Your submission was sent successfully! Close

CVE-2015-5180

Published: 10 August 2015

res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash).

From the Ubuntu security team

Florian Weimer discovered a NULL pointer dereference in the DNS resolver of the GNU C Library. An attacker could use this to cause a denial of service.

Notes

AuthorNote
tyhicks
See test case in the bug
no fix upstream as of 2016-09-09
sbeattie
patch committed upstream on 2016-12-31; renames symbol so
backporting may not be easy.
commit included in glibc 2.25 release
debian fixed this in unstable in 2.24-9
fixing this does indeed break the internal ABI between
libnss_dns and libresolv. We're backing out this change.
reverted from zesty in 2.24-9ubuntu2 by infinity.
For existing releases, DO NOT APPLY THIS PATCH due to ABI
breakage. Fix will come in to 17.10 when we get glibc-2.25 as we
do not guarantee ABI for libresolv internals across different glibc
releases, just for upgrades for same versions e.g. (2.24 -> 2.24)
REPEAT: DO NOT APPLY THIS PATCH (UNMODIFIED) IN A STABLE RELEASE
mdeslaur
marking this issue as ignored, as we will not be fixing this
in Ubuntu stable releases.
Priority

Low

CVSS 3 base score: 7.5

Status

Package Release Status
eglibc
Launchpad, Ubuntu, Debian
artful Does not exist

bionic Does not exist

cosmic Does not exist

disco Does not exist

eoan Does not exist

focal Does not exist

precise Ignored

trusty Ignored

upstream Needed

vivid Does not exist

wily Does not exist

xenial Does not exist

yakkety Does not exist

zesty Does not exist

glibc
Launchpad, Ubuntu, Debian
artful Ignored
(reached end-of-life)
bionic Not vulnerable
(2.27-3ubuntu1)
cosmic Not vulnerable
(2.27-3ubuntu1)
disco Not vulnerable
(2.27-3ubuntu1)
eoan Not vulnerable
(2.27-3ubuntu1)
focal Not vulnerable
(2.27-3ubuntu1)
precise Does not exist

trusty Does not exist

upstream
Released (2.25)
vivid Ignored
(reached end-of-life)
wily Ignored
(reached end-of-life)
xenial Ignored

yakkety Ignored
(reached end-of-life)
zesty Ignored
(reached end-of-life)
Patches:
upstream: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=fc82b0a2dfe7dbd35671c10510a8da1043d746a5 (2.25)
upstream: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=b3b37f1a5559a7620e31c8053ed1b44f798f2b6d (2.24)