CVE-2016-5417

Published: 16 February 2017

Memory leak in the __res_vinit function in the IPv6 name server management code in libresolv in GNU C Library (aka glibc or libc6) before 2.24 allows remote attackers to cause a denial of service (memory consumption) by leveraging partial initialization of internal resolver data structures.

From the Ubuntu security team

Tim Ruehsen discovered that the getaddrinfo() implementation in the GNU C Library did not properly track memory allocations. An attacker could use this to cause a denial of service.

Priority

Low

CVSS 3 base score: 7.5

Status

Package Release Status
eglibc
Launchpad, Ubuntu, Debian
Upstream Not vulnerable
(pre 2.22)
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(pre 2.22)
glibc
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 16.04 ESM (Xenial Xerus)
Released (2.23-0ubuntu6)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5e7fdabd7df1fc6c56d104e61390bf5a6b526c38 (trunk)
Upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=317da342ba4417c30d985f5593d78bb1364a62c3 (2.23)