[CVE-2015-0235]: heap-based buffer overflow in __nss_hostname_digits_dots()

Debian Bug report logs - #776391
[CVE-2015-0235]: heap-based buffer overflow in __nss_hostname_digits_dots()

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: [CVE-2015-0235]: heap-based buffer overflow in __nss_hostname_digits_dots()

Date: Tue, 27 Jan 2015 16:09:38 +0100

Package: libc6
Version: 2.19-13
Severity: grave
Tags: security upstream
Justification: user security hole

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

as this has been made public, let's fix it quickly (it might even be a
critical as this is remote):

From: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235

> A heap-based buffer overflow was found in
> __nss_hostname_digits_dots(), which is used by the gethostbyname()
> and gethostbyname2() glibc function call. A remote attacker could
> use this flaw to execute arbitary code with the permissions of the
> user running the application.

Upstream patch:

https://sourceware.org/git/?p=glibc.git;a=commit;h=d5dd6189d506068ed11c8bfa1e1e9bffde04decd

Public announcement:

http://www.frsag.org/pipermail/frsag/2015-January/005722.html

Cheers,
Ondrej

- -- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (990, 'testing'), (700, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libc6 depends on:
ii  libgcc1  1:4.9.1-19

libc6 recommends no packages.

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.55
pn  glibc-doc              <none>
ii  locales                2.19-13
ii  locales-all [locales]  2.19-13

- -- debconf information excluded

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQJ8BAEBCgBmBQJUx6oxXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQzMEI5MzNEODBGQ0UzRDk4MUEyRDM4RkIw
Qzk5QjcwRUY0RkNCQjA3AAoJEAyZtw70/LsHTUsQAKiKMrTsD8TQApyJ84sUFUuy
Tx0SBQsLlFGGH5Z076/469hU3ydkUl/36Q41lvYs2R/GSVxxh+TzUuBln9LeYlZK
56HYuYIMQMstINLgJONinl0h6mPE7qQN6F+TFcsoNkaKAQW0xFuNon1qTyXKkTgl
XpZJf27HDsy9EMQckEybPGxA7TSpbSelVd7Z44NEklan+RSG17s6hPpj830Qa076
rg7DBG3qhh6RQQkUZx67iS5uTJ6JzTeKjJ1IMdr6sHnwc2MW1WTFU5UpEZq4yqDD
wQ7Ct3wME+3ZKPyXDF1ql3FS5N1/X5v6lAQ/PGHPcKb+5H8zAsaPFOxEg+VegXbI
QXt9jPVRI3VCtD2/1X+ctRXFgll+tEMimtFT99FAbJHv4YdqbJ0KHGSyV+PDs+wq
5BAlBzTNqSkbhqEWDY4tLgtntG9ryCheU9E4JIamo2QZxxDHJ44X+9nwq7c7H5I0
0c8iKCgMXAaIQmtgCcnpnDPpFXbNi978oiRmMJRk/CwXkmeq2UqfJIJnEqieAeru
ZcQpFFTyioxTfYOWj1iIyV9wpZIjKW9UkYpPH5IYZAhjSqAgKlnJsk+DVytQwhCw
IM2pDzr1WeotdnFUMkVQ1h/ZE6IXQyw4k9nf3ITJjqVvuOgygHBTo3rMr1/uKd8W
YB3rV1cN3Um3W6f+8SoB
=g7tZ
-----END PGP SIGNATURE-----

Message #10 received at 776391-done@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>

To: Ondřej Surý <ondrej@debian.org>

Cc: 776391-done@bugs.debian.org

Subject: Re: Bug#776391: [CVE-2015-0235]: heap-based buffer overflow in __nss_hostname_digits_dots()

Date: Tue, 27 Jan 2015 16:40:15 +0100

Version: 2.18-1

* Ondřej Surý:

> as this has been made public, let's fix it quickly (it might even be a
> critical as this is remote):

Already fixed in jessie/sid.  I've just sent out the DSA as well.

Message #33 received at 776391@bugs.debian.org (full text, mbox, reply):

From: Martin von Wittich <martin.von.wittich@iserv.eu>

To: 776391@bugs.debian.org

Cc: fw@deneb.enyo.de

Subject: Re: Bug#776391: [CVE-2015-0235]: heap-based buffer overflow in __nss_hostname_digits_dots()

Date: Mon, 02 Feb 2015 14:15:14 +0100

The libc update unfortunately failed to restart the affected services
because the postinst only does that when updating from a version < 2.13:

/var/lib/dpkg/info/libc6:i386.postinst:
142:        if dpkg --compare-versions "$preversion" lt 2.13; then

Could this be changed so that this update restarts most of the affected
services?

-- 
Mit freundlichen Grüßen,
Martin v. Wittich

IServ GmbH
Bültenweg 73
38106 Braunschweig

Telefon:   0531-2243666-0
Fax:       0531-2243666-9
E-Mail:    info@iserv.eu
Internet:  iserv.eu

USt-IdNr. DE265149425 | Amtsgericht Braunschweig | HRB 201822
Geschäftsführer: Benjamin Heindl, Jörg Ludwig

Message #55 received at 776391-done@bugs.debian.org (full text, mbox, reply):

From: Aurelien Jarno <aurelien@aurel32.net>

To: 776391-done@bugs.debian.org

Subject: Re: Processed: fixed 776391 in 2.18-1, fixed 776391 in 2.13-38+deb7u7, fixed 776391 in 2.11.3-4+deb6u4

Date: Wed, 28 Oct 2015 21:44:35 +0100

On 2015-10-28 14:45, Debian Bug Tracking System wrote:
> Processing commands for control@bugs.debian.org:
> 
> > fixed 776391 2.18-1
> Bug #776391 [eglibc] [CVE-2015-0235]: heap-based buffer overflow in __nss_hostname_digits_dots()
> There is no source info for the package 'eglibc' at version '2.18-1' with architecture ''
> Unable to make a source version for version '2.18-1'
> Marked as fixed in versions 2.18-1.
> > fixed 776391 2.13-38+deb7u7
> Bug #776391 [eglibc] [CVE-2015-0235]: heap-based buffer overflow in __nss_hostname_digits_dots()
> There is no source info for the package 'eglibc' at version '2.13-38+deb7u7' with architecture ''
> Unable to make a source version for version '2.13-38+deb7u7'
> Marked as fixed in versions 2.13-38+deb7u7.
> > fixed 776391 2.11.3-4+deb6u4
> Bug #776391 [eglibc] [CVE-2015-0235]: heap-based buffer overflow in __nss_hostname_digits_dots()
> There is no source info for the package 'eglibc' at version '2.11.3-4+deb6u4' with architecture ''
> Unable to make a source version for version '2.11.3-4+deb6u4'
> Marked as fixed in versions 2.11.3-4+deb6u4.
> > thanks
> Stopping processing here.

As the bug is fixed in all releases, let's close the bug so that it gets
archived.

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net

Send a report that this bug log contains spam.