Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 25 Sep 2023 12:29:11 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2023-4527: glibc: Stack read overflow in getaddrinfo in no-aaaa mode

Hi,

A bug affecting glibc 2.36+ was reported and fixed earlier this month:

https://sourceware.org/bugzilla/show_bug.cgi?id=30842

> Florian Weimer 2023-09-12 15:16:27 UTC
> 
> If the system is configured in no-aaaa mode via /etc/resolv.conf,
> getaddrinfo is called for the AF_UNSPEC address family, and a DNS
> response is received over TCP that is larger than 2048 bytes,
> getaddrinfo may potentially disclose stack contents via the returned
> address data, or crash. While name lookup normally just fails
> incorrectly, crashes are not difficult to trigger, with valid DNS
> responses that are propagated by DNS resolvers.
> 
> Introduced by:
> 
> commit f282cdbe7f436c75864e5640a409a10485e9abb2
> Author: Florian Weimer <fweimer@...hat.com>
> Date:   Fri Jun 24 18:16:41 2022 +0200
> 
>     resolv: Implement no-aaaa stub resolver option
>     
>     Reviewed-by: Carlos O'Donell <carlos@...hat.com>

> Florian Weimer 2023-09-13 12:58:01 UTC
> 
> All impacted branches fixed.

Even though upstream 2.35 and older are not affected, the problematic
commit was backported into some distro packages of older glibc:

https://access.redhat.com/security/cve/CVE-2023-4527

> Statement
> This issue only affect systems configured with no-aaaa mode via
> /etc/resolv.conf.
> 
> The no-aaaa stub resolver option was backported only to Red Hat
> Enterprise Linux versions 8.7 and 9.1. Therefore, previous versions are
> not affected.
> 
> Mitigation
> Removing the no-aaaa diagnostic option from /etc/resolv.conf will
> mitigate this flaw.

Also tracked here:

https://bugzilla.redhat.com/show_bug.cgi?id=2234712

The feature is described in a glibc NEWS entry for 2.36 as follows:

https://lists.gnu.org/archive/html/info-gnu/2022-08/msg00000.html

> * The "no-aaaa" DNS stub resolver option has been added.  System
>   administrators can use it to suppress AAAA queries made by the stub
>   resolver, including AAAA lookups triggered by NSS-based interfaces
>   such as getaddrinfo.  Only DNS lookups are affected: IPv6 data in
>   /etc/hosts is still used, getaddrinfo with AI_PASSIVE will still
>   produce IPv6 addresses, and configured IPv6 name servers are still
>   used.  To produce correct Name Error (NXDOMAIN) results, AAAA queries
>   are translated to A queries.  The new resolver option is intended
>   primarily for diagnostic purposes, to rule out that AAAA DNS queries
>   have adverse impact.  It is incompatible with EDNS0 usage and DNSSEC
>   validation by applications.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.