Bug#704623: eglibc: CVE-2013-1914: getaddrinfo() stack overflow

To: 704623@bugs.debian.org
Subject: Bug#704623: eglibc: CVE-2013-1914: getaddrinfo() stack overflow
From: Raphael Geissert <geissert@debian.org>
Date: Wed, 3 Jul 2013 17:21:25 +0200
Message-id: <[🔎] CAA7hUgHKvq-7c2Jieve0oAbUxszo3CTzECAYBwFxCwAUFnWA0A@mail.gmail.com>
Reply-to: Raphael Geissert <geissert@debian.org>, 704623@bugs.debian.org

Control: found -1 2.11.3-1

Hi,

The upstream commit referenced above isn't enough for, at least,
squeeze's 2.11.3.
There's another stack overflow in gaih_inet when calling gethostbyname4_r.

2.17 uses malloc if needed, and git blames the following commit for
those changes:
http://sourceware.org/git/?p=glibc.git;a=commit;f=sysdeps/posix/getaddrinfo.c;h=34a9094f49241ebb72084c536cf468fd51ebe3ec

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Reply to:

Follow-Ups:
- Bug#704623: eglibc: CVE-2013-1914: getaddrinfo() stack overflow
  - From: Raphael Geissert <geissert@debian.org>

Prev by Date: Re: Bug#714219: [Debian #714219] libc6: crypt(3) returns NULL with EINVAL instead of falling back to DES, breaking GNU software
Next by Date: Processed: Re: Bug#704623: eglibc: CVE-2013-1914: getaddrinfo() stack overflow
Previous by thread: Bug#714744: locales: Update gives sigmentation fault
Next by thread: Processed: Re: Bug#704623: eglibc: CVE-2013-1914: getaddrinfo() stack overflow
Index(es):
- Date
- Thread