Date: Wednesday, April 22, 2015 @ 13:58:30
  Author: allan
Revision: 237898

upgpkg: glibc 2.21-3

upstream patch bump, fixes CVE-2015-1781

Modified:
  glibc/trunk/PKGBUILD
  glibc/trunk/glibc-2.21-roundup.patch

--------------------------+
 PKGBUILD                 |    8 ++++----
 glibc-2.21-roundup.patch |   41 ++++++++++++++++++++++++++++++++++-------
 2 files changed, 38 insertions(+), 11 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD    2015-04-22 08:27:41 UTC (rev 237897)
+++ PKGBUILD    2015-04-22 11:58:30 UTC (rev 237898)
@@ -8,13 +8,13 @@
 
 pkgname=glibc
 pkgver=2.21
-pkgrel=2
+pkgrel=3
 pkgdesc="GNU C Library"
 arch=('i686' 'x86_64')
 url="http://www.gnu.org/software/libc";
 license=('GPL' 'LGPL')
 groups=('base')
-depends=('linux-api-headers>=3.16' 'tzdata' 'filesystem>=2013.01')
+depends=('linux-api-headers>=3.18' 'tzdata' 'filesystem')
 makedepends=('gcc>=4.9')
 backup=(etc/gai.conf
         etc/locale.gen
@@ -27,7 +27,7 @@
         locale-gen)
 md5sums=('9cb398828e8f84f57d1f7d5588cf40cd'
          'SKIP'
-         'bf9d96b11c76b113606aae102da63d9d'
+         'feb826d5f4965e9892ee6e851fec43a9'
          '07ac979b6ab5eeb778d55f041529d623'
          '476e9113489f93b348b21e144b6a8fcf')
 validpgpkeys=('F37CDAB708E65EA183FD1AF625EF0A436C2A4AFF')  # Carlos O'Donell
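Review bot: The refreshed third `md5sums` entry is still an MD5 digest, which catches accidental corruption but is not collision-resistant. It is presumably the entry for glibc-2.21-roundup.patch (the `source` array starts outside this hunk), so it is weak evidence that the patch carrying the CVE-2015-1781 fix is the intended file. The `'SKIP'` entry together with `validpgpkeys` suggests the tarball is covered by a signature check, but the patch and the other local sources rely on this array alone. Consider switching the array to `sha256sums=(...)`, regenerated with `makepkg -g`, and keeping `'SKIP'` in the signature slot.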
@@ -35,7 +35,7 @@
 prepare() {
   cd ${srcdir}/glibc-${pkgver}
 
-  # glibc-2.21..75adf430
+  # glibc-2.21..01b07c70
   patch -p1 -i $srcdir/glibc-2.21-roundup.patch
 
   mkdir ${srcdir}/glibc-build

Modified: glibc-2.21-roundup.patch
===================================================================
--- glibc-2.21-roundup.patch    2015-04-22 08:27:41 UTC (rev 237897)
+++ glibc-2.21-roundup.patch    2015-04-22 11:58:30 UTC (rev 237898)
@@ -1,8 +1,14 @@
 diff --git a/ChangeLog b/ChangeLog
-index dc1ed1b..45579de 100644
+index dc1ed1b..26feb07 100644
 --- a/ChangeLog
 +++ b/ChangeLog
-@@ -1,3 +1,9 @@
+@@ -1,3 +1,15 @@
++2015-04-21  Arjun Shankar  <arjun...@lostca.se>
++
++      [BZ #18287]
++      * resolv/nss_dns/dns-host.c (getanswer_r): Adjust buffer length
++      based on padding.  (CVE-2015-1781)
++
 +2015-02-10  Evangelos Foutras  <evange...@foutrelis.com>
 +
 +      [BZ #17949]
@@ -12,7 +18,7 @@
  2015-02-06  Carlos O'Donell  <car...@systemhalted.org>
  
        * version.h (RELEASE): Set to "stable".
-@@ -7,6 +13,7 @@
+@@ -7,6 +19,7 @@
        * sysdeps/unix/sysv/linux/hppa/pthread.h: Sync with pthread.h.
  
  2015-02-05  Paul Pluzhnikov  <ppluzhni...@google.com>
@@ -21,10 +27,10 @@
        [BZ #16618]
        * stdio-common/tst-sscanf.c (main): Test for buffer overflow.
 diff --git a/NEWS b/NEWS
-index 617cdbb..ff79f0d 100644
+index 617cdbb..c9f6b58 100644
 --- a/NEWS
 +++ b/NEWS
-@@ -5,6 +5,12 @@ See the end for copying conditions.
+@@ -5,6 +5,19 @@ See the end for copying conditions.
  Please send GNU C library bug reports via <http://sourceware.org/bugzilla/>
  using `glibc' in the "product" field.
  
@@ -32,12 +38,19 @@
 +
 +* The following bugs are resolved with this release:
 +
-+  17949.
++  17949, 18287.
++
++* A buffer overflow in gethostbyname_r and related functions performing DNS
++  requests has been fixed.  If the NSS functions were called with a
++  misaligned buffer, the buffer length change due to pointer alignment was
++  not taken into account.  This could result in application crashes or,
++  potentially arbitrary code execution, using crafted, but syntactically
++  valid DNS responses.  (CVE-2015-1781)
 +
  Version 2.21
  
  * The following bugs are resolved with this release:
-@@ -21,10 +27,11 @@ Version 2.21
+@@ -21,10 +34,11 @@ Version 2.21
    17801, 17803, 17806, 17834, 17844, 17848, 17868, 17869, 17870, 17885,
    17892.
  
@@ -53,6 +66,20 @@
  
  * A new semaphore algorithm has been implemented in generic C code for all
    machines. Previous custom assembly implementations of semaphore were
+diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
+index f715ab0..40069a7 100644
+--- a/resolv/nss_dns/dns-host.c
++++ b/resolv/nss_dns/dns-host.c
+@@ -615,7 +615,8 @@ getanswer_r (const querybuf *answer, int anslen, const 
char *qname, int qtype,
+   int have_to_map = 0;
+   uintptr_t pad = -(uintptr_t) buffer % __alignof__ (struct host_data);
+   buffer += pad;
+-  if (__glibc_unlikely (buflen < sizeof (struct host_data) + pad))
++  buflen = buflen > pad ? buflen - pad : 0;
++  if (__glibc_unlikely (buflen < sizeof (struct host_data)))
+     {
+       /* The buffer is too small.  */
+     too_small:
 diff --git a/sysdeps/i386/i686/multiarch/mempcpy_chk.S 
b/sysdeps/i386/i686/multiarch/mempcpy_chk.S
 index 207b648..b6fa202 100644
 --- a/sysdeps/i386/i686/multiarch/mempcpy_chk.S
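Review bot: The added `buflen = buflen > pad ? buflen - pad : 0;` in getanswer_r has no comment saying why the length is now rewritten rather than only compared, and that reasoning is the whole of the fix. The NEWS entry in this same patch explains that the length change due to pointer alignment was not taken into account. A short comment above the new line would keep that next to the code, for example `/* buffer was advanced by pad above; shrink buflen to match so later size calculations use the space that is really left */`. The function continues past this hunk, so the later uses of `buflen` are not visible here. It is also worth confirming whether upstream has a regression test that passes a misaligned buffer, since none is added in the visible part of the roundup.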
