Bug 2237798 (CVE-2023-4813) - CVE-2023-4813 glibc: potential use-after-free in gaih_inet()
Summary: CVE-2023-4813 glibc: potential use-after-free in gaih_inet()
Keywords:
Status: NEW
Alias: CVE-2023-4813
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2238609
Blocks: 2234719
Reported: 2023-09-07 01:14 UTC by Guilherme de Almeida Suckevicz
Modified: 2024-03-18 15:14 UTC

Fixed In Version: glibc 2.36
Doc Text:
A flaw was found in glibc. In an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.
Clone Of:
Environment:
Last Closed:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:5495 0 None None None 2023-10-09 01:01:25 UTC
Red Hat Product Errata RHBA-2023:5496 0 None None None 2023-10-09 01:03:11 UTC
Red Hat Product Errata RHBA-2023:5497 0 None None None 2023-10-09 01:11:15 UTC
Red Hat Product Errata RHBA-2023:5498 0 None None None 2023-10-09 01:05:34 UTC
Red Hat Product Errata RHBA-2023:5499 0 None None None 2023-10-09 01:07:26 UTC
Red Hat Product Errata RHBA-2023:5500 0 None None None 2023-10-09 01:09:37 UTC
Red Hat Product Errata RHBA-2023:5501 0 None None None 2023-10-09 01:14:54 UTC
Red Hat Product Errata RHBA-2023:5502 0 None None None 2023-10-09 01:20:38 UTC
Red Hat Product Errata RHBA-2023:5503 0 None None None 2023-10-09 01:11:25 UTC
Red Hat Product Errata RHBA-2023:5504 0 None None None 2023-10-09 01:12:09 UTC
Red Hat Product Errata RHBA-2023:5505 0 None None None 2023-10-09 01:12:28 UTC
Red Hat Product Errata RHBA-2023:5513 0 None None None 2023-10-09 01:27:59 UTC
Red Hat Product Errata RHBA-2023:5514 0 None None None 2023-10-09 01:25:57 UTC
Red Hat Product Errata RHBA-2023:5515 0 None None None 2023-10-09 01:29:34 UTC
Red Hat Product Errata RHBA-2023:5516 0 None None None 2023-10-09 01:32:01 UTC
Red Hat Product Errata RHBA-2023:5518 0 None None None 2023-10-09 09:43:25 UTC
Red Hat Product Errata RHBA-2023:5519 0 None None None 2023-10-09 09:43:23 UTC
Red Hat Product Errata RHBA-2023:5521 0 None None None 2023-10-09 10:03:47 UTC
Red Hat Product Errata RHBA-2023:5522 0 None None None 2023-10-09 09:53:54 UTC
Red Hat Product Errata RHBA-2023:5523 0 None None None 2023-10-09 09:44:53 UTC
Red Hat Product Errata RHBA-2023:5543 0 None None None 2023-10-09 15:55:14 UTC
Red Hat Product Errata RHBA-2023:5550 0 None None None 2023-10-10 09:47:58 UTC
Red Hat Product Errata RHBA-2023:5551 0 None None None 2023-10-10 09:53:42 UTC
Red Hat Product Errata RHBA-2023:5552 0 None None None 2023-10-10 09:54:05 UTC
Red Hat Product Errata RHBA-2023:5553 0 None None None 2023-10-10 10:08:35 UTC
Red Hat Product Errata RHBA-2023:5554 0 None None None 2023-10-10 09:54:02 UTC
Red Hat Product Errata RHBA-2023:5555 0 None None None 2023-10-10 09:54:08 UTC
Red Hat Product Errata RHBA-2023:5556 0 None None None 2023-10-10 09:53:58 UTC
Red Hat Product Errata RHBA-2023:5557 0 None None None 2023-10-10 09:49:12 UTC
Red Hat Product Errata RHBA-2023:5558 0 None None None 2023-10-10 10:15:09 UTC
Red Hat Product Errata RHBA-2023:5559 0 None None None 2023-10-10 09:57:01 UTC
Red Hat Product Errata RHBA-2023:5560 0 None None None 2023-10-10 09:59:06 UTC
Red Hat Product Errata RHBA-2023:5561 0 None None None 2023-10-10 10:00:32 UTC
Red Hat Product Errata RHBA-2023:5567 0 None None None 2023-10-10 10:08:04 UTC
Red Hat Product Errata RHBA-2023:5569 0 None None None 2023-10-10 10:08:12 UTC
Red Hat Product Errata RHBA-2023:5573 0 None None None 2023-10-10 10:04:55 UTC
Red Hat Product Errata RHBA-2023:5577 0 None None None 2023-10-10 10:08:51 UTC
Red Hat Product Errata RHBA-2023:5581 0 None None None 2023-10-10 10:29:21 UTC
Red Hat Product Errata RHBA-2023:5582 0 None None None 2023-10-10 13:42:27 UTC
Red Hat Product Errata RHBA-2023:5584 0 None None None 2023-10-10 13:42:50 UTC
Red Hat Product Errata RHBA-2023:5585 0 None None None 2023-10-10 13:49:57 UTC
Red Hat Product Errata RHBA-2023:5649 0 None None None 2023-10-10 20:16:59 UTC
Red Hat Product Errata RHBA-2023:5650 0 None None None 2023-10-10 20:20:36 UTC
Red Hat Product Errata RHBA-2023:5651 0 None None None 2023-10-10 20:20:55 UTC
Red Hat Product Errata RHBA-2023:5658 0 None None None 2023-10-11 07:43:01 UTC
Red Hat Product Errata RHBA-2023:5659 0 None None None 2023-10-11 08:24:46 UTC
Red Hat Product Errata RHBA-2023:5663 0 None None None 2023-10-11 13:30:57 UTC
Red Hat Product Errata RHBA-2023:5664 0 None None None 2023-10-11 13:44:07 UTC
Red Hat Product Errata RHBA-2023:5665 0 None None None 2023-10-11 13:42:57 UTC
Red Hat Product Errata RHBA-2023:5670 0 None None None 2023-10-12 01:30:35 UTC
Red Hat Product Errata RHBA-2023:5685 0 None None None 2023-10-12 13:21:10 UTC
Red Hat Product Errata RHBA-2023:5702 0 None None None 2023-10-16 01:21:37 UTC
Red Hat Product Errata RHBA-2023:5703 0 None None None 2023-10-16 07:18:23 UTC
Red Hat Product Errata RHBA-2023:5722 0 None None None 2023-10-16 12:20:09 UTC
Red Hat Product Errata RHBA-2023:5723 0 None None None 2023-10-16 12:31:06 UTC
Red Hat Product Errata RHBA-2023:5748 0 None None None 2023-10-16 15:13:42 UTC
Red Hat Product Errata RHBA-2023:5755 0 None None None 2023-10-16 15:10:37 UTC
Red Hat Product Errata RHBA-2023:5757 0 None None None 2023-10-16 15:34:32 UTC
Red Hat Product Errata RHBA-2023:5760 0 None None None 2023-10-17 07:42:51 UTC
Red Hat Product Errata RHBA-2023:5798 0 None None None 2023-10-17 16:08:54 UTC
Red Hat Product Errata RHBA-2023:5910 0 None None None 2023-10-19 09:04:27 UTC
Red Hat Product Errata RHBA-2023:6043 0 None None None 2023-10-23 18:48:07 UTC
Red Hat Product Errata RHBA-2023:6184 0 None None None 2023-10-30 14:09:35 UTC
Red Hat Product Errata RHSA-2023:5453 0 None None None 2023-10-05 13:54:33 UTC
Red Hat Product Errata RHSA-2023:5455 0 None None None 2023-10-05 14:01:22 UTC
Red Hat Product Errata RHSA-2023:7409 0 None None None 2023-11-21 11:42:45 UTC

Description Guilherme de Almeida Suckevicz 2023-09-07 01:14:24 UTC
In an uncommon situation, the gaih_inet function in glibc may use memory that has already been freed, resulting in an application crash.

This issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge.

This flaw affects glibc versions prior to 2.36.

Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=28931

Upstream patch:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1c37b8022e8763fedbb3f79c02e05c6acfe5a215

Comment 5 Guilherme de Almeida Suckevicz 2023-09-12 18:23:50 UTC
Created glibc tracking bugs for this issue:

Affects: fedora-all [bug 2238609]

Comment 7 Siddhesh Poyarekar 2023-09-14 10:36:52 UTC
The immediate workaround for this is to drop the "SUCCESS=continue" or "SUCCESS=merge" in the hosts line in nsswitch.conf because those options are not supported on the hosts database. If they were working before, it was an accident because of this bug; it's not a feature. The fix for the bug results in this "feature" being dropped.
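
A check for the configuration named in comment 7, as an added example that is not part of the bug report or of glibc: it parses nsswitch.conf text and reports hosts entries whose effective SUCCESS action is continue or merge. The names `audit_hosts` and `SAMPLE` and the sample file contents are constructed for illustration; handling of negated `!STATUS` specs follows the nsswitch.conf(5) syntax and goes beyond the two literal strings quoted on this page.

```python
import re

# Constructed sample for illustration; on a real host pass the contents of
# /etc/nsswitch.conf to audit_hosts() instead.
SAMPLE = """\
# constructed example file
passwd: files sss
group:  files [SUCCESS=merge] sss
hosts:  files [SUCCESS=continue] dns myhostname
"""

TOKEN = re.compile(r"\[([^\]]*)\]|([^\s\[\]]+)")      # [action list] or service
SPEC = re.compile(r"(!?)\s*([A-Za-z]+)\s*=\s*([A-Za-z]+)")
UNSUPPORTED = {"continue", "merge"}  # unsupported for hosts, per comment 7


def audit_hosts(text):
    """Return (line_no, service, action) for each hosts entry whose
    effective SUCCESS action is continue or merge."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]                   # drop comments
        database, sep, rules = line.partition(":")
        if not sep or database.strip() != "hosts":
            continue                                  # other databases are out of scope
        service = None
        for bracket, name in TOKEN.findall(rules):
            if name:
                service = name                        # action lists apply to this service
                continue
            success = None                            # None: default action untouched
            for neg, status, action in SPEC.findall(bracket):
                is_success = status.upper() == "SUCCESS"
                # "!STATUS=act" applies act to every status except STATUS,
                # so "!UNAVAIL=continue" also changes SUCCESS.
                if is_success != bool(neg):
                    success = action.lower()
            if success in UNSUPPORTED:
                findings.append((line_no, service, success))
    return findings


if __name__ == "__main__":
    for line_no, service, action in audit_hosts(SAMPLE):
        print(f"line {line_no}: hosts service {service!r} has SUCCESS={action}")
```

An empty result means the hosts line does not need the workaround; the group line in the sample is deliberately not reported because the comment restricts the problem to the hosts database.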

Comment 14 errata-xmlrpc 2023-10-05 13:54:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5453 https://access.redhat.com/errata/RHSA-2023:5453

Comment 15 errata-xmlrpc 2023-10-05 14:01:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5455 https://access.redhat.com/errata/RHSA-2023:5455

Comment 17 errata-xmlrpc 2023-11-21 11:42:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:7409 https://access.redhat.com/errata/RHSA-2023:7409
