CVE-2023-4527: Stack read overflow with large TCP responses in no-aaaa mode

Without passing alt_dns_packet_buffer, __res_context_search can only
store 2048 bytes (what fits into dns_packet_buffer).  However,
the function returns the total packet size, and the subsequent
DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end
of the stack-allocated buffer.

Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa
stub resolver option") and bug 30842.

(cherry picked from commit bd77dd7e73e3530203be1c52c8a29d08270cb25d)

1 files changed, 7 insertions, 0 deletions

diff --git a/NEWS b/NEWS
index 3cd793443a..08dd3c98a4 100644
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,12 @@ Security related changes:
   buffer size.  The resulting larger than expected output could result
   in a buffer overflow in the printf family of functions.
 
+  CVE-2023-4527: If the system is configured in no-aaaa mode via
+  /etc/resolv.conf, getaddrinfo is called for the AF_UNSPEC address
+  family, and a DNS response is received over TCP that is larger than
+  2048 bytes, getaddrinfo may potentially disclose stack contents via
+  the returned address data, or crash.
+
 The following bugs are resolved with this release:
 
   [20975] Deferred cancellation triggers in __check_pf and looses lock leading to deadlock
@@ -31,6 +37,7 @@ The following bugs are resolved with this release:
   [30477] libc: [RISCV]: time64 does not work on riscv32
   [30515] _dl_find_object incorrectly returns 1 during early startup
   [30785] Always call destructors in reverse constructor order
+  [30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527)
 
 Version 2.37