oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2023-4527: glibc: Stack read overflow in getaddrinfo in no-aaaa mode

From: Solar Designer <solar () openwall com>
Date: Mon, 25 Sep 2023 12:29:11 +0200
Hi,

A bug affecting glibc 2.36+ was reported and fixed earlier this month:

https://sourceware.org/bugzilla/show_bug.cgi?id=30842


Florian Weimer 2023-09-12 15:16:27 UTC

If the system is configured in no-aaaa mode via /etc/resolv.conf,
getaddrinfo is called for the AF_UNSPEC address family, and a DNS
response is received over TCP that is larger than 2048 bytes,
getaddrinfo may potentially disclose stack contents via the returned
address data, or crash. While name lookup normally just fails
incorrectly, crashes are not difficult to trigger, with valid DNS
responses that are propagated by DNS resolvers.

Introduced by:

commit f282cdbe7f436c75864e5640a409a10485e9abb2
Author: Florian Weimer <fweimer () redhat com>
Date:   Fri Jun 24 18:16:41 2022 +0200

    resolv: Implement no-aaaa stub resolver option
    
    Reviewed-by: Carlos O'Donell <carlos () redhat com>



Florian Weimer 2023-09-13 12:58:01 UTC

All impacted branches fixed.


Even though upstream 2.35 and older are not affected, the problematic
commit was backported into some distro packages of older glibc:

https://access.redhat.com/security/cve/CVE-2023-4527


Statement
This issue only affect systems configured with no-aaaa mode via
/etc/resolv.conf.

The no-aaaa stub resolver option was backported only to Red Hat
Enterprise Linux versions 8.7 and 9.1. Therefore, previous versions are
not affected.

Mitigation
Removing the no-aaaa diagnostic option from /etc/resolv.conf will
mitigate this flaw.


Also tracked here:

https://bugzilla.redhat.com/show_bug.cgi?id=2234712

The feature is described in a glibc NEWS entry for 2.36 as follows:

https://lists.gnu.org/archive/html/info-gnu/2022-08/msg00000.html


* The "no-aaaa" DNS stub resolver option has been added.  System
  administrators can use it to suppress AAAA queries made by the stub
  resolver, including AAAA lookups triggered by NSS-based interfaces
  such as getaddrinfo.  Only DNS lookups are affected: IPv6 data in
  /etc/hosts is still used, getaddrinfo with AI_PASSIVE will still
  produce IPv6 addresses, and configured IPv6 name servers are still
  used.  To produce correct Name Error (NXDOMAIN) results, AAAA queries
  are translated to A queries.  The new resolver option is intended
  primarily for diagnostic purposes, to rule out that AAAA DNS queries
  have adverse impact.  It is incompatible with EDNS0 usage and DNSSEC
  validation by applications.


Alexander
Previous By Date Next
Previous By Thread Next

Current thread: