| Summary: | <sys-libs/glibc-2.21-r1: buffer overflow in gethostbyname_r() and related functions with misaligned buffer (CVE-2015-1781) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | major | CC: | hanno, toolchain |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2015/04/21/4 | ||
| See Also: | https://sourceware.org/bugzilla/show_bug.cgi?id=18287 | ||
| Whiteboard: | A2 [glsa cve cleanup] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 563524 | ||
| Bug Blocks: | |||
this has been fixed for glibc 2.22 and 2.21.1, and i've backported it to our glibc 2.21-r1 ebuild. but that's just now hitting ~arch so it'll be a little while before we can stabilize. (In reply to SpanKY from comment #1) > this has been fixed for glibc 2.22 and 2.21.1, and i've backported it to our > glibc 2.21-r1 ebuild. but that's just now hitting ~arch so it'll be a > little while before we can stabilize. Been 60+ days, are we ready for stabilization? (In reply to Yury German from comment #2) glibc-2.21 is already stable for most arches via bug 563524 (In reply to SpanKY from comment #3) > (In reply to Yury German from comment #2) > > glibc-2.21 is already stable for most arches via bug 563524 Thank you for reply! New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s). This issue was resolved and addressed in GLSA 201602-02 at https://security.gentoo.org/glsa/201602-02 by GLSA coordinator Tobias Heinlein (keytoaster). |
From ${URL} : Arjun Shankar of Red Hat discovered that the nss_dns code does not adjust the buffer length when the buffer start pointer is aligned. As a result, a buffer overflow can occur in the implementation of functions such as gethostbyname_r, and crafted DNS responses might cause application crashes or result in arbitrary code execution. This can only happen if these functions are called with a misaligned buffer. I looked at quite a bit of source code, and tested applications with a patched glibc that logs misaligned buffers. I did not observe any such misaligned buffers. Upstream bug: https://sourceware.org/bugzilla/show_bug.cgi?id=18287 Upstream commit: https://sourceware.org/git/?p=glibc.git;a=commit;h=2959eda9272a03386 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.