glibc: patch 2.23 for CVE-2016-3075, CVE-2016-1234, CVE-2016-3706

[srp]

Things done

• Tested using sandboxing
  (nix.useSandbox on NixOS,
  or option build-use-sandbox in nix.conf
  on non-NixOS)
• Built on platform(s)
  • NixOS
  • OS X
  • Linux
• Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Fits CONTRIBUTING.md.

---

This addresses the following security advisories:

• CVE-2016-3075: Stack overflow in _nss_dns_getnetbyname_r
• CVE-2016-1234: glob: buffer overflow with GLOB_ALTDIRFUNC due to incorrect
  NAME_MAX limit assumption
• CVE-2016-3706: getaddrinfo: stack overflow in hostent conversion

Patches cherry-picked from glibc's release/2.23/master branch.

The "glob-simplify-interface.patch" was a dependency for
"cve-2016-1234.patch".

[mention-bot]

By analyzing the blame information on this pull request, we identified @edolstra, @vcunat and @peti to be potential reviewers

[joachifm]

Would it be possible to fetch these patches instead of checking them into the repo?

[srp]

It looks like sourceware.org does have urls where the patches can be downloaded, but they don't apply cleanly without first removing the changes to the file ChangeLog. The other option would be to pull in every patch on the release/2.23/master branch. Looking back at the recent nixpkg history of glibc I didn't see a precedent for doing that, last time individual CVE patches were pulled in. That said, maybe pulling everything in is a better approach, I don't have a lot of experience with this.

[vcunat]

Thank you. In past I tried to find a better way to pull in patches for glibc but I couldn't.