Bugzilla – Bug 1215280
VUL-0: CVE-2023-4527: glibc: stack read overflow in getaddrinfo() in no-aaaa mode
Last modified: 2024-05-13 14:38:22 UTC
CVE-2023-4527 If the system is configured in no-aaaa mode via /etc/resolv.conf, getaddrinfo is called for the AF_UNSPEC address family, and a DNS response is received over TCP that is larger than 2048 bytes, getaddrinfo may potentially disclose stack contents via the returned address data, or crash. While name lookup normally just fails incorrectly, crashes are not difficult to trigger, with valid DNS responses that are propagated by DNS resolvers. Reference: https://sourceware.org/bugzilla/show_bug.cgi?id=30842 References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-4527 https://bugzilla.redhat.com/show_bug.cgi?id=2234712
no-aaaa mode was introduced in v2.36: https://sourceware.org/pipermail/libc-alpha/2022-August/141193.html So this should only affect: - SUSE:ALP:Source:Standard:1.0 (v2.37) - openSUSE:Factory (v2.38)
This is an autogenerated message for OBS integration: This bug (1215280) was mentioned in https://build.opensuse.org/request/show/1111922 Factory / glibc
done