In an extremely rare situation, the getaddrinfo function in glibc may access memory that has already been freed, resulting in an application crash.

This issue is only exploitable when an NSS module implements only the _nss_*_gethostbyname2_r hook without implementing the _nss_*_gethostbyname3_r hook. There are no known modules that are implemented in this way. In addition to that condition, the resolved name should return a large number of IPv6 as well as IPv4 addresses, and the call to the getaddrinfo function should have AF_INET6 with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.

Reference: https://sourceware.org/bugzilla/show_bug.cgi?id=30843
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 2238604]
(In reply to Guilherme de Almeida Suckevicz from comment #0)
> In an extremely rare situation, the getaddrinfo function in glibc may access
> memory that has already been freed, resulting in an application crash.
>
> This issue is only exploitable when an NSS module implements only the
> _nss_*_gethostbyname2_r hook without implementing the
> _nss_*_gethostbyname3_r hook. There are no known modules that are
> implemented in this way.

A clarification on this: the NSS module needs to do *all* of the following to expose the vulnerability:

1) Implement the _nss_*_gethostbyname2_r hook
2) Implement the _nss_*_getcanonname_r hook
3) NOT implement the _nss_*_gethostbyname3_r hook

The samba wins module, for example, satisfies 1) and 3) but not 2), thus eliminating it as a possible vector for this vulnerability.
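As an added check that is not part of this bug report, of glibc or of Red Hat's tooling: a POSIX shell script that classifies the NSS modules installed on a host by the three hook conditions listed in the comment above, so an administrator can see whether any module exposes the pattern. The libnss_<svc>.so.2 naming, the directories scanned and the use of `nm` from binutils are assumptions.

```shell
#!/bin/sh
# Added check (not glibc's or Red Hat's code): report NSS modules that export
# _nss_<svc>_gethostbyname2_r and _nss_<svc>_getcanonname_r but NOT
# _nss_<svc>_gethostbyname3_r, i.e. the combination described in the bug.
# Assumes the usual libnss_<svc>.so.2 naming and that `nm` (binutils) exists.

# nss_hook_pattern_matches SERVICE SYMBOLS
#   SERVICE: the <svc> part of libnss_<svc>.so.2 (e.g. "wins")
#   SYMBOLS: whitespace-separated exported symbol names of that module
#   Returns 0 when all three conditions hold, 1 otherwise.
nss_hook_pattern_matches() {
    svc="$1"
    has2=0; hascanon=0; has3=0
    for sym in $2; do
        case "$sym" in
            "_nss_${svc}_gethostbyname2_r") has2=1 ;;
            "_nss_${svc}_gethostbyname3_r") has3=1 ;;
            "_nss_${svc}_getcanonname_r")   hascanon=1 ;;
        esac
    done
    if [ "$has2" -eq 1 ] && [ "$hascanon" -eq 1 ] && [ "$has3" -eq 0 ]; then
        return 0
    fi
    return 1
}

# module_exported_symbols LIB: defined dynamic symbols of a shared object,
# one per line, with any "@VERSION" suffix that newer nm prints stripped.
module_exported_symbols() {
    nm -D --defined-only "$1" 2>/dev/null | awk '{ sub(/@.*/, "", $NF); print $NF }'
}

# scan_nss_modules: walk common module directories and classify each module.
scan_nss_modules() {
    for lib in /lib64/libnss_*.so.2 /usr/lib64/libnss_*.so.2 \
               /lib/*/libnss_*.so.2 /usr/lib/*/libnss_*.so.2; do
        [ -e "$lib" ] || continue
        svc=$(basename "$lib" | sed 's/^libnss_//; s/\.so\.2$//')
        if nss_hook_pattern_matches "$svc" "$(module_exported_symbols "$lib")"; then
            echo "MATCH $lib (gethostbyname2_r + getcanonname_r, no gethostbyname3_r)"
        else
            echo "ok    $lib"
        fi
    done
}

scan_nss_modules
```

A MATCH line only means the module meets the hook conditions; the getaddrinfo flag and address-count conditions from comment #0 still have to hold for the crash to be reachable.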
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:5453 https://access.redhat.com/errata/RHSA-2023:5453
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:5455 https://access.redhat.com/errata/RHSA-2023:5455
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:7409 https://access.redhat.com/errata/RHSA-2023:7409