Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

update: glibc #1179

Closed
dongsupark opened this issue Sep 19, 2023 · 1 comment · Fixed by flatcar/scripts#1171
Closed

update: glibc #1179

dongsupark opened this issue Sep 19, 2023 · 1 comment · Fixed by flatcar/scripts#1171
Assignees
@t-lo
Labels
advisory security advisory cvss/HIGH > 7 && < 9 assessed CVSS security security concerns

Comments

@dongsupark
Copy link
Member

dongsupark commented Sep 19, 2023
edited
Loading

Name: glibc
CVEs: CVE-2023-4527, CVE-2023-4806
CVSSs: 8.2, 7.5
Action Needed: update to >= 2.37-r5 or >= 2.38-r2

Summary:

  • CVE-2023-4527: A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the function returned address data, and may cause a crash.
  • CVE-2023-4806: A flaw was found in glibc. In an extremely rare situation, the getaddrinfo function may access memory that has been freed, resulting in an application crash. This issue is only exploitable when a NSS module implements only the nss_gethostbyname2_r and nss_getcanonname_r hooks without implementing the nss*_gethostbyname3_r hook. The resolved name should return a large number of IPv6 and IPv4, and the call to the getaddrinfo function should have the AF_INET6 address family with AI_CANONNAME, AI_ALL and AI_V4MAPPED as flags.

refmap.gentoo: https://bugs.gentoo.org/914281
@dongsupark dongsupark added security security concerns advisory security advisory labels Sep 19, 2023
@dongsupark dongsupark moved this from 📝 Needs Triage to 🪵Backlog in Flatcar tactical, release planning, and roadmap Sep 19, 2023
@dongsupark dongsupark added the cvss/HIGH > 7 && < 9 assessed CVSS label Sep 22, 2023
@t-lo t-lo self-assigned this Sep 22, 2023
@t-lo t-lo mentioned this issue Sep 22, 2023
Merged
@t-lo
Copy link
Member

t-lo commented Sep 22, 2023

2.37-rc5 looks like a low-hanging fruit. Poked at this with a PR so we can run a test build: flatcar/scripts#1171

@github-actions github-actions bot mentioned this issue Nov 9, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@t-lo t-lo

Labels
advisory security advisory cvss/HIGH > 7 && < 9 assessed CVSS security security concerns
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

sys-libs/glibc: update to patchlevel 2.37-rc5 flatcar/scripts
2 participants
@t-lo @dongsupark