CVE-2016-10739
Published: 21 January 2019
In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.
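An added example, not code from this advisory or from glibc: a C pre-check that an application on an affected glibc can run on a host string before handing it to getaddrinfo. The function names and sample inputs are constructed for illustration; the check relies on inet_pton() accepting only a complete dotted-quad address with nothing after it.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>

/* Returns 1 if s is non-empty and has no whitespace or control bytes.
 * The advisory describes an address followed by whitespace and arbitrary
 * characters being accepted, so such a string is refused up front. */
int host_is_clean(const char *s)
{
    if (s == NULL || *s == '\0')
        return 0;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        if (isspace(*p) || iscntrl(*p))
            return 0;
    return 1;
}

/* Returns 1 only for a strict IPv4 literal: inet_pton() fails if any
 * text follows the address. */
int is_strict_ipv4(const char *s)
{
    struct in_addr addr;
    return host_is_clean(s) && inet_pton(AF_INET, s, &addr) == 1;
}

/* Hypothetical helper: 0 = reject, 1 = IPv4 literal,
 * 2 = treat as a name and pass to getaddrinfo(). */
int classify_host(const char *s)
{
    if (!host_is_clean(s))
        return 0;
    return is_strict_ipv4(s) ? 1 : 2;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = {
        "127.0.0.1",
        "127.0.0.1 \r\nX-Injected: 1",
        "example.com",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d\n", classify_host(samples[i]));
    return 0;
}
```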
Notes
Author | Note |
---|---|
mdeslaur | glibc uses this internally to parse config files, fixing this may introduce unwanted regressions and changes in behaviour |
leosilva | See CVE-2019-18348 for Python that is affected by this issue. |
Priority
Status
Package | Release | Status |
---|---|---|
eglibc | bionic | Does not exist |
eglibc | cosmic | Does not exist |
eglibc | disco | Does not exist |
eglibc | eoan | Does not exist |
eglibc | focal | Does not exist |
eglibc | groovy | Does not exist |
eglibc | hirsute | Does not exist |
eglibc | impish | Does not exist |
eglibc | jammy | Does not exist |
eglibc | kinetic | Does not exist |
eglibc | lunar | Does not exist |
eglibc | mantic | Does not exist |
eglibc | trusty | Needed |
eglibc | upstream | Needs triage |
eglibc | xenial | Does not exist |
glibc | bionic | Ignored (change too intrusive) |
glibc | cosmic | Ignored (end of life) |
glibc | disco | Not vulnerable (2.29-0ubuntu2) |
glibc | eoan | Not vulnerable (2.29-0ubuntu2) |
glibc | focal | Not vulnerable (2.29-0ubuntu2) |
glibc | groovy | Not vulnerable (2.29-0ubuntu2) |
glibc | hirsute | Not vulnerable (2.29-0ubuntu2) |
glibc | impish | Not vulnerable (2.29-0ubuntu2) |
glibc | jammy | Not vulnerable (2.29-0ubuntu2) |
glibc | kinetic | Not vulnerable (2.29-0ubuntu2) |
glibc | lunar | Not vulnerable (2.29-0ubuntu2) |
glibc | mantic | Not vulnerable (2.29-0ubuntu2) |
glibc | trusty | Does not exist |
glibc | upstream | Released (2.29) |
glibc | xenial | Ignored (change too intrusive) |

Patches (glibc):

upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=108bc4049f8ae82710aec26a92ffdb4b439c83fd

upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8e92ca5dd7a7e38a4dddf1ebc4e1e8f0cb27e4aa

upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=37edf1d3f8ab9adefb61cc466ac52b53114fbd5b

upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2373941bd73cb288c8a42a33e23e7f7bb81151e7

upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c533244b8e00ae701583ec50aeb43377d292452d

Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.3 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | Low |
Vector | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |