Bug 1332914 - glibc: Backport nss_dns hardening patches
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: glibc
Version: rawhide
Assignee: Florian Weimer
QA Contact: Fedora Extras Quality Assurance
 
Reported: 2016-05-04 11:09 UTC by Florian Weimer
Modified: 2016-05-15 04:54 UTC (History)

Fixed In Version: glibc-2.22-15.fc23, glibc-2.23.1-7.fc24
Doc Type: Bug Fix
Last Closed: 2016-05-15 04:54:09 UTC



Links
System ID Priority Status Summary Last Updated
Sourceware 19830 None None None 2016-05-04 11:09:10 UTC
Sourceware 19831 None None None 2016-05-04 11:13:13 UTC
Sourceware 19862 None None None 2016-05-04 11:14:07 UTC
Sourceware 19865 None None None 2016-05-04 11:13:33 UTC
Sourceware 19868 None None None 2016-05-04 11:14:28 UTC

Description Florian Weimer 2016-05-04 11:09:11 UTC
commit f749498fa53df9ead81e291cd9378d67483c2452
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Apr 27 15:11:41 2016 +0200

    nss_dns: Validate RDATA length against packet length [BZ #19830]
    
    In _nss_dns_getcanonname_r, a check for the availability of RR metadata
    was missing as well.

commit d29fb41f4431ca35ea360498ef9d37558ce90d76
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon Apr 11 10:55:43 2016 +0200

    nss_dns: Fix assertion failure in _nss_dns_getcanonname_r [BZ #19865]

commit 5e0c421cc07e2d06945b863ed3bb92395472705d
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Apr 27 16:39:12 2016 +0200

    nss_dns: Check address length before creating addrinfo result [BZ #19831]
    
    Previously, we allocated room in the result space before the check,
    leaving uninitialized data there in case the check failed.
    
    This also consolidates the behavior between single (A or AAAA) and
    dual (A and AAAA in parallel) queries.  Single queries checked
    the record length against the QTYPE, not the RRTYPE.


And perhaps:

commit b9b026c9c00db1a1b5b4a3caa28162655a04a882
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Apr 27 16:12:32 2016 +0200

    resolv, nss_dns: Remove remaining syslog logging [BZ #19862]
    
    The fix for bug 14841 only removed part of the logging.


commit a12f9431b3808e78b9ed397e4fce7de69410d94d
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Apr 27 17:15:57 2016 +0200

    nss_dns: Skip over non-PTR records in the netent code [BZ #19868]
    
    This requires additional checks for the RDATA length and the
    availability of record metadata.
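
The three checks named in the commit messages above (RR metadata present, RDATA length within the packet, address length matched to the RRTYPE before anything is written to the result), as an added example that is not part of the bug report and is not glibc's code. `parse_addr_rr`, `struct addr_result` and the status constants are hypothetical names, and the owner name is assumed to have been skipped already.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All names here are hypothetical; this is not glibc code. */
enum { RR_A = 1, RR_AAAA = 28, RR_META_LEN = 10 };
enum { RR_OK = 0, RR_SKIP = 1, RR_TRUNCATED = -1, RR_BAD_RDLEN = -2, RR_BAD_ADDRLEN = -3 };
struct addr_result { int used; uint16_t type; uint8_t addr[16]; };

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse one RR whose fixed fields start at *off (owner name already skipped).
   *off is advanced past the record only once RDLENGTH has been validated. */
int parse_addr_rr(const uint8_t *pkt, size_t len, size_t *off,
                  struct addr_result *out)
{
    /* 1. TYPE, CLASS, TTL and RDLENGTH (10 bytes) must be inside the packet. */
    if (*off > len || len - *off < RR_META_LEN)
        return RR_TRUNCATED;
    uint16_t type = get16(pkt + *off);
    uint16_t rdlen = get16(pkt + *off + 8);
    size_t rdata = *off + RR_META_LEN;

    /* 2. RDLENGTH comes from the network: compare it with the bytes left. */
    if (rdlen > len - rdata)
        return RR_BAD_RDLEN;
    *off = rdata + rdlen;

    /* 3. The expected size follows from the record's own type (RRTYPE),
          not from the type that was asked for (QTYPE). */
    size_t want = type == RR_A ? 4 : type == RR_AAAA ? 16 : 0;
    if (want == 0)
        return RR_SKIP;            /* unrelated record type, skip it */
    if (rdlen != want)
        return RR_BAD_ADDRLEN;     /* rejected before *out is touched */
    out->type = type;
    memcpy(out->addr, pkt + rdata, want);
    out->used = 1;
    return RR_OK;
}

int main(void)
{
    /* Constructed sample: an AAAA record that carries only 4 bytes of RDATA. */
    const uint8_t rr[] = { 0,28, 0,1, 0,0,0,60, 0,4, 192,0,2,1 };
    struct addr_result res = { 0 };
    size_t off = 0;
    int status = parse_addr_rr(rr, sizeof rr, &off, &res);
    printf("status=%d used=%d\n", status, res.used);
    return 0;
}
```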

Comment 1 Fedora Update System 2016-05-07 17:19:05 UTC
glibc-2.22-15.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-68abc0be35

Comment 2 Fedora Update System 2016-05-08 16:25:12 UTC
glibc-2.22-15.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-68abc0be35

Comment 3 Florian Weimer 2016-05-09 09:42:18 UTC
New 2.23 backports:

commit 1e5ac8a1daa360cd9632e5056e4bdf29e18ac2c7
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Apr 27 17:15:57 2016 +0200

    nss_dns: Skip over non-PTR records in the netent code [BZ #19868]
    
    This requires additional checks for the RDATA length and the
    availability of record metadata.
    
    (cherry picked from commit a12f9431b3808e78b9ed397e4fce7de69410d94d)

commit 730244f49ad8f46308f5513e58365eed370423cb
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Apr 27 16:39:12 2016 +0200

    nss_dns: Check address length before creating addrinfo result [BZ #19831]
    
    Previously, we allocated room in the result space before the check,
    leaving uninitialized data there in case the check failed.
    
    This also consolidates the behavior between single (A or AAAA) and
    dual (A and AAAA in parallel) queries.  Single queries checked
    the record length against the QTYPE, not the RRTYPE.
    
    (cherry picked from commit 5e0c421cc07e2d06945b863ed3bb92395472705d)

commit 1e51b4d367fcee5fc7767265e2b1469457ee64e1
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Apr 27 16:12:32 2016 +0200

    resolv, nss_dns: Remove remaining syslog logging [BZ #19862]
    
    The fix for bug 14841 only removed part of the logging.
    
    (cherry picked from commit b9b026c9c00db1a1b5b4a3caa28162655a04a882)

commit f233c608d11434aa4a802ded6acdcac1f092729f
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Apr 27 15:11:41 2016 +0200

    nss_dns: Validate RDATA length against packet length [BZ #19830]
    
    In _nss_dns_getcanonname_r, a check for the availability of RR metadata
    was missing as well.
    
    (cherry picked from commit f749498fa53df9ead81e291cd9378d67483c2452)

commit 49203a513f86e5238d43da23505a600bef1a5d7a
Author: Florian Weimer <fweimer@redhat.com>
Date:   Mon Apr 11 10:55:43 2016 +0200

    nss_dns: Fix assertion failure in _nss_dns_getcanonname_r [BZ #19865]
    
    (cherry picked from commit d29fb41f4431ca35ea360498ef9d37558ce90d76)

Comment 4 Fedora Update System 2016-05-09 14:56:25 UTC
glibc-2.23.1-6.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-b321728d74

Comment 5 Fedora Update System 2016-05-10 17:57:18 UTC
glibc-2.22-15.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2016-05-10 20:29:57 UTC
glibc-2.23.1-6.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b321728d74

Comment 7 Fedora Update System 2016-05-11 13:54:44 UTC
glibc-2.23.1-7.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-b321728d74

Comment 8 Fedora Update System 2016-05-12 09:43:52 UTC
glibc-2.23.1-7.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b321728d74

Comment 9 Fedora Update System 2016-05-14 23:29:49 UTC
glibc-2.23.1-7.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

