* [committed 2.34 1/2] Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
2023-09-26 22:54 [committed 2.34, 2.35, 2.36, 2.37, 2.38] CVE-2023-5156 Siddhesh Poyarekar
@ 2023-09-26 22:54 ` Siddhesh Poyarekar
2023-09-26 22:54 ` [committed 2.35 " Siddhesh Poyarekar
` (8 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Siddhesh Poyarekar @ 2023-09-26 22:54 UTC (permalink / raw)
To: libc-stable; +Cc: Romain Geissler
From: Romain Geissler <romain.geissler@amadeus.com>
This patch fixes a very recently added leak in getaddrinfo.
This was assigned CVE-2023-5156.
Resolves: BZ #30884
Related: BZ #30842
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796)
---
nss/Makefile | 20 ++++++++++++++++++++
nss/tst-nss-gai-hv2-canonname.c | 3 +++
sysdeps/posix/getaddrinfo.c | 4 +---
3 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/nss/Makefile b/nss/Makefile
index 18a27d79d2..69fa5f37c0 100644
--- a/nss/Makefile
+++ b/nss/Makefile
@@ -147,6 +147,15 @@ endif
extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \
nss_test_gai_hv2_canonname.os
+ifeq ($(run-built-tests),yes)
+ifneq (no,$(PERL))
+tests-special += $(objpfx)mtrace-tst-nss-gai-hv2-canonname.out
+endif
+endif
+
+generated += mtrace-tst-nss-gai-hv2-canonname.out \
+ tst-nss-gai-hv2-canonname.mtrace
+
include ../Rules
ifeq (yes,$(have-selinux))
@@ -214,3 +223,14 @@ endif
$(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so
$(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so
+
+tst-nss-gai-hv2-canonname-ENV = \
+ MALLOC_TRACE=$(objpfx)tst-nss-gai-hv2-canonname.mtrace \
+ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
+$(objpfx)mtrace-tst-nss-gai-hv2-canonname.out: \
+ $(objpfx)tst-nss-gai-hv2-canonname.out
+ { test -r $(objpfx)tst-nss-gai-hv2-canonname.mtrace \
+ || ( echo "tst-nss-gai-hv2-canonname.mtrace does not exist"; exit 77; ) \
+ && $(common-objpfx)malloc/mtrace \
+ $(objpfx)tst-nss-gai-hv2-canonname.mtrace; } > $@; \
+ $(evaluate-test)
diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c
index d5f10c07d6..7db53cf09d 100644
--- a/nss/tst-nss-gai-hv2-canonname.c
+++ b/nss/tst-nss-gai-hv2-canonname.c
@@ -21,6 +21,7 @@
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
+#include <mcheck.h>
#include <support/check.h>
#include <support/xstdio.h>
#include "nss/tst-nss-gai-hv2-canonname.h"
@@ -41,6 +42,8 @@ static void do_prepare (int a, char **av)
static int
do_test (void)
{
+ mtrace ();
+
__nss_configure_lookup ("hosts", "test_gai_hv2_canonname");
struct addrinfo hints = {};
diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
index 10dc63542f..d6046a707f 100644
--- a/sysdeps/posix/getaddrinfo.c
+++ b/sysdeps/posix/getaddrinfo.c
@@ -1196,9 +1196,7 @@ free_and_return:
if (malloc_name)
free ((char *) name);
free (addrmem);
- if (res.free_at)
- free (res.at);
- free (res.canon);
+ gaih_result_reset (&res);
return result;
}
--
2.41.0
^ permalink raw reply [flat|nested] 11+ messages in thread
* [committed 2.35 1/2] Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
2023-09-26 22:54 [committed 2.34, 2.35, 2.36, 2.37, 2.38] CVE-2023-5156 Siddhesh Poyarekar
2023-09-26 22:54 ` [committed 2.34 1/2] Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843] Siddhesh Poyarekar
@ 2023-09-26 22:54 ` Siddhesh Poyarekar
2023-09-26 22:54 ` [committed 2.36 " Siddhesh Poyarekar
` (7 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Siddhesh Poyarekar @ 2023-09-26 22:54 UTC (permalink / raw)
To: libc-stable; +Cc: Romain Geissler
From: Romain Geissler <romain.geissler@amadeus.com>
This patch fixes a very recently added leak in getaddrinfo.
This was assigned CVE-2023-5156.
Resolves: BZ #30884
Related: BZ #30842
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796)
---
nss/Makefile | 20 ++++++++++++++++++++
nss/tst-nss-gai-hv2-canonname.c | 3 +++
sysdeps/posix/getaddrinfo.c | 4 +---
3 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/nss/Makefile b/nss/Makefile
index ed1c05158e..6cac7dd83b 100644
--- a/nss/Makefile
+++ b/nss/Makefile
@@ -147,6 +147,15 @@ endif
extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \
nss_test_gai_hv2_canonname.os
+ifeq ($(run-built-tests),yes)
+ifneq (no,$(PERL))
+tests-special += $(objpfx)mtrace-tst-nss-gai-hv2-canonname.out
+endif
+endif
+
+generated += mtrace-tst-nss-gai-hv2-canonname.out \
+ tst-nss-gai-hv2-canonname.mtrace
+
include ../Rules
ifeq (yes,$(have-selinux))
@@ -215,6 +224,17 @@ endif
$(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so
$(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so
+tst-nss-gai-hv2-canonname-ENV = \
+ MALLOC_TRACE=$(objpfx)tst-nss-gai-hv2-canonname.mtrace \
+ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
+$(objpfx)mtrace-tst-nss-gai-hv2-canonname.out: \
+ $(objpfx)tst-nss-gai-hv2-canonname.out
+ { test -r $(objpfx)tst-nss-gai-hv2-canonname.mtrace \
+ || ( echo "tst-nss-gai-hv2-canonname.mtrace does not exist"; exit 77; ) \
+ && $(common-objpfx)malloc/mtrace \
+ $(objpfx)tst-nss-gai-hv2-canonname.mtrace; } > $@; \
+ $(evaluate-test)
+
# Disable DT_RUNPATH on NSS tests so that the glibc internal NSS
# functions can load testing NSS modules via DT_RPATH.
LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags
diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c
index d5f10c07d6..7db53cf09d 100644
--- a/nss/tst-nss-gai-hv2-canonname.c
+++ b/nss/tst-nss-gai-hv2-canonname.c
@@ -21,6 +21,7 @@
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
+#include <mcheck.h>
#include <support/check.h>
#include <support/xstdio.h>
#include "nss/tst-nss-gai-hv2-canonname.h"
@@ -41,6 +42,8 @@ static void do_prepare (int a, char **av)
static int
do_test (void)
{
+ mtrace ();
+
__nss_configure_lookup ("hosts", "test_gai_hv2_canonname");
struct addrinfo hints = {};
diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
index ad7891a953..f4c08d6e3b 100644
--- a/sysdeps/posix/getaddrinfo.c
+++ b/sysdeps/posix/getaddrinfo.c
@@ -1196,9 +1196,7 @@ free_and_return:
if (malloc_name)
free ((char *) name);
free (addrmem);
- if (res.free_at)
- free (res.at);
- free (res.canon);
+ gaih_result_reset (&res);
return result;
}
--
2.41.0
^ permalink raw reply [flat|nested] 11+ messages in thread
* [committed 2.36 1/2] Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
2023-09-26 22:54 [committed 2.34, 2.35, 2.36, 2.37, 2.38] CVE-2023-5156 Siddhesh Poyarekar
2023-09-26 22:54 ` [committed 2.34 1/2] Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843] Siddhesh Poyarekar
2023-09-26 22:54 ` [committed 2.35 " Siddhesh Poyarekar
@ 2023-09-26 22:54 ` Siddhesh Poyarekar
2023-09-26 22:54 ` [committed 2.37 " Siddhesh Poyarekar
` (6 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Siddhesh Poyarekar @ 2023-09-26 22:54 UTC (permalink / raw)
To: libc-stable; +Cc: Romain Geissler
From: Romain Geissler <romain.geissler@amadeus.com>
This patch fixes a very recently added leak in getaddrinfo.
This was assigned CVE-2023-5156.
Resolves: BZ #30884
Related: BZ #30842
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796)
---
nss/Makefile | 20 ++++++++++++++++++++
nss/tst-nss-gai-hv2-canonname.c | 3 +++
sysdeps/posix/getaddrinfo.c | 4 +---
3 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/nss/Makefile b/nss/Makefile
index f0af87e6f1..7a52c68791 100644
--- a/nss/Makefile
+++ b/nss/Makefile
@@ -148,6 +148,15 @@ endif
extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \
nss_test_gai_hv2_canonname.os
+ifeq ($(run-built-tests),yes)
+ifneq (no,$(PERL))
+tests-special += $(objpfx)mtrace-tst-nss-gai-hv2-canonname.out
+endif
+endif
+
+generated += mtrace-tst-nss-gai-hv2-canonname.out \
+ tst-nss-gai-hv2-canonname.mtrace
+
include ../Rules
ifeq (yes,$(have-selinux))
@@ -216,6 +225,17 @@ endif
$(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so
$(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so
+tst-nss-gai-hv2-canonname-ENV = \
+ MALLOC_TRACE=$(objpfx)tst-nss-gai-hv2-canonname.mtrace \
+ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
+$(objpfx)mtrace-tst-nss-gai-hv2-canonname.out: \
+ $(objpfx)tst-nss-gai-hv2-canonname.out
+ { test -r $(objpfx)tst-nss-gai-hv2-canonname.mtrace \
+ || ( echo "tst-nss-gai-hv2-canonname.mtrace does not exist"; exit 77; ) \
+ && $(common-objpfx)malloc/mtrace \
+ $(objpfx)tst-nss-gai-hv2-canonname.mtrace; } > $@; \
+ $(evaluate-test)
+
# Disable DT_RUNPATH on NSS tests so that the glibc internal NSS
# functions can load testing NSS modules via DT_RPATH.
LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags
diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c
index d5f10c07d6..7db53cf09d 100644
--- a/nss/tst-nss-gai-hv2-canonname.c
+++ b/nss/tst-nss-gai-hv2-canonname.c
@@ -21,6 +21,7 @@
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
+#include <mcheck.h>
#include <support/check.h>
#include <support/xstdio.h>
#include "nss/tst-nss-gai-hv2-canonname.h"
@@ -41,6 +42,8 @@ static void do_prepare (int a, char **av)
static int
do_test (void)
{
+ mtrace ();
+
__nss_configure_lookup ("hosts", "test_gai_hv2_canonname");
struct addrinfo hints = {};
diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
index 7a43a3bf4c..f975dcd2bc 100644
--- a/sysdeps/posix/getaddrinfo.c
+++ b/sysdeps/posix/getaddrinfo.c
@@ -1196,9 +1196,7 @@ free_and_return:
if (malloc_name)
free ((char *) name);
free (addrmem);
- if (res.free_at)
- free (res.at);
- free (res.canon);
+ gaih_result_reset (&res);
return result;
}
--
2.41.0
^ permalink raw reply [flat|nested] 11+ messages in thread
* [committed 2.37 1/2] Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
2023-09-26 22:54 [committed 2.34, 2.35, 2.36, 2.37, 2.38] CVE-2023-5156 Siddhesh Poyarekar
` (2 preceding siblings ...)
2023-09-26 22:54 ` [committed 2.36 " Siddhesh Poyarekar
@ 2023-09-26 22:54 ` Siddhesh Poyarekar
2023-09-26 22:54 ` [committed 2.38 " Siddhesh Poyarekar
` (5 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Siddhesh Poyarekar @ 2023-09-26 22:54 UTC (permalink / raw)
To: libc-stable; +Cc: Romain Geissler
From: Romain Geissler <romain.geissler@amadeus.com>
This patch fixes a very recently added leak in getaddrinfo.
This was assigned CVE-2023-5156.
Resolves: BZ #30884
Related: BZ #30842
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796)
---
nss/Makefile | 20 ++++++++++++++++++++
nss/tst-nss-gai-hv2-canonname.c | 3 +++
sysdeps/posix/getaddrinfo.c | 4 +---
3 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/nss/Makefile b/nss/Makefile
index e3d21e9a89..6ef5bf23b3 100644
--- a/nss/Makefile
+++ b/nss/Makefile
@@ -148,6 +148,15 @@ endif
extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \
nss_test_gai_hv2_canonname.os
+ifeq ($(run-built-tests),yes)
+ifneq (no,$(PERL))
+tests-special += $(objpfx)mtrace-tst-nss-gai-hv2-canonname.out
+endif
+endif
+
+generated += mtrace-tst-nss-gai-hv2-canonname.out \
+ tst-nss-gai-hv2-canonname.mtrace
+
include ../Rules
ifeq (yes,$(have-selinux))
@@ -216,6 +225,17 @@ endif
$(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so
$(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so
+tst-nss-gai-hv2-canonname-ENV = \
+ MALLOC_TRACE=$(objpfx)tst-nss-gai-hv2-canonname.mtrace \
+ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
+$(objpfx)mtrace-tst-nss-gai-hv2-canonname.out: \
+ $(objpfx)tst-nss-gai-hv2-canonname.out
+ { test -r $(objpfx)tst-nss-gai-hv2-canonname.mtrace \
+ || ( echo "tst-nss-gai-hv2-canonname.mtrace does not exist"; exit 77; ) \
+ && $(common-objpfx)malloc/mtrace \
+ $(objpfx)tst-nss-gai-hv2-canonname.mtrace; } > $@; \
+ $(evaluate-test)
+
# Disable DT_RUNPATH on NSS tests so that the glibc internal NSS
# functions can load testing NSS modules via DT_RPATH.
LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags
diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c
index d5f10c07d6..7db53cf09d 100644
--- a/nss/tst-nss-gai-hv2-canonname.c
+++ b/nss/tst-nss-gai-hv2-canonname.c
@@ -21,6 +21,7 @@
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
+#include <mcheck.h>
#include <support/check.h>
#include <support/xstdio.h>
#include "nss/tst-nss-gai-hv2-canonname.h"
@@ -41,6 +42,8 @@ static void do_prepare (int a, char **av)
static int
do_test (void)
{
+ mtrace ();
+
__nss_configure_lookup ("hosts", "test_gai_hv2_canonname");
struct addrinfo hints = {};
diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
index b4e8ea3880..69f38bbfb9 100644
--- a/sysdeps/posix/getaddrinfo.c
+++ b/sysdeps/posix/getaddrinfo.c
@@ -1196,9 +1196,7 @@ free_and_return:
if (malloc_name)
free ((char *) name);
free (addrmem);
- if (res.free_at)
- free (res.at);
- free (res.canon);
+ gaih_result_reset (&res);
return result;
}
--
2.41.0
^ permalink raw reply [flat|nested] 11+ messages in thread
* [committed 2.38 1/2] Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
2023-09-26 22:54 [committed 2.34, 2.35, 2.36, 2.37, 2.38] CVE-2023-5156 Siddhesh Poyarekar
` (3 preceding siblings ...)
2023-09-26 22:54 ` [committed 2.37 " Siddhesh Poyarekar
@ 2023-09-26 22:54 ` Siddhesh Poyarekar
2023-09-26 22:54 ` [committed 2.34 2/2] Document CVE-2023-4806 and CVE-2023-5156 in NEWS Siddhesh Poyarekar
` (4 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Siddhesh Poyarekar @ 2023-09-26 22:54 UTC (permalink / raw)
To: libc-stable; +Cc: Romain Geissler
From: Romain Geissler <romain.geissler@amadeus.com>
This patch fixes a very recently added leak in getaddrinfo.
This was assigned CVE-2023-5156.
Resolves: BZ #30884
Related: BZ #30842
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796)
---
nss/Makefile | 20 ++++++++++++++++++++
nss/tst-nss-gai-hv2-canonname.c | 3 +++
sysdeps/posix/getaddrinfo.c | 4 +---
3 files changed, 24 insertions(+), 3 deletions(-)
diff --git a/nss/Makefile b/nss/Makefile
index 8a5126ecf3..668ba34b18 100644
--- a/nss/Makefile
+++ b/nss/Makefile
@@ -149,6 +149,15 @@ endif
extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \
nss_test_gai_hv2_canonname.os
+ifeq ($(run-built-tests),yes)
+ifneq (no,$(PERL))
+tests-special += $(objpfx)mtrace-tst-nss-gai-hv2-canonname.out
+endif
+endif
+
+generated += mtrace-tst-nss-gai-hv2-canonname.out \
+ tst-nss-gai-hv2-canonname.mtrace
+
include ../Rules
ifeq (yes,$(have-selinux))
@@ -217,6 +226,17 @@ endif
$(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so
$(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so
+tst-nss-gai-hv2-canonname-ENV = \
+ MALLOC_TRACE=$(objpfx)tst-nss-gai-hv2-canonname.mtrace \
+ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
+$(objpfx)mtrace-tst-nss-gai-hv2-canonname.out: \
+ $(objpfx)tst-nss-gai-hv2-canonname.out
+ { test -r $(objpfx)tst-nss-gai-hv2-canonname.mtrace \
+ || ( echo "tst-nss-gai-hv2-canonname.mtrace does not exist"; exit 77; ) \
+ && $(common-objpfx)malloc/mtrace \
+ $(objpfx)tst-nss-gai-hv2-canonname.mtrace; } > $@; \
+ $(evaluate-test)
+
# Disable DT_RUNPATH on NSS tests so that the glibc internal NSS
# functions can load testing NSS modules via DT_RPATH.
LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags
diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c
index d5f10c07d6..7db53cf09d 100644
--- a/nss/tst-nss-gai-hv2-canonname.c
+++ b/nss/tst-nss-gai-hv2-canonname.c
@@ -21,6 +21,7 @@
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
+#include <mcheck.h>
#include <support/check.h>
#include <support/xstdio.h>
#include "nss/tst-nss-gai-hv2-canonname.h"
@@ -41,6 +42,8 @@ static void do_prepare (int a, char **av)
static int
do_test (void)
{
+ mtrace ();
+
__nss_configure_lookup ("hosts", "test_gai_hv2_canonname");
struct addrinfo hints = {};
diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
index b2236b105c..13082305d3 100644
--- a/sysdeps/posix/getaddrinfo.c
+++ b/sysdeps/posix/getaddrinfo.c
@@ -1196,9 +1196,7 @@ free_and_return:
if (malloc_name)
free ((char *) name);
free (addrmem);
- if (res.free_at)
- free (res.at);
- free (res.canon);
+ gaih_result_reset (&res);
return result;
}
--
2.41.0
^ permalink raw reply [flat|nested] 11+ messages in thread
* [committed 2.34 2/2] Document CVE-2023-4806 and CVE-2023-5156 in NEWS
2023-09-26 22:54 [committed 2.34, 2.35, 2.36, 2.37, 2.38] CVE-2023-5156 Siddhesh Poyarekar
` (4 preceding siblings ...)
2023-09-26 22:54 ` [committed 2.38 " Siddhesh Poyarekar
@ 2023-09-26 22:54 ` Siddhesh Poyarekar
2023-09-26 22:54 ` [committed 2.35 " Siddhesh Poyarekar
` (3 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Siddhesh Poyarekar @ 2023-09-26 22:54 UTC (permalink / raw)
To: libc-stable
These are tracked in BZ #30884 and BZ #30843.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit fd134feba35fa839018965733b34d28a09a075dd)
---
NEWS | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/NEWS b/NEWS
index d5bfe718e7..e16f9968f3 100644
--- a/NEWS
+++ b/NEWS
@@ -46,6 +46,15 @@ Security related changes:
corresponds to the / directory through an unprivileged mount
namespace. Reported by Qualys.
+ CVE-2023-4806: When an NSS plugin only implements the
+ _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use
+ memory that was freed during buffer resizing, potentially causing a
+ crash or read or write to arbitrary memory.
+
+ CVE-2023-5156: The fix for CVE-2023-4806 introduced a memory leak when
+ an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
+ AI_ALL and AI_V4MAPPED flags set.
+
The following bugs are resolved with this release:
[11053] regex: Wrong results with backreferences
--
2.41.0
^ permalink raw reply [flat|nested] 11+ messages in thread
* [committed 2.35 2/2] Document CVE-2023-4806 and CVE-2023-5156 in NEWS
2023-09-26 22:54 [committed 2.34, 2.35, 2.36, 2.37, 2.38] CVE-2023-5156 Siddhesh Poyarekar
` (5 preceding siblings ...)
2023-09-26 22:54 ` [committed 2.34 2/2] Document CVE-2023-4806 and CVE-2023-5156 in NEWS Siddhesh Poyarekar
@ 2023-09-26 22:54 ` Siddhesh Poyarekar
2023-09-26 22:54 ` [committed 2.36 " Siddhesh Poyarekar
` (2 subsequent siblings)
9 siblings, 0 replies; 11+ messages in thread
From: Siddhesh Poyarekar @ 2023-09-26 22:54 UTC (permalink / raw)
To: libc-stable
These are tracked in BZ #30884 and BZ #30843.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit fd134feba35fa839018965733b34d28a09a075dd)
---
NEWS | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/NEWS b/NEWS
index 94adcee263..36da15a922 100644
--- a/NEWS
+++ b/NEWS
@@ -86,6 +86,17 @@ The following bugs are resolved with this release:
[30804] F_GETLK, F_SETLK, and F_SETLKW value change for powerpc64 with
-D_FILE_OFFSET_BITS=64
+Security related changes:
+
+ CVE-2023-4806: When an NSS plugin only implements the
+ _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use
+ memory that was freed during buffer resizing, potentially causing a
+ crash or read or write to arbitrary memory.
+
+ CVE-2023-5156: The fix for CVE-2023-4806 introduced a memory leak when
+ an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
+ AI_ALL and AI_V4MAPPED flags set.
+
\f
Version 2.35
--
2.41.0
^ permalink raw reply [flat|nested] 11+ messages in thread
* [committed 2.36 2/2] Document CVE-2023-4806 and CVE-2023-5156 in NEWS
2023-09-26 22:54 [committed 2.34, 2.35, 2.36, 2.37, 2.38] CVE-2023-5156 Siddhesh Poyarekar
` (6 preceding siblings ...)
2023-09-26 22:54 ` [committed 2.35 " Siddhesh Poyarekar
@ 2023-09-26 22:54 ` Siddhesh Poyarekar
2023-09-26 22:54 ` [committed 2.37 " Siddhesh Poyarekar
2023-09-26 22:54 ` [committed 2.38 " Siddhesh Poyarekar
9 siblings, 0 replies; 11+ messages in thread
From: Siddhesh Poyarekar @ 2023-09-26 22:54 UTC (permalink / raw)
To: libc-stable
These are tracked in BZ #30884 and BZ #30843.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit fd134feba35fa839018965733b34d28a09a075dd)
---
NEWS | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/NEWS b/NEWS
index 8923c70820..ae55ffb53a 100644
--- a/NEWS
+++ b/NEWS
@@ -27,6 +27,15 @@ Security related changes:
2048 bytes, getaddrinfo may potentially disclose stack contents via
the returned address data, or crash.
+ CVE-2023-4806: When an NSS plugin only implements the
+ _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use
+ memory that was freed during buffer resizing, potentially causing a
+ crash or read or write to arbitrary memory.
+
+ CVE-2023-5156: The fix for CVE-2023-4806 introduced a memory leak when
+ an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
+ AI_ALL and AI_V4MAPPED flags set.
+
The following bugs are resolved with this release:
[12154] Do not fail DNS resolution for CNAMEs which are not host names
--
2.41.0
^ permalink raw reply [flat|nested] 11+ messages in thread
* [committed 2.37 2/2] Document CVE-2023-4806 and CVE-2023-5156 in NEWS
2023-09-26 22:54 [committed 2.34, 2.35, 2.36, 2.37, 2.38] CVE-2023-5156 Siddhesh Poyarekar
` (7 preceding siblings ...)
2023-09-26 22:54 ` [committed 2.36 " Siddhesh Poyarekar
@ 2023-09-26 22:54 ` Siddhesh Poyarekar
2023-09-26 22:54 ` [committed 2.38 " Siddhesh Poyarekar
9 siblings, 0 replies; 11+ messages in thread
From: Siddhesh Poyarekar @ 2023-09-26 22:54 UTC (permalink / raw)
To: libc-stable
These are tracked in BZ #30884 and BZ #30843.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit fd134feba35fa839018965733b34d28a09a075dd)
---
NEWS | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/NEWS b/NEWS
index d6cd902bd3..3725cc4820 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,15 @@ Security related changes:
2048 bytes, getaddrinfo may potentially disclose stack contents via
the returned address data, or crash.
+ CVE-2023-4806: When an NSS plugin only implements the
+ _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use
+ memory that was freed during buffer resizing, potentially causing a
+ crash or read or write to arbitrary memory.
+
+ CVE-2023-5156: The fix for CVE-2023-4806 introduced a memory leak when
+ an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
+ AI_ALL and AI_V4MAPPED flags set.
+
The following bugs are resolved with this release:
[20975] Deferred cancellation triggers in __check_pf and looses lock leading to deadlock
--
2.41.0
^ permalink raw reply [flat|nested] 11+ messages in thread
* [committed 2.38 2/2] Document CVE-2023-4806 and CVE-2023-5156 in NEWS
2023-09-26 22:54 [committed 2.34, 2.35, 2.36, 2.37, 2.38] CVE-2023-5156 Siddhesh Poyarekar
` (8 preceding siblings ...)
2023-09-26 22:54 ` [committed 2.37 " Siddhesh Poyarekar
@ 2023-09-26 22:54 ` Siddhesh Poyarekar
9 siblings, 0 replies; 11+ messages in thread
From: Siddhesh Poyarekar @ 2023-09-26 22:54 UTC (permalink / raw)
To: libc-stable
These are tracked in BZ #30884 and BZ #30843.
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit fd134feba35fa839018965733b34d28a09a075dd)
---
NEWS | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/NEWS b/NEWS
index dfee278a9c..f1b1b0a3b4 100644
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,15 @@ Security related changes:
2048 bytes, getaddrinfo may potentially disclose stack contents via
the returned address data, or crash.
+ CVE-2023-4806: When an NSS plugin only implements the
+ _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use
+ memory that was freed during buffer resizing, potentially causing a
+ crash or read or write to arbitrary memory.
+
+ CVE-2023-5156: The fix for CVE-2023-4806 introduced a memory leak when
+ an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
+ AI_ALL and AI_V4MAPPED flags set.
+
The following bugs are resolved with this release:
[30723] posix_memalign repeatedly scans long bin lists
--
2.41.0
^ permalink raw reply [flat|nested] 11+ messages in thread