CVE-2016-10739

Published: 21 January 2019

In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.
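The defensive check an application can apply regardless of which glibc it runs on is to validate a numeric host literal itself before embedding it anywhere (a URL, an HTTP Host header, a config line). The following is an added example, not code from the Ubuntu tracker or from glibc: `strict_ipv4` accepts only an exact dotted-decimal literal via `inet_pton(AF_INET)`, which returns 0 on any byte that is not a digit or a dot, so trailing whitespace or header-like text is rejected. `libc_numeric_accepts` asks the installed libc the same question through `getaddrinfo(AI_NUMERICHOST)`; its answer for inputs with trailing junk depends on whether the running glibc carries the 2.29 fix, which is why only the strict parser is treated as authoritative. The sample inputs are constructed for the demonstration.

```c
/* Added example: strict IPv4 literal validation as an application-side
 * mitigation for CVE-2016-10739. Not part of glibc or the tracker page. */
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Returns 1 and fills *out (if non-NULL) when s is exactly one
 * dotted-decimal IPv4 literal with nothing before or after it;
 * returns 0 otherwise. inet_pton(AF_INET) stops with failure on the
 * first byte that is not a digit or '.', so "192.0.2.1 Host: x" and
 * "192.0.2.1\t" are both rejected, as is an out-of-range octet. */
int strict_ipv4(const char *s, struct in_addr *out)
{
    struct in_addr tmp;

    if (s == NULL || *s == '\0')
        return 0;
    if (inet_pton(AF_INET, s, &tmp) != 1)
        return 0;
    if (out != NULL)
        *out = tmp;
    return 1;
}

/* Returns 1 if the running libc's getaddrinfo() accepts s as a numeric
 * host. AI_NUMERICHOST means no DNS lookup is performed. The result for
 * strings with trailing characters is libc-dependent: glibc < 2.29
 * (unfixed) returns 1, fixed versions return 0. Not asserted on. */
int libc_numeric_accepts(const char *s)
{
    struct addrinfo hints;
    struct addrinfo *res = NULL;
    int rc;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    hints.ai_flags = AI_NUMERICHOST;
    rc = getaddrinfo(s, NULL, &hints, &res);
    if (rc == 0) {
        freeaddrinfo(res);
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: one valid literal, three that must be rejected. */
    const char *inputs[] = {
        "192.0.2.1",
        "192.0.2.1 Host: example.invalid",
        "192.0.2.1\t",
        "192.0.2.256",
    };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-36s strict=%d libc_numeric=%d\n", inputs[i],
               strict_ipv4(inputs[i], NULL),
               libc_numeric_accepts(inputs[i]));
    }
    return 0;
}
```

Running the program on a host with an unfixed glibc shows `strict=0 libc_numeric=1` for the second and third inputs, which is exactly the gap the CVE describes; on glibc 2.29 or later both columns agree. Applications that take a host string from an untrusted source and later place it into a text protocol should gate on `strict_ipv4` (or an equivalent exact parse) rather than on `getaddrinfo` succeeding.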

Priority

Low

CVSS 3 base score: 5.3

Status

Package: eglibc (Launchpad, Ubuntu, Debian)
  Release                              Status
  Upstream                             Needs triage
  Ubuntu 20.10 (Groovy Gorilla)        Does not exist
  Ubuntu 20.04 LTS (Focal Fossa)       Does not exist
  Ubuntu 18.04 LTS (Bionic Beaver)     Does not exist
  Ubuntu 16.04 LTS (Xenial Xerus)      Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr)       Needs triage
  Ubuntu 12.04 ESM (Precise Pangolin)  Needs triage

Package: glibc (Launchpad, Ubuntu, Debian)
  Release                              Status
  Upstream                             Released (2.29)
  Ubuntu 20.10 (Groovy Gorilla)        Not vulnerable (2.29-0ubuntu2)
  Ubuntu 20.04 LTS (Focal Fossa)       Not vulnerable (2.29-0ubuntu2)
  Ubuntu 18.04 LTS (Bionic Beaver)     Needed
  Ubuntu 16.04 LTS (Xenial Xerus)      Needed
  Ubuntu 14.04 ESM (Trusty Tahr)       Does not exist
  Ubuntu 12.04 ESM (Precise Pangolin)  Does not exist

Patches:
Upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=108bc4049f8ae82710aec26a92ffdb4b439c83fd (master)
Upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8e92ca5dd7a7e38a4dddf1ebc4e1e8f0cb27e4aa (2.28)
Upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=37edf1d3f8ab9adefb61cc466ac52b53114fbd5b (2.28)
Upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2373941bd73cb288c8a42a33e23e7f7bb81151e7 (2.28)
Upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c533244b8e00ae701583ec50aeb43377d292452d (2.28)

Notes

Author     Note
mdeslaur   glibc uses this internally to parse config files; fixing this may introduce unwanted regressions and changes in behaviour.
leosilva   See CVE-2019-18348 for Python, which is affected by this issue.

References

Bugs