Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 532874 (CVE-2014-9402) - <sys-libs/glibc-2.20-r2: denial of service in getnetbyname function (CVE-2014-9402)
Summary: <sys-libs/glibc-2.20-r2: denial of service in getnetbyname function (CVE-2014...
Alias: CVE-2014-9402
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [glsa]
Depends on: CVE-2014-0475 544034
  Show dependency tree
Reported: 2014-12-17 16:51 UTC by Agostino Sarubbo
Modified: 2016-02-17 15:38 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-12-17 16:51:07 UTC
From ${URL} :

It was reported [1] that getnetbyname function in glibc 2.21 in earlier will enter an infinite loop 
if the DNS backend is activated in the system Name Service Switch configuration, and the DNS 
resolver receives a positive answer while processing the network name.

Upstream commit that fixes this issue:;h=11e3417af6e354f1942c68a271ae51e892b2814d


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 SpanKY gentoo-dev 2015-02-17 08:09:09 UTC
fix is also in glibc-2.20-r2 now
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-06-17 17:24:27 UTC
CVE-2014-9402 (
  The nss_dns implementation of getnetbyname in GNU C Library (aka glibc)
  before 2.21, when the DNS backend in the Name Service Switch configuration
  is enabled, allows remote attackers to cause a denial of service (infinite
  loop) by sending a positive answer while a network name is being process.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2016-02-17 15:38:12 UTC
This issue was resolved and addressed in
 GLSA 201602-02 at
by GLSA coordinator Tobias Heinlein (keytoaster).