diff options
| author | Florian Weimer <fweimer@redhat.com> | 2023-09-13 14:10:56 +0200 |
|---|---|---|
| committer | Florian Weimer <fweimer@redhat.com> | 2023-09-13 14:13:36 +0200 |
| commit | b25508dd774b617f99419bdc3cf2ace4560cd2d6 (patch) | |
| tree | df9a79c323bf2738ce7369106a694295cdcba066 /NEWS | |
| parent | 89da8bc588c2296252543b049bf6d9272321f90d (diff) | |
| download | glibc-b25508dd774b617f99419bdc3cf2ace4560cd2d6.tar.gz glibc-b25508dd774b617f99419bdc3cf2ace4560cd2d6.tar.xz glibc-b25508dd774b617f99419bdc3cf2ace4560cd2d6.zip | |
CVE-2023-4527: Stack read overflow with large TCP responses in no-aaaa mode
Without passing alt_dns_packet_buffer, __res_context_search can only
store 2048 bytes (what fits into dns_packet_buffer). However,
the function returns the total packet size, and the subsequent
DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end
of the stack-allocated buffer.
Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa
stub resolver option") and bug 30842.
(cherry picked from commit bd77dd7e73e3530203be1c52c8a29d08270cb25d)
Diffstat (limited to 'NEWS')
| -rw-r--r-- | NEWS | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/NEWS b/NEWS index 64596d5d09..dfee278a9c 100644 --- a/NEWS +++ b/NEWS @@ -7,12 +7,21 @@ using `glibc' in the "product" field. Version 2.38.1 +Security related changes: + + CVE-2023-4527: If the system is configured in no-aaaa mode via + /etc/resolv.conf, getaddrinfo is called for the AF_UNSPEC address + family, and a DNS response is received over TCP that is larger than + 2048 bytes, getaddrinfo may potentially disclose stack contents via + the returned address data, or crash. + The following bugs are resolved with this release: [30723] posix_memalign repeatedly scans long bin lists [30785] Always call destructors in reverse constructor order [30804] F_GETLK, F_SETLK, and F_SETLKW value change for powerpc64 with -D_FILE_OFFSET_BITS=64 + [30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) Version 2.38 |