A stack (frame) overflow flaw, which led to a denial of service (application crash), was found in the way glibc's getaddrinfo() function processed certain requests when called with AF_INET6. A similar flaw to CVE-2013-1914, this affects AF_INET6 rather than AF_UNSPEC. A proposed patch has been submitted for review [1]. No CVE has been assigned yet.
[1] https://sourceware.org/ml/libc-alpha/2013-10/msg00733.html
Upstream bug report: https://sourceware.org/bugzilla/show_bug.cgi?id=16072
Fix pulled into Fedora rawhide (2.18.90-13).
Statement: This issue affects the versions of glibc as shipped with Red Hat Enterprise Linux 5. This issue is not planned to be fixed in Red Hat Enterprise Linux 5 as it is now in Production 3 Phase of the support and maintenance life cycle, https://access.redhat.com/support/policy/updates/errata
Upstream fix: https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=7cbcdb3699584db8913ca90f705d6337633ee10f
IssueDescription: It was found that getaddrinfo() did not limit the amount of stack memory used during name resolution. An attacker able to make an application resolve an attacker-controlled hostname or IP address could possibly cause the application to exhaust all stack memory and crash.
This issue has been addressed in the following products:
  Red Hat Enterprise Linux 6
Via RHSA-2014:1391 https://rhn.redhat.com/errata/RHSA-2014-1391.html