CVE-2023-4527

2023-09-1817:15:55

Debian Security Bug Tracker

security-tracker.debian.org

glibc

getaddrinfo

dns

disclosure

stack

crash

af_unspec

tcp

/etc/resolv.conf

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H

0.001 Low

EPSS

Percentile

39.0%

JSON

A flaw was found in glibc. When the getaddrinfo function is called with the AF_UNSPEC address family and the system is configured with no-aaaa mode via /etc/resolv.conf, a DNS response via TCP larger than 2048 bytes can potentially disclose stack contents through the function returned address data, and may cause a crash.

OSVersionArchitecturePackageVersionFilename
Debian12allglibc< 2.36-9+deb12u3glibc_2.36-9+deb12u3_all.deb
Debian11allglibc< 2.31-13+deb11u10glibc_2.31-13+deb11u10_all.deb
Debian999allglibc< 2.37-9glibc_2.37-9_all.deb
Debian13allglibc< 2.37-9glibc_2.37-9_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	glibc	< 2.36-9+deb12u3	glibc_2.36-9+deb12u3_all.deb
Debian	11	all	glibc	< 2.31-13+deb11u10	glibc_2.31-13+deb11u10_all.deb
Debian	999	all	glibc	< 2.37-9	glibc_2.37-9_all.deb
Debian	13	all	glibc	< 2.37-9	glibc_2.37-9_all.deb