libc6: getaddrinfo() sends DNS queries to random file descriptors (CVE-2013-7423)

Debian Bug report logs - #722075
libc6: getaddrinfo() sends DNS queries to random file descriptors (CVE-2013-7423)

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Arnaud Le Blanc <arnaud.lb@gmail.com>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libc6: getaddrinfo() sends DNS queries to random file descriptors

Date: Sat, 07 Sep 2013 15:55:48 +0200

[Message part 1 (text/plain, inline)]

Package: libc6
Version: 2.13-38
Severity: normal

Under high load, getaddrinfo() seems to start sending DNS queries to random
file descriptors.

If a process has opened connections to remote servers or clients, getaddrinfo()
may write DNS queries to these connections.

This has been noticed on a real world application written in golang, and the
bug was successfuly reproduced using pure C code.

The attached code reproduces the bug on libc6 packages 2.13-38 (stable),
2.17-92 (testing).

What the code does:

 - a thread listens to a local unix socket
 - a thread connects to the unix socket, never writes to it, dups the
connection as much as possible (fills the fd space), close the dups, and starts
dup()ing again
 - lots of threads call getaddrinfo()

Under less than a minute, the listener starts reading garbage (presumably DNS
queries).



-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.10-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

[bug.c (text/x-c, attachment)]

Message #10 received at 722075@bugs.debian.org (full text, mbox, reply):

From: Arnaud Le Blanc <arnaud.lb@gmail.com>

To: 722075@bugs.debian.org

Subject: RE: libc6: getaddrinfo() sends DNS queries to random file descriptors

Date: Tue, 10 Sep 2013 13:25:03 +0200

More informations on the bug:

I previously reported it here:
http://code.google.com/p/go/issues/detail?id=6336#c9 . At least 3
others have successfully reproduced the bug using the provided C code
on Debian, Archlinux (and maybe other unspecified distros).

I've failed reproducing it on some fedora VMs (Fedora 16 and 19),
although it may be due to other factors.

I've looked more closely at the garbage received on the socket, and
it's always a full, well-formed, DNS query. It seems to always be an
AAAA query, even when hints.ai_family is AF_INET. All requests are
similar, only the id changes.

Message #15 received at 722075@bugs.debian.org (full text, mbox, reply):

From: Julien Palard <julien@palard.fr>

To: Debian Bug Tracking System <722075@bugs.debian.org>

Subject: Re: libc6: getaddrinfo() sends DNS queries to random file descriptors

Date: Mon, 14 Apr 2014 19:16:02 +0200

Package: libc6
Version: 2.13-38
Followup-For: Bug #722075

Hi there,

I was able to reproduce this bug with only calls to getaddrinfo, as my getaddrinfo opens a NETLINK socket.

Here is a "small" c file leading you easily to the problem : http://pastebin.com/cWZphPK7

It also mean that getaddrinfo is not threadsafe, I think it may.

-- System Information:
Debian Release: 7.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libc6 depends on:
ii  libc-bin  2.13-38
ii  libgcc1   1:4.7.2-5

libc6 recommends no packages.

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.49
pn  glibc-doc              <none>
ii  locales                2.13-38

-- debconf information:
  glibc/upgrade: true
  glibc/restart-services:
  libraries/restart-without-asking: false
  glibc/disable-screensaver:
  glibc/restart-failed:

Message #22 received at 722075-close@bugs.debian.org (full text, mbox, reply):

From: Aurelien Jarno <aurel32@debian.org>

To: 722075-close@bugs.debian.org

Subject: Bug#722075: fixed in eglibc 2.19-1

Date: Wed, 04 Jun 2014 21:36:00 +0000

Source: eglibc
Source-Version: 2.19-1

We believe that the bug you reported is fixed in the latest version of
eglibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 722075@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated eglibc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 04 Jun 2014 20:32:06 +0200
Source: eglibc
Binary: libc-bin libc-dev-bin glibc-doc eglibc-source locales locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-prof libc6-pic libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-prof libc6.1-pic libc6.1-udeb libc0.3 libc0.3-dev libc0.3-dbg libc0.3-prof libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev libc0.1-dbg libc0.1-prof libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc libc6-dev-sparc libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 libc6-dev-ppc64 libc6-mipsn32 libc6-dev-mipsn32 libc6-mips64 libc6-dev-mips64 libc6-armhf libc6-dev-armhf libc6-armel libc6-dev-armel libc0.1-i386 libc0.1-dev-i386 libc6-x32 libc6-dev-x32 libc6-i686 libc6-xen libc0.1-i686 libc0.3-i686 libc0.3-xen libc6.1-alphaev67 libc6-loongson2f libnss-dns-udeb libnss-files-udeb
Architecture: source all amd64
Version: 2.19-1
Distribution: unstable
Urgency: medium
Maintainer: Aurelien Jarno <aurel32@debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Description: 
 eglibc-source - Embedded GNU C Library: sources
 glibc-doc  - Embedded GNU C Library: Documentation
 libc-bin   - Embedded GNU C Library: Binaries
 libc-dev-bin - Embedded GNU C Library: Development binaries
 libc0.1    - Embedded GNU C Library: Shared libraries
 libc0.1-dbg - Embedded GNU C Library: detached debugging symbols
 libc0.1-dev - Embedded GNU C Library: Development Libraries and Header Files
 libc0.1-dev-i386 - Embedded GNU C Library: 32bit development libraries for AMD64
 libc0.1-i386 - Embedded GNU C Library: 32bit shared libraries for AMD64
 libc0.1-i686 - Embedded GNU C Library: Shared libraries [i686 optimized]
 libc0.1-pic - Embedded GNU C Library: PIC archive library
 libc0.1-prof - Embedded GNU C Library: Profiling Libraries
 libc0.1-udeb - Embedded GNU C Library: Shared libraries - udeb (udeb)
 libc0.3    - Embedded GNU C Library: Shared libraries
 libc0.3-dbg - Embedded GNU C Library: detached debugging symbols
 libc0.3-dev - Embedded GNU C Library: Development Libraries and Header Files
 libc0.3-i686 - Embedded GNU C Library: Shared libraries [i686 optimized]
 libc0.3-pic - Embedded GNU C Library: PIC archive library
 libc0.3-prof - Embedded GNU C Library: Profiling Libraries
 libc0.3-udeb - Embedded GNU C Library: Shared libraries - udeb (udeb)
 libc0.3-xen - Embedded GNU C Library: Shared libraries [Xen version]
 libc6      - Embedded GNU C Library: Shared libraries
 libc6-amd64 - Embedded GNU C Library: 64bit Shared libraries for AMD64
 libc6-armel - Embedded GNU C Library: ARM softfp shared libraries for armhf
 libc6-armhf - Embedded GNU C Library: ARM hard float shared libraries for armel
 libc6-dbg  - Embedded GNU C Library: detached debugging symbols
 libc6-dev  - Embedded GNU C Library: Development Libraries and Header Files
 libc6-dev-amd64 - Embedded GNU C Library: 64bit Development Libraries for AMD64
 libc6-dev-armel - Embedded GNU C Library: ARM softfp development libraries for armh
 libc6-dev-armhf - Embedded GNU C Library: ARM hard float development libraries for
 libc6-dev-i386 - Embedded GNU C Library: 32-bit development libraries for AMD64
 libc6-dev-mips64 - Embedded GNU C Library: 64bit Development Libraries for MIPS64
 libc6-dev-mipsn32 - Embedded GNU C Library: n32 Development Libraries for MIPS64
 libc6-dev-powerpc - Embedded GNU C Library: 32bit powerpc development libraries for p
 libc6-dev-ppc64 - Embedded GNU C Library: 64bit Development Libraries for PowerPC64
 libc6-dev-s390 - Embedded GNU C Library: 32bit Development Libraries for IBM zSeri
 libc6-dev-sparc - Embedded GNU C Library: 32bit Development Libraries for SPARC
 libc6-dev-sparc64 - Embedded GNU C Library: 64bit Development Libraries for UltraSPAR
 libc6-dev-x32 - Embedded GNU C Library: X32 ABI Development Libraries for AMD64
 libc6-i386 - Embedded GNU C Library: 32-bit shared libraries for AMD64
 libc6-i686 - Embedded GNU C Library: Shared libraries [i686 optimized]
 libc6-loongson2f - Embedded GNU C Library: Shared libraries (Loongson 2F optimized)
 libc6-mips64 - Embedded GNU C Library: 64bit Shared libraries for MIPS64
 libc6-mipsn32 - Embedded GNU C Library: n32 Shared libraries for MIPS64
 libc6-pic  - Embedded GNU C Library: PIC archive library
 libc6-powerpc - Embedded GNU C Library: 32bit powerpc shared libraries for ppc64
 libc6-ppc64 - Embedded GNU C Library: 64bit Shared libraries for PowerPC64
 libc6-prof - Embedded GNU C Library: Profiling Libraries
 libc6-s390 - Embedded GNU C Library: 32bit Shared libraries for IBM zSeries
 libc6-sparc - Embedded GNU C Library: 32bit Shared libraries for SPARC
 libc6-sparc64 - Embedded GNU C Library: 64bit Shared libraries for UltraSPARC
 libc6-udeb - Embedded GNU C Library: Shared libraries - udeb (udeb)
 libc6-x32  - Embedded GNU C Library: X32 ABI Shared libraries for AMD64
 libc6-xen  - Embedded GNU C Library: Shared libraries [Xen version]
 libc6.1    - Embedded GNU C Library: Shared libraries
 libc6.1-alphaev67 - Embedded GNU C Library: Shared libraries (EV67 optimized)
 libc6.1-dbg - Embedded GNU C Library: detached debugging symbols
 libc6.1-dev - Embedded GNU C Library: Development Libraries and Header Files
 libc6.1-pic - Embedded GNU C Library: PIC archive library
 libc6.1-prof - Embedded GNU C Library: Profiling Libraries
 libc6.1-udeb - Embedded GNU C Library: Shared libraries - udeb (udeb)
 libnss-dns-udeb - Embedded GNU C Library: NSS helper for DNS - udeb (udeb)
 libnss-files-udeb - Embedded GNU C Library: NSS helper for files - udeb (udeb)
 locales    - Embedded GNU C Library: National Language (locale) data [support]
 locales-all - Embedded GNU C Library: Precompiled locale data
 multiarch-support - Transitional package to ensure multiarch compatibility
 nscd       - Embedded GNU C Library: Name Service Cache Daemon
Closes: 647084 722075 749087 750124
Changes: 
 eglibc (2.19-1) unstable; urgency=medium
 .
   [ Aurelien Jarno ]
   * debian/control.in/main: remove outdated Build-Depends on bzip2.
   * debian/patches/any/cvs-resolv-reuse-fd.diff: new patch from upstream
     to fix invalid file descriptor reuse while sending DNS query.  Closes:
     #722075.
   * Finish debconf translation update from Esko Arajärvi.  Closes: #750124.
   * debian/patches/git-updates.diff: update from the 2.19 branch:
     - fixes pthread_spin_lock on sparc/sparc64.  Closes: #749087.
   * debian/patches/any/submitted-argp-attribute.diff: new patch from Ondřej
     Bílka to fix string functions with FORTIFY_SOURCE=2 when <argp.h> is
     included before <string.h>.  Closes: #647084.
   * debian/sysdeps/{sparc,sparc64}.mk: temporarily pass --disable-multiarch
     to configure to try to fix random segmentation faults on Niagara 1
     machines.
 .
   [ Samuel Thibault ]
   * hurd-i386/unsubmitted-pthread_posix-option.diff: Split patches into...
   * ... hurd-i386/tg-{posix_thread,gai_misc}.diff.
   * patches/hurd-i386/cvs-libpthread_guardsize.diff: Fix guard size
     computation and enable again.
Checksums-Sha1: 
 eceab01b30a742c4b9611cc4081916343108f747 7361 eglibc_2.19-1.dsc
 7abefb6203e89a05ff44c852c5f05e09ad235f32 980948 eglibc_2.19-1.debian.tar.xz
 04467c132eb8176c3c05fe66a000109ab35c3ea5 2284982 glibc-doc_2.19-1_all.deb
 1fa733e0fb4fb7824f0b1c391c9305e915bc93be 14226076 eglibc-source_2.19-1_all.deb
 8264ff8753fd97d8de6bb69b1c2ed6df1276be42 3925742 locales_2.19-1_all.deb
 c9f68dc38d0ba935a50b111f64b22aa8574a7d6f 4815630 libc6_2.19-1_amd64.deb
 7fed38e27f3a5b1b34318c427324df2b3271469d 2000672 libc6-dev_2.19-1_amd64.deb
 2ba6243fe470f6250c776efd446a59fe1b96a342 1469242 libc6-pic_2.19-1_amd64.deb
 86f9f48f7f3b984c52962437285b5014306b1c54 1287282 libc-bin_2.19-1_amd64.deb
 179a9fcb77edd90cb52843993ffa038d955d268c 233910 libc-dev-bin_2.19-1_amd64.deb
 2bfef4df3941e46f2e3746f244ef802b5b256cbc 170072 multiarch-support_2.19-1_amd64.deb
 00b3446ee0bd23729a3b0992232e2db9a54b9b7e 1609656 libc6-prof_2.19-1_amd64.deb
 74e8e4d9a7e1ea289c4263daad2f5594630f3a47 3517866 locales-all_2.19-1_amd64.deb
 1e87d18694a570420cc395b33c0b37b14c84e212 2369410 libc6-i386_2.19-1_amd64.deb
 3287104889fa3b395d85c78e92e17fbd6e1d00d7 1309868 libc6-dev-i386_2.19-1_amd64.deb
 e302b13beed838ba2a54bae056de39942efcbcb5 2591248 libc6-x32_2.19-1_amd64.deb
 6de8e7b727320f02608a2be51dadcb2329648556 1576678 libc6-dev-x32_2.19-1_amd64.deb
 d357114f7cdd95a41af40f9c8165dafb4c39d968 234236 nscd_2.19-1_amd64.deb
 d713c608d13b8b10d3f95aa1d036b784d9d7e24a 3429314 libc6-dbg_2.19-1_amd64.deb
 f4beb04a6149c121c6752f3ecf8fd2c44f136ecf 1060256 libc6-udeb_2.19-1_amd64.udeb
 633452ebb6ca26b7ad8495f66c9950f54499ec42 10036 libnss-dns-udeb_2.19-1_amd64.udeb
 32b79141ce7f62af3cede18d42eb806dfc881150 16512 libnss-files-udeb_2.19-1_amd64.udeb
Checksums-Sha256: 
 8c7c07208eb609ec03a453a0b5cb349c9b381fb45c0de5eb022f24bd6b18baef 7361 eglibc_2.19-1.dsc
 4b66d0f5bee72b57182d2e7900cc66935219cc02d7f9a59cc50815e004e8abee 980948 eglibc_2.19-1.debian.tar.xz
 7cf5ec0c327a66e0332c95b9ae185bbdf5ad42e1799ecf7d61b24e1f46f0d4d1 2284982 glibc-doc_2.19-1_all.deb
 6b7abfe3d37b6e6bb5392fde46224414ab5370d5441b17aa1ecee0581913884f 14226076 eglibc-source_2.19-1_all.deb
 9dff52952637c4cbc28efecc00129901d8b3c37242945502bb34bd1763bbecf8 3925742 locales_2.19-1_all.deb
 2d291313a5dd88079fb14d0324c2ea6d22bdd2463b1b9647ef66f149f418f5f9 4815630 libc6_2.19-1_amd64.deb
 603b49770bfb5925e35b886cb8e36b538dd845a4f7e6e3a5f9b0e631efe8bbc1 2000672 libc6-dev_2.19-1_amd64.deb
 08d64be3180bc1aa964d046548062c54411ccfb85c7a8c55fbb59d6d21aee1ab 1469242 libc6-pic_2.19-1_amd64.deb
 2cb04b7a03925ed0294bf0c37715c1f150bc06223cc758354e2d2c5a19727f66 1287282 libc-bin_2.19-1_amd64.deb
 cbd8d6817a934c543f410183b9ebfb1ce54098ce52908db428017eeeebdf485c 233910 libc-dev-bin_2.19-1_amd64.deb
 f0fa0fec56c503387053b841c999f81dff8466f4ff3492bacb0a8bfae7fe0335 170072 multiarch-support_2.19-1_amd64.deb
 49adbcecbb3e545f74a4cb75e42a3e914c440afa81d6fc15e9ff5f0f5e4944a0 1609656 libc6-prof_2.19-1_amd64.deb
 9199592a49d5b42bbf5c666cdb4c37a1ced9ac97c11dbdaf6043e0398f96fa88 3517866 locales-all_2.19-1_amd64.deb
 6d8b6a02d963fec58b39c9548cbbed8f7f4d9c7282a6a13ff1546d9c25d25060 2369410 libc6-i386_2.19-1_amd64.deb
 3f9b21daa7f5abf1ec0b60feb3182d9b9bf672899b8c37c0d0062ab5546b3b3a 1309868 libc6-dev-i386_2.19-1_amd64.deb
 d89245ec66064c5c1385e89a201179b773bb2023d6b874d6ee03bc7ded1b5578 2591248 libc6-x32_2.19-1_amd64.deb
 45c19117bf3f63c95c1d0b8fe49a99a81a3e59e578ec30c34051204a0a8c4021 1576678 libc6-dev-x32_2.19-1_amd64.deb
 dc38d5b2fcaf56e0a261ba23dac551f00958edc4cc39ab09af3b953669acf0e4 234236 nscd_2.19-1_amd64.deb
 6191f7bce39b5fda20547efe490209f785100873aa3917a3768ee3b45786458e 3429314 libc6-dbg_2.19-1_amd64.deb
 1bb6310ce14093616b99f0072ab582cbd8617424b3490a84151e918c0e51723b 1060256 libc6-udeb_2.19-1_amd64.udeb
 22a1ce0b6749dcc775d8e028ffe6123a8de98a468f9c4a05ab42c293b48dcfae 10036 libnss-dns-udeb_2.19-1_amd64.udeb
 f90ba4e3657fa03d4cb6da4f9ac1212de408cb5eb8f2d2d1a8b0e57a766fc9b4 16512 libnss-files-udeb_2.19-1_amd64.udeb
Files: 
 1c4c2a2c52c9eed0d9722d88f642f021 2284982 doc optional glibc-doc_2.19-1_all.deb
 629e73331376d376559d5cb4d3594219 14226076 devel optional eglibc-source_2.19-1_all.deb
 78d894aa7e87e8b0d37cc46d834201f8 3925742 localization standard locales_2.19-1_all.deb
 443ad299c6375f4861e7afd71cf27383 4815630 libs required libc6_2.19-1_amd64.deb
 232ae350fe47b95eadfef47247827b95 2000672 libdevel optional libc6-dev_2.19-1_amd64.deb
 cbde102bec41fe5204210cec69c3ef77 1469242 libdevel optional libc6-pic_2.19-1_amd64.deb
 2e7a103b2495cd1dc5d7bed164bf3d57 1287282 libs required libc-bin_2.19-1_amd64.deb
 59831e2854c9edb6d941162ce61de489 233910 libdevel optional libc-dev-bin_2.19-1_amd64.deb
 af756e55ba4c48249af8810b09c7dc26 170072 libs required multiarch-support_2.19-1_amd64.deb
 84a6bd12cfcbdcb649fc94f062e8cd7a 1609656 libdevel extra libc6-prof_2.19-1_amd64.deb
 fb17eb20d9eee93b1384197113b2424d 3517866 localization extra locales-all_2.19-1_amd64.deb
 e024e8554644358a8614467cebdb479f 2369410 libs optional libc6-i386_2.19-1_amd64.deb
 608ab214b2a4538aa33270e71d1358f5 1309868 libdevel optional libc6-dev-i386_2.19-1_amd64.deb
 79d99ab94b2d1e1a771ab3ba6c50da05 2591248 libs optional libc6-x32_2.19-1_amd64.deb
 ed1761c3e6c24cca6355e38a5b845bc9 1576678 libdevel optional libc6-dev-x32_2.19-1_amd64.deb
 107a3b58571c69587d86328de88724ae 234236 admin optional nscd_2.19-1_amd64.deb
 72c02195a20dff1c989614f75b20ad32 3429314 debug extra libc6-dbg_2.19-1_amd64.deb
 0c62bda5c8de864a89b8cdcbeeb3931f 1060256 debian-installer extra libc6-udeb_2.19-1_amd64.udeb
 ba2e84b8a15071a5d1571effebe52ab6 10036 debian-installer extra libnss-dns-udeb_2.19-1_amd64.udeb
 6ca03a320cb33b021f295dfd830c592d 16512 debian-installer extra libnss-files-udeb_2.19-1_amd64.udeb
 f96d82571fe89dce1ee6a35a27e4e4d1 7361 libs required eglibc_2.19-1.dsc
 e90692f2ecc770e3bb48fec13535c54b 980948 libs required eglibc_2.19-1.debian.tar.xz
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBU4+DyLqceAYd3YybAQj0aQ/8DzRMBHhwUO71PIO9ykLrFBFN4WgRfkZG
dlzTIWDEn70FZB57Rtw/eEM9wxFJiN7IwyP2uSHUHj4eD6HPCSJvdKCTdHirZK1q
1sKIL5Ary++TIbMRZCcv4+Jxuvmjb+AbWQvWHPPgPYY05v/egWaa88QMWVJVJ3La
cRyKBimMOj2q4wJSEK0Ns3+6s8T1JfrD755vVxlXyJTKKaR+0X3EbPuyra5OKLVA
s0gB/c5x8FWW+h5PClZa7lduelnSI5onCGQgOAjLsBK/ZqcZZUCXGCrEUGntwhQ+
YF81OqMMazfWqu89D1p3Q9AyNE5hBLjdRTubk9lpCY85/3YFkXfrkx6qo5pj3382
pgDxhLjOXzXDwdMmUpDMQVogf6t91nm9lXL9QycyDsi9lf04fCmL4d+MIdPG873h
sKAZBQGJ8jqk3dG+I3wYNh+8aAYOuQ6DP3EugUZmBanmKv9vP+CyC+4mzVbcsE7J
8TyJDlxnkBE7WzQQoWrKDJRZceUzn/MTlefDs88/IaztW9dWU1RGMwSOCsmazIYp
zeKETCluRiegNoUJSuq2JjQmWV8+ya5icroOKUvydPlYhMhPksd8wztcAnSTZY8R
WLrkUbCFoeWcJzxaPCtm3IZzNFZP2rEwJbdUENaqJlStEQiKfm4SNV5tvYbCDFug
D+77NxzDosE=
=BJ84
-----END PGP SIGNATURE-----

Message #27 received at 722075@bugs.debian.org (full text, mbox, reply):

From: Ian Ward <ianshward@gmail.com>

To: 722075@bugs.debian.org

Subject: Still seems broken

Date: Thu, 19 Jun 2014 09:05:31 -0400

Hello, I grabbed the eglibc from the sid repository and pointed the
bug.c program at it, verified with ldd that the bug program would use
the new eglibc version, and observed the socket still receives DNS
requests.

Message #32 received at 722075@bugs.debian.org (full text, mbox, reply):

From: Aurelien Jarno <aurelien@aurel32.net>

To: Ian Ward <ianshward@gmail.com>, 722075@bugs.debian.org

Subject: Re: Bug#722075: Still seems broken

Date: Thu, 19 Jun 2014 16:54:29 +0200

On Thu, Jun 19, 2014 at 09:05:31AM -0400, Ian Ward wrote:
> Hello, I grabbed the eglibc from the sid repository and pointed the
> bug.c program at it, verified with ldd that the bug program would use
> the new eglibc version, and observed the socket still receives DNS
> requests.

What is the output of ldd in that case? Does it really use the new
libresolv.so.2 file? The best would actually to install this version.

I did run the bug.c file from the first mail with and without the fix,
and I was able to confirm the problem is correctly fixed.

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net

Message #37 received at 722075@bugs.debian.org (full text, mbox, reply):

From: Ian Ward <ianshward@gmail.com>

To: Aurelien Jarno <aurelien@aurel32.net>

Cc: 722075@bugs.debian.org

Subject: Re: Bug#722075: Still seems broken

Date: Thu, 19 Jun 2014 11:17:59 -0400

I apologize.  I tested incorrectly.  It looks fixed now in my new
test.  The new libresolv.so.2 could not have been used in my initial
test of the fix.  I tested again now with the entire contents of
https://packages.debian.org/jessie/amd64/libc6/download placed in
/usr/local/lib and I do not see the socket receiving any DNS requests.
Sorry for the confusion, and thanks.

On Thu, Jun 19, 2014 at 10:54 AM, Aurelien Jarno <aurelien@aurel32.net> wrote:
> On Thu, Jun 19, 2014 at 09:05:31AM -0400, Ian Ward wrote:
>> Hello, I grabbed the eglibc from the sid repository and pointed the
>> bug.c program at it, verified with ldd that the bug program would use
>> the new eglibc version, and observed the socket still receives DNS
>> requests.
>
> What is the output of ldd in that case? Does it really use the new
> libresolv.so.2 file? The best would actually to install this version.
>
> I did run the bug.c file from the first mail with and without the fix,
> and I was able to confirm the problem is correctly fixed.
>
> --
> Aurelien Jarno                          GPG: 4096R/1DDD8C9B
> aurelien@aurel32.net                 http://www.aurel32.net

Message #46 received at 722075@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>

To: 722075@bugs.debian.org

Subject: Re: libc6: getaddrinfo() sends DNS queries to random file descriptors

Date: Thu, 29 Jan 2015 23:53:54 +0000

[Message part 1 (text/plain, inline)]

Control: retitle -1 libc6: getaddrinfo() sends DNS queries to random file descriptors (CVE-2013-7423)
Control: forwarded -1 https://sourceware.org/bugzilla/show_bug.cgi?id=15946
Control: severity -1 serious
Control: found -1 eglibc 2.11.3-4+deb6u4
Control: found -1 eglibc 2.13-38+deb7u7

This bug came up again at
<http://www.openwall.com/lists/oss-security/2015/01/28/16>.  It still
needs fixing in wheezy and squeeze-lts.

Ben.

-- 
Ben Hutchings
The world is coming to an end.	Please log off.

[signature.asc (application/pgp-signature, inline)]

Message #61 received at 722075@bugs.debian.org (full text, mbox, reply):

From: Aurelien Jarno <aurelien@aurel32.net>

To: Ben Hutchings <ben@decadent.org.uk>

Cc: 722075@bugs.debian.org

Subject: Re: libc6: getaddrinfo() sends DNS queries to random file descriptors

Date: Wed, 11 Feb 2015 22:11:53 +0100

[Message part 1 (text/plain, inline)]

Control: notfound -1 eglibc 2.13-38+deb7u7
Control: fixed -1 eglibc/2.13-38+deb7u5

On 2015-01-29 23:53, Ben Hutchings wrote:
> Control: retitle -1 libc6: getaddrinfo() sends DNS queries to random file descriptors (CVE-2013-7423)
> Control: forwarded -1 https://sourceware.org/bugzilla/show_bug.cgi?id=15946
> Control: severity -1 serious
> Control: found -1 eglibc 2.11.3-4+deb6u4
> Control: found -1 eglibc 2.13-38+deb7u7
> 
> This bug came up again at
> <http://www.openwall.com/lists/oss-security/2015/01/28/16>.  It still
> needs fixing in wheezy and squeeze-lts.

It does NOT need to be fixed on wheezy, as it was already done a few
months ago as part of the 2.13-38+deb7u5 upload:

| eglibc (2.13-38+deb7u5) wheezy; urgency=medium
| 
|   * debian/patches/any/cvs-resolv-reuse-fd.diff: new patch from upstream
|     to fix invalid file descriptor reuse while sending DNS query.  Closes:
|     #722075, #756343.
|   * debian/patches/any/cvs-CVE-2013-4357.diff: new patch from upstream to
|     fix stack overflow issues. Closes: #742925.
|   * debian/patches/any/submitted-CVE-2014-0475.diff: update from upstream
|     to fix a localplt regression introduced in version 2.13-38+deb7u3.
|   * patches/any/cvs-dlopen-tls-memleak.patch: new patch from upstream to
|     fix a memory leak with dlopen() and thread-local storage variables.
|     Closes: #763559.
|   * debian/TODO, debian/debhelper.in/glibc-doc.{install,links,manpage}:
|     re-add files lost in the deb7u3 and deb7u4 security upgrades, causing
|     the glibc-doc package to be almost empty.
| 
|  -- Aurelien Jarno <aurel32@debian.org>  Wed, 08 Oct 2014 22:50:01 +0200

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net

[signature.asc (application/pgp-signature, inline)]

Message #70 received at 722075@bugs.debian.org (full text, mbox, reply):

From: Ben Hutchings <ben@decadent.org.uk>

To: Aurelien Jarno <aurelien@aurel32.net>

Cc: 722075@bugs.debian.org

Subject: Re: libc6: getaddrinfo() sends DNS queries to random file descriptors

Date: Mon, 16 Feb 2015 00:09:41 +0000

[Message part 1 (text/plain, inline)]

On Wed, 2015-02-11 at 22:11 +0100, Aurelien Jarno wrote:
> Control: notfound -1 eglibc 2.13-38+deb7u7
> Control: fixed -1 eglibc/2.13-38+deb7u5
> 
> On 2015-01-29 23:53, Ben Hutchings wrote:
> > Control: retitle -1 libc6: getaddrinfo() sends DNS queries to random file descriptors (CVE-2013-7423)
> > Control: forwarded -1 https://sourceware.org/bugzilla/show_bug.cgi?id=15946
> > Control: severity -1 serious
> > Control: found -1 eglibc 2.11.3-4+deb6u4
> > Control: found -1 eglibc 2.13-38+deb7u7
> > 
> > This bug came up again at
> > <http://www.openwall.com/lists/oss-security/2015/01/28/16>.  It still
> > needs fixing in wheezy and squeeze-lts.
> 
> It does NOT need to be fixed on wheezy, as it was already done a few
> months ago as part of the 2.13-38+deb7u5 upload:
[...]

Sorry Aurelien, I assumed this was a 3.0 (quilt) package so I mistakenly
looked at the unpatched source.

Ben.

-- 
Ben Hutchings
Never attribute to conspiracy what can adequately be explained by stupidity.

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.