Bug 1187109 (CVE-2013-7423) - CVE-2013-7423 glibc: getaddrinfo() writes DNS queries to random file descriptors under high load
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-7423
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1144019 1194143 1207995 1207996 1266110 1339960
Blocks: 1187112 1199526 1210268 1262918
Reported: 2015-01-29 11:25 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 05:41 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-11-20 05:46:38 UTC
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2015:0863 | 0 | normal | SHIPPED_LIVE | Moderate: glibc security and bug fix update | 2015-04-21 15:34:41 UTC
Red Hat Product Errata | RHSA-2015:2199 | 0 | normal | SHIPPED_LIVE | Moderate: glibc security, bug fix, and enhancement update | 2015-11-19 08:04:22 UTC
Red Hat Product Errata | RHSA-2015:2589 | 0 | normal | SHIPPED_LIVE | Important: glibc security update | 2015-12-09 13:57:25 UTC
Red Hat Product Errata | RHSA-2016:1207 | 0 | normal | SHIPPED_LIVE | Moderate: glibc security update | 2016-06-07 09:37:49 UTC
Sourceware | 15946 | 0 | P2 | RESOLVED | getaddrinfo() writes DNS queries to random file descriptors under high load (CVE-2013-7423) | 2019-11-21 05:56:11 UTC

Description Vasyl Kaigorodov 2015-01-29 11:25:30 UTC
It was reported [1] that under high load, getaddrinfo() starts sending DNS queries to random file descriptors, e.g. some unrelated socket connected to a remote service.

[1]: https://sourceware.org/bugzilla/show_bug.cgi?id=15946

Comment 1 Siddhesh Poyarekar 2015-01-29 13:45:30 UTC
FYI, there's a rhel-6.7 bug for this already:

https://bugzilla.redhat.com/show_bug.cgi?id=1144019

Comment 8 errata-xmlrpc 2015-04-21 11:35:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:0863 https://rhn.redhat.com/errata/RHSA-2015-0863.html

Comment 10 Vasyl Kaigorodov 2015-06-30 09:46:51 UTC
Statement:

This issue did not affect the versions of glibc as shipped with Red Hat Enterprise Linux 5 as they did not include the vulnerable code, which was introduced in later versions.

Comment 13 Akemi Yagi 2015-07-08 19:48:08 UTC
Is there a plan to address the issue in RHEL-7?

Comment 14 Andrew Gunnerson 2015-07-16 20:11:38 UTC
Any updates on whether this will be fixed in RHEL7? It's particularly easy to trigger on a docker host (we have 4 concurrent short-lived containers spinning up every few minutes). As soon as we have high load, DNS queries break until we restart the daemon.

Comment 19 errata-xmlrpc 2015-11-19 04:15:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2015:2199 https://rhn.redhat.com/errata/RHSA-2015-2199.html

Comment 20 errata-xmlrpc 2015-12-09 08:58:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.1 EUS - Server and Compute Node Only

Via RHSA-2015:2589 https://rhn.redhat.com/errata/RHSA-2015-2589.html

Comment 21 errata-xmlrpc 2016-06-07 05:37:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2016:1207 https://access.redhat.com/errata/RHSA-2016:1207
