CVE-2016-3706

Priority
Low
Description
Stack-based buffer overflow in the getaddrinfo function in
sysdeps/posix/getaddrinfo.c in the GNU C Library (aka glibc or libc6)
allows remote attackers to cause a denial of service (crash) via vectors
involving hostent conversion. NOTE: this vulnerability exists because of an
incomplete fix for CVE-2013-4458.
Ubuntu-Description
Michael Petlan discovered an unbounded stack allocation in the
getaddrinfo() function of the GNU C Library. An attacker could use
this to cause a denial of service.
Notes
 sbeattie> other versions of fixes in glibc bug report
 sbeattie> reverted in Ubuntu 12.04 LTS due to breaking IPv6 name
  resolution
Package
Upstream: needs-triage
Ubuntu 12.04 LTS (Precise Pangolin): needed
Ubuntu 14.04 LTS (Trusty Tahr): released (2.19-0ubuntu6.10)
Ubuntu Touch 15.04: DNE
Ubuntu Core 15.04: DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE
Ubuntu 16.10 (Yakkety Yak): DNE
Ubuntu 17.04 (Zesty Zapus): DNE
Package
Source: glibc (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 LTS (Precise Pangolin): DNE
Ubuntu 14.04 LTS (Trusty Tahr): DNE
Ubuntu Touch 15.04: needs-triage
Ubuntu Core 15.04: needs-triage
Ubuntu 16.04 LTS (Xenial Xerus): released (2.23-0ubuntu6)
Ubuntu 16.10 (Yakkety Yak): not-affected (2.24-0ubuntu1)
Ubuntu 17.04 (Zesty Zapus): not-affected (2.24-0ubuntu1)
Patches:
Upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4ab2ab03d4351914ee53248dc5aef4a8c88ff8b9 (trunk)
Upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1a8a7c12950a0026a3c406a7cb1608f96aa1460e (2.23 fix)

Updated: 2017-03-24 06:14:18 UTC (commit 12294)