From: Florian Weimer
To: Aurelien Jarno
Cc: libc-stable@sourceware.org
Subject: Re: Backporting CVE-2016-10739
Date: Tue, 01 Jan 2019 00:00:00 -0000
In-Reply-To: <20190204134254.GA13816@aurel32.net> (Aurelien Jarno's message of "Mon, 4 Feb 2019 14:42:54 +0100")
Message-ID: <87o97rpsgq.fsf@oldenburg2.str.redhat.com>

* Aurelien Jarno:

> I am looking at backporting fixes for CVE-2016-10739 (i.e. commit
> 108bc404) in the 2.28 branch first, and probably in the 2.24 branch
> later. I would need some guidance how to proceed:

I planned to do it last week, but didn't finish it.

> - Is it acceptable to also backport commit 5e30b8ef ("resolv:
>   Reformat inet_addr, inet_aton to GNU style")? Without this patch,
>   there's a lot of conflicts that are a pain to fix.

Yes, absolutely.

> - According to the commit message 6ca53a24 ("resolv: Do not send queries
>   for non-host-names in nss_dns [BZ #24112]"), also needs to be
>   backported. Is it fine to do so?

Yes, the queries are pointless.

> - The commit introduces a new symbol, which is something we usually do
>   not want in a stable branch. However the __inet_aton_exact symbol is
>   added under GLIBC_PRIVATE. Therefore I wonder if it is acceptable for
>   a stable branch.

I planned to commit *another* commit which avoids the addition of the
GLIBC_PRIVATE symbol, with some code duplication. Basically, use
attribute_hidden instead of libc_hidden_proto for the declaration of
__inet_aton_exact, and also build resolv/inet_addr.c for nscd.

We do not always do that, but it seems easy enough to do it here, and it
makes our QE people happy.

If you want to do it, I can help you with that.

Thanks,
Florian