summaryrefslogtreecommitdiffstats
path: root/package/musl/0003-in-dns-parsing-callback-enforce-MAXADDRS-to-preclude.patch
Commit message (Collapse)AuthorAgeFilesLines
* musl: bump to 1.1.18Thomas Petazzoni2017-11-291-35/+0
| | | | | | | | | | Patch 0002-arm-atomics-asm-with-new-binutils.patch is upstream as of commit b261a24256792177a5f0531dbb25cc6267220ca5. Patch 0003-Makefile-include-per-arch-Makefile-before-Makefile is upstream as of commit 45ca5d3fcb6f874bf5ba55d0e9651cef68515395. Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* musl: add upstream security fix for CVE-2017-15650Peter Korsgaard2017-10-211-0/+35
>From the upstream announcement: http://www.openwall.com/lists/oss-security/2017/10/19/5 Felix Wilhelm has discovered a flaw in the dns response parsing for musl libc 1.1.16 that leads to overflow of a stack-based buffer. Earlier versions are also affected. When an application makes a request via getaddrinfo for both IPv4 and IPv6 results (AF_UNSPEC), an attacker who controls or can spoof the nameservers configured in resolv.conf can reply to both the A and AAAA queries with A results. Since A records are smaller than AAAA records, it's possible to fit more addresses than the precomputed bound, and a buffer overflow occurs. Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
OpenPOWER on IntegriCloud