diff -Nru glibc-2.23/debian/changelog glibc-2.23/debian/changelog --- glibc-2.23/debian/changelog 2017-03-01 21:16:55.000000000 +0000 +++ glibc-2.23/debian/changelog 2017-03-21 18:07:07.000000000 +0000 @@ -1,3 +1,12 @@ +glibc (2.23-0ubuntu7) xenial-security; urgency=medium + + * REGRESSION UPDATE: Previous update introduced ABI breakage in + internal glibc query ABI + - Revert patches/any/CVE-2015-5180-regression.diff + (LP: #1674532) + + -- Steve Beattie Tue, 21 Mar 2017 08:54:23 -0700 + glibc (2.23-0ubuntu6) xenial-security; urgency=medium * SECURITY UPDATE: DNS resolver NULL pointer dereference with @@ -6,37 +15,28 @@ internal queries - CVE-2015-5180 * Rebuild to get the following fixes into the xenial-security pocket: - - SECURITY UPDATE: multiple overflows in strxfrm() - + patches/any/CVE-2015-8982.diff: Fix memory handling in - strxfrm_l - + CVE-2015-8982 - - SECURITY UPDATE: _IO_wstr_overflow integer overflow - + patches/any/CVE-2015-8983.diff: Add checks for integer overflow - + CVE-2015-8983 - - SECURITY UPDATE: buffer overflow (read past end of buffer) - in internal_fnmatch - + patches/any/CVE-2015-8984.diff: Remove extra increment when - skipping over collating symbol inside a bracket expression. - + CVE-2015-8984 - SECURITY UPDATE: stack-based buffer overflow in the glob implementation - + patches/any/CVE-2016-1234.diff: Simplify the interface for - the GLOB_ALTDIRFUNC callback gl_readdir + + patches/git-updates.diff: Simplify the interface for the + GLOB_ALTDIRFUNC callback gl_readdir + CVE-2016-1234 - SECURITY UPDATE: getaddrinfo: stack overflow in hostent conversion - + patches/any/CVE-2016-3706.diff: Use a heap allocation instead + + patches/git-updates.diff: Use a heap allocation instead + CVE-2016-3706: - SECURITY UPDATE: stack exhaustion in clntudp_call - + patches/any/CVE-2016-4429.diff: Use malloc/free for the - error payload. + + patches/git-updates.diff: Use malloc/free for the error + payload. + CVE-2016-4429 + - SECURITY UPDATE: memory exhaustion DoS in libresolv + + patches/git-updates.diff: Simplify handling of nameserver + configuration in resolver + + CVE-2016-5417 - SECURITY UPDATE: ARM32 backtrace infinite loop (DoS) - + patches/any/CVE-2016-6323.diff: mark __startcontext as - .cantunwind + + patches/git-updates.diff: mark __startcontext as .cantunwind + CVE-2016-6323 - -- Steve Beattie Wed, 01 Mar 2017 06:02:20 -0800 + -- Steve Beattie Mon, 06 Mar 2017 16:47:32 -0800 glibc (2.23-0ubuntu5) xenial; urgency=medium diff -Nru glibc-2.23/debian/patches/any/CVE-2015-5180.diff glibc-2.23/debian/patches/any/CVE-2015-5180.diff --- glibc-2.23/debian/patches/any/CVE-2015-5180.diff 2017-03-01 13:38:50.000000000 +0000 +++ glibc-2.23/debian/patches/any/CVE-2015-5180.diff 1970-01-01 00:00:00.000000000 +0000 @@ -1,329 +0,0 @@ -commit b3b37f1a5559a7620e31c8053ed1b44f798f2b6d -Author: Florian Weimer -Date: Sat Dec 31 20:22:09 2016 +0100 - - CVE-2015-5180: resolv: Fix crash with internal QTYPE [BZ #18784] - - Also rename T_UNSPEC because an upcoming public header file - update will use that name. - - (cherry picked from commit fc82b0a2dfe7dbd35671c10510a8da1043d746a5) - -2016-12-31 Florian Weimer - - [BZ #18784] - CVE-2015-5180 - * include/arpa/nameser_compat.h (T_QUERY_A_AND_AAAA): Rename from - T_UNSPEC. Adjust value. - * resolv/nss_dns/dns-host.c (_nss_dns_gethostbyname4_r): Use it. - * resolv/res_query.c (__libc_res_nquery): Likewise. - * resolv/res_mkquery.c (res_nmkquery): Check for out-of-range - QTYPEs. - * resolv/tst-resolv-qtypes.c: New file. - * resolv/Makefile (xtests): Add tst-resolv-qtypes. - (tst-resolv-qtypes): Link against libresolv and libpthread. - -[Note: pulled out changelog entry to avoid patch conflict. --sbeattie] - -Index: glibc-2.23/NEWS -=================================================================== ---- glibc-2.23.orig/NEWS -+++ glibc-2.23/NEWS -@@ -42,6 +42,12 @@ The following bugs are resolved with thi - (CVE-2016-3075) - [20177] $dp is not initialized correctly in sysdeps/hppa/start.S - -+* The DNS stub resolver functions would crash due to a NULL pointer -+ dereference when processing a query with a valid DNS question type which -+ was used internally in the implementation. The stub resolver now uses a -+ question type which is outside the range of valid question type values. -+ (CVE-2015-5180) -+ - - Version 2.23 - -Index: glibc-2.23/include/arpa/nameser_compat.h -=================================================================== ---- glibc-2.23.orig/include/arpa/nameser_compat.h -+++ glibc-2.23/include/arpa/nameser_compat.h -@@ -1,8 +1,8 @@ - #ifndef _ARPA_NAMESER_COMPAT_ - #include - --/* Picksome unused number to represent lookups of IPv4 and IPv6 (i.e., -- T_A and T_AAAA). */ --#define T_UNSPEC 62321 -+/* The number is outside the 16-bit RR type range and is used -+ internally by the implementation. */ -+#define T_QUERY_A_AND_AAAA 439963904 - - #endif -Index: glibc-2.23/resolv/Makefile -=================================================================== ---- glibc-2.23.orig/resolv/Makefile -+++ glibc-2.23/resolv/Makefile -@@ -40,6 +40,9 @@ ifeq ($(have-thread-library),yes) - extra-libs += libanl - routines += gai_sigqueue - tests += tst-res_hconf_reorder -+ -+# This test sends millions of packets and is rather slow. -+xtests += tst-resolv-qtypes - endif - extra-libs-others = $(extra-libs) - libresolv-routines := gethnamaddr res_comp res_debug \ -@@ -117,3 +120,5 @@ tst-leaks2-ENV = MALLOC_TRACE=$(objpfx)t - $(objpfx)mtrace-tst-leaks2.out: $(objpfx)tst-leaks2.out - $(common-objpfx)malloc/mtrace $(objpfx)tst-leaks2.mtrace > $@; \ - $(evaluate-test) -+ -+$(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library) -Index: glibc-2.23/resolv/nss_dns/dns-host.c -=================================================================== ---- glibc-2.23.orig/resolv/nss_dns/dns-host.c -+++ glibc-2.23/resolv/nss_dns/dns-host.c -@@ -323,7 +323,7 @@ _nss_dns_gethostbyname4_r (const char *n - - int olderr = errno; - enum nss_status status; -- int n = __libc_res_nsearch (&_res, name, C_IN, T_UNSPEC, -+ int n = __libc_res_nsearch (&_res, name, C_IN, T_QUERY_A_AND_AAAA, - host_buffer.buf->buf, 2048, &host_buffer.ptr, - &ans2p, &nans2p, &resplen2, &ans2p_malloced); - if (n >= 0) -Index: glibc-2.23/resolv/res_mkquery.c -=================================================================== ---- glibc-2.23.orig/resolv/res_mkquery.c -+++ glibc-2.23/resolv/res_mkquery.c -@@ -110,6 +110,10 @@ res_nmkquery(res_state statp, - int n; - u_char *dnptrs[20], **dpp, **lastdnptr; - -+ if (class < 0 || class > 65535 -+ || type < 0 || type > 65535) -+ return -1; -+ - #ifdef DEBUG - if (statp->options & RES_DEBUG) - printf(";; res_nmkquery(%s, %s, %s, %s)\n", -Index: glibc-2.23/resolv/res_query.c -=================================================================== ---- glibc-2.23.orig/resolv/res_query.c -+++ glibc-2.23/resolv/res_query.c -@@ -127,7 +127,7 @@ __libc_res_nquery(res_state statp, - int n, use_malloc = 0; - u_int oflags = statp->_flags; - -- size_t bufsize = (type == T_UNSPEC ? 2 : 1) * QUERYSIZE; -+ size_t bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * QUERYSIZE; - u_char *buf = alloca (bufsize); - u_char *query1 = buf; - int nquery1 = -1; -@@ -142,7 +142,7 @@ __libc_res_nquery(res_state statp, - printf(";; res_query(%s, %d, %d)\n", name, class, type); - #endif - -- if (type == T_UNSPEC) -+ if (type == T_QUERY_A_AND_AAAA) - { - n = res_nmkquery(statp, QUERY, name, class, T_A, NULL, 0, NULL, - query1, bufsize); -@@ -195,7 +195,7 @@ __libc_res_nquery(res_state statp, - if (__builtin_expect (n <= 0, 0) && !use_malloc) { - /* Retry just in case res_nmkquery failed because of too - short buffer. Shouldn't happen. */ -- bufsize = (type == T_UNSPEC ? 2 : 1) * MAXPACKET; -+ bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * MAXPACKET; - buf = malloc (bufsize); - if (buf != NULL) { - query1 = buf; -Index: glibc-2.23/resolv/tst-resolv-qtypes.c -=================================================================== ---- /dev/null -+++ glibc-2.23/resolv/tst-resolv-qtypes.c -@@ -0,0 +1,185 @@ -+/* Exercise low-level query functions with different QTYPEs. -+ Copyright (C) 2016 Free Software Foundation, Inc. -+ This file is part of the GNU C Library. -+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. -+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ . */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+/* If ture, the response function will send the actual response packet -+ over TCP instead of UDP. */ -+static volatile bool force_tcp; -+ -+/* Send back a fake resource record matching the QTYPE. */ -+static void -+response (const struct resolv_response_context *ctx, -+ struct resolv_response_builder *b, -+ const char *qname, uint16_t qclass, uint16_t qtype) -+{ -+ if (force_tcp && ctx->tcp) -+ { -+ resolv_response_init (b, (struct resolv_response_flags) { .tc = 1 }); -+ resolv_response_add_question (b, qname, qclass, qtype); -+ return; -+ } -+ -+ resolv_response_init (b, (struct resolv_response_flags) { }); -+ resolv_response_add_question (b, qname, qclass, qtype); -+ resolv_response_section (b, ns_s_an); -+ resolv_response_open_record (b, qname, qclass, qtype, 0); -+ resolv_response_add_data (b, &qtype, sizeof (qtype)); -+ resolv_response_close_record (b); -+} -+ -+static const const char *domain = "www.example.com"; -+ -+static int -+wrap_res_query (int type, unsigned char *answer, int answer_length) -+{ -+ return res_query (domain, C_IN, type, answer, answer_length); -+} -+ -+static int -+wrap_res_search (int type, unsigned char *answer, int answer_length) -+{ -+ return res_query (domain, C_IN, type, answer, answer_length); -+} -+ -+static int -+wrap_res_querydomain (int type, unsigned char *answer, int answer_length) -+{ -+ return res_querydomain ("www", "example.com", C_IN, type, -+ answer, answer_length); -+} -+ -+static int -+wrap_res_send (int type, unsigned char *answer, int answer_length) -+{ -+ unsigned char buf[512]; -+ int ret = res_mkquery (QUERY, domain, C_IN, type, -+ (const unsigned char *) "", 0, NULL, -+ buf, sizeof (buf)); -+ if (type < 0 || type >= 65536) -+ { -+ /* res_mkquery fails for out-of-range record types. */ -+ TEST_VERIFY_EXIT (ret == -1); -+ return -1; -+ } -+ TEST_VERIFY_EXIT (ret > 12); /* DNS header length. */ -+ return res_send (buf, ret, answer, answer_length); -+} -+ -+static int -+wrap_res_nquery (int type, unsigned char *answer, int answer_length) -+{ -+ return res_nquery (&_res, domain, C_IN, type, answer, answer_length); -+} -+ -+static int -+wrap_res_nsearch (int type, unsigned char *answer, int answer_length) -+{ -+ return res_nquery (&_res, domain, C_IN, type, answer, answer_length); -+} -+ -+static int -+wrap_res_nquerydomain (int type, unsigned char *answer, int answer_length) -+{ -+ return res_nquerydomain (&_res, "www", "example.com", C_IN, type, -+ answer, answer_length); -+} -+ -+static int -+wrap_res_nsend (int type, unsigned char *answer, int answer_length) -+{ -+ unsigned char buf[512]; -+ int ret = res_nmkquery (&_res, QUERY, domain, C_IN, type, -+ (const unsigned char *) "", 0, NULL, -+ buf, sizeof (buf)); -+ if (type < 0 || type >= 65536) -+ { -+ /* res_mkquery fails for out-of-range record types. */ -+ TEST_VERIFY_EXIT (ret == -1); -+ return -1; -+ } -+ TEST_VERIFY_EXIT (ret > 12); /* DNS header length. */ -+ return res_nsend (&_res, buf, ret, answer, answer_length); -+} -+ -+static void -+test_function (const char *fname, -+ int (*func) (int type, -+ unsigned char *answer, int answer_length)) -+{ -+ unsigned char buf[512]; -+ for (int tcp = 0; tcp < 2; ++tcp) -+ { -+ force_tcp = tcp; -+ for (unsigned int type = 1; type <= 65535; ++type) -+ { -+ if (test_verbose) -+ printf ("info: sending QTYPE %d with %s (tcp=%d)\n", -+ type, fname, tcp); -+ int ret = func (type, buf, sizeof (buf)); -+ if (ret != 47) -+ FAIL_EXIT1 ("%s tcp=%d qtype=%d return value %d", -+ fname,tcp, type, ret); -+ /* One question, one answer record. */ -+ TEST_VERIFY (memcmp (buf + 4, "\0\1\0\1\0\0\0\0", 8) == 0); -+ /* Question section. */ -+ static const char qname[] = "\3www\7example\3com"; -+ size_t qname_length = sizeof (qname); -+ TEST_VERIFY (memcmp (buf + 12, qname, qname_length) == 0); -+ /* RDATA part of answer. */ -+ uint16_t type16 = type; -+ TEST_VERIFY (memcmp (buf + ret - 2, &type16, sizeof (type16)) == 0); -+ } -+ } -+ -+ TEST_VERIFY (func (-1, buf, sizeof (buf) == -1)); -+ TEST_VERIFY (func (65536, buf, sizeof (buf) == -1)); -+} -+ -+static int -+do_test (void) -+{ -+ struct resolv_redirect_config config = -+ { -+ .response_callback = response, -+ }; -+ struct resolv_test *obj = resolv_test_start (config); -+ -+ test_function ("res_query", &wrap_res_query); -+ test_function ("res_search", &wrap_res_search); -+ test_function ("res_querydomain", &wrap_res_querydomain); -+ test_function ("res_send", &wrap_res_send); -+ -+ test_function ("res_nquery", &wrap_res_nquery); -+ test_function ("res_nsearch", &wrap_res_nsearch); -+ test_function ("res_nquerydomain", &wrap_res_nquerydomain); -+ test_function ("res_nsend", &wrap_res_nsend); -+ -+ resolv_test_end (obj); -+ return 0; -+} -+ -+#define TIMEOUT 300 -+#include diff -Nru glibc-2.23/debian/patches/series glibc-2.23/debian/patches/series --- glibc-2.23/debian/patches/series 2017-03-01 14:06:35.000000000 +0000 +++ glibc-2.23/debian/patches/series 2017-03-21 15:58:18.000000000 +0000 @@ -240,4 +240,3 @@ ubuntu/localedata/pt_BR-d_fmt.diff ubuntu/localedata/sd_PK.diff ubuntu/localedata/ug_CN@latin.diff -any/CVE-2015-5180.diff