CVE-2016-10739

Description

In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possibility of embedded HTTP headers or other potentially dangerous substrings.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
eglibc	25.10 questing	Not in release
	25.04 plucky	Not in release
	24.10 oracular	Not in release
	24.04 LTS noble	Not in release
	23.10 mantic	Not in release
	23.04 lunar	Not in release
	22.10 kinetic	Not in release
	22.04 LTS jammy	Not in release
	21.10 impish	Not in release
	21.04 hirsute	Not in release
	20.10 groovy	Not in release
	20.04 LTS focal	Not in release
	19.10 eoan	Not in release
	19.04 disco	Not in release
	18.10 cosmic	Not in release
	18.04 LTS bionic	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Vulnerable
glibc	25.10 questing	Not affected
	25.04 plucky	Not affected
	24.10 oracular	Not affected
	24.04 LTS noble	Not affected
	23.10 mantic	Not affected
	23.04 lunar	Not affected
	22.10 kinetic	Not affected
	22.04 LTS jammy	Not affected
	21.10 impish	Not affected
	21.04 hirsute	Not affected
	20.10 groovy	Not affected
	20.04 LTS focal	Not affected
	19.10 eoan	Not affected
	19.04 disco	Not affected
	18.10 cosmic	Ignored end of life
	18.04 LTS bionic	Ignored change too intrusive
	16.04 LTS xenial	Ignored change too intrusive
	14.04 LTS trusty	Not in release

Notes

mdeslaur

glibc uses this internally to parse config files, fixing this may introduce unwanted regressions and changes in behaviour

leosilva

See CVE-2019-18348 for Python that is affected by this issue.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
glibc	Upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=108bc4049f8ae82710aec26a92ffdb4b439c83fd Upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8e92ca5dd7a7e38a4dddf1ebc4e1e8f0cb27e4aa Upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=37edf1d3f8ab9adefb61cc466ac52b53114fbd5b Upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2373941bd73cb288c8a42a33e23e7f7bb81151e7 Upstream: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c533244b8e00ae701583ec50aeb43377d292452d

Package

Patch details

glibc

Severity score breakdown

Parameter	Value
Base score	5.3 · Medium
Attack vector	Local
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	Low
Integrity impact	Low
Availability impact	Low
Vector	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

References

Other references

https://www.cve.org/CVERecord?id=CVE-2016-10739

CVE-2016-10739

Cvss 3 Severity Score

Description

Status

Notes

Patch details

Severity score breakdown

References

Other references