Bug 2237798 (CVE-2023-4813)

Summary: CVE-2023-4813 glibc: potential use-after-free in gaih_inet()
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abuckta, acrosby, adudiak, agarcial, aoconnor, aprice, asegurap, ashankar, bdettelb, caswilli, codonell, crizzo, dfreiber, dj, dkuc, dnakabaa, doconnor, drow, fjansen, fweimer, ganandan, ggastald, gtanzill, hkataria, jburrell, jbuscemi, jdobes, jmartisk, jmitchel, joehler, jsamir, jsherril, jtanner, jvasik, kaycoth, kshier, lcouzens, luizcosta, mcermak, mcoufal, mskarbek, nweather, oezr, orabin, pfrankli, rblanco, rogbas, sbiarozk, security-response-team, sipoyare, skolosov, stcannon, sthirugn, tcarlin, teagle, tkasparek, vkrizan, vkumar, vmugicag, xiaoxwan, yguenane, zzhou
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: glibc 2.36 Doc Type: If docs needed, set a value
Doc Text:
A flaw has been identified in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2238609    
Bug Blocks: 2234719    

Description Guilherme de Almeida Suckevicz 2023-09-07 01:14:24 UTC 
In an uncommon situation, the gaih_inet function in glibc may use memory that has already been freed, resulting in an application crash.

This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.

This flaw affects glibc versions prior to 2.36.

Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=28931

Upstream patch:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1c37b8022e8763fedbb3f79c02e05c6acfe5a215
Comment 5 Guilherme de Almeida Suckevicz 2023-09-12 18:23:50 UTC 
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 2238609]
Comment 7 Siddhesh Poyarekar 2023-09-14 10:36:52 UTC 
The immediate workaround for this is to drop the "SUCCESS=continue" or "SUCCESS=merge" in the hosts line in nsswitch.conf because those options are not supported on the hosts database. If they were working before, it was an accident because of this bug, it's not a feature.  The fix for the bug results in this "feature" being dropped.
Comment 14 errata-xmlrpc 2023-10-05 13:54:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5453 https://access.redhat.com/errata/RHSA-2023:5453
Comment 15 errata-xmlrpc 2023-10-05 14:01:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5455 https://access.redhat.com/errata/RHSA-2023:5455
Comment 17 errata-xmlrpc 2023-11-21 11:42:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:7409 https://access.redhat.com/errata/RHSA-2023:7409