diff --git a/backport-CVE-2023-5156.patch b/backport-CVE-2023-5156.patch new file mode 100644 index 0000000000000000000000000000000000000000..8702518d367abcc28f1c0a3ff654dce04eefb9d1 --- /dev/null +++ b/backport-CVE-2023-5156.patch @@ -0,0 +1,29 @@ +From ec6b95c3303c700eb89eebeda2d7264cc184a796 Mon Sep 17 00:00:00 2001 +From: Romain Geissler +Date: Mon, 25 Sep 2023 01:21:51 +0100 +Subject: [PATCH] Fix leak in getaddrinfo introduced by the fix for + CVE-2023-4806 [BZ #30843] + +This patch fixes a very recently added leak in getaddrinfo. + +Reviewed-by: Siddhesh Poyarekar + +--- + sysdeps/posix/getaddrinfo.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c +index 614ee39f..b3321913 100644 +--- a/sysdeps/posix/getaddrinfo.c ++++ b/sysdeps/posix/getaddrinfo.c +@@ -1160,6 +1160,7 @@ gaih_inet (const char *name, const struct gaih_service *service, + + if (res.malloc_h_name){ + free (res.h_name); ++ res.malloc_h_name = false; + } + + return result; +-- +2.23.0 + diff --git a/glibc.spec b/glibc.spec index 44b8a3a456d75a325807c5281a6ac75d85be8509..c4bc0ee9fb66d552351be6563201a8ce7faef51a 100644 --- a/glibc.spec +++ b/glibc.spec @@ -62,7 +62,7 @@ ############################################################################## Name: glibc Version: 2.28 -Release: 96 +Release: 97 Summary: The GNU libc libraries License: %{all_license} URL: http://www.gnu.org/software/glibc/ @@ -159,6 +159,7 @@ Patch72: gmon-Fix-allocated-buffer-overflow-bug-29444.patch Patch73: mips-Fix-argument-passing-for-inlined-syscalls-on-Linux-BZ-25523.patch Patch74: backport-CVE-2023-4813.patch Patch75: backport-CVE-2023-4806.patch +Patch76: backport-CVE-2023-5156.patch Provides: ldconfig rtld(GNU_HASH) bundled(gnulib) @@ -1218,6 +1219,9 @@ fi %endif %changelog +* Tue Sep 26 2023 zhanghao - 2.28-97 +- nss:fix CVE-2023-5156 + * Mon Sep 25 2023 zhanghao - 2.28-96 - nss:fix CVE-2023-4806 CVE-2023-5156