[Bug 2037516] Re: glibc: CVE-2023-5156: Memory leak in getaddrinfo after fix for CVE-2023-4806

Daniel Black 2037516 at bugs.launchpad.net
Fri Nov 24 10:30:36 UTC 2023 

The CVE status on https://ubuntu.com/security/CVE-2023-5156 for most
Ubuntu Distos is "Deferred" however according to
https://git.launchpad.net/ubuntu-cve-tracker/tree/README#n352-
"Deferred" says the "package is vulnerable".

As a result of this vulnerable indicator, all ubuntu (non-manic) based
container images are being reported as vulnerable on Docker Scout.

e.g.: top CVE on
https://hub.docker.com/layers/library/mariadb/latest/images/sha256-7c58576f7e85def1dab9bf216d2de666c72e724aa4a7cf8c8cd5f1f0935827aa?context=explore


A "not-affected" affected classification would be more appropriate.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/2037516

Title:
  glibc: CVE-2023-5156: Memory leak in getaddrinfo after fix for
  CVE-2023-4806

Status in glibc package in Ubuntu:
  Fix Released
Status in glibc package in Debian:
  Fix Released

Bug description:
  Imported from Debian bug http://bugs.debian.org/1053002:

  Source: glibc
  Version: 2.37-10
  Severity: important
  Tags: security upstream
  Forwarded: https://sourceware.org/bugzilla/show_bug.cgi?id=30884
  X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

  Hi,

  The following vulnerability was published for glibc.

  Filling mainly for tracking of the issue.

  CVE-2023-5156[0]:
  | A flaw was found in the GNU C Library. A recent fix for
  | CVE-2023-4806 introduced the potential for a memory leak, which may
  | result in an application crash.

  
  If you fix the vulnerability please also make sure to include the
  CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

  For further information see:

  [0] https://security-tracker.debian.org/tracker/CVE-2023-5156
      https://www.cve.org/CVERecord?id=CVE-2023-5156
  [1] https://sourceware.org/bugzilla/show_bug.cgi?id=30884

  Regards,
  Salvatore

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/2037516/+subscriptions

More information about the foundations-bugs mailing list