>
> Date:   Tue Sep 22 13:20:18 2015 +0200
> 
>     Add test case for bug 18287

Disregard that, wrong bug number.

-- 
You are receiving this mail because:
You are on the CC list for the bug.