CVE-2016-10739 in Ubuntu

CVE-2016-10739

Priority

Description

In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo
function would successfully parse a string that contained an IPv4 address
followed by whitespace and arbitrary characters, which could lead
applications to incorrectly assume that it had parsed a valid string,
without the possibility of embedded HTTP headers or other potentially
dangerous substrings.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10739

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920047
https://bugzilla.redhat.com/show_bug.cgi?id=1347549
https://sourceware.org/bugzilla/show_bug.cgi?id=20018

Notes

mdeslaur	glibc uses this internally to parse config files, fixing this may introduce unwanted regressions and changes in behaviour
leosilva	See CVE-2019-18348 for Python that is affected by this issue.

Package

Source: eglibc (LP Ubuntu Debian)

Upstream:	needs-triage
Ubuntu 18.04 LTS:	DNE
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 14.04 ESM:	needs-triage

Patches:

Package

Source: glibc (LP Ubuntu Debian)

Upstream:	released (2.29)
Ubuntu 18.04 LTS:	needed
Ubuntu 20.04 LTS:	not-affected (2.29-0ubuntu2)
Ubuntu 21.10:	not-affected (2.29-0ubuntu2)
Ubuntu 16.04 ESM:	needed
Ubuntu 22.04 LTS:	not-affected (2.29-0ubuntu2)
Ubuntu 14.04 ESM:	DNE

Patches:

Upstream:	https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=108bc4049f8ae82710aec26a92ffdb4b439c83fd (master)
Upstream:	https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8e92ca5dd7a7e38a4dddf1ebc4e1e8f0cb27e4aa (2.28)
Upstream:	https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=37edf1d3f8ab9adefb61cc466ac52b53114fbd5b (2.28)
Upstream:	https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2373941bd73cb288c8a42a33e23e7f7bb81151e7 (2.28)
Upstream:	https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c533244b8e00ae701583ec50aeb43377d292452d (2.28)

More Information

Updated: 2022-04-25 00:16:52 UTC (commit ecc1009cb19540b950de59270950018900f37f15)