[Bug nscd/29605] Regression in NSCD backend of getaddrinfo

["camila.camargodematos at canonical dot com" <sourceware-bugzilla@sourceware.org>]

https://sourceware.org/bugzilla/show_bug.cgi?id=29605

Camila Camargo de Matos <camila.camargodematos at canonical dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |camila.camargodematos@canon
                   |                            |ical.com

--- Comment #13 from Camila Camargo de Matos <camila.camargodematos at canonical dot com> ---
Hello,

When recently trying to patch CVE-2023-4806 in glibc for Ubuntu 22.04 LTS, the
Ubuntu Security Team came across a possible regression in version 2.35 that
seems to be related to this bug.

This is the link to the bug report containing more information on the issue
that users came across in Ubuntu 22.04 LTS:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/2047155


When patching Ubuntu 22.04's version of glibc (2.35) for CVE-2023-4806 (and
CVEs CVE-2023-4813 and CVE-2023-5156), several of the refactoring commits in
branch release/2.35/master were added as well in order to avoid any possible
issues and simplify the application of the CVE patch (these refactoring commits
are the ones added to sysdeps/posix/getaddrinfo.c in 2023-09). In this group of
commits was commit ce64e72b, which is cherry-picked from e7e5315b, mentioned
here as the cause of the issue in nscd, consequence of a typo in the
refactoring.

Analysis of the release/2.35/master branch seems to indicate that the fix to
this typo was not applied to glibc 2.35, and the report in the Ubuntu Launchpad
bug shows version 2.35 of glibc (more specifically, nscd) being affected by a
regression when previously mentioned refactoring commits are added.

A new version of the Ubuntu 22.04 glibc package will be released and this new
version contains the fix provided in this sourceware bug (commit 227c9035) as
well as three other refactoring commits (backported from the
release/2.36/master branch as well. These are: bc0d18d8, 06890c7b and
d3f2c2c8). Adding these additional changes to the 22.04 glibc 2.35 package seem
to have resolved the issue being reported in the Ubuntu Launchpad bug.

I mention this here in case 2.35 is still being supported, so that the fix to
this issue can be included in that branch as well.

Regards,
Camila Camargo de Matos.

-- 
You are receiving this mail because:
You are on the CC list for the bug.