Bugzilla – Bug 927080
VUL-1: CVE-2015-1781: glibc: buffer length after padding in resolv/nss_dns/dns-host.c:getanswer_r
Last modified: 2016-06-06 09:59:11 UTC
bugbot adjusting priority
is public via oss-sec:

Date: Tue, 21 Apr 2015 14:54:10 +0200
Subject: [oss-security] CVE-2015-1781 in glibc
From: Florian Weimer <fweimer@redhat.com>

Arjun Shankar of Red Hat discovered that the nss_dns code does not adjust the buffer length when the buffer start pointer is aligned. As a result, a buffer overflow can occur in the implementation of functions such as gethostbyname_r, and crafted DNS responses might cause application crashes or result in arbitrary code execution. This can only happen if these functions are called with a misaligned buffer. I looked at quite a bit of source code, and tested applications with a patched glibc that logs misaligned buffers. I did not observe any such misaligned buffers.

Upstream bug: https://sourceware.org/bugzilla/show_bug.cgi?id=18287
Upstream commit: https://sourceware.org/git/?p=glibc.git;a=commit;h=2959eda9272a03386

--
Florian Weimer / Red Hat Product Security
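The alignment mistake described in the report above, as an added illustration that is not glibc's own code: the buffer start pointer is rounded up to an aligned address, the buggy version keeps using the caller's original length for its bounds check, and the fixed version first subtracts the bytes skipped by alignment. The helper names (align_up, remaining_buggy, remaining_fixed, the demo functions) and the 32-byte constructed buffer are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Round p up to the next multiple of align (align must be a power of two). */
static char *align_up(char *p, size_t align)
{
    uintptr_t u = (uintptr_t)p;
    return (char *)((u + align - 1) & ~(uintptr_t)(align - 1));
}

/* Buggy pattern from the report: the start pointer is moved forward to an
 * aligned address, but the length used for later bounds checks is left at
 * the caller's original value, so it overstates the space that remains. */
size_t remaining_buggy(char *buf, size_t buflen, size_t align)
{
    char *aligned = align_up(buf, align);
    (void)aligned;          /* the skipped bytes are silently forgotten */
    return buflen;
}

/* Corrected pattern: charge the alignment skew against the length first. */
size_t remaining_fixed(char *buf, size_t buflen, size_t align)
{
    char *aligned = align_up(buf, align);
    size_t skew = (size_t)(aligned - buf);
    if (skew > buflen)
        return 0;           /* too small to reach an aligned address at all */
    return buflen - skew;
}

/* Constructed case: 32 bytes of 8-byte-aligned storage, handed over as a
 * pointer 1 byte into it with the honest length 31. Returns how many bytes
 * a write trusting the buggy length would run past the real end. */
size_t demo_overrun_bytes(void)
{
    _Alignas(8) char storage[32];
    char *misaligned = storage + 1;
    size_t len = sizeof storage - 1;
    return remaining_buggy(misaligned, len, 8) - remaining_fixed(misaligned, len, 8);
}

/* Same constructed case, reporting the space the fixed computation allows. */
size_t demo_fixed_remaining(void)
{
    _Alignas(8) char storage[32];
    char *misaligned = storage + 1;
    return remaining_fixed(misaligned, sizeof storage - 1, 8);
}
```

With the 1-byte misalignment the aligned pointer lands 7 bytes in, so the buggy length overstates the remaining space by exactly those 7 bytes.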
Would like to understand the priority of fixing the issue and the ETA for SLES 11 SP3.
openSUSE-SU-2015:0955-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 917539,918187,920338,927080
CVE References: CVE-2014-8121,CVE-2015-1781
Sources used:
openSUSE 13.2 (src): glibc-2.19-16.12.1, glibc-testsuite-2.19-16.12.4, glibc-utils-2.19-16.12.1
openSUSE 13.1 (src): glibc-2.18-4.32.1, glibc-testsuite-2.18-4.32.3, glibc-utils-2.18-4.32.2
In an upstream release: http://lists.gnu.org/archive/html/info-gnu/2015-08/msg00004.html

The GNU C Library version 2.22 is now available.
[...]
* A buffer overflow in gethostbyname_r and related functions performing DNS requests has been fixed. If the NSS functions were called with a misaligned buffer, the buffer length change due to pointer alignment was not taken into account. This could result in application crashes or, potentially, arbitrary code execution, using crafted, but syntactically valid DNS responses. (CVE-2015-1781)
SUSE-SU-2015:1424-1: An update that solves three vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 830257,851280,918187,920338,927080,928723,932059,933770,933903,935286
CVE References: CVE-2013-2207,CVE-2014-8121,CVE-2015-1781
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): glibc-2.11.3-17.87.3
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): glibc-2.11.3-17.87.3
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): glibc-2.11.3-17.87.3
SUSE Linux Enterprise Server 11-SP4 (src): glibc-2.11.3-17.87.3
SUSE Linux Enterprise Server 11-SP3 (src): glibc-2.11.3-17.87.3
SUSE Linux Enterprise Desktop 11-SP4 (src): glibc-2.11.3-17.87.3
SUSE Linux Enterprise Desktop 11-SP3 (src): glibc-2.11.3-17.87.3
SUSE Linux Enterprise Debuginfo 11-SP4 (src): glibc-2.11.3-17.87.3
SUSE Linux Enterprise Debuginfo 11-SP3 (src): glibc-2.11.3-17.87.3
SLES 11 SP1 and later were affected. SLES 10 SP4 and older are NOT affected.
Created attachment 653222
xx.c

Started on something like this, which should show different behaviour before and after the update, but it's not showing this.

Precondition: rcnscd stop

In /etc/nsswitch.conf, on the hosts: line, move dns in front for testing:

hosts: dns files mdns_minimal [NOTFOUND=return] dns
Created attachment 653301
xx.c

1. Stop nscd to avoid caching.
2. Run: gcc -O2 -o xx xx.c

BEFORE:
./xx might already crash with memory corruption, or valgrind ./xx will show invalid reads/writes.

AFTER:
./xx should not crash, and valgrind ./xx should not show errors.
SUSE-SU-2015:1844-1: An update that solves two vulnerabilities and has 11 fixes is now available.

Category: security (moderate)
Bug References: 915955,918187,920338,927080,928723,931480,934084,937853,939211,940195,940332,944494,945779
CVE References: CVE-2014-8121,CVE-2015-1781
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): glibc-2.19-22.7.1
SUSE Linux Enterprise Server 12 (src): glibc-2.19-22.7.1
SUSE Linux Enterprise Desktop 12 (src): glibc-2.19-22.7.1
SUSE-SU-2016:0470-1: An update that solves 10 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 830257,847227,863499,892065,918187,920338,927080,945779,950944,961721,962736,962737,962738,962739
CVE References: CVE-2013-2207,CVE-2013-4458,CVE-2014-8121,CVE-2014-9761,CVE-2015-1781,CVE-2015-7547,CVE-2015-8776,CVE-2015-8777,CVE-2015-8778,CVE-2015-8779
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src): glibc-2.11.3-17.45.66.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src): glibc-2.11.3-17.45.66.1
All updates released.