PublicDateAtUSN: 2017-02-16
Candidate: CVE-2016-5417
PublicDate: 2017-02-17 02:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5417
 http://www.openwall.com/lists/oss-security/2016/08/02/5
 https://sourceware.org/bugzilla/show_bug.cgi?id=19257
 https://ubuntu.com/security/notices/USN-3239-1
Description:
 Memory leak in the __res_vinit function in the IPv6 name server management
 code in libresolv in GNU C Library (aka glibc or libc6) before 2.24 allows
 remote attackers to cause a denial of service (memory consumption) by
 leveraging partial initialization of internal resolver data structures.
Ubuntu-Description:
 Tim Ruehsen discovered that the getaddrinfo() implementation in the GNU
 C Library did not properly track memory allocations. An attacker could
 use this to cause a denial of service.
Notes:
 sbeattie> introduced in 2.22 commit 2212c1420c92a33b0e0bd9a34938c9814a56c0f7
Bugs:
Priority: low
Discovered-by: Tim Ruehsen
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]

Patches_eglibc:
upstream_eglibc: not-affected (pre 2.22)
precise_eglibc: not-affected (pre 2.22)
trusty_eglibc: not-affected (pre 2.22)
trusty/esm_eglibc: not-affected (pre 2.22)
vivid/ubuntu-core_eglibc: DNE
vivid/stable-phone-overlay_eglibc: DNE
wily_eglibc: DNE
xenial_eglibc: DNE
yakkety_eglibc: DNE
devel_eglibc: DNE

Patches_glibc:
 upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5e7fdabd7df1fc6c56d104e61390bf5a6b526c38 (trunk)
 upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=317da342ba4417c30d985f5593d78bb1364a62c3 (2.23)
upstream_glibc: needs-triage
precise_glibc: DNE
trusty_glibc: DNE
trusty/esm_glibc: DNE
vivid/ubuntu-core_glibc: not-affected (pre 2.22)
vivid/stable-phone-overlay_glibc: not-affected (pre 2.22)
wily_glibc: not-affected (pre 2.22)
xenial_glibc: released (2.23-0ubuntu6)
esm-infra/xenial_glibc: released (2.23-0ubuntu6)
yakkety_glibc: not-affected (2.24-0ubuntu1)
devel_glibc: not-affected (2.24-0ubuntu1)