public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug network/30842] New: Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
@ 2023-09-12 15:16 fweimer at redhat dot com
2023-09-12 15:25 ` [Bug network/30842] " fweimer at redhat dot com
` (11 more replies)
0 siblings, 12 replies; 13+ messages in thread
From: fweimer at redhat dot com @ 2023-09-12 15:16 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30842
Bug ID: 30842
Summary: Stack read overflow in getaddrinfo in no-aaaa mode
(CVE-2023-4527)
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: network
Assignee: fweimer at redhat dot com
Reporter: fweimer at redhat dot com
Target Milestone: ---
Flags: security+
If the system is configured in no-aaaa mode via /etc/resolv.conf, getaddrinfo
is called for the AF_UNSPEC address family, and a DNS response is received over
TCP that is larger than 2048 bytes, getaddrinfo may potentially disclose stack
contents via the returned address data, or crash. While name lookup normally
just fails incorrectly, crashes are not difficult to trigger, with valid DNS
responses that are propagated by DNS resolvers.
Introduced by:
commit f282cdbe7f436c75864e5640a409a10485e9abb2
Author: Florian Weimer <fweimer@redhat.com>
Date: Fri Jun 24 18:16:41 2022 +0200
resolv: Implement no-aaaa stub resolver option
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 13+ messages in thread
* [Bug network/30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
2023-09-12 15:16 [Bug network/30842] New: Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) fweimer at redhat dot com
@ 2023-09-12 15:25 ` fweimer at redhat dot com
2023-09-13 3:18 ` sam at gentoo dot org
` (10 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: fweimer at redhat dot com @ 2023-09-12 15:25 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30842
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fweimer at redhat dot com
Status|NEW |ASSIGNED
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 13+ messages in thread
* [Bug network/30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
2023-09-12 15:16 [Bug network/30842] New: Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) fweimer at redhat dot com
2023-09-12 15:25 ` [Bug network/30842] " fweimer at redhat dot com
@ 2023-09-13 3:18 ` sam at gentoo dot org
2023-09-13 12:11 ` cvs-commit at gcc dot gnu.org
` (9 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: sam at gentoo dot org @ 2023-09-13 3:18 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30842
Sam James <sam at gentoo dot org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |sam at gentoo dot org
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 13+ messages in thread
* [Bug network/30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
2023-09-12 15:16 [Bug network/30842] New: Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) fweimer at redhat dot com
2023-09-12 15:25 ` [Bug network/30842] " fweimer at redhat dot com
2023-09-13 3:18 ` sam at gentoo dot org
@ 2023-09-13 12:11 ` cvs-commit at gcc dot gnu.org
2023-09-13 12:36 ` cvs-commit at gcc dot gnu.org
` (8 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2023-09-13 12:11 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30842
--- Comment #1 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Florian Weimer <fw@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bd77dd7e73e3530203be1c52c8a29d08270cb25d
commit bd77dd7e73e3530203be1c52c8a29d08270cb25d
Author: Florian Weimer <fweimer@redhat.com>
Date: Wed Sep 13 14:10:56 2023 +0200
CVE-2023-4527: Stack read overflow with large TCP responses in no-aaaa mode
Without passing alt_dns_packet_buffer, __res_context_search can only
store 2048 bytes (what fits into dns_packet_buffer). However,
the function returns the total packet size, and the subsequent
DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end
of the stack-allocated buffer.
Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa
stub resolver option") and bug 30842.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 13+ messages in thread
* [Bug network/30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
2023-09-12 15:16 [Bug network/30842] New: Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) fweimer at redhat dot com
` (2 preceding siblings ...)
2023-09-13 12:11 ` cvs-commit at gcc dot gnu.org
@ 2023-09-13 12:36 ` cvs-commit at gcc dot gnu.org
2023-09-13 12:36 ` cvs-commit at gcc dot gnu.org
` (7 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2023-09-13 12:36 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30842
--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.37/master branch has been updated by Florian Weimer
<fw@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b7529346025a130fee483d42178b5c118da971bb
commit b7529346025a130fee483d42178b5c118da971bb
Author: Florian Weimer <fweimer@redhat.com>
Date: Wed Sep 13 14:10:56 2023 +0200
CVE-2023-4527: Stack read overflow with large TCP responses in no-aaaa mode
Without passing alt_dns_packet_buffer, __res_context_search can only
store 2048 bytes (what fits into dns_packet_buffer). However,
the function returns the total packet size, and the subsequent
DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end
of the stack-allocated buffer.
Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa
stub resolver option") and bug 30842.
(cherry picked from commit bd77dd7e73e3530203be1c52c8a29d08270cb25d)
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 13+ messages in thread
* [Bug network/30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
2023-09-12 15:16 [Bug network/30842] New: Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) fweimer at redhat dot com
` (3 preceding siblings ...)
2023-09-13 12:36 ` cvs-commit at gcc dot gnu.org
@ 2023-09-13 12:36 ` cvs-commit at gcc dot gnu.org
2023-09-13 12:57 ` cvs-commit at gcc dot gnu.org
` (6 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2023-09-13 12:36 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30842
--- Comment #3 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.38/master branch has been updated by Florian Weimer
<fw@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b25508dd774b617f99419bdc3cf2ace4560cd2d6
commit b25508dd774b617f99419bdc3cf2ace4560cd2d6
Author: Florian Weimer <fweimer@redhat.com>
Date: Wed Sep 13 14:10:56 2023 +0200
CVE-2023-4527: Stack read overflow with large TCP responses in no-aaaa mode
Without passing alt_dns_packet_buffer, __res_context_search can only
store 2048 bytes (what fits into dns_packet_buffer). However,
the function returns the total packet size, and the subsequent
DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end
of the stack-allocated buffer.
Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa
stub resolver option") and bug 30842.
(cherry picked from commit bd77dd7e73e3530203be1c52c8a29d08270cb25d)
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 13+ messages in thread
* [Bug network/30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
2023-09-12 15:16 [Bug network/30842] New: Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) fweimer at redhat dot com
` (4 preceding siblings ...)
2023-09-13 12:36 ` cvs-commit at gcc dot gnu.org
@ 2023-09-13 12:57 ` cvs-commit at gcc dot gnu.org
2023-09-13 12:58 ` fweimer at redhat dot com
` (5 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2023-09-13 12:57 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30842
--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.36/master branch has been updated by Florian Weimer
<fw@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4ea972b7edd7e36610e8cde18bf7a8149d7bac4f
commit 4ea972b7edd7e36610e8cde18bf7a8149d7bac4f
Author: Florian Weimer <fweimer@redhat.com>
Date: Wed Sep 13 14:10:56 2023 +0200
CVE-2023-4527: Stack read overflow with large TCP responses in no-aaaa mode
Without passing alt_dns_packet_buffer, __res_context_search can only
store 2048 bytes (what fits into dns_packet_buffer). However,
the function returns the total packet size, and the subsequent
DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end
of the stack-allocated buffer.
Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa
stub resolver option") and bug 30842.
(cherry picked from commit bd77dd7e73e3530203be1c52c8a29d08270cb25d)
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 13+ messages in thread
* [Bug network/30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
2023-09-12 15:16 [Bug network/30842] New: Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) fweimer at redhat dot com
` (5 preceding siblings ...)
2023-09-13 12:57 ` cvs-commit at gcc dot gnu.org
@ 2023-09-13 12:58 ` fweimer at redhat dot com
2023-09-26 22:52 ` cvs-commit at gcc dot gnu.org
` (4 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: fweimer at redhat dot com @ 2023-09-13 12:58 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30842
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|--- |2.39
Status|ASSIGNED |RESOLVED
Resolution|--- |FIXED
--- Comment #5 from Florian Weimer <fweimer at redhat dot com> ---
All impacted branches fixed.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 13+ messages in thread
* [Bug network/30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
2023-09-12 15:16 [Bug network/30842] New: Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) fweimer at redhat dot com
` (6 preceding siblings ...)
2023-09-13 12:58 ` fweimer at redhat dot com
@ 2023-09-26 22:52 ` cvs-commit at gcc dot gnu.org
2023-09-26 22:53 ` cvs-commit at gcc dot gnu.org
` (3 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2023-09-26 22:52 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30842
--- Comment #6 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.38/master branch has been updated by Siddhesh Poyarekar
<siddhesh@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5ee59ca371b99984232d7584fe2b1a758b4421d3
commit 5ee59ca371b99984232d7584fe2b1a758b4421d3
Author: Romain Geissler <romain.geissler@amadeus.com>
Date: Mon Sep 25 01:21:51 2023 +0100
Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
This patch fixes a very recently added leak in getaddrinfo.
This was assigned CVE-2023-5156.
Resolves: BZ #30884
Related: BZ #30842
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796)
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 13+ messages in thread
* [Bug network/30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
2023-09-12 15:16 [Bug network/30842] New: Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) fweimer at redhat dot com
` (7 preceding siblings ...)
2023-09-26 22:52 ` cvs-commit at gcc dot gnu.org
@ 2023-09-26 22:53 ` cvs-commit at gcc dot gnu.org
2023-09-26 22:53 ` cvs-commit at gcc dot gnu.org
` (2 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2023-09-26 22:53 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30842
--- Comment #7 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.37/master branch has been updated by Siddhesh Poyarekar
<siddhesh@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4473d1b87d04b25cdd0e0354814eeaa421328268
commit 4473d1b87d04b25cdd0e0354814eeaa421328268
Author: Romain Geissler <romain.geissler@amadeus.com>
Date: Mon Sep 25 01:21:51 2023 +0100
Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
This patch fixes a very recently added leak in getaddrinfo.
This was assigned CVE-2023-5156.
Resolves: BZ #30884
Related: BZ #30842
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796)
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 13+ messages in thread
* [Bug network/30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
2023-09-12 15:16 [Bug network/30842] New: Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) fweimer at redhat dot com
` (8 preceding siblings ...)
2023-09-26 22:53 ` cvs-commit at gcc dot gnu.org
@ 2023-09-26 22:53 ` cvs-commit at gcc dot gnu.org
2023-09-26 22:54 ` cvs-commit at gcc dot gnu.org
2023-09-26 22:54 ` cvs-commit at gcc dot gnu.org
11 siblings, 0 replies; 13+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2023-09-26 22:53 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30842
--- Comment #8 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.36/master branch has been updated by Siddhesh Poyarekar
<siddhesh@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=856bac55f98dc840e7c27cfa82262b933385de90
commit 856bac55f98dc840e7c27cfa82262b933385de90
Author: Romain Geissler <romain.geissler@amadeus.com>
Date: Mon Sep 25 01:21:51 2023 +0100
Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
This patch fixes a very recently added leak in getaddrinfo.
This was assigned CVE-2023-5156.
Resolves: BZ #30884
Related: BZ #30842
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796)
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 13+ messages in thread
* [Bug network/30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
2023-09-12 15:16 [Bug network/30842] New: Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) fweimer at redhat dot com
` (9 preceding siblings ...)
2023-09-26 22:53 ` cvs-commit at gcc dot gnu.org
@ 2023-09-26 22:54 ` cvs-commit at gcc dot gnu.org
2023-09-26 22:54 ` cvs-commit at gcc dot gnu.org
11 siblings, 0 replies; 13+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2023-09-26 22:54 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30842
--- Comment #9 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.35/master branch has been updated by Siddhesh Poyarekar
<siddhesh@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=17092c0311f954e6f3c010f73ce3a78c24ac279a
commit 17092c0311f954e6f3c010f73ce3a78c24ac279a
Author: Romain Geissler <romain.geissler@amadeus.com>
Date: Mon Sep 25 01:21:51 2023 +0100
Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
This patch fixes a very recently added leak in getaddrinfo.
This was assigned CVE-2023-5156.
Resolves: BZ #30884
Related: BZ #30842
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796)
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 13+ messages in thread
* [Bug network/30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
2023-09-12 15:16 [Bug network/30842] New: Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) fweimer at redhat dot com
` (10 preceding siblings ...)
2023-09-26 22:54 ` cvs-commit at gcc dot gnu.org
@ 2023-09-26 22:54 ` cvs-commit at gcc dot gnu.org
11 siblings, 0 replies; 13+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2023-09-26 22:54 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=30842
--- Comment #10 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.34/master branch has been updated by Siddhesh Poyarekar
<siddhesh@sourceware.org>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8006457ab7e1cd556b919f477348a96fe88f2e49
commit 8006457ab7e1cd556b919f477348a96fe88f2e49
Author: Romain Geissler <romain.geissler@amadeus.com>
Date: Mon Sep 25 01:21:51 2023 +0100
Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
This patch fixes a very recently added leak in getaddrinfo.
This was assigned CVE-2023-5156.
Resolves: BZ #30884
Related: BZ #30842
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796)
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 13+ messages in thread
end of thread, other threads:[~2023-09-26 22:54 UTC | newest]
Thread overview: 13+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-09-12 15:16 [Bug network/30842] New: Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) fweimer at redhat dot com
2023-09-12 15:25 ` [Bug network/30842] " fweimer at redhat dot com
2023-09-13 3:18 ` sam at gentoo dot org
2023-09-13 12:11 ` cvs-commit at gcc dot gnu.org
2023-09-13 12:36 ` cvs-commit at gcc dot gnu.org
2023-09-13 12:36 ` cvs-commit at gcc dot gnu.org
2023-09-13 12:57 ` cvs-commit at gcc dot gnu.org
2023-09-13 12:58 ` fweimer at redhat dot com
2023-09-26 22:52 ` cvs-commit at gcc dot gnu.org
2023-09-26 22:53 ` cvs-commit at gcc dot gnu.org
2023-09-26 22:53 ` cvs-commit at gcc dot gnu.org
2023-09-26 22:54 ` cvs-commit at gcc dot gnu.org
2023-09-26 22:54 ` cvs-commit at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).