#5347 closed enhancement (fixed)

CVE-2023-4806: potential use-after-free in Glibc getcanonname

Reported by: Xi Ruoyao Owned by: lfs-book
Priority: high Milestone: 12.1
Component: Errata Version: git
Severity: normal Keywords:
Cc:

Description

In an extremely rare situation, the getaddrinfo function in glibc may access memory that has already been freed, resulting in an application crash.

This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r hook without implementing the _nss_*_gethostbyname3_r hook. There are no known modules that are implemented in this way.

In addition to that condition, the resolved name should return a large number of IPv6 as well as IPv4 and the call to the getaddrinfo function should have AF_INET6 with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.

Change History (5)

comment:1 by Xi Ruoyao, 15 months ago

I'd make it a low-severity one because it's not exploitable with LFS /etc/nsswitch.conf.

comment:2 by Xi Ruoyao, 14 months ago

The upstream patch (https://sourceware.org/pipermail/libc-alpha/2023-September/151548.html) can be used for Glibc >= 2.35 2.36. It seems all Glibc releases are affected but a patch for earlier releases is not available yet.

Last edited 14 months ago by Xi Ruoyao (previous) (diff)

comment:3 by Xi Ruoyao, 14 months ago

Fixed for trunk at r12.0-37-gefd11134b. I'll post a security advisory for Glibc >= 2.35 soon.

Version 0, edited 14 months ago by Xi Ruoyao (next)

comment:4 by Xi Ruoyao, 14 months ago

Component: BookErrata

Waiting upstream for Glibc <= 2.35 fixes.

comment:5 by Xi Ruoyao, 14 months ago

Resolution: fixed
Status: newclosed

Errata updated for 2.34 and 2.35. The upstream has no plan to make a fix for 2.33 or earlier.

Note: See TracTickets for help on using tickets.