If the system is configured in no-aaaa mode via /etc/resolv.conf, getaddrinfo is called for the AF_UNSPEC address family, and a DNS response is received over TCP that is larger than 2048 bytes, getaddrinfo may potentially disclose stack contents via the returned address data, or crash. While name lookup normally just fails incorrectly, crashes are not difficult to trigger, with valid DNS responses that are propagated by DNS resolvers.

Introduced by:

commit f282cdbe7f436c75864e5640a409a10485e9abb2
Author: Florian Weimer <fweimer@redhat.com>
Date:   Fri Jun 24 18:16:41 2022 +0200

    resolv: Implement no-aaaa stub resolver option

    Reviewed-by: Carlos O'Donell <carlos@redhat.com>
The master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bd77dd7e73e3530203be1c52c8a29d08270cb25d

commit bd77dd7e73e3530203be1c52c8a29d08270cb25d
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Sep 13 14:10:56 2023 +0200

    CVE-2023-4527: Stack read overflow with large TCP responses in no-aaaa mode

    Without passing alt_dns_packet_buffer, __res_context_search can only store 2048 bytes (what fits into dns_packet_buffer). However, the function returns the total packet size, and the subsequent DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end of the stack-allocated buffer.

    Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa stub resolver option") and bug 30842.
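As an added example, written for this page and not taken from glibc, the C below models the contract the commit message describes: a 2048-byte stack buffer, a search routine (`res_search_like`, a hypothetical name) that stores only what fits but returns the full reply length, and a parser that trusts that length. The reply is constructed inline (200 A records for 192.0.2.x, 3229 bytes in total), and the pre-fix path keeps its over-read inside a larger array so the effect is measurable rather than a crash; every name, size and sample value is an assumption of this example.

```c
/* Added example, not glibc code: a model of the CVE-2023-4527 bug class.
 * res_search_like() follows the contract the commit message gives for
 * __res_context_search; every other name, size and value is hypothetical. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DNS_PACKET_BUFFER 2048   /* the stack buffer size named in the bug */
#define STACK_RESIDUE     2048   /* stand-in for whatever sits above it on the stack */
struct lookup_result { int rc; int a_records; size_t bytes_read; };

/* Constructed reply: header, question example.com/IN/A, then n 16-byte A
 * records for 192.0.2.x (TEST-NET-1).  Total length is 29 + 16*n bytes. */
static size_t build_reply(unsigned char *out, size_t cap, uint16_t n)
{
    static const unsigned char qname[] = {7,'e','x','a','m','p','l','e',3,'c','o','m',0};
    size_t off = 12 + sizeof qname + 4;
    if (cap < off + (size_t)n * 16) return 0;
    memset(out, 0, 12);
    out[2] = 0x81; out[3] = 0x80; out[5] = 1;                    /* QR RD RA, QDCOUNT=1 */
    out[6] = (unsigned char)(n >> 8); out[7] = (unsigned char)n; /* ANCOUNT */
    memcpy(out + 12, qname, sizeof qname);
    memcpy(out + 12 + sizeof qname, "\0\1\0\1", 4);             /* QTYPE A, QCLASS IN */
    for (uint16_t i = 0; i < n; i++, off += 16) {
        unsigned char rr[16] = {0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0x0E, 0x10, 0, 4,
                                192, 0, 2, (unsigned char)i};
        memcpy(out + off, rr, 16);
    }
    return off;
}

static int skip_name(const unsigned char *p, size_t len, size_t *off)
{
    while (*off < len) {
        unsigned char b = p[*off];
        if ((b & 0xC0) == 0xC0) { *off += 2; return *off <= len ? 0 : -1; }
        *off += 1 + b;                               /* a label; b == 0 is the root */
        if (b == 0) return 0;
    }
    return -1;
}

/* Bounds-checked against `len`, which is the trap: a `len` larger than the
 * storage behind `p` lets every check here pass over foreign memory. */
static int parse_reply(const unsigned char *p, size_t len, int *a_records, size_t *bytes_read)
{
    size_t off = 12; int rc = 0;
    *a_records = 0; *bytes_read = 0;
    if (len < 12) return -1;
    uint16_t qd = (uint16_t)(p[4] << 8 | p[5]), an = (uint16_t)(p[6] << 8 | p[7]);
    for (uint16_t i = 0; i < qd && rc == 0; i++)
        if (skip_name(p, len, &off) < 0 || off + 4 > len) rc = -1; else off += 4;
    for (uint16_t i = 0; i < an && rc == 0; i++) {
        if (skip_name(p, len, &off) < 0 || off + 10 > len) { rc = -1; break; }
        uint16_t type = (uint16_t)(p[off] << 8 | p[off + 1]);
        uint16_t rdlen = (uint16_t)(p[off + 8] << 8 | p[off + 9]);
        off += 10;
        if (off + rdlen > len) { rc = -1; break; }
        if (type == 1 && rdlen == 4) (*a_records)++;
        off += rdlen;
    }
    *bytes_read = off;
    return rc;
}

/* Copy what fits; with an altbuf pointer, heap-allocate room for the whole
 * reply instead.  Either way the return value is the FULL reply length. */
static int res_search_like(const unsigned char *wire, size_t wire_len,
                           unsigned char *buf, size_t buflen, unsigned char **altbuf)
{
    if (wire_len > buflen && altbuf != NULL) {
        if ((*altbuf = malloc(wire_len)) == NULL) return -1;
        buf = *altbuf; buflen = wire_len;
    }
    memcpy(buf, wire, wire_len < buflen ? wire_len : buflen);   /* may truncate */
    return (int)wire_len;
}

/* pass_altbuf == 0 is the pre-fix shape: `n` bytes parsed from a 2048-byte
 * buffer.  The over-read stays inside `frame`, whose 0xAA tail plays the rest
 * of the stack, so the demo is well defined and the damage can be measured. */
static struct lookup_result lookup(const unsigned char *wire, size_t wire_len, int pass_altbuf)
{
    unsigned char frame[DNS_PACKET_BUFFER + STACK_RESIDUE], *alt = NULL;
    struct lookup_result r = {0, 0, 0};
    memset(frame, 0xAA, sizeof frame);
    int n = res_search_like(wire, wire_len, frame, DNS_PACKET_BUFFER, pass_altbuf ? &alt : NULL);
    if (n < 0 || (size_t)n > sizeof frame) { r.rc = -2; return r; }   /* demo guard only */
    r.rc = parse_reply(alt ? alt : frame, (size_t)n, &r.a_records, &r.bytes_read);
    free(alt);
    return r;
}

/* 200 A records = 3229 bytes, well past the 2048-byte stack buffer. */
static struct lookup_result demo(int fixed)
{
    unsigned char wire[4096];
    size_t len = build_reply(wire, sizeof wire, 200);
    return fixed ? lookup(wire, len, 1) : lookup(wire, len, 0);
}
```

On the constructed reply, the pre-fix path stops at byte 2057 with a parse error and only 126 of the 200 records: record 126 straddles the buffer end, so its type and length fields are half reply and half 0xAA filler, which is the shape of the stack read the commit message describes (with real stack contents the parse may instead succeed and hand garbage addresses back). The only difference in the fixed path is that an alternate buffer pointer is supplied, so the full 3229 bytes are parsed from a heap copy and all 200 records come back.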
The release/2.37/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b7529346025a130fee483d42178b5c118da971bb

commit b7529346025a130fee483d42178b5c118da971bb
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Sep 13 14:10:56 2023 +0200

    CVE-2023-4527: Stack read overflow with large TCP responses in no-aaaa mode

    Without passing alt_dns_packet_buffer, __res_context_search can only store 2048 bytes (what fits into dns_packet_buffer). However, the function returns the total packet size, and the subsequent DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end of the stack-allocated buffer.

    Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa stub resolver option") and bug 30842.

    (cherry picked from commit bd77dd7e73e3530203be1c52c8a29d08270cb25d)
The release/2.38/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b25508dd774b617f99419bdc3cf2ace4560cd2d6

commit b25508dd774b617f99419bdc3cf2ace4560cd2d6
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Sep 13 14:10:56 2023 +0200

    CVE-2023-4527: Stack read overflow with large TCP responses in no-aaaa mode

    Without passing alt_dns_packet_buffer, __res_context_search can only store 2048 bytes (what fits into dns_packet_buffer). However, the function returns the total packet size, and the subsequent DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end of the stack-allocated buffer.

    Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa stub resolver option") and bug 30842.

    (cherry picked from commit bd77dd7e73e3530203be1c52c8a29d08270cb25d)
The release/2.36/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4ea972b7edd7e36610e8cde18bf7a8149d7bac4f

commit 4ea972b7edd7e36610e8cde18bf7a8149d7bac4f
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Sep 13 14:10:56 2023 +0200

    CVE-2023-4527: Stack read overflow with large TCP responses in no-aaaa mode

    Without passing alt_dns_packet_buffer, __res_context_search can only store 2048 bytes (what fits into dns_packet_buffer). However, the function returns the total packet size, and the subsequent DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end of the stack-allocated buffer.

    Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa stub resolver option") and bug 30842.

    (cherry picked from commit bd77dd7e73e3530203be1c52c8a29d08270cb25d)
All impacted branches fixed.
The release/2.38/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5ee59ca371b99984232d7584fe2b1a758b4421d3

commit 5ee59ca371b99984232d7584fe2b1a758b4421d3
Author: Romain Geissler <romain.geissler@amadeus.com>
Date:   Mon Sep 25 01:21:51 2023 +0100

    Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]

    This patch fixes a very recently added leak in getaddrinfo.

    This was assigned CVE-2023-5156.

    Resolves: BZ #30884
    Related: BZ #30842

    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796)
The release/2.37/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4473d1b87d04b25cdd0e0354814eeaa421328268

commit 4473d1b87d04b25cdd0e0354814eeaa421328268
Author: Romain Geissler <romain.geissler@amadeus.com>
Date:   Mon Sep 25 01:21:51 2023 +0100

    Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]

    This patch fixes a very recently added leak in getaddrinfo.

    This was assigned CVE-2023-5156.

    Resolves: BZ #30884
    Related: BZ #30842

    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796)
The release/2.36/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=856bac55f98dc840e7c27cfa82262b933385de90

commit 856bac55f98dc840e7c27cfa82262b933385de90
Author: Romain Geissler <romain.geissler@amadeus.com>
Date:   Mon Sep 25 01:21:51 2023 +0100

    Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]

    This patch fixes a very recently added leak in getaddrinfo.

    This was assigned CVE-2023-5156.

    Resolves: BZ #30884
    Related: BZ #30842

    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796)
The release/2.35/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=17092c0311f954e6f3c010f73ce3a78c24ac279a

commit 17092c0311f954e6f3c010f73ce3a78c24ac279a
Author: Romain Geissler <romain.geissler@amadeus.com>
Date:   Mon Sep 25 01:21:51 2023 +0100

    Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]

    This patch fixes a very recently added leak in getaddrinfo.

    This was assigned CVE-2023-5156.

    Resolves: BZ #30884
    Related: BZ #30842

    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796)
The release/2.34/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8006457ab7e1cd556b919f477348a96fe88f2e49

commit 8006457ab7e1cd556b919f477348a96fe88f2e49
Author: Romain Geissler <romain.geissler@amadeus.com>
Date:   Mon Sep 25 01:21:51 2023 +0100

    Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]

    This patch fixes a very recently added leak in getaddrinfo.

    This was assigned CVE-2023-5156.

    Resolves: BZ #30884
    Related: BZ #30842

    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796)