diff options
author | Florian Weimer <fweimer@redhat.com> | 2023-09-13 14:10:56 +0200 |
---|---|---|
committer | Florian Weimer <fweimer@redhat.com> | 2023-09-13 14:15:22 +0200 |
commit | b7529346025a130fee483d42178b5c118da971bb (patch) | |
tree | 23865d7e5bf3dcaa8fc8c4412151f18fc8c3b697 /NEWS | |
parent | 1a7cbe52c8955beae477cf9c6d88f4bc04f626c1 (diff) | |
download | glibc-b7529346025a130fee483d42178b5c118da971bb.tar.gz glibc-b7529346025a130fee483d42178b5c118da971bb.tar.xz glibc-b7529346025a130fee483d42178b5c118da971bb.zip |
CVE-2023-4527: Stack read overflow with large TCP responses in no-aaaa mode
Without passing alt_dns_packet_buffer, __res_context_search can only store 2048 bytes (what fits into dns_packet_buffer). However, the function returns the total packet size, and the subsequent DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end of the stack-allocated buffer. Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa stub resolver option") and bug 30842. (cherry picked from commit bd77dd7e73e3530203be1c52c8a29d08270cb25d)
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/NEWS b/NEWS index 3cd793443a..08dd3c98a4 100644 --- a/NEWS +++ b/NEWS @@ -16,6 +16,12 @@ Security related changes: buffer size. The resulting larger than expected output could result in a buffer overflow in the printf family of functions. + CVE-2023-4527: If the system is configured in no-aaaa mode via + /etc/resolv.conf, getaddrinfo is called for the AF_UNSPEC address + family, and a DNS response is received over TCP that is larger than + 2048 bytes, getaddrinfo may potentially disclose stack contents via + the returned address data, or crash. + The following bugs are resolved with this release: [20975] Deferred cancellation triggers in __check_pf and looses lock leading to deadlock @@ -31,6 +37,7 @@ The following bugs are resolved with this release: [30477] libc: [RISCV]: time64 does not work on riscv32 [30515] _dl_find_object incorrectly returns 1 during early startup [30785] Always call destructors in reverse constructor order + [30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) Version 2.37 |