Bug 980483 - (CVE-2016-3706) VUL-0: CVE-2016-3706: glibc: stack overflow in hostent translation
Status: RESOLVED FIXED
Duplicates: 997423
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Importance: P3 - Medium, Normal
Assigned To: Andreas Schwab
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/169103/
Whiteboard: CVSSv2:SUSE:CVE-2016-3706:5.1:(AV:N/A...
Reported: 2016-05-18 08:00 UTC by Johannes Segitz
Modified: 2019-08-22 14:56 UTC (History)
Found By: Security Response Team
Description Johannes Segitz 2016-05-18 08:00:59 UTC
CVE-2016-3706

https://sourceware.org/bugzilla/show_bug.cgi?id=20010

When converting a struct hostent response to struct gaih_addrtuple, the gethosts macro (which is called from gaih_inet) uses alloca, without malloc fallback for large responses.  This code path is used with AF_INET and AF_INET6 queries, not AF_UNSPEC queries.

In essence, this is an incomplete fix for CVE-2013-4458 (bug 16072).  The buffer passed to the NSS module is relocated to the heap, but data from it is still copied to the stack.

Over DNS, at most 4095 addresses can arrive, and per address, a net 40 bytes of stack space are needed, so with usual stack sizes and system configurations, the bug cannot be triggered over the network.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3706
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-3706.html
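The alloca-with-heap-fallback pattern that the description says is missing, as an added example that is not part of the bug report and not glibc's code. `struct addrtuple`, `STACK_LIMIT` and `convert_addrs` are hypothetical names, and the tuple layout is a simplified stand-in for `struct gaih_addrtuple`.

```c
#include <alloca.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for glibc's struct gaih_addrtuple (assumption). */
struct addrtuple {
    struct addrtuple *next;
    int family;
    uint32_t addr[4];
};

/* Hypothetical cap on stack use per call; larger requests go to the heap. */
#define STACK_LIMIT 4096

/* Copies n 16-byte addresses from raw into a linked tuple list and returns
   the list length, or -1 on size overflow or allocation failure.
   *used_heap reports which allocator served the request. */
long convert_addrs(const unsigned char *raw, size_t n, bool *used_heap)
{
    *used_heap = false;
    if (n == 0)
        return 0;
    if (n > SIZE_MAX / sizeof(struct addrtuple))
        return -1;                       /* n * sizeof would wrap around */
    size_t bytes = n * sizeof(struct addrtuple);

    struct addrtuple *t;
    *used_heap = bytes > STACK_LIMIT;
    if (*used_heap)
        t = malloc(bytes);               /* large response: heap fallback */
    else
        t = alloca(bytes);               /* the flawed pattern takes this branch for any size */
    if (t == NULL)
        return -1;
    for (size_t i = 0; i < n; i++) {
        t[i].next = (i + 1 < n) ? &t[i + 1] : NULL;
        t[i].family = 10;                /* AF_INET6 on Linux; constructed sample value */
        memcpy(t[i].addr, raw + 16 * i, 16);
    }
    long count = 0;
    for (struct addrtuple *p = t; p != NULL; p = p->next)
        count++;
    if (*used_heap)
        free(t);
    return count;
}
```

The size check runs before either allocator is called, so a response count that would wrap the multiplication is rejected rather than producing an undersized buffer.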
Comment 2 Swamp Workflow Management 2016-05-18 22:00:15 UTC
bugbot adjusting priority
Comment 5 Bernhard Wiedemann 2016-05-30 09:00:55 UTC
This is an autogenerated message for OBS integration:
This bug (980483) was mentioned in
https://build.opensuse.org/request/show/398848 13.2 / glibc
Comment 6 Swamp Workflow Management 2016-06-08 14:08:40 UTC
openSUSE-SU-2016:1527-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 969727,973010,973164,980483,980854
CVE References: CVE-2016-1234,CVE-2016-3075,CVE-2016-3706,CVE-2016-4429
Sources used:
openSUSE 13.2 (src):    glibc-2.19-16.25.1, glibc-2.19-16.25.2, glibc-testsuite-2.19-16.25.2, glibc-utils-2.19-16.25.1
Comment 7 Swamp Workflow Management 2016-06-30 23:09:29 UTC
SUSE-SU-2016:1721-1: An update that solves four vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 968787,969727,973010,973164,975930,980483,980854
CVE References: CVE-2016-1234,CVE-2016-3075,CVE-2016-3706,CVE-2016-4429
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    glibc-2.19-22.16.2
SUSE Linux Enterprise Server 12 (src):    glibc-2.19-22.16.2
SUSE Linux Enterprise Desktop 12 (src):    glibc-2.19-22.16.2
Comment 8 Swamp Workflow Management 2016-07-04 19:09:18 UTC
SUSE-SU-2016:1733-1: An update that solves four vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 967190,968787,969727,973010,973164,975930,980483,980854
CVE References: CVE-2016-1234,CVE-2016-3075,CVE-2016-3706,CVE-2016-4429
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    glibc-2.19-38.2
SUSE Linux Enterprise Server 12-SP1 (src):    glibc-2.19-38.2
SUSE Linux Enterprise Desktop 12-SP1 (src):    glibc-2.19-38.2
Comment 9 Swamp Workflow Management 2016-07-10 22:16:08 UTC
openSUSE-SU-2016:1779-1: An update that solves four vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 967190,968787,969727,973010,973164,975930,980483,980854
CVE References: CVE-2016-1234,CVE-2016-3075,CVE-2016-3706,CVE-2016-4429
Sources used:
openSUSE Leap 42.1 (src):    glibc-2.19-22.1, glibc-testsuite-2.19-22.2, glibc-utils-2.19-22.1
Comment 12 Swamp Workflow Management 2016-08-25 16:11:06 UTC
SUSE-SU-2016:2156-1: An update that solves four vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 931399,965699,969727,973010,973164,973179,980483,980854,986302
CVE References: CVE-2016-1234,CVE-2016-3075,CVE-2016-3706,CVE-2016-4429
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    glibc-2.11.3-17.102.1
SUSE Linux Enterprise Server 11-SP4 (src):    glibc-2.11.3-17.102.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    glibc-2.11.3-17.102.1
Comment 13 Leonardo Chiquitto 2016-09-23 13:11:08 UTC
*** Bug 997423 has been marked as a duplicate of this bug. ***
Comment 14 Andreas Schwab 2019-08-22 14:56:17 UTC
All updates released.