RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1144019 - CVE-2013-7423 glibc: getaddrinfo() sends DNS queries to random file descriptors [rhel-6.7]
Summary: CVE-2013-7423 glibc: getaddrinfo() sends DNS queries to random file descripto...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: glibc
Version: 6.5
Hardware: All
OS: Linux
urgent
high
Target Milestone: rc
: 6.7
Assignee: Carlos O'Donell
QA Contact: Arjun Shankar
URL:
Whiteboard: GSSApproved
: 1148326 1207996 (view as bug list)
Depends On:
Blocks: 1113597 CVE-2013-7423 1339960 1339962
TreeView+ depends on / blocked
 
Reported: 2014-09-18 13:09 UTC by Russ Zaleski
Modified: 2019-11-14 06:31 UTC (History)
16 users (show)

Fixed In Version: glibc-2.12-1.158.el6
Doc Type: Bug Fix
Doc Text:
NO PUBLIC DOC TEXT.
Clone Of:
: 1339960 1339962 (view as bug list)
Environment:
Last Closed: 2015-07-22 06:14:36 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
Provided bug verification (31.78 KB, application/octet-stream)
2014-09-18 13:09 UTC, Russ Zaleski 		no flags Details
Provided bug verification (31.78 KB, application/octet-stream)
2014-10-02 15:01 UTC, IBM Bug Proxy 		no flags Details
Reproduces the bug described. Build and run by using: gcc -o bug bug.c -lpthread && ./bug (3.88 KB, application/octet-stream)
2015-02-03 15:24 UTC, IBM Bug Proxy 		no flags Details
bug-fixed reproducer. (3.93 KB, text/x-csrc)
2015-05-21 11:54 UTC, Martin Poole 		no flags Details
Show Obsolete (2) View All


Links
System ID Private Priority Status Summary Last Updated
Debian BTS 722075 0 None None None Never
Red Hat Product Errata RHBA-2015:1286 0 normal SHIPPED_LIVE glibc bug fix and enhancement update 2015-07-20 17:50:22 UTC
Sourceware 15946 0 None None None Never

Description Russ Zaleski 2014-09-18 13:09:29 UTC 
Created attachment 938900 [details]
Provided bug verification

Description of problem:

On Red Hat Enterprise Linux 6.5 64 bit with glibc-2.12-1.107.el6_4.2.i686 installed, compiled and ran the program bug.c to verify this issue.

What the bug.c code does: 
- a thread listens to a local unix socket
- a thread connects to the unix socket, never writes to it, dups the connection as much as possible (fills the fd space), close the dups, and starts dup()ing again
- lots of threads call getaddrinfo() Under less than a minute, the listener starts reading garbage (presumably DNS queries).

If there are no issues, there should be nothing printed out. If the bug occurs, you will get a print out of the garbage read in by the listener.

The bug.c file was from the 1st post of: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=722075

The Debian bug report mentions that the issue was resolved in glibc 2.19.

Version-Release number of selected component (if applicable):
glibc-2.12-1.107.el6_4.2

How reproducible:
The issue occurs more frequently when the number of threads are large, such as the default value of 1000 threads in the bug.c. If reduced to 50-100 threads, the issue still occurs, but is less frequently.

Steps to Reproduce:
Please see customer provided steps for bug verification.

Actual results:
If the bug occurs, you will get a print out of the garbage read in by the listener.

Expected results:
If there are no issues, there should be nothing printed out.

Additional info:
Comment 5 Carlos O'Donell 2014-10-02 14:45:11 UTC 
*** Bug 1148326 has been marked as a duplicate of this bug. ***
Comment 6 IBM Bug Proxy 2014-10-02 15:01:08 UTC 
Created attachment 943410 [details]
Provided bug verification

default comment by bridge
Comment 7 Carlos O'Donell 2014-10-02 19:14:06 UTC 
The present plan is to consider this for RHEL 6.7, and consider its inclusion into an asynchronous update to help RHEL 6.6 customers. We will keep you updated as our planning and development continues.
Comment 8 IBM Bug Proxy 2014-10-07 08:50:42 UTC 
------- Comment From timkoh.com 2014-10-07 08:43 EDT-------
Hello,
Thank you for your reply.

I have done some further investigation regarding the glibc issue and have been spending time trying to reproduce the issue on different versions of RHEL.
I noticed that this bug is not reproducible in RHEL 6.6 Beta snapshot 5 and RHEL 7 GA.

Below are some of the reproduction results I have compiled:
- Reproduced bug on RHEL 6.3 with glibc-2.12-1.132
- Could not reproduce on RHEL 6.6 Beta snapshot 5 with glibc-2.12-1.149
- Could not reproduce on RHEL 7 GA with glibc-2.17-55

We have 2 customers that are on RHEL 6.3 and 6.5 which are blocked by this issue.

I would like to verify with Red Hat if there has been any updates to glibc that occurred some time between glibc-2.12-1.132 and glibc-2.12-1.149 to resolve this issue and if it's possible to narrow down which update addressed this issue. Is there a particular version of glibc that the customers can upgrade to that can resolve this issue from their current RHEL 6.3 or 6.5 distribution? I believe glibc-2.12-1.132 is the current highest available version for RHEL 6.3.

Below is the link to the glibc fix for this glibc bug for this issue and also the diff for the 1 line fix to resolve the issue.
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=f9d2d03254a58d92635a311a42253eeed5a40a47

It may be useful for identifying the fix in the RHEL source code or applying the fix if it does not exist.
Comment 24 Hanns-Joachim Uhl 2014-12-13 14:12:54 UTC 
(In reply to IBM Bug Proxy from comment #8)
> ------- Comment From timkoh.com 2014-10-07 08:43 EDT-------
> Hello,
> Thank you for your reply.
> 
> I have done some further investigation regarding the glibc issue and have
> been spending time trying to reproduce the issue on different versions of
> RHEL.
> I noticed that this bug is not reproducible in RHEL 6.6 Beta snapshot 5 and
> RHEL 7 GA.
> 
> Below are some of the reproduction results I have compiled:
> - Reproduced bug on RHEL 6.3 with glibc-2.12-1.132
> - Could not reproduce on RHEL 6.6 Beta snapshot 5 with glibc-2.12-1.149
> - Could not reproduce on RHEL 7 GA with glibc-2.17-55
> 
> We have 2 customers that are on RHEL 6.3 and 6.5 which are blocked by this
> issue.
> 
> I would like to verify with Red Hat if there has been any updates to glibc
> that occurred some time between glibc-2.12-1.132 and glibc-2.12-1.149 to
> resolve this issue and if it's possible to narrow down which update
> addressed this issue. Is there a particular version of glibc that the
> customers can upgrade to that can resolve this issue from their current RHEL
> 6.3 or 6.5 distribution? I believe glibc-2.12-1.132 is the current highest
> available version for RHEL 6.3.
> 
> Below is the link to the glibc fix for this glibc bug for this issue and
> also the diff for the 1 line fix to resolve the issue.
> https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;
> h=f9d2d03254a58d92635a311a42253eeed5a40a47
> 
> It may be useful for identifying the fix in the RHEL source code or applying
> the fix if it does not exist.
.
for the records ... the mentioned reproducer is attached in RHBZ 1148326
in comment #2 ...
Comment 26 IBM Bug Proxy 2015-02-03 15:24:30 UTC 
Created attachment 987651 [details]
Reproduces the bug described. Build and run by using: gcc -o bug bug.c -lpthread && ./bug
Comment 27 Carlos O'Donell 2015-02-19 03:00:01 UTC 
This is now fixed in rhel-6.7.

Please keep in mind that we have fixed the *known* issue, but there may be other *unknown* failures still present that are not related.

There have been reports of users still being able to reproduce the failure mode after the patch, but we will handle that as a distinct bug, tracking these failures down one-by-one until we have none left. Therefore please bear with me if you find the issue still reproducible on your particular configuration. As with all race cases it is difficult to trigger reliably and track down.
Comment 29 IBM Bug Proxy 2015-02-20 06:10:30 UTC 
------- Comment From timkoh.com 2015-02-20 06:01 EDT-------
Thank you for the update.
This ticket may be closed.
Comment 32 Martin Prpič 2015-04-01 07:37:07 UTC 
*** Bug 1207996 has been marked as a duplicate of this bug. ***
Comment 39 Martin Poole 2015-05-21 11:54:17 UTC 
Created attachment 1028107 [details]
bug-fixed reproducer.

The original bug.c code had a couple of bugs which could cause false-positives.
Comment 42 errata-xmlrpc 2015-07-22 06:14:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1286.html
Note You need to log in before you can comment on or make changes to this bug.