A flaw was found in glibc. In an extremely rare situation, the getaddrinfo
function may access memory that has been freed, resulting in an application
crash. This issue is only exploitable when a NSS module implements only the
nss_gethostbyname2_r and nss_getcanonname_r hooks without
implementing the nss*_gethostbyname3_r hook. The resolved name should
return a large number of IPv6 and IPv4, and the call to the getaddrinfo
function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL
and AI_V4MAPPED as flags.
Bugs
Notes
Author |
Note |
|
Priority reason: No known NSS modules expose the vulnerability |
mdeslaur |
This is only an issue when using an NSS module with a very specific behaviour. There are no known NSS modules which are implemented this way. The fix for this issue introduced a leak, identified as CVE-2023-5156 which was later fixed with a subsequent commit. Older releases require backporting a dozen refactoring commits. |
ccdm94 |
One of the refactoring commits needed to fix this issue is also the fix for CVE-2023-4813. |