no-aaaa 模式下 getaddrinfo 中的堆栈读取溢出 (CVE-2023-4527)

admin

0
文章

0
评论

2023-11-29 21:01:19 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

中危 no-aaaa 模式下 getaddrinfo 中的堆栈读取溢出 (CVE-2023-4527)

CVE编号

CVE-2023-4527

利用情况

暂无

补丁情况

官方补丁

披露时间

2023-09-19

漏洞描述

A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the function returned address data, and may cause a crash.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
http://www.openwall.com/lists/oss-security/2023/09/25/1
https://access.redhat.com/errata/RHSA-2023:5453
https://access.redhat.com/errata/RHSA-2023:5455
https://access.redhat.com/security/cve/CVE-2023-4527
https://bugzilla.redhat.com/show_bug.cgi?id=2234712
https://lists.fedoraproject.org/archives/list/[email protected]...
https://lists.fedoraproject.org/archives/list/[email protected]...
https://lists.fedoraproject.org/archives/list/[email protected]...
https://security.gentoo.org/glsa/202310-03
https://security.netapp.com/advisory/ntap-20231116-0012/

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	gnu	glibc	*		Up to (excluding) 2.39
	运行在以下环境
	系统	amazon_2023	glibc	*		Up to (excluding) 2.34-52.amzn2023.0.6
	运行在以下环境
	系统	anolis_os_23	glibc-nss-devel	*		Up to (excluding) 2.36-10
	运行在以下环境
	系统	anolis_os_8	glibc-locale-source	*		Up to (excluding) 2.28-225.0.4
	运行在以下环境
	系统	debian_10	glibc	*		Up to (excluding) 2.28-10+deb10u1
	运行在以下环境
	系统	debian_11	glibc	*		Up to (excluding) 2.31-13+deb11u6
	运行在以下环境
	系统	debian_12	glibc	*		Up to (excluding) 2.36-9+deb12u3
	运行在以下环境
	系统	debian_sid	glibc	*		Up to (excluding) 2.37-9
	运行在以下环境
	系统	fedora_37	glibc-langpack-mn	*		Up to (excluding) 2.36-14.fc37
	运行在以下环境
	系统	fedora_38	glibc-langpack-mn	*		Up to (excluding) 2.37-10.fc38
	运行在以下环境
	系统	fedora_39	glibc-langpack-mn	*		Up to (excluding) 2.38-6.fc39
	运行在以下环境
	系统	oracle_8	glibc-langpack-da	*		Up to (excluding) 2.28-225.0.4.ksplice1.el8_8.6
	运行在以下环境
	系统	oracle_9	glibc-langpack-da	*		Up to (excluding) 2.34-60.0.3.el9_2.7
	运行在以下环境
	系统	redhat	enterprise_linux	8.0	-
	运行在以下环境
	系统	redhat	enterprise_linux	9.0	-
	运行在以下环境
	系统	redhat_8	glibc-all-langpacks	*		Up to (excluding) 2.28-225.el8_8.6
	运行在以下环境
	系统	redhat_9	glibc-all-langpacks	*		Up to (excluding) 2.34-60.el9_2.7
	运行在以下环境
	系统	unionos_a	glibc	*		Up to (excluding) glibc-2.28-225.0.4.uelc20.6.01