First published: Thu Apr 28 2016
For historic reasons, inet_addr and inet_aton accept trailing garbage. Some parsers rely on this (for example, libresolv when it parses "nameserver" directives in /etc/resolv.conf). This causes problems because some applications assume that a successful parse as an IPv4 address means that the string consists of just an IPv4 address, and nothing more. Glibc should add a check for trailing garbage and relegate the old behavior to a compatibility symbol. For backporting, glibc should just fix getaddrinfo (and related functions if necessary) so that they will not accept trailing garbage.

Upstream bug: https://sourceware.org/bugzilla/show_bug.cgi?id=20018

Additional note: When used in combination with the flaw described in [CVE-2016-5699](https://access.redhat.com/security/cve/CVE-2016-5699), an attacker could direct an HTTP connection to a malicious server, using the following combined issues:

* Python's httplib does not validate HTTP header values. A malicious 'Host' header with quoted new lines can inject additional headers and more.
* glibc's getaddrinfo() ignores new lines and everything after a new line character when the first part looks like an IPv4 address.

See the following blog post for additional information: http://blog.blindspotsecurity.com/2016/06/advisory-http-header-injection-in.html
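An application-side version of the "nothing more than an IPv4 address" check described above, as an added example (not glibc's code and not part of the advisory). `ipv4_exact` is a hypothetical helper, the inputs are constructed, and rejecting leading zeros is a design choice made for this example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: accept s[0..len) only if it is exactly four decimal
 * octets (0-255) separated by dots. Whitespace, CR/LF, embedded NUL bytes,
 * leading zeros (assumption: treated as invalid rather than octal) and any
 * other trailing byte are rejected. Returns 1 and fills *out in network
 * byte order on success, 0 otherwise. */
int ipv4_exact(const char *s, size_t len, struct in_addr *out)
{
    uint32_t addr = 0;
    size_t i = 0;
    for (int octet = 0; octet < 4; octet++) {
        unsigned value = 0;
        size_t start = i;
        while (i < len && s[i] >= '0' && s[i] <= '9') {
            value = value * 10 + (unsigned)(s[i] - '0');
            if (value > 255) return 0;
            i++;
        }
        size_t digits = i - start;
        if (digits == 0 || (digits > 1 && s[start] == '0')) return 0;
        addr = (addr << 8) | value;
        if (octet < 3) {
            if (i >= len || s[i] != '.') return 0;
            i++;
        }
    }
    if (i != len) return 0;  /* bytes left over after the fourth octet */
    out->s_addr = htonl(addr);
    return 1;
}

int main(void)
{
    /* Constructed sample inputs; the second and third carry trailing data. */
    static const char *samples[] = { "192.0.2.7", "192.0.2.7 trailing",
                                     "192.0.2.7\nextra", "192.0.2.07" };
    for (size_t n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        struct in_addr lenient, strict;
        printf("sample %u: inet_aton=%d ipv4_exact=%d\n", (unsigned)n,
               inet_aton(samples[n], &lenient),
               ipv4_exact(samples[n], strlen(samples[n]), &strict));
    }
    return 0;
}
```

Passing the full buffer length rather than relying on the NUL terminator lets the check also reject data hidden after an embedded NUL byte.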
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/glibc | <2.29 | 2.29 |
redhat/glibc | <0:2.17-292.el7 | 0:2.17-292.el7 |
redhat/glibc | <0:2.28-72.el8 | 0:2.28-72.el8 |
GNU glibc | <=2.28 | |
openSUSE Leap | =15.0 | |