Bug 32328

Summary: glibc new DoS security issue due to memory leak in getaddrinfo.c, CVE-2023-5156
Product: Mageia
Reporter: Marja Van Waes <marja11>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, fri, nicolas.salguero, sysadmin-bugs
Version: 9
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://nvd.nist.gov/vuln/detail/CVE-2023-5156 https://bugzilla.redhat.com/show_bug.cgi?id=2240541
See Also: https://bugs.mageia.org/show_bug.cgi?id=32292
Whiteboard: MGA9-64-OK
Source RPM: glibc-2.36-49.mga9.src.rpm
CVE: 2023-5156
Status comment:

Description Marja Van Waes 2023-09-27 11:38:10 CEST
A new glibc security issue was introduced by the fix for CVE-2023-4806.

The affected glibc package for Mageia 9 has (at this moment) not yet been moved from testing to core/updates, but is ready to be moved.
Marja Van Waes 2023-09-27 11:38:28 CEST

Whiteboard: (none) => MGA9TOO

Comment 1 Nicolas Salguero 2023-09-28 11:15:51 CEST
Hi,

Actually, the glibc package has been moved to core/updates.

glibc-2.36-50.mga{9|10} are currently building and they contain the patch for that new CVE.

Best regards,

Nico.

CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Assignee: basesystem => nicolas.salguero

Comment 2 Nicolas Salguero 2023-09-29 09:46:19 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A flaw was found in the GNU C Library. A recent fix for CVE-2023-4806 introduced the potential for a memory leak, which may result in an application crash. (CVE-2023-5156)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5156
========================

Updated packages in core/updates_testing:
========================
glibc-2.36-50.mga9
glibc-devel-2.36-50.mga9
glibc-doc-2.36-50.mga9
glibc-i18ndata-2.36-50.mga9
glibc-profile-2.36-50.mga9
glibc-static-devel-2.36-50.mga9
glibc-utils-2.36-50.mga9
nscd-2.36-50.mga9

from SRPM:
glibc-2.36-50.mga9.src.rpm

Version: Cauldron => 9
Source RPM: glibc-2.36-49.mga9, glibc-2.36-49.mga10 => glibc-2.36-49.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Assignee: nicolas.salguero => qa-bugs

Comment 3 Morgan Leijström 2023-09-30 09:42:03 CEST
mga9-64 no regressions noted.
Normal desktop activities
Plasma, Intel I7-870

CC: (none) => fri

Comment 4 Thomas Andrews 2023-10-03 02:08:55 CEST
Have used this for a couple of days now, with no regressions noticed.

Giving it an OK and Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA9-64-OK

Marja Van Waes 2023-10-03 10:10:22 CEST

Keywords: (none) => advisory

Comment 5 Mageia Robot 2023-10-03 12:56:25 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0281.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED