CVE-2015-5180

Priority
Low
Description
res_query in libresolv in glibc before 2.25 allows remote attackers to
cause a denial of service (NULL pointer dereference and process crash).
Ubuntu-Description
Florian Weimer discovered a NULL pointer dereference in the DNS
resolver of the GNU C Library. An attacker could use this to cause
a denial of service.
References
Bugs
Notes
 tyhicks> See test case in the bug
 tyhicks> no fix upstream as of 2016-09-09
 sbeattie> patch committed upstream on 2016-12-31; renames symbol so
  backporting may not be easy.
 sbeattie> commit included in glibc 2.25 release
 sbeattie> Debian fixed this in unstable in 2.24-9
 sbeattie> fixing this does indeed break the internal ABI between
  libnss_dns and libresolv. We're backing out this change.
 sbeattie> reverted from zesty in 2.24-9ubuntu2 by infinity.
 sbeattie> For existing releases, DO NOT APPLY THIS PATCH due to ABI
  breakage. Fix will come in to 17.10 when we get glibc-2.25 as we
  do not guarantee ABI for libresolv internals across different
  glibc releases, just for upgrades for same versions
  e.g. (2.24 -> 2.24)
  REPEAT: DO NOT APPLY THIS PATCH (UNMODIFIED) IN A STABLE RELEASE
Package
Upstream:needed
Ubuntu 17.10 (Artful Aardvark):DNE
Ubuntu 12.04 ESM (Precise Pangolin):needed
Ubuntu 14.04 LTS (Trusty Tahr):needed
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 17.04 (Zesty Zapus):DNE
Package
Source: glibc (LP Ubuntu Debian)
Upstream:released (2.25)
Ubuntu 17.10 (Artful Aardvark):needed
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 17.04 (Zesty Zapus):needed
Patches:
Upstream:https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=fc82b0a2dfe7dbd35671c10510a8da1043d746a5 (2.25)
Upstream:https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=b3b37f1a5559a7620e31c8053ed1b44f798f2b6d (2.24)
More Information

Updated: 2017-10-23 12:20:51 UTC (commit 13562)