| Summary: | glibc: Backport nss_dns hardening patches | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Florian Weimer <fweimer> |
| Component: | glibc | Assignee: | Florian Weimer <fweimer> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | arjun.is, codonell, dj, fweimer, jakub, law, mfabian, pfrankli, siddhesh |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | glibc-2.22-15.fc23, glibc-2.23.1-7.fc24 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-05-15 04:54:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
glibc-2.22-15.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-68abc0be35 glibc-2.22-15.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-68abc0be35 New 2.23 backports:
commit 1e5ac8a1daa360cd9632e5056e4bdf29e18ac2c7
Author: Florian Weimer <fweimer>
Date: Wed Apr 27 17:15:57 2016 +0200
nss_dns: Skip over non-PTR records in the netent code [BZ #19868]
This requires additional checks for the RDATA length and the
availability of record metadata.
(cherry picked from commit a12f9431b3808e78b9ed397e4fce7de69410d94d)
commit 730244f49ad8f46308f5513e58365eed370423cb
Author: Florian Weimer <fweimer>
Date: Wed Apr 27 16:39:12 2016 +0200
nss_dns: Check address length before creating addrinfo result [BZ #19831]
Previously, we allocated room in the result space before the check,
leaving uninitialized data there in case the check failed.
This also consolidates the behavior between single (A or AAAA) and
dual (A and AAAA in parallel) queries. Single queries checked
the record length against the QTYPE, not the RRTYPE.
(cherry picked from commit 5e0c421cc07e2d06945b863ed3bb92395472705d)
commit 1e51b4d367fcee5fc7767265e2b1469457ee64e1
Author: Florian Weimer <fweimer>
Date: Wed Apr 27 16:12:32 2016 +0200
resolv, nss_dns: Remove remaining syslog logging [BZ #19862]
The fix for bug 14841 only removed part of the logging.
(cherry picked from commit b9b026c9c00db1a1b5b4a3caa28162655a04a882)
commit f233c608d11434aa4a802ded6acdcac1f092729f
Author: Florian Weimer <fweimer>
Date: Wed Apr 27 15:11:41 2016 +0200
nss_dns: Validate RDATA length against packet length [BZ #19830]
In _nss_dns_getcanonname_r, a check for the availability of RR metadata
was missing as well.
(cherry picked from commit f749498fa53df9ead81e291cd9378d67483c2452)
commit 49203a513f86e5238d43da23505a600bef1a5d7a
Author: Florian Weimer <fweimer>
Date: Mon Apr 11 10:55:43 2016 +0200
nss_dns: Fix assertion failure in _nss_dns_getcanonname_r [BZ #19865]
(cherry picked from commit d29fb41f4431ca35ea360498ef9d37558ce90d76)
glibc-2.23.1-6.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-b321728d74 glibc-2.22-15.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. glibc-2.23.1-6.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b321728d74 glibc-2.23.1-7.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-b321728d74 glibc-2.23.1-7.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b321728d74 glibc-2.23.1-7.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report. |
commit f749498fa53df9ead81e291cd9378d67483c2452 Author: Florian Weimer <fweimer> Date: Wed Apr 27 15:11:41 2016 +0200 nss_dns: Validate RDATA length against packet length [BZ #19830] In _nss_dns_getcanonname_r, a check for the availability of RR metadata was missing as well. commit d29fb41f4431ca35ea360498ef9d37558ce90d76 Author: Florian Weimer <fweimer> Date: Mon Apr 11 10:55:43 2016 +0200 nss_dns: Fix assertion failure in _nss_dns_getcanonname_r [BZ #19865] commit 5e0c421cc07e2d06945b863ed3bb92395472705d Author: Florian Weimer <fweimer> Date: Wed Apr 27 16:39:12 2016 +0200 nss_dns: Check address length before creating addrinfo result [BZ #19831] Previously, we allocated room in the result space before the check, leaving uninitialized data there in case the check failed. This also consolidates the behavior between single (A or AAAA) and dual (A and AAAA in parallel) queries. Single queries checked the record length against the QTYPE, not the RRTYPE. And perhaps: commit b9b026c9c00db1a1b5b4a3caa28162655a04a882 Author: Florian Weimer <fweimer> Date: Wed Apr 27 16:12:32 2016 +0200 resolv, nss_dns: Remove remaining syslog logging [BZ #19862] The fix for bug 14841 only removed part of the logging. commit a12f9431b3808e78b9ed397e4fce7de69410d94d Author: Florian Weimer <fweimer> Date: Wed Apr 27 17:15:57 2016 +0200 nss_dns: Skip over non-PTR records in the netent code [BZ #19868] This requires additional checks for the RDATA length and the availability of record metadata.