Bug 941234 - (CVE-2015-5180) VUL-1: CVE-2015-5180: glibc: DNS resolver NULL pointer dereference with crafted record type
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assigned To: Andreas Schwab
Security Team bot
https://smash.suse.de/issue/120979/
CVSSv2:SUSE:CVE-2015-5180:1.2:(AV:L/A...
Depends on:
Blocks:
Reported: 2015-08-11 08:01 UTC by Alexander Bergmann
Modified: 2022-08-24 16:17 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2015-08-11 08:01:14 UTC
https://sourceware.org/bugzilla/show_bug.cgi?id=18784

Florian Weimer 2015-08-07 08:55:14 UTC 
----------------
If T_UNSPEC (62321) is passed to functions such as res_query as a record type, libresolv will dereference a NULL pointer, crashing the process.  This is a very minor security vulnerability because it is conceivable that the RR type is supplied by an untrusted party.

The expected behavior is that libresolv sends a TYPE62321 query to the configured forwarders because it is a valid record type as far as DNS is concerned.

I am not sure how to fix this.  The inband signaling should probably be removed.  For that, the external functions could check for a valid RR type (in the range from 0 to 65535), and T_UNSPEC (which is fortunately not part of the API/ABI) could be switched to a value not within that range.
----------------

Reproducer: (gcc -o reproducer reproducer.c -lresolv)

#include <resolv.h>

int main(void)
{
  unsigned char buf[4096];
  /* 62321 is T_UNSPEC, the sentinel libresolv used internally; handing it
     in as the record type takes the NULL-pointer path and crashes the process. */
  res_search("invalid", 1, 62321, buf, sizeof(buf));
  return 0;
}

CVE-2015-5180 was assigned to this issue.

References:
https://sourceware.org/bugzilla/show_bug.cgi?id=18784
https://bugzilla.redhat.com/show_bug.cgi?id=1249603
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5180
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5180.html
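An added example (not glibc's, SUSE's or the reporter's code) of the fix direction Weimer describes above: the public entry point checks that the caller's RR type fits the 16-bit QTYPE field, and the internal dual-query sentinel is moved outside that range so it can no longer collide with a caller-supplied value. The `query_backend` pointer, `checked_query`, `fake_backend` and the sentinel value are assumptions so the check runs without a network; in a real build, pass `res_query` as the backend.

```c
/* Added example, not glibc or SUSE code: models the fix approach from the
 * report. The public entry point validates the caller-supplied RR type
 * (0..65535, what fits a DNS QTYPE) and the internal sentinel lives outside
 * that range, so no caller value can reach the internal code path. The
 * 'backend' pointer and fake_backend are assumptions to avoid network use. */
#include <errno.h>
#include <stdbool.h>
#include <string.h>

/* Same signature as res_query()/res_search(). */
typedef int (*query_backend)(const char *name, int qclass, int qtype,
                             unsigned char *answer, int anslen);

/* Hypothetical internal "A and AAAA" sentinel, deliberately outside the
 * 16-bit RR type space (the old in-band value was 62321, a valid TYPE). */
#define INTERNAL_QUERY_A_AND_AAAA (1 << 16)

/* A caller may request any type that fits the 16-bit QTYPE field, so
 * 62321 (TYPE62321) is legitimate and must not be rejected. */
bool rr_type_is_valid(long qtype)
{
    return qtype >= 0 && qtype <= 65535;
}

/* Public wrapper: rejects out-of-range types with EINVAL before the backend
 * sees them; the sentinel above can therefore never arrive from outside. */
int checked_query(query_backend backend, const char *name, int qclass,
                  long qtype, unsigned char *answer, int anslen)
{
    if (name == NULL || answer == NULL || anslen <= 0 || !rr_type_is_valid(qtype)) {
        errno = EINVAL;
        return -1;
    }
    return backend(name, qclass, (int)qtype, answer, anslen);
}

/* Constructed stand-in for res_query(): records the type it was handed and
 * returns a fixed 12-byte (header-only) answer length. */
static int last_type_seen = -1;
int fake_backend(const char *name, int qclass, int qtype,
                 unsigned char *answer, int anslen)
{
    (void)name; (void)qclass;
    last_type_seen = qtype;
    memset(answer, 0, (size_t)anslen);
    return 12;
}

int last_type_queried(void) { return last_type_seen; }
```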
Comment 1 Swamp Workflow Management 2015-08-11 22:00:16 UTC
bugbot adjusting priority
Comment 3 Andreas Stieger 2015-10-02 13:28:45 UTC
very minor issue. Not patched upstream, closed by RH except for FC22. Setting as VUL-2 in case a patch appears or something changes.
Comment 4 Mikhail Kasimov 2017-02-05 23:57:01 UTC
https://sourceware.org/ml/libc-alpha/2017-02/msg00079.html ("The GNU C Library version 2.25 is now available")

===========================================================
Security related changes:

<skipped>

* The DNS stub resolver functions would crash due to a NULL pointer
  dereference when processing a query with a valid DNS question type
  which was used internally in the implementation.  The stub resolver
  now uses a question type which is outside the range of valid question
  type values. (CVE-2015-5180)
===========================================================
Comment 6 Karol Babioch 2018-02-02 13:10:14 UTC
Since there is an upstream fix, I've changed it back to VUL-1, so this can be merged into our codestreams with one of the upcoming updates.
Comment 9 Swamp Workflow Management 2018-09-26 16:27:00 UTC
SUSE-SU-2018:2883-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1058774,1064580,1064583,941234
CVE References: CVE-2015-5180,CVE-2017-15670,CVE-2017-15804
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    glibc-2.11.3-17.110.19.2
SUSE Linux Enterprise Server 11-SP4 (src):    glibc-2.11.3-17.110.19.2
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    glibc-2.11.3-17.110.19.2
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    glibc-2.11.3-17.110.19.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    glibc-2.11.3-17.110.19.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    glibc-2.11.3-17.110.19.2
Comment 14 Swamp Workflow Management 2019-06-27 16:13:32 UTC
SUSE-SU-2019:1716-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1117993,1132678,941234
CVE References: CVE-2015-5180
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    glibc-2.22-100.15.4
SUSE Linux Enterprise Server 12-SP4 (src):    glibc-2.22-100.15.4
SUSE Linux Enterprise Desktop 12-SP4 (src):    glibc-2.22-100.15.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Andreas Schwab 2019-08-27 14:48:31 UTC
All updates released.
Comment 16 Swamp Workflow Management 2022-08-24 16:17:18 UTC
SUSE-SU-2022:2886-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1027496,1178386,1179694,1179721,1181505,1182117,941234
CVE References: CVE-2015-5180,CVE-2016-10228,CVE-2019-25013,CVE-2020-27618,CVE-2020-29562,CVE-2020-29573,CVE-2021-3326
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP3-BCL (src):    glibc-2.22-126.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    glibc-2.22-126.1