From 2d0047f66b878118bf88a0af202cb92ddeefad5e Mon Sep 17 00:00:00 2001 From: zhanghao Date: Tue, 26 Sep 2023 19:53:17 +0800 Subject: [PATCH] fix:CVE-2023-5156 --- backport-CVE-2023-5156.patch | 29 +++++++++++++++++++++++++++++ glibc.spec | 6 +++++- 2 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2023-5156.patch diff --git a/backport-CVE-2023-5156.patch b/backport-CVE-2023-5156.patch new file mode 100644 index 0000000..8702518 --- /dev/null +++ b/backport-CVE-2023-5156.patch @@ -0,0 +1,29 @@ +From ec6b95c3303c700eb89eebeda2d7264cc184a796 Mon Sep 17 00:00:00 2001 +From: Romain Geissler +Date: Mon, 25 Sep 2023 01:21:51 +0100 +Subject: [PATCH] Fix leak in getaddrinfo introduced by the fix for + CVE-2023-4806 [BZ #30843] + +This patch fixes a very recently added leak in getaddrinfo. + +Reviewed-by: Siddhesh Poyarekar + +--- + sysdeps/posix/getaddrinfo.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c +index 614ee39f..b3321913 100644 +--- a/sysdeps/posix/getaddrinfo.c ++++ b/sysdeps/posix/getaddrinfo.c +@@ -1160,6 +1160,7 @@ gaih_inet (const char *name, const struct gaih_service *service, + + if (res.malloc_h_name){ + free (res.h_name); ++ res.malloc_h_name = false; + } + + return result; +-- +2.23.0 + diff --git a/glibc.spec b/glibc.spec index 44b8a3a..c4bc0ee 100644 --- a/glibc.spec +++ b/glibc.spec @@ -62,7 +62,7 @@ ############################################################################## Name: glibc Version: 2.28 -Release: 96 +Release: 97 Summary: The GNU libc libraries License: %{all_license} URL: http://www.gnu.org/software/glibc/ @@ -159,6 +159,7 @@ Patch72: gmon-Fix-allocated-buffer-overflow-bug-29444.patch Patch73: mips-Fix-argument-passing-for-inlined-syscalls-on-Linux-BZ-25523.patch Patch74: backport-CVE-2023-4813.patch Patch75: backport-CVE-2023-4806.patch +Patch76: backport-CVE-2023-5156.patch Provides: ldconfig rtld(GNU_HASH) bundled(gnulib) @@ -1218,6 +1219,9 @@ fi %endif %changelog +* Tue Sep 26 2023 zhanghao - 2.28-97 +- nss:fix CVE-2023-5156 + * Mon Sep 25 2023 zhanghao - 2.28-96 - nss:fix CVE-2023-4806 CVE-2023-5156 -- Gitee