Bug 1215280 (CVE-2023-4527)

Summary: VUL-0: CVE-2023-4527: glibc: stack read overflow in getaddrinfo() in no-aaaa mode
Product: [Novell Products] SUSE Security Incidents
Reporter: Carlos López <carlos.lopez>
Component: Incidents
Assignee: Andreas Schwab <schwab>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/377993/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-4527:7.5:(AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Carlos López 2023-09-13 07:35:39 UTC
CVE-2023-4527

If the system is configured in no-aaaa mode via /etc/resolv.conf, getaddrinfo is called for the AF_UNSPEC address family, and a DNS response is received over TCP that is larger than 2048 bytes, getaddrinfo may potentially disclose stack contents via the returned address data, or crash. While name lookup normally just fails incorrectly, crashes are not difficult to trigger, with valid DNS responses that are propagated by DNS resolvers.

Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=30842

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4527
https://bugzilla.redhat.com/show_bug.cgi?id=2234712
Comment 1 Carlos López 2023-09-13 07:37:56 UTC
no-aaaa mode was introduced in v2.36:
https://sourceware.org/pipermail/libc-alpha/2022-August/141193.html

So this should only affect:
- SUSE:ALP:Source:Standard:1.0 (v2.37)
- openSUSE:Factory (v2.38)
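The precondition in the description (glibc 2.36 or later, "no-aaaa" configured, then an AF_UNSPEC getaddrinfo() call receiving a TCP response over 2048 bytes) is easy to audit for on the configuration side. The program below is an added example written for this page, not SUSE's or glibc's code: it reports whether a host is in the affected configuration by checking the libc version and looking for the "no-aaaa" option in /etc/resolv.conf and in the RES_OPTIONS environment variable (both locations are documented in resolv.conf(5)). The helper names and the sample resolv.conf texts are constructed for the example; the option parser is a simplified, exact-token version of the documented syntax rather than a copy of glibc's res_init parser. It sends no DNS traffic and cannot tell whether the installed package already carries the fix, so a hit means "check the package changelog", not "exploitable".

```c
/* Added example (not SUSE or glibc code): report whether this host matches the
 * CVE-2023-4527 configuration precondition, glibc >= 2.36 (first release with
 * "no-aaaa", see comment 1) plus "no-aaaa" set in /etc/resolv.conf or
 * RES_OPTIONS. Simplified parser: keyword lines, '#'/';' comments, exact
 * whitespace-separated option tokens.  Build: cc -Wall -o no-aaaa-check no-aaaa-check.c */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __GLIBC__
#include <gnu/libc-version.h>
#endif

/* Return 1 if the whitespace-separated option list LIST (the value part of an
 * "options" line, or the RES_OPTIONS variable) contains the exact token "no-aaaa". */
int option_list_has_no_aaaa(const char *list)
{
    char buf[1024];
    if (strlen(list) >= sizeof buf)
        return 0;                       /* implausibly long; treat as absent */
    strcpy(buf, list);                  /* strtok needs a writable copy */
    for (char *tok = strtok(buf, " \t\r"); tok; tok = strtok(NULL, " \t\r"))
        if (strcmp(tok, "no-aaaa") == 0)
            return 1;
    return 0;
}

/* Return 1 if TEXT (the contents of a resolv.conf file) has an "options" line
 * whose option list contains "no-aaaa". Lines starting with '#' or ';' never
 * match the keyword, so comments are skipped implicitly. */
int resolv_conf_has_no_aaaa(const char *text)
{
    const char *line = text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        while (len > 0 && isspace((unsigned char)*line)) { line++; len--; }
        if (len > 8 && strncmp(line, "options", 7) == 0
            && isspace((unsigned char)line[7])) {
            char buf[1024];
            if (len - 8 < sizeof buf) {
                memcpy(buf, line + 8, len - 8);
                buf[len - 8] = '\0';
                if (option_list_has_no_aaaa(buf))
                    return 1;
            }
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return 0;
}

/* Return 1 if VER ("2.38", "2.36.9000", ...) is 2.36 or later, the first glibc
 * release that understands "no-aaaa". */
int glibc_version_has_no_aaaa(const char *ver)
{
    int major, minor;
    if (sscanf(ver, "%d.%d", &major, &minor) != 2)
        return 0;
    return major > 2 || (major == 2 && minor >= 36);
}

/* Constructed sample inputs (not taken from a real host) exercising the parser;
 * returns 1 when every case behaves as expected. */
int self_check(void)
{
    const char *cfg_hit =
        "# constructed sample\n"
        "nameserver 192.0.2.53\n"
        "search example.test\n"
        "options ndots:2 no-aaaa timeout:1\n";
    const char *cfg_miss =
        "; options no-aaaa  (commented out)\n"
        "nameserver 192.0.2.53\n"
        "options edns0 no-aaaa-like\n";    /* similar token, must not match */
    return resolv_conf_has_no_aaaa(cfg_hit) == 1
        && resolv_conf_has_no_aaaa(cfg_miss) == 0
        && option_list_has_no_aaaa("use-vc no-aaaa") == 1
        && option_list_has_no_aaaa("use-vc") == 0
        && glibc_version_has_no_aaaa("2.36") == 1
        && glibc_version_has_no_aaaa("2.31") == 0;
}

int main(void)
{
    if (!self_check()) {
        fputs("self-check failed\n", stderr);
        return 2;
    }
#ifdef __GLIBC__
    const char *ver = gnu_get_libc_version();
#else
    const char *ver = "0.0";            /* not glibc: no-aaaa does not apply */
#endif
    int configured = 0;
    FILE *f = fopen("/etc/resolv.conf", "r");
    if (f) {
        char text[16384];
        size_t n = fread(text, 1, sizeof text - 1, f);
        text[n] = '\0';
        fclose(f);
        configured = resolv_conf_has_no_aaaa(text);
    }
    const char *env = getenv("RES_OPTIONS");
    if (env && option_list_has_no_aaaa(env))
        configured = 1;

    printf("libc version %s, no-aaaa %s\n", ver,
           configured ? "configured" : "not configured");
    if (glibc_version_has_no_aaaa(ver) && configured)
        puts("matches the CVE-2023-4527 precondition: verify the installed glibc carries the fix");
    return 0;
}
```

Run it as the user whose resolver configuration matters; RES_OPTIONS is per process, so a service started with that variable set can be in no-aaaa mode even when /etc/resolv.conf is not.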
Comment 2 OBSbugzilla Bot 2023-09-18 09:45:02 UTC
This is an autogenerated message for OBS integration:
This bug (1215280) was mentioned in
https://build.opensuse.org/request/show/1111922 Factory / glibc
Comment 6 Marcus Meissner 2024-05-13 14:38:22 UTC
done