Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2231094/?format=api
{ "id": 2231094, "url": "http://patchwork.ozlabs.org/api/patches/2231094/?format=api", "web_url": "http://patchwork.ozlabs.org/project/glibc/patch/3d1a89cf9c5d17c89dec7fb753392d198ae12ac4.1777546194.git.fweimer@redhat.com/", "project": { "id": 41, "url": "http://patchwork.ozlabs.org/api/projects/41/?format=api", "name": "GNU C Library", "link_name": "glibc", "list_id": "libc-alpha.sourceware.org", "list_email": "libc-alpha@sourceware.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<3d1a89cf9c5d17c89dec7fb753392d198ae12ac4.1777546194.git.fweimer@redhat.com>", "list_archive_url": null, "date": "2026-04-30T10:52:13", "name": "[4/5] resolv: Fix buffer overreads in ns_sprintrrf (CVE-2026-6238)", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "7d18d43deef751a5bf3ddb39bf5da45d776ae2de", "submitter": { "id": 14312, "url": "http://patchwork.ozlabs.org/api/people/14312/?format=api", "name": "Florian Weimer", "email": "fweimer@redhat.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/glibc/patch/3d1a89cf9c5d17c89dec7fb753392d198ae12ac4.1777546194.git.fweimer@redhat.com/mbox/", "series": [ { "id": 502273, "url": "http://patchwork.ozlabs.org/api/series/502273/?format=api", "web_url": "http://patchwork.ozlabs.org/project/glibc/list/?series=502273", "date": "2026-04-30T10:51:34", "name": "Fixes for CVE-2026-5435, CVE-2026-6238", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/502273/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2231094/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2231094/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "libc-alpha@sourceware.org" ], "Delivered-To": [ "patchwork-incoming@legolas.ozlabs.org", "libc-alpha@sourceware.org" ], "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=ZYp0ZhiL;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org\n (client-ip=2620:52:6:3111::32; helo=vm01.sourceware.org;\n envelope-from=libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org;\n receiver=patchwork.ozlabs.org)", "sourceware.org;\n\tdkim=pass (1024-bit key,\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=ZYp0ZhiL", "sourceware.org; dmarc=pass (p=quarantine dis=none)\n header.from=redhat.com", "sourceware.org; spf=pass smtp.mailfrom=redhat.com", "server2.sourceware.org;\n arc=none smtp.remote-ip=170.10.129.124" ], "Received": [ "from vm01.sourceware.org (vm01.sourceware.org\n [IPv6:2620:52:6:3111::32])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5rcQ0J0Fz1yGq\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 30 Apr 2026 20:53:10 +1000 (AEST)", "from vm01.sourceware.org (localhost [127.0.0.1])\n\tby sourceware.org (Postfix) with ESMTP id 0AAA5436F7E5\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 30 Apr 2026 10:53:08 +0000 (GMT)", "from us-smtp-delivery-124.mimecast.com\n (us-smtp-delivery-124.mimecast.com [170.10.129.124])\n by sourceware.org (Postfix) with ESMTP id A70A7436A048\n for <libc-alpha@sourceware.org>; Thu, 30 Apr 2026 10:52:18 +0000 (GMT)", "from mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com\n (ec2-35-165-154-97.us-west-2.compute.amazonaws.com [35.165.154.97]) by\n relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n cipher=TLS_AES_256_GCM_SHA384) id us-mta-593-SRdrVIxfO6OwOfvKZUOlJg-1; Thu,\n 30 Apr 2026 06:52:17 -0400", "from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com\n (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by mx-prod-mc-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS\n id 4873D18005A8\n for <libc-alpha@sourceware.org>; Thu, 30 Apr 2026 10:52:16 +0000 (UTC)", "from fweimer-oldenburg.csb.redhat.com (unknown [10.44.48.4])\n by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with\n ESMTPS\n id 94F0B1800480\n for <libc-alpha@sourceware.org>; Thu, 30 Apr 2026 10:52:15 +0000 (UTC)" ], "DKIM-Filter": [ "OpenDKIM Filter v2.11.0 sourceware.org 0AAA5436F7E5", "OpenDKIM Filter v2.11.0 sourceware.org A70A7436A048" ], "DMARC-Filter": "OpenDMARC Filter v1.4.2 sourceware.org A70A7436A048", "ARC-Filter": "OpenARC Filter v1.0.0 sourceware.org A70A7436A048", "ARC-Seal": "i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1777546338; cv=none;\n b=oDA9ESR2zS1+eXuwfF5tKHCyaGrv1+O95EIV9f/3bEEKzQyQEKmaBEhTgGRtUkj8SXT3McABVmZBHHvclmr1GLpU6vOYs9g6E9u+FVHiKcjNzA6zkqy0PJCtss9R3bd8l9kFfG7b86+iUAFFvuwhP577bSD4bZwykIdzXUkgBvs=", "ARC-Message-Signature": "i=1; a=rsa-sha256; d=sourceware.org; s=key;\n t=1777546338; c=relaxed/simple;\n bh=9NdODDF22sz+9cmlqPVuSR4Av6bh2QLNwtOmGMjoAe8=;\n h=DKIM-Signature:From:To:Subject:Message-ID:Date:MIME-Version;\n b=BBGEySXhYTXPkmtoq1HucLJ8MoHCTOxqKcI4R/UjJUybeLQcMy27xRvNJ93DWXN+ImnFSskHEqXh6Q9Rs0I0w3D4bmIY0GPoGExCtKA91fz9ZuddSSqyYjeKrF/MQ1pze8f0FTm3EaNHyOTxmvzgpTYsHCHkj71ApRUXkK5iNLA=", "ARC-Authentication-Results": "i=1; server2.sourceware.org", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1777546338;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:mime-version:mime-version:content-type:content-type:\n in-reply-to:in-reply-to:references:references;\n bh=/0YrkT9nb8dwLsOX6XkuWkYM1iU/sZgGAh/5w4ESNzM=;\n b=ZYp0ZhiLBLba68DBAnVBjOJTv0aqTyoAp1XZDkg2sYRhSaiGcRkpH2SAQ3JcC/ea8iZnSC\n /g5+QPuB5H0Do2HyzTwpNLGiLh4gMwlf8Hi6UQ7Cse877WfafBFxxOSjvCNtUORRnVIZCY\n DNPgp9nimiQk68BDJxQrmmpj8k5Ljp4=", "X-MC-Unique": "SRdrVIxfO6OwOfvKZUOlJg-1", "X-Mimecast-MFC-AGG-ID": "SRdrVIxfO6OwOfvKZUOlJg_1777546336", "From": "Florian Weimer <fweimer@redhat.com>", "To": "libc-alpha@sourceware.org", "Subject": "[PATCH 4/5] resolv: Fix buffer overreads in ns_sprintrrf\n (CVE-2026-6238)", "In-Reply-To": "<cover.1777546194.git.fweimer@redhat.com>", "Message-ID": "\n <3d1a89cf9c5d17c89dec7fb753392d198ae12ac4.1777546194.git.fweimer@redhat.com>", "References": "<cover.1777546194.git.fweimer@redhat.com>", "X-From-Line": "3d1a89cf9c5d17c89dec7fb753392d198ae12ac4 Mon Sep 17 00:00:00 2001", "Date": "Thu, 30 Apr 2026 12:52:13 +0200", "User-Agent": "Gnus/5.13 (Gnus v5.13)", "MIME-Version": "1.0", "X-Scanned-By": "MIMEDefang 3.4.1 on 10.30.177.93", "X-Mimecast-Spam-Score": "0", "X-Mimecast-MFC-PROC-ID": "ceAZlUGSE9GqQt-jAyMNWMiZwum-vsL0mAGD6iOjHzI_1777546336", "X-Mimecast-Originator": "redhat.com", "Content-Type": "text/plain", "X-BeenThere": "libc-alpha@sourceware.org", "X-Mailman-Version": "2.1.30", "Precedence": "list", "List-Id": "Libc-alpha mailing list <libc-alpha.sourceware.org>", "List-Unsubscribe": "<https://sourceware.org/mailman/options/libc-alpha>,\n <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe>", "List-Archive": "<https://sourceware.org/pipermail/libc-alpha/>", "List-Post": "<mailto:libc-alpha@sourceware.org>", "List-Help": "<mailto:libc-alpha-request@sourceware.org?subject=help>", "List-Subscribe": "<https://sourceware.org/mailman/listinfo/libc-alpha>,\n <mailto:libc-alpha-request@sourceware.org?subject=subscribe>", "Errors-To": "libc-alpha-bounces~incoming=patchwork.ozlabs.org@sourceware.org" }, "content": "Check that the RDATA payload does not require more than RDATALEN\nbytes while processing it. The fixes cover A6, CERT, LOC, TKEY,\nTSIG records.\n\nThe vulnerable LOC record handling was first introduced before\nglibc 2.0, in commit ee188d555b8c32ad9704a7440cab400af967292f.\n\nCERT, TSIG, TKEY handling came with commit\nb43b13ac2544b11f35be301d1589b51a8473e32b, released with glibc 2.2.\n\nA6 record handling was introduced in commit\n91633816430e7ec5a19fe3ff510a7c4822a9557e (\"* resolv/ns_print.c\n(ns_sprintrrf): Handle ns_t_a6 and ns_t_opt.\"), which went into glibc\n2.7.\n\nThis fixes bug 34069.\n---\n resolv/ns_print.c | 18 +++++++++++++++---\n 1 file changed, 15 insertions(+), 3 deletions(-)", "diff": "diff --git a/resolv/ns_print.c b/resolv/ns_print.c\nindex 9c9e810781..4953f47160 100644\n--- a/resolv/ns_print.c\n+++ b/resolv/ns_print.c\n@@ -318,7 +318,8 @@ ns_sprintrrf(const u_char *msg, size_t msglen,\n \tcase ns_t_loc: {\n \t\tchar t[255];\n \n-\t\t/* XXX protocol format checking? */\n+\t\tif (rdlen != 16)\n+\t\t goto formerr;\n \t\t(void) loc_ntoa(rdata, t);\n \t\tT(addstr(t, strlen(t), &buf, &buflen));\n \t\tbreak;\n@@ -444,6 +445,8 @@ ns_sprintrrf(const u_char *msg, size_t msglen,\n \t\tchar base64_cert[8192], tmp[40];\n \t\tconst char *leader;\n \n+\t\tif (rdlen < 2 * NS_INT16SZ + 1)\n+\t\t\tgoto formerr;\n \t\tc_type = ns_get16(rdata); rdata += NS_INT16SZ;\n \t\tkey_tag = ns_get16(rdata); rdata += NS_INT16SZ;\n \t\talg = (u_int) *rdata++;\n@@ -490,23 +493,31 @@ ns_sprintrrf(const u_char *msg, size_t msglen,\n \t\tT(addstr(\" \", 1, &buf, &buflen));\n \n \t\t/* Inception. */\n+\t\tif (edata - rdata < NS_INT32SZ)\n+\t\t\tgoto formerr;\n \t\tt = ns_get32(rdata); rdata += NS_INT32SZ;\n \t\tlen = SPRINTF((tmp, \"%lu \", t));\n \t\tT(addstr(tmp, len, &buf, &buflen));\n \n \t\t/* Expiration. */\n+\t\tif (edata - rdata < NS_INT32SZ)\n+\t\t\tgoto formerr;\n \t\tt = ns_get32(rdata); rdata += NS_INT32SZ;\n \t\tlen = SPRINTF((tmp, \"%lu \", t));\n \t\tT(addstr(tmp, len, &buf, &buflen));\n \n \t\t/* Mode , Error, Key Size. */\n \t\t/* Priority, Weight, Port. */\n+\t\tif (edata - rdata < 3 * NS_INT16SZ)\n+\t\t\tgoto formerr;\n \t\tmode = ns_get16(rdata); rdata += NS_INT16SZ;\n \t\terr = ns_get16(rdata); rdata += NS_INT16SZ;\n \t\tkeysize = ns_get16(rdata); rdata += NS_INT16SZ;\n \t\tlen = SPRINTF((tmp, \"%u %u %u \", mode, err, keysize));\n \t\tT(addstr(tmp, len, &buf, &buflen));\n \n+\t\tif (edata - rdata < keysize)\n+\t\t\tgoto formerr;\n \t\t/* XXX need to dump key, print otherdata length & other data */\n \t\tbreak;\n \t }\n@@ -532,9 +543,10 @@ ns_sprintrrf(const u_char *msg, size_t msglen,\n \n \t\t/* address suffix: provided only when prefix len != 128 */\n \t\tif (pbit < 128) {\n-\t\t\tif (rdata + pbyte >= edata) goto formerr;\n+\t\t\tunsigned int bytelen = sizeof(a) - pbyte;\n+\t\t\tif (edata - rdata < bytelen) goto formerr;\n \t\t\tmemset(&a, 0, sizeof(a));\n-\t\t\tmemcpy(&a.s6_addr[pbyte], rdata, sizeof(a) - pbyte);\n+\t\t\tmemcpy(&a.s6_addr[pbyte], rdata, bytelen);\n \t\t\tif (inet_ntop (AF_INET6, &a, buf, buflen) == NULL)\n \t\t\t return -1;\n \t\t\taddlen(strlen(buf), &buf, &buflen);\n", "prefixes": [ "4/5" ] }