aboutsummaryrefslogtreecommitdiff
path: root/NEWS
diff options
context:
space:
mode:
authorFlorian Weimer <fweimer@redhat.com>2015-04-29 14:41:25 +0200
committerFlorian Weimer <fweimer@redhat.com>2015-04-29 14:41:26 +0200
commit03d2730b44cc2236318fd978afa2651753666c55 (patch)
tree8846df11bd7a2d2b8bd0be49dbf9d69654240e05 /NEWS
parent7d0b2575416aec2717e8665287d0ab77826a0ade (diff)
downloadglibc-03d2730b44cc2236318fd978afa2651753666c55.zip
glibc-03d2730b44cc2236318fd978afa2651753666c55.tar.gz
glibc-03d2730b44cc2236318fd978afa2651753666c55.tar.bz2
CVE-2014-8121: Do not close NSS files database during iteration [BZ #18007]
Robin Hack discovered Samba would enter an infinite loop processing certain quota-related requests. We eventually tracked this down to a glibc issue. Running a (simplified) test case under strace shows that /etc/passwd is continuously opened and closed: … open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3 lseek(3, 0, SEEK_CUR) = 0 read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717 lseek(3, 2717, SEEK_SET) = 2717 close(3) = 0 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3 lseek(3, 0, SEEK_CUR) = 0 lseek(3, 0, SEEK_SET) = 0 read(3, "root:x:0:0:root:/root:/bin/bash\n"..., 4096) = 2717 lseek(3, 2717, SEEK_SET) = 2717 close(3) = 0 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3 lseek(3, 0, SEEK_CUR) = 0 … The lookup function implementation in nss/nss_files/files-XXX.c:DB_LOOKUP has code to prevent that. It is supposed skip closing the input file if it was already open. /* Reset file pointer to beginning or open file. */ \ status = internal_setent (keep_stream); \ \ if (status == NSS_STATUS_SUCCESS) \ { \ /* Tell getent function that we have repositioned the file pointer. */ \ last_use = getby; \ \ while ((status = internal_getent (result, buffer, buflen, errnop \ H_ERRNO_ARG EXTRA_ARGS_VALUE)) \ == NSS_STATUS_SUCCESS) \ { break_if_match } \ \ if (! keep_stream) \ internal_endent (); \ } \ keep_stream is initialized from the stayopen flag in internal_setent. internal_setent is called from the set*ent implementation as: status = internal_setent (stayopen); However, for non-host database, this flag is always 0, per the STAYOPEN magic in nss/getXXent_r.c. Thus, the fix is this: - status = internal_setent (stayopen); + status = internal_setent (1); This is not a behavioral change even for the hosts database (where the application can specify the stayopen flag) because with a call to sethostent(0), the file handle is still not closed in the implementation of gethostent.
Diffstat (limited to 'NEWS')
-rw-r--r--NEWS12
1 files changed, 8 insertions, 4 deletions
diff --git a/NEWS b/NEWS
index fc3911d..58cf559 100644
--- a/NEWS
+++ b/NEWS
@@ -13,10 +13,10 @@ Version 2.22
16512, 16560, 16783, 16850, 17090, 17195, 17269, 17523, 17542, 17569,
17588, 17596, 17620, 17621, 17628, 17631, 17711, 17715, 17776, 17779,
17792, 17836, 17912, 17916, 17930, 17932, 17944, 17949, 17964, 17965,
- 17967, 17969, 17978, 17987, 17991, 17996, 17998, 17999, 18019, 18020,
- 18029, 18030, 18032, 18036, 18038, 18039, 18042, 18043, 18046, 18047,
- 18068, 18080, 18093, 18100, 18104, 18110, 18111, 18128, 18138, 18185,
- 18197, 18206, 18210, 18211, 18247, 18287, 18333, 18346.
+ 17967, 17969, 17978, 17987, 17991, 17996, 17998, 17999, 18007, 18019,
+ 18020, 18029, 18030, 18032, 18036, 18038, 18039, 18042, 18043, 18046,
+ 18047, 18068, 18080, 18093, 18100, 18104, 18110, 18111, 18128, 18138,
+ 18185, 18197, 18206, 18210, 18211, 18247, 18287, 18333, 18346.
* Cache information can be queried via sysconf() function on s390 e.g. with
_SC_LEVEL1_ICACHE_SIZE as argument.
@@ -43,6 +43,10 @@ Version 2.22
Hat). These updates cause user visible changes, such as the fix for bug
17998.
+* CVE-2014-8121 The NSS files backend would reset the file pointer used by
+ the get*ent functions if any of the query functions for the same database
+ are used during the iteration, causing a denial-of-service condition in
+ some applications.
Version 2.21