
Bug 489234 (CVE-2013-4458)

Summary: <sys-libs/glibc-2.19-r1: Stack (frame) overflow in getaddrinfo() when called with AF_INET6 (CVE-2013-4458)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1022280
Whiteboard: A2 [glsa cleanup]
Package list:
Runtime testing required: ---
Bug Depends on: 518364    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2013-10-24 07:21:13 UTC
A stack (frame) overflow flaw, which led to a denial of service (application crash), was found in the way glibc's getaddrinfo() function processed certain requests when called with AF_INET6.  A similar flaw to CVE-2013-1914, this affects AF_INET6 rather than AF_UNSPEC.

A proposed patch has been submitted for review [1].  No CVE has been assigned yet.

[1] https://sourceware.org/ml/libc-alpha/2013-10/msg00733.html
Comment 1 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-03 01:06:46 UTC
Patch available in upstream master: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7cbcdb3699584db8913ca90f705d6337633ee10f
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-12-27 03:59:46 UTC
CVE-2013-4458 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4458):
  Stack-based buffer overflow in the getaddrinfo function in
  sysdeps/posix/getaddrinfo.c in GNU C Library (aka glibc or libc6) 2.18 and
  earlier allows remote attackers to cause a denial of service (crash) via a
  (1) hostname or (2) IP address that triggers a large number of AF_INET6
  address results.  NOTE: this vulnerability exists because of an incomplete
  fix for CVE-2013-1914.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2014-01-07 04:48:53 UTC
Ping!

What do you think about providing a stabilization for this since the patch was available for a month now (as provided in the posts)? This is an A2 (5 day) vulnerability.

Please advise if we have a version that can be tested / stabilized.
Comment 4 SpanKY gentoo-dev 2014-01-07 13:25:16 UTC
there are no plans to add more patches to glibc-2.17
Comment 5 SpanKY gentoo-dev 2014-02-18 19:32:41 UTC
i've cherry picked this to the glibc-2.18 patchset
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2015-03-03 02:47:07 UTC
Maintainer(s), please drop the vulnerable version(s).

Added to an existing GLSA Request.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2015-03-08 14:54:25 UTC
This issue was resolved and addressed in
 GLSA 201503-04 at http://security.gentoo.org/glsa/glsa-201503-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).