Red Hat Bugzilla – Bug 1009643
CVE-2012-6686 CVE-2013-4357 glibc: stack overflow in getaddrinfo()'s use of alloca()
Last modified: 2016-02-04 01:46:54 EST
It was reported , that there are potential security problems with allocating memory in glibc's getaddrinfo() function. As noted in the posting to the oss-security mailing list:
"I believe the analysis in this bug report is incorrect. The security
implications are unclear. A straight copy of a long name to a stack
buffer should trigger a crash because it hits the guard page, but even
that could be a problem for daemons.
On the other hand, it's impossible to know for sure that no GCC version
ever lays out the stack in such a way that we end up with a problem.
Multi-threaded programs linking in script interpreters are more exposed
to these problems, too."
This issue has been addressed in the previous versions of Red Hat Enterprise Linux 5 and 6 by the following advisories:
Red Hat Enterprise Linux 5:
Red Hat Enterprise Linux 6:
This issue has already been addressed in Red Hat Enterprise Linux 5 via http://rhn.redhat.com/errata/RHBA-2013-0022.html and in Red Hat Enterprise Linux 6 via http://rhn.redhat.com/errata/RHBA-2012-0763.html
This issue does not affect the version of glibc as shipped with Fedora 18 and 19.
This issue was incorrectly assigned a duplicate CVE ID, CVE-2012-6686, and should be referred to by the original ID: CVE-2013-4357.