Re: the other glibc issue

[Solar Designer <solar () openwall com>]

Oh, can we use descriptive Subjects, please?  (I am leaving this one
intact not to introduce even further confusion.)

On Wed, Jan 28, 2015 at 01:17:40PM -0500, cve-assign () mitre org wrote:
> Use CVE-2013-7423 for ths initial bug report at 2013-09-12 09:50:17 UTC 
> stating: "Under high load, getaddrinfo() starts sending DNS queries to 
> random file descriptors, e.g. some unrelated socket connected to a remote 
> service."
>
> Which comment says that the issue is unfixed?  The 2015-01-08 14:21:11 UTC 
> comment by David Nilsson says "I'm unable to reproduce the correct 
> behaviour," but does not suggest that the vulnerability is still present.

That comment you mention seemed to imply that, but here are the news off
Twitter:

<solardiz> glibc "getaddrinfo() writes DNS queries to random file descriptors under high load" 
https://sourceware.org/bugzilla/show_bug.cgi?id=15946 "Fixed in 2.20", reopened, CVE?
<@RichFelker> @solardiz Yeah I've been following this and pushing for it to be taken seriously for a long time...
<@RichFelker> @solardiz Looks like a false positive, a bug in the testcase rather than in #glibc. See 
https://sourceware.org/ml/glibc-bugs/2015-01/msg00226.html
<@solardiz> @RichFelker To me, this message says that the bug still being reproducible on glibc 2.20 is a false 
positive, but the fix in 2.20 was needed
<@solardiz> @RichFelker Someone should run the corrected testcase on pre-2.20 to see if the issue was reproducible 
before the fix or not

So glibc 2.20 appears OK, and we need to re-test older glibc - but from
the patch it looks like there was indeed this bug before 2.20.

Alexander