Bug 1330887 (CVE-2016-3706)

Summary: CVE-2016-3706 glibc: stack (frame) overflow in getaddrinfo() when called with AF_INET, AF_INET6 (incomplete fix for CVE-2013-4458)
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: arjun.is, ashankar, carnil, codonell, dj, fweimer, hannsj_uhl, jakub, law, mfabian, mnewsome, pfrankli, siddhesh, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-04-27 08:57:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1329674, 1330888    
Bug Blocks:    

Description Martin Prpič 2016-04-27 08:56:25 UTC 
It was found that the fix for CVE-2013-4458 is incomplete. 

A stack (frame) overflow flaw, which could led to a denial of service (application crash), was found in the way glibc's getaddrinfo() function processed certain requests when called with AF_INET or AF_INET6.

This is less substantial than the CVE-2013-4458 issue because there is an other, unfixed bug in nss_files which causes it to use gigabytes of stack space with "multi on" (our default) in /etc/host.conf. Only about 4096 addresses fit into a DNS reply, so this is not really exploitable via nss_dns (only in fringe cases with extremely small stacks, as sometimes seen with Java VMs).
Comment 1 Martin Prpič 2016-04-27 08:56:37 UTC 
Acknowledgments:

Name: Michael Petlan (Red Hat)
Comment 2 Martin Prpič 2016-04-27 08:57:01 UTC 
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 1330888]