Okay, this is confirmed. It appears to be stack exhaustion within libc
while handling nss_files's getent call to read a 200K line from the
/etc/hosts file:
    while (1)
      {
        /* Reentrant lookup; returns ERANGE when tmpbuf is too small for the
           result (here, a 200K-character /etc/hosts line).  */
        rc = __gethostbyname2_r (name, family, &th, tmpbuf,
                                 tmpbuflen, &h, &herrno);
        if (rc != ERANGE || herrno != NETDB_INTERNAL)
          break;
        /* Double the buffer on the stack and retry; nothing bounds the growth.  */
        tmpbuf = extend_alloca (tmpbuf, tmpbuflen, 2 * tmpbuflen);
      }
This extend_alloca eventually reaches way above stack memory and
segfaults. This problem seems specific to nss_files, and requires a very
unusual local configuration, so I'm going to unmark this as a private
security issue. Thanks!
** Changed in: glibc (Ubuntu)
       Importance: Undecided => Low
         Assignee: Kees Cook => (unassigned)
           Status: Incomplete => Triaged
** Visibility changed to: Public
** This bug is no longer flagged as a security issue
--
Constant resolver crashes after fiesty upgrade
https://bugs.launchpad.net/bugs/130693
You received this bug notification because you are a member of Ubuntu
Bugs, which is a direct subscriber.
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
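The retry loop quoted in the comment above grows its buffer on the stack without limit. The following is an added example, not glibc's code: `fake_lookup` is a hypothetical stand-in for `__gethostbyname2_r`, the 200K line length is constructed, and `lookup_bounded` shows the defensive pattern of moving the growing buffer to the heap and capping it, so an oversized /etc/hosts line fails the lookup instead of exhausting the stack.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed input size: a 200K-character hosts line, as in the report.  */
#define LINE_LEN (200 * 1024)

/* Hypothetical stand-in for __gethostbyname2_r: like the reentrant NSS
   calls it returns ERANGE when the caller's buffer is too small.  */
static int fake_lookup(char *buf, size_t buflen, size_t needed)
{
    if (buflen < needed)
        return ERANGE;
    memset(buf, 'x', needed);   /* pretend to copy the result in */
    return 0;
}

/* Bounded retry loop: start with a small stack buffer, move to the heap
   when it must grow, and refuse to grow past max_total.  Returns the
   buffer size that finally succeeded, or 0 if the cap was hit.  */
size_t lookup_bounded(size_t needed, size_t max_total)
{
    char stackbuf[1024];
    char *buf = stackbuf, *heapbuf = NULL;
    size_t buflen = sizeof stackbuf, result = 0;

    for (;;) {
        if (fake_lookup(buf, buflen, needed) != ERANGE) {
            result = buflen;
            break;
        }
        if (buflen >= max_total)      /* cap reached: fail, do not grow */
            break;
        size_t newlen = 2 * buflen;
        if (newlen > max_total)
            newlen = max_total;
        char *p = realloc(heapbuf, newlen);   /* heap, never alloca */
        if (p == NULL)
            break;
        heapbuf = buf = p;
        buflen = newlen;
    }
    free(heapbuf);
    return result;
}
```

With a 1 MiB cap the 200K line is served from a 256 KiB heap buffer; with a 128 KiB cap the lookup is refused rather than retried forever.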