A stack (frame) overflow flaw, which led to a denial of service (application crash), was found in the way glibc's getaddrinfo() function processed certain requests when called with AF_INET6. A similar flaw to CVE-2013-1914, this affects AF_INET6 rather than AF_UNSPEC. A proposed patch has been submitted for review [1]. No CVE has been assigned yet. [1] https://sourceware.org/ml/libc-alpha/2013-10/msg00733.html
Patch available in upstream master: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7cbcdb3699584db8913ca90f705d6337633ee10f
CVE-2013-4458 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4458): Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in GNU C Library (aka glibc or libc6) 2.18 and earlier allows remote attackers to cause a denial of service (crash) via a (1) hostname or (2) IP address that triggers a large number of AF_INET6 address results. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1914.
Ping! What do you think about providing a stabilization for this since the patch was available for a month now (as provided in the posts). This is a an A2 (5 day) vulnerability. Please advise if we have a version that can be tested / stabilized.
there are no plans to add more patches to glibc-2.17
i've cherry picked this to the glibc-2.18 patchset
Maintainer(s), please drop the vulnerable version(s). Added to an existing GLSA Request.
This issue was resolved and addressed in GLSA 201503-04 at http://security.gentoo.org/glsa/glsa-201503-04.xml by GLSA coordinator Kristian Fiskerstrand (K_F).
