823806 – (CVE-2021-43523) sys-libs/uclibc-ng: Incorrect handling of special characters in DNS records (CVE-2021-43523)

Bug 823806 (CVE-2021-43523) - sys-libs/uclibc-ng: Incorrect handling of special characters in DNS records (CVE-2021-43523)

Summary: sys-libs/uclibc-ng: Incorrect handling of special characters in DNS records (...

Status:	RESOLVED WONTFIX

Alias:	CVE-2021-43523

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://github.com/wbx-github/uclibc-...
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:	820905
Blocks:
	Show dependency tree

Reported:	2021-11-15 08:13 UTC by Sam James
Modified:	2022-01-02 17:45 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2021-11-15 08:13:00 UTC

Description:
"In uClibc and uClibc-ng before 1.0.39, incorrect handling of special characters in domain names returned by DNS servers via gethostbyname, getaddrinfo, gethostbyaddr, and getnameinfo can lead to output of wrong hostnames (leading to domain hijacking) or injection into applications (leading to remote code execution, XSS, applications crashes, etc.). In other words, a validation step, which is expected in any stub resolver, does not occur."

Comment 1 David Seifert gentoo-dev

2022-01-02 10:32:57 UTC

uclibc support in Gentoo has been removed.