Bugzilla – Bug 915526
VUL-0: CVE-2013-7423: glibc,glibc.i686: getaddrinfo() writes DNS queries to random file descriptors under high load
Last modified: 2016-05-24 14:21:25 UTC
Created attachment 621447 [details]
Reproducer

Under high load, getaddrinfo() starts sending DNS queries to random file descriptors, e.g. some unrelated socket connected to a remote service.

The Debian bug report mentions that the issue was resolved in glibc 2.19.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1187109
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=722075
https://sourceware.org/bugzilla/show_bug.cgi?id=15946
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7423
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-02-24. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/60630
openSUSE-SU-2015:0351-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 906371,910599,915526,916222
CVE References: CVE-2013-7423,CVE-2014-7817,CVE-2014-9402,CVE-2015-1472
Sources used:
openSUSE 13.2 (src): glibc-2.19-16.5.1, glibc-testsuite-2.19-16.5.2, glibc-utils-2.19-16.5.1
openSUSE 13.1 (src): glibc-2.18-4.25.1, glibc-testsuite-2.18-4.25.2, glibc-utils-2.18-4.25.1
On SLES 11 SP3 QA still see the reproducer failing after the patch.
That's because it's broken. https://sourceware.org/bugzilla/show_bug.cgi?id=15946#c14
Created attachment 625187 [details] Corrected reproducer
Created attachment 625346 [details]
bug6336.c

even more bugfixed testcase

accept addrlen is an IN/OUT parameter, feed in the sizeof(paddr)
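The accept() point in the comment above, as an added example (this is not the attached bug6336.c, which is not reproduced on this page): the caller's initial `*addrlen` decides how much of the peer address is written, and the kernel reports the real length back. The helper name `accept_with_len` and the loopback setup are assumptions made for illustration; the zero-length behaviour shown is what Linux does.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: accept one loopback connection with *addrlen preset
 * to in_len. Returns the address family found in the caller's buffer
 * (AF_UNSPEC if nothing was written) or -1 on error; *out_len receives the
 * length the kernel stored back into addrlen. */
int accept_with_len(socklen_t in_len, socklen_t *out_len)
{
    struct sockaddr_in srv, paddr;
    socklen_t slen = sizeof(srv), plen = in_len;   /* IN value for accept() */
    int lfd = -1, cfd = -1, afd, family = -1;

    memset(&srv, 0, sizeof(srv));
    srv.sin_family = AF_INET;
    srv.sin_addr.s_addr = htonl(INADDR_LOOPBACK);  /* port 0: kernel picks one */

    lfd = socket(AF_INET, SOCK_STREAM, 0);
    cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0 || cfd < 0) goto out;
    if (bind(lfd, (struct sockaddr *)&srv, sizeof(srv)) < 0 ||
        listen(lfd, 1) < 0 ||
        getsockname(lfd, (struct sockaddr *)&srv, &slen) < 0 ||
        connect(cfd, (struct sockaddr *)&srv, sizeof(srv)) < 0)
        goto out;

    memset(&paddr, 0, sizeof(paddr));              /* makes "untouched" visible */
    afd = accept(lfd, (struct sockaddr *)&paddr, &plen);
    if (afd >= 0) {
        family = paddr.sin_family;                 /* what the caller can read */
        *out_len = plen;                           /* OUT value from accept() */
        close(afd);
    }
out:
    if (lfd >= 0) close(lfd);
    if (cfd >= 0) close(cfd);
    return family;
}

int main(void)
{
    socklen_t got = 0;
    int fam = accept_with_len(sizeof(struct sockaddr_in), &got);
    printf("in=sizeof: family=%d out_len=%u\n", fam, (unsigned)got);
    fam = accept_with_len(0, &got);
    printf("in=0:      family=%d out_len=%u\n", fam, (unsigned)got);
    return 0;
}
```

A test case that leaves `addrlen` uninitialized gets whichever of these outcomes the stack garbage selects, which makes its pass/fail result unreliable.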
SUSE-SU-2015:0439-1: An update that solves four vulnerabilities and has one errata is now available.
Category: security (moderate)
Bug References: 904461,906371,915526,916222,917072
CVE References: CVE-2013-7423,CVE-2014-7817,CVE-2014-9402,CVE-2015-1472
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src): glibc-2.11.3-17.82.11
SUSE Linux Enterprise Server 11 SP3 for VMware (src): glibc-2.11.3-17.82.11
SUSE Linux Enterprise Server 11 SP3 (src): glibc-2.11.3-17.82.11
SUSE Linux Enterprise Desktop 11 SP3 (src): glibc-2.11.3-17.82.11
SUSE-SU-2015:0526-1: An update that solves four vulnerabilities and has four fixes is now available.
Category: security (moderate)
Bug References: 864081,905313,906371,909053,910599,915526,915985,916222
CVE References: CVE-2013-7423,CVE-2014-7817,CVE-2014-9402,CVE-2015-1472
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): glibc-2.19-20.3
SUSE Linux Enterprise Server 12 (src): glibc-2.19-20.3
SUSE Linux Enterprise Desktop 12 (src): glibc-2.19-20.3
released all of them now I think.
resolve
SUSE-SU-2015:0551-1: An update that solves four vulnerabilities and has two fixes is now available.
Category: security (moderate)
Bug References: 887022,906371,910599,915526,916222,918233
CVE References: CVE-2013-7423,CVE-2014-7817,CVE-2014-9402,CVE-2015-1472
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src): glibc-2.11.3-17.45.59.1
SUSE Linux Enterprise Server 11 SP1 LTSS (src): glibc-2.11.1-0.64.1
This is an autogenerated message for OBS integration: This bug (915526) was mentioned in https://build.opensuse.org/request/show/315336 42 / glibc