Bug 578602 (CVE-2016-3075) - <sys-libs/glibc-2.22-r4: nss_dns: Stack overflow in getnetbyname implementation (CVE-2016-3075)
Status: RESOLVED FIXED
Alias: CVE-2016-3075
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://sourceware.org/bugzilla/show_...
Whiteboard: A2 [glsa cve cleanup]
Reported: 2016-03-30 12:52 UTC by Agostino Sarubbo
Modified: 2017-02-19 12:40 UTC

Description Agostino Sarubbo gentoo-dev 2016-03-30 12:52:53 UTC
From ${URL} :

The getnetbyname implementation in nss_dns contains a potentially unbounded alloca call (in the form of a call to strdupa), leading to a stack overflow (stack exhaustion) and a crash if getnetbyname is invoked on a very long name.

This bug was present in the initial commit of this file in 1996.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
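
The pattern described in the report above, as an added C example that is not glibc's code and not part of the original bug: a stack copy sized by the caller's string next to a bounded heap copy. The names `stack_copy_len` and `copy_query_name` and the 255-byte cap are assumptions made for this illustration.

```c
#include <alloca.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap for this example: RFC 1035 limits a domain name to 255 octets. */
#define MAX_QUERY_NAME 255

/* The reported pattern, written out: strdupa(name) amounts to
 * alloca(strlen(name) + 1) plus a copy, so the caller-supplied length
 * alone decides how far the stack grows. Only safe for short input. */
size_t stack_copy_len(const char *name)
{
    size_t n = strlen(name) + 1;
    char *qbuf = alloca(n);            /* no upper bound on n */
    memcpy(qbuf, name, n);
    return strlen(qbuf);
}

/* Bounded alternative (hypothetical helper): reject over-long names before
 * copying, and copy to the heap so a failure is an error return, not a crash.
 * Returns a malloc'd copy, or NULL with errno set. */
char *copy_query_name(const char *name)
{
    /* Look for the terminator within the cap only; never scan the whole input. */
    const char *end = memchr(name, '\0', MAX_QUERY_NAME + 1);
    if (end == NULL) {
        errno = ENAMETOOLONG;
        return NULL;
    }
    size_t len = (size_t)(end - name);
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return NULL;                   /* allocation failed */
    memcpy(copy, name, len + 1);
    return copy;
}

int main(void)
{
    size_t big = 1u << 20;             /* constructed 1 MiB name */
    char *name = calloc(big, 1);
    if (name == NULL) return 1;
    memset(name, 'a', big - 1);
    char *copy = copy_query_name(name);
    printf("1 MiB name: %s\n", copy ? "accepted" : "rejected");
    free(copy); free(name);
    return 0;
}
```
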
Comment 1 SpanKY gentoo-dev 2016-03-30 22:06:48 UTC
i've added the upstream fixes to 2.22-r3.  no plans to do a 2.21 backport.  should be fine to move forward w/stabilizing 2.22 in general.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f3a77a809fe55f649025718d9c335ac07b87387e
Comment 2 Agostino Sarubbo gentoo-dev 2016-04-02 10:54:27 UTC
We will wait a bit and then stabilize 2.22-r3 if no problems come out.
Comment 3 SpanKY gentoo-dev 2016-04-04 19:59:13 UTC
hmm, let's go with -r4.  looks like the specific patch in question wasn't actually backported to the branches when i made the patchset earlier.
Comment 4 Agostino Sarubbo gentoo-dev 2016-04-07 19:23:23 UTC
Arches, please test and mark stable:
=sys-libs/glibc-2.22-r4
Target keywords : "alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
Comment 5 Agostino Sarubbo gentoo-dev 2016-04-08 12:22:58 UTC
amd64 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2016-04-10 07:14:41 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2016-04-11 10:41:35 UTC
x86 stable
Comment 8 SpanKY gentoo-dev 2016-04-13 18:56:52 UTC
done most of the rest
Comment 9 Matt Turner gentoo-dev 2016-05-02 00:49:44 UTC
alpha stable. That's the last arch.
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-29 21:43:24 UTC
New GLSA created.


@ Maintainer(s): Please clean up or apply masks if you want to keep old packages in the repository for some reason.
Comment 11 LABBE Corentin 2017-01-17 14:26:11 UTC
I cannot find the GLSA for this CVE.
Furthermore, the CVE said that glibc-2.23 is also impacted.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2017-01-17 18:33:12 UTC
(In reply to LABBE Corentin from comment #11)
> I cannot find the GLSA for this CVE.
> Furthermore, the CVE said that glibc-2.23 is also impacted.

No GLSA has been released.  As far as the patches, our Glibc maintainer backported the fixes to 2.22-r3 as mentioned in the comments.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2017-02-19 12:40:13 UTC
This issue was resolved and addressed in GLSA 201702-11 at https://security.gentoo.org/glsa/201702-11 by GLSA coordinator Thomas Deutschmann (whissi).