From 51db69204a2a5f84d12620db7bb1a42c84ca69d1 Mon Sep 17 00:00:00 2001 From: Victor Martinez Date: Wed, 17 Feb 2016 09:21:04 +0100 Subject: [PATCH] glibc: added patches for CVE-2015-7547 --- glibc/.md5sum | 2 + glibc/CVE-2015-7547.patch | 555 ++++++++++++++++++++++++++++++++++++ glibc/Pkgfile | 8 +- glibc/glibc-rh1252570.patch | 408 ++++++++++++++++++++++++++ 4 files changed, 970 insertions(+), 3 deletions(-) create mode 100644 glibc/CVE-2015-7547.patch create mode 100644 glibc/glibc-rh1252570.patch diff --git a/glibc/.md5sum b/glibc/.md5sum index 16239a5..9002a17 100644 --- a/glibc/.md5sum +++ b/glibc/.md5sum @@ -1,8 +1,10 @@ +49019f98ab824254ebeca5aba2f22ab1 CVE-2015-7547.patch 3972ff7405c89be7f5694bdc28fbd798 CVE-2015-8776.patch c0e4a708857a0a50b9a3d1a5cc315763 CVE-2015-8777.patch 5cd75bfc0789559553b9c708c6b986ac CVE-2015-8778.patch 9623a770f7a9781272b8f30761cbe256 CVE-2015-8779.patch e51e02bf552a0a1fbbdc948fb2f5e83c glibc-2.22.tar.xz +a3089fb4572929628052c4509ac85a93 glibc-rh1252570.patch 96156bec8e05de67384dc93e72bdc313 host.conf fbbc215a9b15ba4846f326cc88108057 hosts f7fefce570a3c776e26e778c5e401490 ld.so.conf diff --git a/glibc/CVE-2015-7547.patch b/glibc/CVE-2015-7547.patch new file mode 100644 index 0000000..2a76289 --- /dev/null +++ b/glibc/CVE-2015-7547.patch @@ -0,0 +1,555 @@ +Index: b/resolv/nss_dns/dns-host.c +=================================================================== +--- a/resolv/nss_dns/dns-host.c ++++ b/resolv/nss_dns/dns-host.c +@@ -1031,7 +1031,10 @@ gaih_getanswer_slice (const querybuf *an + int h_namelen = 0; + + if (ancount == 0) +- return NSS_STATUS_NOTFOUND; ++ { ++ *h_errnop = HOST_NOT_FOUND; ++ return NSS_STATUS_NOTFOUND; ++ } + + while (ancount-- > 0 && cp < end_of_message && had_error == 0) + { +@@ -1208,7 +1211,14 @@ gaih_getanswer_slice (const querybuf *an + /* Special case here: if the resolver sent a result but it only + contains a CNAME while we are looking for a T_A or T_AAAA record, + we fail with NOTFOUND instead of TRYAGAIN. */ +- return canon == NULL ? NSS_STATUS_TRYAGAIN : NSS_STATUS_NOTFOUND; ++ if (canon != NULL) ++ { ++ *h_errnop = HOST_NOT_FOUND; ++ return NSS_STATUS_NOTFOUND; ++ } ++ ++ *h_errnop = NETDB_INTERNAL; ++ return NSS_STATUS_TRYAGAIN; + } + + +@@ -1222,11 +1232,101 @@ gaih_getanswer (const querybuf *answer1, + + enum nss_status status = NSS_STATUS_NOTFOUND; + ++ /* Combining the NSS status of two distinct queries requires some ++ compromise and attention to symmetry (A or AAAA queries can be ++ returned in any order). What follows is a breakdown of how this ++ code is expected to work and why. We discuss only SUCCESS, ++ TRYAGAIN, NOTFOUND and UNAVAIL, since they are the only returns ++ that apply (though RETURN and MERGE exist). We make a distinction ++ between TRYAGAIN (recoverable) and TRYAGAIN' (not-recoverable). ++ A recoverable TRYAGAIN is almost always due to buffer size issues ++ and returns ERANGE in errno and the caller is expected to retry ++ with a larger buffer. ++ ++ Lastly, you may be tempted to make significant changes to the ++ conditions in this code to bring about symmetry between responses. ++ Please don't change anything without due consideration for ++ expected application behaviour. Some of the synthesized responses ++ aren't very well thought out and sometimes appear to imply that ++ IPv4 responses are always answer 1, and IPv6 responses are always ++ answer 2, but that's not true (see the implemetnation of send_dg ++ and send_vc to see response can arrive in any order, particlarly ++ for UDP). However, we expect it holds roughly enough of the time ++ that this code works, but certainly needs to be fixed to make this ++ a more robust implementation. ++ ++ ---------------------------------------------- ++ | Answer 1 Status / | Synthesized | Reason | ++ | Answer 2 Status | Status | | ++ |--------------------------------------------| ++ | SUCCESS/SUCCESS | SUCCESS | [1] | ++ | SUCCESS/TRYAGAIN | TRYAGAIN | [5] | ++ | SUCCESS/TRYAGAIN' | SUCCESS | [1] | ++ | SUCCESS/NOTFOUND | SUCCESS | [1] | ++ | SUCCESS/UNAVAIL | SUCCESS | [1] | ++ | TRYAGAIN/SUCCESS | TRYAGAIN | [2] | ++ | TRYAGAIN/TRYAGAIN | TRYAGAIN | [2] | ++ | TRYAGAIN/TRYAGAIN' | TRYAGAIN | [2] | ++ | TRYAGAIN/NOTFOUND | TRYAGAIN | [2] | ++ | TRYAGAIN/UNAVAIL | TRYAGAIN | [2] | ++ | TRYAGAIN'/SUCCESS | SUCCESS | [3] | ++ | TRYAGAIN'/TRYAGAIN | TRYAGAIN | [3] | ++ | TRYAGAIN'/TRYAGAIN' | TRYAGAIN' | [3] | ++ | TRYAGAIN'/NOTFOUND | TRYAGAIN' | [3] | ++ | TRYAGAIN'/UNAVAIL | UNAVAIL | [3] | ++ | NOTFOUND/SUCCESS | SUCCESS | [3] | ++ | NOTFOUND/TRYAGAIN | TRYAGAIN | [3] | ++ | NOTFOUND/TRYAGAIN' | TRYAGAIN' | [3] | ++ | NOTFOUND/NOTFOUND | NOTFOUND | [3] | ++ | NOTFOUND/UNAVAIL | UNAVAIL | [3] | ++ | UNAVAIL/SUCCESS | UNAVAIL | [4] | ++ | UNAVAIL/TRYAGAIN | UNAVAIL | [4] | ++ | UNAVAIL/TRYAGAIN' | UNAVAIL | [4] | ++ | UNAVAIL/NOTFOUND | UNAVAIL | [4] | ++ | UNAVAIL/UNAVAIL | UNAVAIL | [4] | ++ ---------------------------------------------- ++ ++ [1] If the first response is a success we return success. ++ This ignores the state of the second answer and in fact ++ incorrectly sets errno and h_errno to that of the second ++ answer. However because the response is a success we ignore ++ *errnop and *h_errnop (though that means you touched errno on ++ success). We are being conservative here and returning the ++ likely IPv4 response in the first answer as a success. ++ ++ [2] If the first response is a recoverable TRYAGAIN we return ++ that instead of looking at the second response. The ++ expectation here is that we have failed to get an IPv4 response ++ and should retry both queries. ++ ++ [3] If the first response was not a SUCCESS and the second ++ response is not NOTFOUND (had a SUCCESS, need to TRYAGAIN, ++ or failed entirely e.g. TRYAGAIN' and UNAVAIL) then use the ++ result from the second response, otherwise the first responses ++ status is used. Again we have some odd side-effects when the ++ second response is NOTFOUND because we overwrite *errnop and ++ *h_errnop that means that a first answer of NOTFOUND might see ++ its *errnop and *h_errnop values altered. Whether it matters ++ in practice that a first response NOTFOUND has the wrong ++ *errnop and *h_errnop is undecided. ++ ++ [4] If the first response is UNAVAIL we return that instead of ++ looking at the second response. The expectation here is that ++ it will have failed similarly e.g. configuration failure. ++ ++ [5] Testing this code is complicated by the fact that truncated ++ second response buffers might be returned as SUCCESS if the ++ first answer is a SUCCESS. To fix this we add symmetry to ++ TRYAGAIN with the second response. If the second response ++ is a recoverable error we now return TRYAGIN even if the first ++ response was SUCCESS. */ ++ + if (anslen1 > 0) + status = gaih_getanswer_slice(answer1, anslen1, qname, + &pat, &buffer, &buflen, + errnop, h_errnop, ttlp, + &first); ++ + if ((status == NSS_STATUS_SUCCESS || status == NSS_STATUS_NOTFOUND + || (status == NSS_STATUS_TRYAGAIN + /* We want to look at the second answer in case of an +@@ -1242,8 +1342,15 @@ gaih_getanswer (const querybuf *answer1, + &pat, &buffer, &buflen, + errnop, h_errnop, ttlp, + &first); ++ /* Use the second response status in some cases. */ + if (status != NSS_STATUS_SUCCESS && status2 != NSS_STATUS_NOTFOUND) + status = status2; ++ /* Do not return a truncated second response (unless it was ++ unavoidable e.g. unrecoverable TRYAGAIN). */ ++ if (status == NSS_STATUS_SUCCESS ++ && (status2 == NSS_STATUS_TRYAGAIN ++ && *errnop == ERANGE && *h_errnop != NO_RECOVERY)) ++ status = NSS_STATUS_TRYAGAIN; + } + + return status; +Index: b/resolv/res_query.c +=================================================================== +--- a/resolv/res_query.c ++++ b/resolv/res_query.c +@@ -396,6 +396,7 @@ __libc_res_nsearch(res_state statp, + { + free (*answerp2); + *answerp2 = NULL; ++ *nanswerp2 = 0; + *answerp2_malloced = 0; + } + } +@@ -447,6 +448,7 @@ __libc_res_nsearch(res_state statp, + { + free (*answerp2); + *answerp2 = NULL; ++ *nanswerp2 = 0; + *answerp2_malloced = 0; + } + +@@ -521,6 +523,7 @@ __libc_res_nsearch(res_state statp, + { + free (*answerp2); + *answerp2 = NULL; ++ *nanswerp2 = 0; + *answerp2_malloced = 0; + } + if (saved_herrno != -1) +Index: b/resolv/res_send.c +=================================================================== +--- a/resolv/res_send.c ++++ b/resolv/res_send.c +@@ -1,3 +1,20 @@ ++/* Copyright (C) 2016 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ + /* + * Copyright (c) 1985, 1989, 1993 + * The Regents of the University of California. All rights reserved. +@@ -361,6 +378,8 @@ __libc_res_nsend(res_state statp, const + #ifdef USE_HOOKS + if (__glibc_unlikely (statp->qhook || statp->rhook)) { + if (anssiz < MAXPACKET && ansp) { ++ /* Always allocate MAXPACKET, callers expect ++ this specific size. */ + u_char *buf = malloc (MAXPACKET); + if (buf == NULL) + return (-1); +@@ -660,6 +679,77 @@ libresolv_hidden_def (res_nsend) + + /* Private */ + ++/* The send_vc function is responsible for sending a DNS query over TCP ++ to the nameserver numbered NS from the res_state STATP i.e. ++ EXT(statp).nssocks[ns]. The function supports sending both IPv4 and ++ IPv6 queries at the same serially on the same socket. ++ ++ Please note that for TCP there is no way to disable sending both ++ queries, unlike UDP, which honours RES_SNGLKUP and RES_SNGLKUPREOP ++ and sends the queries serially and waits for the result after each ++ sent query. This implemetnation should be corrected to honour these ++ options. ++ ++ Please also note that for TCP we send both queries over the same ++ socket one after another. This technically violates best practice ++ since the server is allowed to read the first query, respond, and ++ then close the socket (to service another client). If the server ++ does this, then the remaining second query in the socket data buffer ++ will cause the server to send the client an RST which will arrive ++ asynchronously and the client's OS will likely tear down the socket ++ receive buffer resulting in a potentially short read and lost ++ response data. This will force the client to retry the query again, ++ and this process may repeat until all servers and connection resets ++ are exhausted and then the query will fail. It's not known if this ++ happens with any frequency in real DNS server implementations. This ++ implementation should be corrected to use two sockets by default for ++ parallel queries. ++ ++ The query stored in BUF of BUFLEN length is sent first followed by ++ the query stored in BUF2 of BUFLEN2 length. Queries are sent ++ serially on the same socket. ++ ++ Answers to the query are stored firstly in *ANSP up to a max of ++ *ANSSIZP bytes. If more than *ANSSIZP bytes are needed and ANSCP ++ is non-NULL (to indicate that modifying the answer buffer is allowed) ++ then malloc is used to allocate a new response buffer and ANSCP and ++ ANSP will both point to the new buffer. If more than *ANSSIZP bytes ++ are needed but ANSCP is NULL, then as much of the response as ++ possible is read into the buffer, but the results will be truncated. ++ When truncation happens because of a small answer buffer the DNS ++ packets header feild TC will bet set to 1, indicating a truncated ++ message and the rest of the socket data will be read and discarded. ++ ++ Answers to the query are stored secondly in *ANSP2 up to a max of ++ *ANSSIZP2 bytes, with the actual response length stored in ++ *RESPLEN2. If more than *ANSSIZP bytes are needed and ANSP2 ++ is non-NULL (required for a second query) then malloc is used to ++ allocate a new response buffer, *ANSSIZP2 is set to the new buffer ++ size and *ANSP2_MALLOCED is set to 1. ++ ++ The ANSP2_MALLOCED argument will eventually be removed as the ++ change in buffer pointer can be used to detect the buffer has ++ changed and that the caller should use free on the new buffer. ++ ++ Note that the answers may arrive in any order from the server and ++ therefore the first and second answer buffers may not correspond to ++ the first and second queries. ++ ++ It is not supported to call this function with a non-NULL ANSP2 ++ but a NULL ANSCP. Put another way, you can call send_vc with a ++ single unmodifiable buffer or two modifiable buffers, but no other ++ combination is supported. ++ ++ It is the caller's responsibility to free the malloc allocated ++ buffers by detecting that the pointers have changed from their ++ original values i.e. *ANSCP or *ANSP2 has changed. ++ ++ If errors are encountered then *TERRNO is set to an appropriate ++ errno value and a zero result is returned for a recoverable error, ++ and a less-than zero result is returned for a non-recoverable error. ++ ++ If no errors are encountered then *TERRNO is left unmodified and ++ a the length of the first response in bytes is returned. */ + static int + send_vc(res_state statp, + const u_char *buf, int buflen, const u_char *buf2, int buflen2, +@@ -669,11 +759,7 @@ send_vc(res_state statp, + { + const HEADER *hp = (HEADER *) buf; + const HEADER *hp2 = (HEADER *) buf2; +- u_char *ans = *ansp; +- int orig_anssizp = *anssizp; +- // XXX REMOVE +- // int anssiz = *anssizp; +- HEADER *anhp = (HEADER *) ans; ++ HEADER *anhp = (HEADER *) *ansp; + struct sockaddr_in6 *nsap = EXT(statp).nsaddrs[ns]; + int truncating, connreset, n; + /* On some architectures compiler might emit a warning indicating +@@ -766,6 +852,8 @@ send_vc(res_state statp, + * Receive length & response + */ + int recvresp1 = 0; ++ /* Skip the second response if there is no second query. ++ To do that we mark the second response as received. */ + int recvresp2 = buf2 == NULL; + uint16_t rlen16; + read_len: +@@ -802,40 +890,14 @@ send_vc(res_state statp, + u_char **thisansp; + int *thisresplenp; + if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) { ++ /* We have not received any responses ++ yet or we only have one response to ++ receive. */ + thisanssizp = anssizp; + thisansp = anscp ?: ansp; + assert (anscp != NULL || ansp2 == NULL); + thisresplenp = &resplen; + } else { +- if (*anssizp != MAXPACKET) { +- /* No buffer allocated for the first +- reply. We can try to use the rest +- of the user-provided buffer. */ +-#if __GNUC_PREREQ (4, 7) +- DIAG_PUSH_NEEDS_COMMENT; +- DIAG_IGNORE_NEEDS_COMMENT (5, "-Wmaybe-uninitialized"); +-#endif +-#if _STRING_ARCH_unaligned +- *anssizp2 = orig_anssizp - resplen; +- *ansp2 = *ansp + resplen; +-#else +- int aligned_resplen +- = ((resplen + __alignof__ (HEADER) - 1) +- & ~(__alignof__ (HEADER) - 1)); +- *anssizp2 = orig_anssizp - aligned_resplen; +- *ansp2 = *ansp + aligned_resplen; +-#endif +-#if __GNUC_PREREQ (4, 7) +- DIAG_POP_NEEDS_COMMENT; +-#endif +- } else { +- /* The first reply did not fit into the +- user-provided buffer. Maybe the second +- answer will. */ +- *anssizp2 = orig_anssizp; +- *ansp2 = *ansp; +- } +- + thisanssizp = anssizp2; + thisansp = ansp2; + thisresplenp = resplen2; +@@ -843,10 +905,14 @@ send_vc(res_state statp, + anhp = (HEADER *) *thisansp; + + *thisresplenp = rlen; +- if (rlen > *thisanssizp) { +- /* Yes, we test ANSCP here. If we have two buffers +- both will be allocatable. */ +- if (__glibc_likely (anscp != NULL)) { ++ /* Is the answer buffer too small? */ ++ if (*thisanssizp < rlen) { ++ /* If the current buffer is non-NULL and it's not ++ pointing at the static user-supplied buffer then ++ we can reallocate it. */ ++ if (thisansp != NULL && thisansp != ansp) { ++ /* Always allocate MAXPACKET, callers expect ++ this specific size. */ + u_char *newp = malloc (MAXPACKET); + if (newp == NULL) { + *terrno = ENOMEM; +@@ -858,6 +924,9 @@ send_vc(res_state statp, + if (thisansp == ansp2) + *ansp2_malloced = 1; + anhp = (HEADER *) newp; ++ /* A uint16_t can't be larger than MAXPACKET ++ thus it's safe to allocate MAXPACKET but ++ read RLEN bytes instead. */ + len = rlen; + } else { + Dprint(statp->options & RES_DEBUG, +@@ -1021,6 +1090,66 @@ reopen (res_state statp, int *terrno, in + return 1; + } + ++/* The send_dg function is responsible for sending a DNS query over UDP ++ to the nameserver numbered NS from the res_state STATP i.e. ++ EXT(statp).nssocks[ns]. The function supports IPv4 and IPv6 queries ++ along with the ability to send the query in parallel for both stacks ++ (default) or serially (RES_SINGLKUP). It also supports serial lookup ++ with a close and reopen of the socket used to talk to the server ++ (RES_SNGLKUPREOP) to work around broken name servers. ++ ++ The query stored in BUF of BUFLEN length is sent first followed by ++ the query stored in BUF2 of BUFLEN2 length. Queries are sent ++ in parallel (default) or serially (RES_SINGLKUP or RES_SNGLKUPREOP). ++ ++ Answers to the query are stored firstly in *ANSP up to a max of ++ *ANSSIZP bytes. If more than *ANSSIZP bytes are needed and ANSCP ++ is non-NULL (to indicate that modifying the answer buffer is allowed) ++ then malloc is used to allocate a new response buffer and ANSCP and ++ ANSP will both point to the new buffer. If more than *ANSSIZP bytes ++ are needed but ANSCP is NULL, then as much of the response as ++ possible is read into the buffer, but the results will be truncated. ++ When truncation happens because of a small answer buffer the DNS ++ packets header feild TC will bet set to 1, indicating a truncated ++ message, while the rest of the UDP packet is discarded. ++ ++ Answers to the query are stored secondly in *ANSP2 up to a max of ++ *ANSSIZP2 bytes, with the actual response length stored in ++ *RESPLEN2. If more than *ANSSIZP bytes are needed and ANSP2 ++ is non-NULL (required for a second query) then malloc is used to ++ allocate a new response buffer, *ANSSIZP2 is set to the new buffer ++ size and *ANSP2_MALLOCED is set to 1. ++ ++ The ANSP2_MALLOCED argument will eventually be removed as the ++ change in buffer pointer can be used to detect the buffer has ++ changed and that the caller should use free on the new buffer. ++ ++ Note that the answers may arrive in any order from the server and ++ therefore the first and second answer buffers may not correspond to ++ the first and second queries. ++ ++ It is not supported to call this function with a non-NULL ANSP2 ++ but a NULL ANSCP. Put another way, you can call send_vc with a ++ single unmodifiable buffer or two modifiable buffers, but no other ++ combination is supported. ++ ++ It is the caller's responsibility to free the malloc allocated ++ buffers by detecting that the pointers have changed from their ++ original values i.e. *ANSCP or *ANSP2 has changed. ++ ++ If an answer is truncated because of UDP datagram DNS limits then ++ *V_CIRCUIT is set to 1 and the return value non-zero to indicate to ++ the caller to retry with TCP. The value *GOTSOMEWHERE is set to 1 ++ if any progress was made reading a response from the nameserver and ++ is used by the caller to distinguish between ECONNREFUSED and ++ ETIMEDOUT (the latter if *GOTSOMEWHERE is 1). ++ ++ If errors are encountered then *TERRNO is set to an appropriate ++ errno value and a zero result is returned for a recoverable error, ++ and a less-than zero result is returned for a non-recoverable error. ++ ++ If no errors are encountered then *TERRNO is left unmodified and ++ a the length of the first response in bytes is returned. */ + static int + send_dg(res_state statp, + const u_char *buf, int buflen, const u_char *buf2, int buflen2, +@@ -1030,8 +1159,6 @@ send_dg(res_state statp, + { + const HEADER *hp = (HEADER *) buf; + const HEADER *hp2 = (HEADER *) buf2; +- u_char *ans = *ansp; +- int orig_anssizp = *anssizp; + struct timespec now, timeout, finish; + struct pollfd pfd[1]; + int ptimeout; +@@ -1064,6 +1191,8 @@ send_dg(res_state statp, + int need_recompute = 0; + int nwritten = 0; + int recvresp1 = 0; ++ /* Skip the second response if there is no second query. ++ To do that we mark the second response as received. */ + int recvresp2 = buf2 == NULL; + pfd[0].fd = EXT(statp).nssocks[ns]; + pfd[0].events = POLLOUT; +@@ -1227,55 +1356,56 @@ send_dg(res_state statp, + int *thisresplenp; + + if ((recvresp1 | recvresp2) == 0 || buf2 == NULL) { ++ /* We have not received any responses ++ yet or we only have one response to ++ receive. */ + thisanssizp = anssizp; + thisansp = anscp ?: ansp; + assert (anscp != NULL || ansp2 == NULL); + thisresplenp = &resplen; + } else { +- if (*anssizp != MAXPACKET) { +- /* No buffer allocated for the first +- reply. We can try to use the rest +- of the user-provided buffer. */ +-#if _STRING_ARCH_unaligned +- *anssizp2 = orig_anssizp - resplen; +- *ansp2 = *ansp + resplen; +-#else +- int aligned_resplen +- = ((resplen + __alignof__ (HEADER) - 1) +- & ~(__alignof__ (HEADER) - 1)); +- *anssizp2 = orig_anssizp - aligned_resplen; +- *ansp2 = *ansp + aligned_resplen; +-#endif +- } else { +- /* The first reply did not fit into the +- user-provided buffer. Maybe the second +- answer will. */ +- *anssizp2 = orig_anssizp; +- *ansp2 = *ansp; +- } +- + thisanssizp = anssizp2; + thisansp = ansp2; + thisresplenp = resplen2; + } + + if (*thisanssizp < MAXPACKET +- /* Yes, we test ANSCP here. If we have two buffers +- both will be allocatable. */ +- && anscp ++ /* If the current buffer is non-NULL and it's not ++ pointing at the static user-supplied buffer then ++ we can reallocate it. */ ++ && (thisansp != NULL && thisansp != ansp) + #ifdef FIONREAD ++ /* Is the size too small? */ + && (ioctl (pfd[0].fd, FIONREAD, thisresplenp) < 0 + || *thisanssizp < *thisresplenp) + #endif + ) { ++ /* Always allocate MAXPACKET, callers expect ++ this specific size. */ + u_char *newp = malloc (MAXPACKET); + if (newp != NULL) { +- *anssizp = MAXPACKET; +- *thisansp = ans = newp; ++ *thisanssizp = MAXPACKET; ++ *thisansp = newp; + if (thisansp == ansp2) + *ansp2_malloced = 1; + } + } ++ /* We could end up with truncation if anscp was NULL ++ (not allowed to change caller's buffer) and the ++ response buffer size is too small. This isn't a ++ reliable way to detect truncation because the ioctl ++ may be an inaccurate report of the UDP message size. ++ Therefore we use this only to issue debug output. ++ To do truncation accurately with UDP we need ++ MSG_TRUNC which is only available on Linux. We ++ can abstract out the Linux-specific feature in the ++ future to detect truncation. */ ++ if (__glibc_unlikely (*thisanssizp < *thisresplenp)) { ++ Dprint(statp->options & RES_DEBUG, ++ (stdout, ";; response may be truncated (UDP)\n") ++ ); ++ } ++ + HEADER *anhp = (HEADER *) *thisansp; + socklen_t fromlen = sizeof(struct sockaddr_in6); + assert (sizeof(from) <= fromlen); + diff --git a/glibc/Pkgfile b/glibc/Pkgfile index 0a0ef97..1010b1d 100644 --- a/glibc/Pkgfile +++ b/glibc/Pkgfile @@ -6,10 +6,11 @@ name=glibc version=2.22 -release=2 +release=3 source=(http://ftp.gnu.org/gnu/glibc/glibc-$version.tar.xz \ http://ftp.kernel.org/pub/linux/kernel/v4.x/linux-4.1.13.tar.xz \ - CVE-2015-8779.patch CVE-2015-8778.patch CVE-2015-8777.patch CVE-2015-8776.patch \ + CVE-2015-8779.patch CVE-2015-8778.patch CVE-2015-8777.patch \ + CVE-2015-8776.patch CVE-2015-7547.patch glibc-rh1252570.patch hosts resolv.conf nsswitch.conf host.conf ld.so.conf) build() { @@ -19,10 +20,11 @@ build() { make ARCH=arm headers_check make ARCH=arm INSTALL_HDR_PATH=$PKG/usr headers_install - patch -p1 -d $SRC/$name-$version -i $SRC/CVE-2015-8779.patch patch -p1 -d $SRC/$name-$version -i $SRC/CVE-2015-8778.patch patch -p1 -d $SRC/$name-$version -i $SRC/CVE-2015-8777.patch patch -p1 -d $SRC/$name-$version -i $SRC/CVE-2015-8776.patch + patch -p1 -d $SRC/$name-$version -i $SRC/glibc-rh1252570.patch + patch -p1 -d $SRC/$name-$version -i $SRC/CVE-2015-7547.patch mkdir $SRC/build cd $SRC/build diff --git a/glibc/glibc-rh1252570.patch b/glibc/glibc-rh1252570.patch new file mode 100644 index 0000000..5e69e9a --- /dev/null +++ b/glibc/glibc-rh1252570.patch @@ -0,0 +1,408 @@ +Revert this upstream commit: + +commit 2212c1420c92a33b0e0bd9a34938c9814a56c0f7 +Author: Andreas Schwab +Date: Thu Feb 19 15:52:08 2015 +0100 + + Simplify handling of nameserver configuration in resolver + + Remove use of ext.nsmap member of struct __res_state and always use + an identity mapping betwen the nsaddr_list array and the ext.nsaddrs + array. The fact that a nameserver has an IPv6 address is signalled by + setting nsaddr_list[].sin_family to zero. + +reverted: +Index: b/resolv/res_init.c +=================================================================== +--- a/resolv/res_init.c ++++ b/resolv/res_init.c +@@ -153,8 +153,10 @@ __res_vinit(res_state statp, int preinit + char *cp, **pp; + int n; + char buf[BUFSIZ]; +- int nserv = 0; /* number of nameservers read from file */ +- int have_serv6 = 0; ++ int nserv = 0; /* number of IPv4 nameservers read from file */ ++#ifdef _LIBC ++ int nservall = 0; /* number of (IPv4 + IPV6) nameservers read from file */ ++#endif + int haveenv = 0; + int havesearch = 0; + #ifdef RESOLVSORT +@@ -183,9 +185,15 @@ __res_vinit(res_state statp, int preinit + statp->_flags = 0; + statp->qhook = NULL; + statp->rhook = NULL; ++ statp->_u._ext.nsinit = 0; + statp->_u._ext.nscount = 0; +- for (n = 0; n < MAXNS; n++) +- statp->_u._ext.nsaddrs[n] = NULL; ++#ifdef _LIBC ++ statp->_u._ext.nscount6 = 0; ++ for (n = 0; n < MAXNS; n++) { ++ statp->_u._ext.nsaddrs[n] = NULL; ++ statp->_u._ext.nsmap[n] = MAXNS; ++ } ++#endif + + /* Allow user to override the local domain definition */ + if ((cp = getenv("LOCALDOMAIN")) != NULL) { +@@ -289,7 +297,11 @@ __res_vinit(res_state statp, int preinit + continue; + } + /* read nameservers to query */ ++#ifdef _LIBC ++ if (MATCH(buf, "nameserver") && nservall < MAXNS) { ++#else + if (MATCH(buf, "nameserver") && nserv < MAXNS) { ++#endif + struct in_addr a; + + cp = buf + sizeof("nameserver") - 1; +@@ -297,12 +309,13 @@ __res_vinit(res_state statp, int preinit + cp++; + if ((*cp != '\0') && (*cp != '\n') + && __inet_aton(cp, &a)) { +- statp->nsaddr_list[nserv].sin_addr = a; +- statp->nsaddr_list[nserv].sin_family = AF_INET; +- statp->nsaddr_list[nserv].sin_port = ++ statp->nsaddr_list[nservall].sin_addr = a; ++ statp->nsaddr_list[nservall].sin_family = AF_INET; ++ statp->nsaddr_list[nservall].sin_port = + htons(NAMESERVER_PORT); + nserv++; + #ifdef _LIBC ++ nservall++; + } else { + struct in6_addr a6; + char *el; +@@ -344,11 +357,10 @@ __res_vinit(res_state statp, int preinit + } + } + +- statp->nsaddr_list[nserv].sin_family = 0; +- statp->_u._ext.nsaddrs[nserv] = sa6; +- statp->_u._ext.nssocks[nserv] = -1; +- have_serv6 = 1; +- nserv++; ++ statp->_u._ext.nsaddrs[nservall] = sa6; ++ statp->_u._ext.nssocks[nservall] = -1; ++ statp->_u._ext.nsmap[nservall] = MAXNS + 1; ++ nservall++; + } + } + #endif +@@ -403,9 +415,10 @@ __res_vinit(res_state statp, int preinit + continue; + } + } +- statp->nscount = nserv; ++ statp->nscount = nservall; + #ifdef _LIBC +- if (have_serv6) { ++ if (nservall - nserv > 0) { ++ statp->_u._ext.nscount6 = nservall - nserv; + /* We try IPv6 servers again. */ + statp->ipv6_unavail = false; + } +@@ -594,7 +607,11 @@ __res_iclose(res_state statp, bool free_ + statp->_vcsock = -1; + statp->_flags &= ~(RES_F_VC | RES_F_CONN); + } ++#ifdef _LIBC ++ for (ns = 0; ns < MAXNS; ns++) ++#else + for (ns = 0; ns < statp->_u._ext.nscount; ns++) ++#endif + if (statp->_u._ext.nsaddrs[ns]) { + if (statp->_u._ext.nssocks[ns] != -1) { + close_not_cancel_no_status(statp->_u._ext.nssocks[ns]); +@@ -605,6 +622,8 @@ __res_iclose(res_state statp, bool free_ + statp->_u._ext.nsaddrs[ns] = NULL; + } + } ++ if (free_addr) ++ statp->_u._ext.nsinit = 0; + } + libc_hidden_def (__res_iclose) + +Index: b/resolv/res_send.c +=================================================================== +--- a/resolv/res_send.c ++++ b/resolv/res_send.c +@@ -176,7 +176,6 @@ evNowTime(struct timespec *res) { + + /* Forward. */ + +-static struct sockaddr *get_nsaddr (res_state, int); + static int send_vc(res_state, const u_char *, int, + const u_char *, int, + u_char **, int *, int *, int, u_char **, +@@ -214,21 +213,20 @@ res_ourserver_p(const res_state statp, c + in_port_t port = in4p->sin_port; + in_addr_t addr = in4p->sin_addr.s_addr; + +- for (ns = 0; ns < statp->nscount; ns++) { ++ for (ns = 0; ns < MAXNS; ns++) { + const struct sockaddr_in *srv = +- (struct sockaddr_in *) get_nsaddr (statp, ns); ++ (struct sockaddr_in *)EXT(statp).nsaddrs[ns]; + +- if ((srv->sin_family == AF_INET) && ++ if ((srv != NULL) && (srv->sin_family == AF_INET) && + (srv->sin_port == port) && + (srv->sin_addr.s_addr == INADDR_ANY || + srv->sin_addr.s_addr == addr)) + return (1); + } + } else if (inp->sin6_family == AF_INET6) { +- for (ns = 0; ns < statp->nscount; ns++) { +- const struct sockaddr_in6 *srv +- = (struct sockaddr_in6 *) get_nsaddr (statp, ns); +- if ((srv->sin6_family == AF_INET6) && ++ for (ns = 0; ns < MAXNS; ns++) { ++ const struct sockaddr_in6 *srv = EXT(statp).nsaddrs[ns]; ++ if ((srv != NULL) && (srv->sin6_family == AF_INET6) && + (srv->sin6_port == inp->sin6_port) && + !(memcmp(&srv->sin6_addr, &in6addr_any, + sizeof (struct in6_addr)) && +@@ -378,48 +376,80 @@ __libc_res_nsend(res_state statp, const + * If the ns_addr_list in the resolver context has changed, then + * invalidate our cached copy and the associated timing data. + */ +- if (EXT(statp).nscount != 0) { ++ if (EXT(statp).nsinit) { + int needclose = 0; + + if (EXT(statp).nscount != statp->nscount) + needclose++; + else +- for (ns = 0; ns < statp->nscount; ns++) { +- if (statp->nsaddr_list[ns].sin_family != 0 ++ for (ns = 0; ns < MAXNS; ns++) { ++ unsigned int map = EXT(statp).nsmap[ns]; ++ if (map < MAXNS + && !sock_eq((struct sockaddr_in6 *) +- &statp->nsaddr_list[ns], ++ &statp->nsaddr_list[map], + EXT(statp).nsaddrs[ns])) + { + needclose++; + break; + } + } +- if (needclose) { ++ if (needclose) + __res_iclose(statp, false); +- EXT(statp).nscount = 0; +- } + } + + /* + * Maybe initialize our private copy of the ns_addr_list. + */ +- if (EXT(statp).nscount == 0) { +- for (ns = 0; ns < statp->nscount; ns++) { +- EXT(statp).nssocks[ns] = -1; +- if (statp->nsaddr_list[ns].sin_family == 0) +- continue; +- if (EXT(statp).nsaddrs[ns] == NULL) +- EXT(statp).nsaddrs[ns] = ++ if (EXT(statp).nsinit == 0) { ++ unsigned char map[MAXNS]; ++ ++ memset (map, MAXNS, sizeof (map)); ++ for (n = 0; n < MAXNS; n++) { ++ ns = EXT(statp).nsmap[n]; ++ if (ns < statp->nscount) ++ map[ns] = n; ++ else if (ns < MAXNS) { ++ free(EXT(statp).nsaddrs[n]); ++ EXT(statp).nsaddrs[n] = NULL; ++ EXT(statp).nsmap[n] = MAXNS; ++ } ++ } ++ n = statp->nscount; ++ if (statp->nscount > EXT(statp).nscount) ++ for (n = EXT(statp).nscount, ns = 0; ++ n < statp->nscount; n++) { ++ while (ns < MAXNS ++ && EXT(statp).nsmap[ns] != MAXNS) ++ ns++; ++ if (ns == MAXNS) ++ break; ++ /* NS never exceeds MAXNS, but gcc 4.9 somehow ++ does not see this. */ ++ DIAG_PUSH_NEEDS_COMMENT; ++ DIAG_IGNORE_NEEDS_COMMENT (4.9, ++ "-Warray-bounds"); ++ EXT(statp).nsmap[ns] = n; ++ DIAG_POP_NEEDS_COMMENT; ++ map[n] = ns++; ++ } ++ EXT(statp).nscount = n; ++ for (ns = 0; ns < EXT(statp).nscount; ns++) { ++ n = map[ns]; ++ if (EXT(statp).nsaddrs[n] == NULL) ++ EXT(statp).nsaddrs[n] = + malloc(sizeof (struct sockaddr_in6)); +- if (EXT(statp).nsaddrs[ns] != NULL) +- memset (mempcpy(EXT(statp).nsaddrs[ns], ++ if (EXT(statp).nsaddrs[n] != NULL) { ++ memset (mempcpy(EXT(statp).nsaddrs[n], + &statp->nsaddr_list[ns], + sizeof (struct sockaddr_in)), + '\0', + sizeof (struct sockaddr_in6) + - sizeof (struct sockaddr_in)); ++ EXT(statp).nssocks[n] = -1; ++ n++; ++ } + } +- EXT(statp).nscount = statp->nscount; ++ EXT(statp).nsinit = 1; + } + + /* +@@ -428,37 +458,44 @@ __libc_res_nsend(res_state statp, const + */ + if (__builtin_expect ((statp->options & RES_ROTATE) != 0, 0) && + (statp->options & RES_BLAST) == 0) { +- struct sockaddr_in ina; +- struct sockaddr_in6 *inp; +- int lastns = statp->nscount - 1; +- int fd; +- +- inp = EXT(statp).nsaddrs[0]; +- ina = statp->nsaddr_list[0]; +- fd = EXT(statp).nssocks[0]; +- for (ns = 0; ns < lastns; ns++) { +- EXT(statp).nsaddrs[ns] = EXT(statp).nsaddrs[ns + 1]; +- statp->nsaddr_list[ns] = statp->nsaddr_list[ns + 1]; +- EXT(statp).nssocks[ns] = EXT(statp).nssocks[ns + 1]; +- } +- EXT(statp).nsaddrs[lastns] = inp; +- statp->nsaddr_list[lastns] = ina; +- EXT(statp).nssocks[lastns] = fd; ++ struct sockaddr_in6 *ina; ++ unsigned int map; ++ ++ n = 0; ++ while (n < MAXNS && EXT(statp).nsmap[n] == MAXNS) ++ n++; ++ if (n < MAXNS) { ++ ina = EXT(statp).nsaddrs[n]; ++ map = EXT(statp).nsmap[n]; ++ for (;;) { ++ ns = n + 1; ++ while (ns < MAXNS ++ && EXT(statp).nsmap[ns] == MAXNS) ++ ns++; ++ if (ns == MAXNS) ++ break; ++ EXT(statp).nsaddrs[n] = EXT(statp).nsaddrs[ns]; ++ EXT(statp).nsmap[n] = EXT(statp).nsmap[ns]; ++ n = ns; ++ } ++ EXT(statp).nsaddrs[n] = ina; ++ EXT(statp).nsmap[n] = map; ++ } + } + + /* + * Send request, RETRY times, or until successful. + */ + for (try = 0; try < statp->retry; try++) { +- for (ns = 0; ns < statp->nscount; ns++) ++ for (ns = 0; ns < MAXNS; ns++) + { + #ifdef DEBUG + char tmpbuf[40]; + #endif +-#if defined USE_HOOKS || defined DEBUG +- struct sockaddr *nsap = get_nsaddr (statp, ns); +-#endif ++ struct sockaddr_in6 *nsap = EXT(statp).nsaddrs[ns]; + ++ if (nsap == NULL) ++ goto next_ns; + same_ns: + #ifdef USE_HOOKS + if (__glibc_unlikely (statp->qhook != NULL)) { +@@ -615,21 +652,6 @@ libresolv_hidden_def (res_nsend) + + /* Private */ + +-static struct sockaddr * +-get_nsaddr (res_state statp, int n) +-{ +- +- if (statp->nsaddr_list[n].sin_family == 0 && EXT(statp).nsaddrs[n] != NULL) +- /* EXT(statp).nsaddrs[n] holds an address that is larger than +- struct sockaddr, and user code did not update +- statp->nsaddr_list[n]. */ +- return (struct sockaddr *) EXT(statp).nsaddrs[n]; +- else +- /* User code updated statp->nsaddr_list[n], or statp->nsaddr_list[n] +- has the same content as EXT(statp).nsaddrs[n]. */ +- return (struct sockaddr *) (void *) &statp->nsaddr_list[n]; +-} +- + static int + send_vc(res_state statp, + const u_char *buf, int buflen, const u_char *buf2, int buflen2, +@@ -644,7 +666,7 @@ send_vc(res_state statp, + // XXX REMOVE + // int anssiz = *anssizp; + HEADER *anhp = (HEADER *) ans; +- struct sockaddr *nsap = get_nsaddr (statp, ns); ++ struct sockaddr_in6 *nsap = EXT(statp).nsaddrs[ns]; + int truncating, connreset, n; + /* On some architectures compiler might emit a warning indicating + 'resplen' may be used uninitialized. However if buf2 == NULL +@@ -677,8 +699,8 @@ send_vc(res_state statp, + + if (getpeername(statp->_vcsock, + (struct sockaddr *)&peer, &size) < 0 || +- !sock_eq(&peer, (struct sockaddr_in6 *) nsap)) { +- __res_iclose(statp, false); ++ !sock_eq(&peer, nsap)) { ++ __res_iclose(statp, false); + statp->_flags &= ~RES_F_VC; + } + } +@@ -687,19 +709,20 @@ send_vc(res_state statp, + if (statp->_vcsock >= 0) + __res_iclose(statp, false); + +- statp->_vcsock = socket(nsap->sa_family, SOCK_STREAM, 0); ++ statp->_vcsock = socket(nsap->sin6_family, SOCK_STREAM, 0); + if (statp->_vcsock < 0) { + *terrno = errno; + Perror(statp, stderr, "socket(vc)", errno); + return (-1); + } + __set_errno (0); +- if (connect(statp->_vcsock, nsap, +- nsap->sa_family == AF_INET ++ if (connect(statp->_vcsock, (struct sockaddr *)nsap, ++ nsap->sin6_family == AF_INET + ? sizeof (struct sockaddr_in) + : sizeof (struct sockaddr_in6)) < 0) { + *terrno = errno; +- Aerror(statp, stderr, "connect/vc", errno, nsap); ++ Aerror(statp, stderr, "connect/vc", errno, ++ (struct sockaddr *) nsap); + __res_iclose(statp, false); + return (0); + } +@@ -906,7 +929,8 @@ static int + reopen (res_state statp, int *terrno, int ns) + { + if (EXT(statp).nssocks[ns] == -1) { +- struct sockaddr *nsap = get_nsaddr (statp, ns); ++ struct sockaddr *nsap ++ = (struct sockaddr *) EXT(statp).nsaddrs[ns]; + socklen_t slen; + + /* only try IPv6 if IPv6 NS and if not failed before */ -- 2.26.2