From ${URL} : The getnetbyname implementation in nss_dns contains a potentially unbounded alloca call (in the form of a call to strdupa), leading to a stack overflow (stack exhaustion) and a crash if getnetbyname is invoked on a very long name. This bug was present in the initial commit of this file in 1996. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
i've added the upstream fixes to 2.22-r3. no plans to do a 2.21 backport. should be fine to move forward w/stabilizing 2.22 in general. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f3a77a809fe55f649025718d9c335ac07b87387e
We will wait a bit and then stabilize 2.22-r3 if no problems come out.
hmm, let's go with -r4. looks like the specific patch in question wasn't actually backported to the branches when i made the patchset earlier.
Arches, please test and mark stable: =sys-libs/glibc-2.22-r4 Target keywords : "alpha amd64 arm arm64 hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
amd64 stable
Stable for HPPA.
x86 stable
done most of the rest
alpha stable. That's the last arch.
New GLSA created. @ Maintainer(s): Please cleanup or apply masks if you want to keep old packages in repository for some reasons.
I cannot find the GLSA for this CVE. Furthermore, the CVE said that glibc-2.23 is also impacted.
(In reply to LABBE Corentin from comment #11) > I cannot find the GLSA for this CVE. > Furthermore, the CVE said that glibc-2.23 is also impacted. No GLSA has been released. As far as the patches, our Glibc maintainer backported the fixes to 2.22-r3 as mentioned in the comments.
This issue was resolved and addressed in GLSA 201702-11 at https://security.gentoo.org/glsa/201702-11 by GLSA coordinator Thomas Deutschmann (whissi).