Bug 30884 (CVE-2023-5156) - Memory leak in getaddrinfo after fix for bug 30843 (CVE-2023-5156)
Status: RESOLVED FIXED
Alias: CVE-2023-5156
Product: glibc
Classification: Unclassified
Component: network
Version: 2.39
Importance: P2 normal
Target Milestone: 2.39
Assignee: Not yet assigned to anyone
Reported: 2023-09-25 05:55 UTC by Florian Weimer
Modified: 2023-09-26 22:58 UTC

fweimer: security+


Description Florian Weimer 2023-09-25 05:55:59 UTC
Romain Geissler reported that getaddrinfo can leak memory after the fix for bug 30843 (CVE-2023-4806) has been applied.

Already fixed for glibc 2.39 via:

commit ec6b95c3303c700eb89eebeda2d7264cc184a796
Author: Romain Geissler <romain.geissler@amadeus.com>
Date:   Mon Sep 25 01:21:51 2023 +0100

    Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
    
    This patch fixes a very recently added leak in getaddrinfo.
    
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

Since distributions have already started to backport the earlier fix, this needs a new CVE assignment for clear communication of the issue.
Comment 1 Sourceware Commits 2023-09-26 11:40:52 UTC
The master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=fd134feba35fa839018965733b34d28a09a075dd

commit fd134feba35fa839018965733b34d28a09a075dd
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Tue Sep 26 07:38:07 2023 -0400

    Document CVE-2023-4806 and CVE-2023-5156 in NEWS
    
    These are tracked in BZ #30884 and BZ #30843.
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Comment 2 Sourceware Commits 2023-09-26 22:52:18 UTC
The release/2.38/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5ee59ca371b99984232d7584fe2b1a758b4421d3

commit 5ee59ca371b99984232d7584fe2b1a758b4421d3
Author: Romain Geissler <romain.geissler@amadeus.com>
Date:   Mon Sep 25 01:21:51 2023 +0100

    Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
    
    This patch fixes a very recently added leak in getaddrinfo.
    
    This was assigned CVE-2023-5156.
    
    Resolves: BZ #30884
    Related: BZ #30842
    
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796)
Comment 3 Sourceware Commits 2023-09-26 22:52:23 UTC
The release/2.38/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f6445dc94da185b3d1ee283f0ca0a34c4e1986cc

commit f6445dc94da185b3d1ee283f0ca0a34c4e1986cc
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Tue Sep 26 07:38:07 2023 -0400

    Document CVE-2023-4806 and CVE-2023-5156 in NEWS
    
    These are tracked in BZ #30884 and BZ #30843.
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit fd134feba35fa839018965733b34d28a09a075dd)
Comment 4 Sourceware Commits 2023-09-26 22:53:30 UTC
The release/2.37/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4473d1b87d04b25cdd0e0354814eeaa421328268

commit 4473d1b87d04b25cdd0e0354814eeaa421328268
Author: Romain Geissler <romain.geissler@amadeus.com>
Date:   Mon Sep 25 01:21:51 2023 +0100

    Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
    
    This patch fixes a very recently added leak in getaddrinfo.
    
    This was assigned CVE-2023-5156.
    
    Resolves: BZ #30884
    Related: BZ #30842
    
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796)
Comment 5 Sourceware Commits 2023-09-26 22:53:35 UTC
The release/2.37/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=94ef70136587c40a357f775677997c753b3de56c

commit 94ef70136587c40a357f775677997c753b3de56c
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Tue Sep 26 07:38:07 2023 -0400

    Document CVE-2023-4806 and CVE-2023-5156 in NEWS
    
    These are tracked in BZ #30884 and BZ #30843.
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit fd134feba35fa839018965733b34d28a09a075dd)
Comment 6 Sourceware Commits 2023-09-26 22:53:57 UTC
The release/2.36/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=856bac55f98dc840e7c27cfa82262b933385de90

commit 856bac55f98dc840e7c27cfa82262b933385de90
Author: Romain Geissler <romain.geissler@amadeus.com>
Date:   Mon Sep 25 01:21:51 2023 +0100

    Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
    
    This patch fixes a very recently added leak in getaddrinfo.
    
    This was assigned CVE-2023-5156.
    
    Resolves: BZ #30884
    Related: BZ #30842
    
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796)
Comment 7 Sourceware Commits 2023-09-26 22:54:02 UTC
The release/2.36/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=32957eb6a86acdbeec9f38a60a7d5a0ff32db03d

commit 32957eb6a86acdbeec9f38a60a7d5a0ff32db03d
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Tue Sep 26 07:38:07 2023 -0400

    Document CVE-2023-4806 and CVE-2023-5156 in NEWS
    
    These are tracked in BZ #30884 and BZ #30843.
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit fd134feba35fa839018965733b34d28a09a075dd)
Comment 8 Sourceware Commits 2023-09-26 22:54:12 UTC
The release/2.35/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=17092c0311f954e6f3c010f73ce3a78c24ac279a

commit 17092c0311f954e6f3c010f73ce3a78c24ac279a
Author: Romain Geissler <romain.geissler@amadeus.com>
Date:   Mon Sep 25 01:21:51 2023 +0100

    Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
    
    This patch fixes a very recently added leak in getaddrinfo.
    
    This was assigned CVE-2023-5156.
    
    Resolves: BZ #30884
    Related: BZ #30842
    
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796)
Comment 9 Sourceware Commits 2023-09-26 22:54:17 UTC
The release/2.35/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=73d4ce728a59deb2fd18969e559769b3f590fac9

commit 73d4ce728a59deb2fd18969e559769b3f590fac9
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Tue Sep 26 07:38:07 2023 -0400

    Document CVE-2023-4806 and CVE-2023-5156 in NEWS
    
    These are tracked in BZ #30884 and BZ #30843.
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit fd134feba35fa839018965733b34d28a09a075dd)
Comment 10 Sourceware Commits 2023-09-26 22:54:20 UTC
The release/2.34/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8006457ab7e1cd556b919f477348a96fe88f2e49

commit 8006457ab7e1cd556b919f477348a96fe88f2e49
Author: Romain Geissler <romain.geissler@amadeus.com>
Date:   Mon Sep 25 01:21:51 2023 +0100

    Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843]
    
    This patch fixes a very recently added leak in getaddrinfo.
    
    This was assigned CVE-2023-5156.
    
    Resolves: BZ #30884
    Related: BZ #30842
    
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796)
Comment 11 Sourceware Commits 2023-09-26 22:54:26 UTC
The release/2.34/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c3b99f8328939533a9b6ac93e8ae7285e90fbdab

commit c3b99f8328939533a9b6ac93e8ae7285e90fbdab
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Tue Sep 26 07:38:07 2023 -0400

    Document CVE-2023-4806 and CVE-2023-5156 in NEWS
    
    These are tracked in BZ #30884 and BZ #30843.
    
    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    (cherry picked from commit fd134feba35fa839018965733b34d28a09a075dd)
Comment 12 Siddhesh Poyarekar 2023-09-26 22:58:04 UTC
Fixed all the way back to 2.34.