| Summary: | <sys-libs/glibc-2.22-r3: Per-thread memory leak in __res_vinit with IPv6 nameservers | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | toolchain |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://sourceware.org/bugzilla/show_bug.cgi?id=19257 | ||
| See Also: | https://sourceware.org/bugzilla/show_bug.cgi?id=19257 | ||
| Whiteboard: | A4 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
the fix is in stable already in glibc-2.22-r4 GLSA Vote: No |
From ${URL} : We have assigned CVE-2016-5417 to a memory leak in glibc. It was introduced in glibc 2.22, with commit 2212c1420c92a33b0e0bd9a34938c9814a56c0f7 (which also caused other regressions, which is why we backed it out in Fedora). The leak is triggered if name resolution functions are called in such a way that internal resolver data structures are only initialized partially. The memory leak was independently reported as occurring during Apache httpd testing, so we found it prudent to treat it as a very minor security vulnerability. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.