Opened 8 months ago
Closed 7 months ago
#5347 closed enhancement (fixed)
CVE-2023-4806: potential use-after-free in Glibc getcanonname
| Reported by: | Xi Ruoyao | Owned by: | lfs-book |
|---|---|---|---|
| Priority: | high | Milestone: | 12.1 |
| Component: | Errata | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
In an extremely rare situation, the getaddrinfo function in glibc may access memory that has already been freed, resulting in an application crash.
This issue is only exploitable when a NSS module implements only the _nss_*_gethostbyname2_r hook without implementing the _nss_*_gethostbyname3_r hook. There are no known modules that are implemented in this way.
In addition to that condition, the resolved name should return a large number of IPv6 as well as IPv4 and the call to the getaddrinfo function should have AF_INET6 with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.
Change History (5)
comment:1 by , 8 months ago
comment:2 by , 8 months ago
The upstream patch (https://sourceware.org/pipermail/libc-alpha/2023-September/151548.html) can be used for Glibc >= 2.35 2.36. It seems all Glibc releases are affected but a patch for earlier releases is not available yet.
comment:3 by , 8 months ago
Fixed for trunk at r12.0-37-gefd11134b. I'll post a security advisory for Glibc >= 2.35 2.36 soon.
comment:5 by , 7 months ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Errata updated for 2.34 and 2.35. The upstream has no plan to make a fix for 2.33 or earlier.
I'd make it a low-severity one because it's not exploitable with LFS /etc/nsswitch.conf.