Bug 823806 (CVE-2021-43523) - sys-libs/uclibc-ng: Incorrect handling of special characters in DNS records (CVE-2021-43523)
Status: RESOLVED WONTFIX
Alias: CVE-2021-43523
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/wbx-github/uclibc-...
Whiteboard: B4 [noglsa]
Keywords:
Depends on: 820905
Blocks:
Reported: 2021-11-15 08:13 UTC by Sam James
Modified: 2022-01-02 17:45 UTC
Description Sam James archtester gentoo-dev Security 2021-11-15 08:13:00 UTC
Description:
"In uClibc and uClibc-ng before 1.0.39, incorrect handling of special characters in domain names returned by DNS servers via gethostbyname, getaddrinfo, gethostbyaddr, and getnameinfo can lead to output of wrong hostnames (leading to domain hijacking) or injection into applications (leading to remote code execution, XSS, applications crashes, etc.). In other words, a validation step, which is expected in any stub resolver, does not occur."
Comment 1 David Seifert gentoo-dev 2022-01-02 10:32:57 UTC
uclibc support in Gentoo has been removed.