Bug 947882 (CVE-2013-1914)

Summary: CVE-2013-1914 glibc: Stack (frame) overflow in getaddrinfo() when processing entry mapping to long list of address structures
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: codonell, dmalcolm, fweimer, jakub, law, mfranc, mnewsome, pfrankli, schwab, spoyarek
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20130403,reported=20130403,source=oss-security,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,rhel-5/glibc=affected,rhel-6/glibc=affected,rhel-7/glibc=notaffected,fedora-all/glibc=affected
Doc Type: Bug Fix
Doc Text:
It was found that getaddrinfo() did not limit the amount of stack memory used during name resolution. An attacker able to make an application resolve an attacker-controlled hostname or IP address could possibly cause the application to exhaust all stack memory and crash.
Story Points: ---
Last Closed: 2013-11-22 00:35:52 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Bug Depends On: 947892, 951130, 951132, 951213, 980323
Bug Blocks: 947890, 974906
Attachments:
  Local copy of proposed patch by Novell (flags: none)

Description Jan Lieskovsky 2013-04-03 09:33:33 EDT
A stack (frame) overflow flaw, leading to denial of service (application crash), was found in the way the getaddrinfo() routine (returning a list of address structures for a particular request) of glibc, the collection of GNU libc libraries, processed certain requests. If an application linked against glibc accepted untrusted getaddrinfo() input remotely, a remote attacker could issue a specially-crafted request which, once processed, would lead to a crash of that application.

References:
[1] https://bugzilla.novell.com/show_bug.cgi?id=813121
[2] http://www.openwall.com/lists/oss-security/2013/04/03/2

Proposed Novell patch:
[3] http://bugzillafiles.novell.org/attachment.cgi?id=533210
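The C program below is an added illustration of the pattern behind this bug; it is not glibc's code and not the Novell patch attached above. The record type, the `STACK_ALLOC_LIMIT` bound and the function names are hypothetical, and the "DNS reply" is constructed in `fill_results()`. The vulnerable shape sizes an alloca() by the number of address records in the reply, which the attacker controls when they control the name or the DNS answer; the fixed shape keeps the stack only below a fixed bound and takes a checked heap allocation otherwise, so an oversized reply fails the lookup instead of blowing the thread stack.

```c
/*
 * Added illustration of the CVE-2013-1914 pattern.  Not glibc's code: the
 * struct, the bound and the function names are hypothetical.  The resolver
 * sorted its results in an array sized by the number of addresses in the
 * reply, and that array lived on the stack.
 */
#include <alloca.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed per-address record; real getaddrinfo() results are larger. */
struct sort_result {
    uint32_t addr;   /* IPv4 address, host byte order (constructed) */
    unsigned key;    /* RFC 3484-style sort precedence (constructed) */
};

/* Hypothetical bound on bytes of network-sized data allowed on the stack.
 * The point is that it is fixed, not derived from the reply. */
#define STACK_ALLOC_LIMIT ((size_t)16 * 1024)

/* 1 if 'bytes' may be taken from the stack, 0 if it must come from the heap. */
int use_stack(size_t bytes)
{
    return bytes <= STACK_ALLOC_LIMIT;
}

static int cmp_key(const void *a, const void *b)
{
    const struct sort_result *x = a, *y = b;
    return (x->key > y->key) - (x->key < y->key);
}

/* Constructed reply: address i is 10.0.0.0 + i and the sort key is strictly
 * decreasing, so the unique minimum sits at the last record. */
static void fill_results(struct sort_result *r, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        r[i].addr = 0x0a000000u + (uint32_t)i;
        r[i].key = (unsigned)(n - 1 - i);
    }
}

/* Vulnerable shape: stack usage is nresults * sizeof *results with no bound.
 * A reply with a few hundred thousand records exceeds a default 8 MiB thread
 * stack (far less for threads created with small stacks) and the process dies
 * with SIGSEGV.  Kept for comparison; only call it with a count you trust. */
int sort_results_alloca(size_t nresults, uint32_t *first_addr)
{
    if (nresults == 0)
        return -1;
    struct sort_result *results = alloca(nresults * sizeof *results);
    fill_results(results, nresults);
    qsort(results, nresults, sizeof *results, cmp_key);
    *first_addr = results[0].addr;
    return 0;
}

/* Fixed shape: same logic, stack only below the fixed bound, checked heap
 * allocation otherwise, with the size multiplication guarded against overflow. */
int sort_results_safe(size_t nresults, uint32_t *first_addr)
{
    if (nresults == 0 || nresults > SIZE_MAX / sizeof(struct sort_result))
        return -1;
    size_t bytes = nresults * sizeof(struct sort_result);
    int on_heap = !use_stack(bytes);
    struct sort_result *results;
    if (on_heap)
        results = malloc(bytes);
    else
        results = alloca(bytes);
    if (results == NULL)
        return -1;            /* out of memory: fail the lookup, do not crash */
    fill_results(results, nresults);
    qsort(results, nresults, sizeof *results, cmp_key);
    *first_addr = results[0].addr;
    if (on_heap)
        free(results);
    return 0;
}

/* Convenience wrapper: first address after a safe sort, 0 on failure. */
uint32_t first_after_safe_sort(size_t nresults)
{
    uint32_t first = 0;
    return sort_results_safe(nresults, &first) == 0 ? first : 0;
}

int main(void)
{
    uint32_t first = 0;
    /* 4 million records = 32 MiB: an alloca() of that size overflows an
     * 8 MiB stack, while the bounded version simply goes to the heap. */
    int rc = sort_results_safe(4000000, &first);
    printf("rc=%d first=0x%08x\n", rc, first);
    return rc == 0 ? 0 : 1;
}
```

The application-side consequence is the one Carlos O'Donell notes later in this bug: the attacker needs to control the answer the resolver sees (a poisoned or attacker-run DNS zone, or an attacker-chosen name), after which the crash is in whatever process called getaddrinfo(), not in a resolver daemon.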
Comment 1 Jan Lieskovsky 2013-04-03 09:35:58 EDT
Created attachment 731167 [details]
Local copy of proposed patch by Novell
Comment 2 Jan Lieskovsky 2013-04-03 09:37:18 EDT
This issue affects the versions of the glibc package, as shipped with Red Hat Enterprise Linux 5 and 6.

--

This issue affects the versions of the glibc package, as shipped with Fedora releases 17 and 18. Please schedule an update.
Comment 3 Jan Lieskovsky 2013-04-03 09:43:06 EDT
Created glibc tracking bugs for this issue

Affects: fedora-all [bug 947892]
Comment 9 Carlos O'Donell 2013-04-03 10:52:20 EDT
We are aware of this issue and we are looking at it in upstream [1].

The application stack overflow results in a crash but requires poisoning DNS. We will wait for a more thorough upstream review and test before fixing this in all of Fedora.

Given the low priority we will fix this as required in RHEL.

If anyone has an objection to this plan of action please speak up with comments about why this should be higher than low priority and low severity.

[1] http://sourceware.org/ml/libc-alpha/2013-04/msg00060.html
Comment 10 Jan Lieskovsky 2013-04-03 11:20:28 EDT
The CVE identifier of CVE-2013-1914 has been assigned to this issue:
  http://www.openwall.com/lists/oss-security/2013/04/03/6
Comment 21 errata-xmlrpc 2013-04-24 13:37:44 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0769 https://rhn.redhat.com/errata/RHSA-2013-0769.html
Comment 24 Fedora Update System 2013-08-21 20:49:57 EDT
glibc-2.17-13.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 25 errata-xmlrpc 2013-11-21 05:44:36 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1605 https://rhn.redhat.com/errata/RHSA-2013-1605.html
Comment 26 Martin Prpic 2014-10-06 09:37:06 EDT
IssueDescription:

It was found that getaddrinfo() did not limit the amount of stack memory used during name resolution. An attacker able to make an application resolve an attacker-controlled hostname or IP address could possibly cause the application to exhaust all stack memory and crash.