Bug 2237782 (CVE-2023-4806)
Field | Value
---|---
Summary | CVE-2023-4806 glibc: potential use-after-free in getaddrinfo()
Product | [Other] Security Response
Reporter | Guilherme de Almeida Suckevicz <gsuckevi>
Component | vulnerability
Assignee | Product Security <prodsec-ir-bot>
Status | NEW ---
QA Contact | 
Severity | medium
Docs Contact | 
Priority | medium
Version | unspecified
CC | acrosby, adudiak, agarcial, aoconnor, asegurap, bdettelb, caswilli, codonell, dfreiber, dhalasz, dkuc, fjansen, fweimer, ganandan, ggastald, hkataria, jburrell, jmitchel, jsamir, jsherril, jtanner, kaycoth, kshier, luizcosta, mcermak, mcoufal, nweather, psegedy, rogbas, sbiarozk, security-response-team, sipoyare, skolosov, stcannon, sthirugn, tcarlin, tkasparek, vkrizan, vkumar, vmugicag, yguenane
Target Milestone | ---
Keywords | Security
Target Release | ---
Hardware | All
OS | Linux
Whiteboard | 
Fixed In Version | 
Doc Type | If docs needed, set a value
Doc Text | A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has already been freed, resulting in an application crash. This issue is only exploitable when an NSS module implements only the _nss_*_gethostbyname2_r and _nss_*_getcanonname_r hooks without implementing the _nss_*_gethostbyname3_r hook. The resolved name must return a large number of IPv6 and IPv4 addresses, and the call to getaddrinfo must use the AF_INET6 address family with the AI_CANONNAME, AI_ALL and AI_V4MAPPED flags.
Story Points | ---
Clone Of | 
Environment | 
Last Closed | 
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
CRM | 
Verified Versions | 
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host | 
Cloudforms Team | ---
Target Upstream Version | 
Embargoed | 
Bug Depends On | 2238604
Bug Blocks | 2234719
Description
Guilherme de Almeida Suckevicz
2023-09-06 20:48:11 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 2238604]

(In reply to Guilherme de Almeida Suckevicz from comment #0)
> In an extremely rare situation, the getaddrinfo function in glibc may access
> memory that has already been freed, resulting in an application crash.
>
> This issue is only exploitable when a NSS module implements only the
> _nss_*_gethostbyname2_r hook without implementing the
> _nss_*_gethostbyname3_r hook. There are no known modules that are
> implemented in this way.

A clarification on this: the NSS module needs to do *all* of the following to expose the vulnerability:

1) Implement _nss_*_gethostbyname2_r hook
2) implement _nss_*_getcanonname_r hook
3) NOT implement _nss_*_gethostbyname3_r hook

The samba wins module for example satisfies 1) and 3) but not 2) thus eliminating it as a possible vector for this vulnerability.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2023:5453 https://access.redhat.com/errata/RHSA-2023:5453

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2023:5455 https://access.redhat.com/errata/RHSA-2023:5455

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:7409 https://access.redhat.com/errata/RHSA-2023:7409
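As an added example (not part of the bug report or of glibc), the script below applies the three conditions from the clarification above to the hook symbols an installed NSS module actually exports, so an administrator can check which libnss_*.so modules on a host match the precondition. The library search paths and the "demo" symbol sets used in testing are assumptions, not real modules.

```python
import ctypes
import glob
import re

# The three hooks named in the bug comment. The precondition is:
# gethostbyname2_r AND getcanonname_r exported, gethostbyname3_r NOT exported.
HOOKS = ("gethostbyname2_r", "getcanonname_r", "gethostbyname3_r")

def service_from_path(path):
    """Map '/usr/lib64/libnss_wins.so.2' to 'wins'; None for non-NSS files."""
    m = re.search(r"libnss_([A-Za-z0-9_]+)\.so", path)
    return m.group(1) if m else None

def exported_hooks(service, exports):
    """Return {hook: present?} given the set of symbol names a module exports."""
    return {h: f"_nss_{service}_{h}" in exports for h in HOOKS}

def matches_precondition(hooks):
    """True only when all three conditions from the comment hold at once."""
    return hooks["gethostbyname2_r"] and hooks["getcanonname_r"] and not hooks["gethostbyname3_r"]

def probe_module(path, service):
    """Resolve the three hook symbols in a real module via dlopen/dlsym (ctypes)."""
    lib = ctypes.CDLL(path)
    found = set()
    for h in HOOKS:
        name = f"_nss_{service}_{h}"
        if hasattr(lib, name):  # ctypes raises AttributeError for an undefined symbol
            found.add(name)
    return found

def scan(paths):
    """Return {path: matches_precondition} for every loadable libnss_*.so in paths."""
    verdicts = {}
    for path in paths:
        service = service_from_path(path)
        if service is None:
            continue
        try:
            exports = probe_module(path, service)
        except OSError:  # not loadable on this architecture; skip it
            continue
        verdicts[path] = matches_precondition(exported_hooks(service, exports))
    return verdicts

if __name__ == "__main__":
    # Assumed library locations; adjust to the distribution's layout.
    candidates = glob.glob("/lib*/libnss_*.so.2") + glob.glob("/usr/lib*/libnss_*.so.2")
    for path, flagged in scan(candidates).items():
        print(f"{path}: {'matches CVE-2023-4806 precondition' if flagged else 'ok'}")
```

A module flagged here is only a candidate; the crash additionally needs the AF_INET6 + AI_CANONNAME/AI_ALL/AI_V4MAPPED call pattern and a name resolving to many addresses, as the Doc Text states.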