Add advisory text for CVE-2026-5435
Checks
| Context | Check | Description |
|---|---|---|
| redhat-pt-bot/TryBot-apply_patch | success | Patch applied to master at the time it was sent |
| redhat-pt-bot/TryBot-32bit | success | Build for i686 |
| redhat-pt-bot/TryBot-still_applies | warning | Patch no longer applies to master |
Commit Message
---
advisories/GLIBC-SA-2026-0011 | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 advisories/GLIBC-SA-2026-0011
Comments
On 27/04/2026 17:52, Carlos O'Donell wrote:
> ---
> advisories/GLIBC-SA-2026-0011 | 24 ++++++++++++++++++++++++
> 1 file changed, 24 insertions(+)
> create mode 100644 advisories/GLIBC-SA-2026-0011
LGTM.
Reviewed-by: Siddhesh Poyarekar <siddhesh@gotplt.org>
>
> diff --git a/advisories/GLIBC-SA-2026-0011 b/advisories/GLIBC-SA-2026-0011
> new file mode 100644
> index 0000000000..6c1e50fa74
> --- /dev/null
> +++ b/advisories/GLIBC-SA-2026-0011
> @@ -0,0 +1,24 @@
> +Potential buffer overflow in ns_sprintrrf TSIG handling path
> +
> +The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the
> +GNU C Library version 2.2 and newer fail to enforce the caller-supplied
> +buffer length, and can result in an out-of-bounds write when printing
> +TSIG records.
> +
> +A defect in the TSIG case handling within ns_sprintrrf performs a
> +formatted write using sprintf without checking the remaining buffer
> +length, and may write up to 6 bytes past the end of the buffer. If the
> +library is compiled with assertions, and the out-of-bounds write doesn't
> +terminate the process, then a subsequent check for "len <= *buflen" will
> +trigger an assertion failure.
> +
> +These functions are for debugging only and hence not in the default path
> +of code executed by the DNS resolver. Further, they have been deprecated
> +since version 2.34 (2021-08-02) and should not be used by any new
> +applications. Applications should consider porting away from these
> +interfaces since they may be removed in future versions.
> +
> +CVE-Id: CVE-2026-5435
> +Public-Date: 2026-04-02
> +Vulnerable-Commit: b43b13ac2544b11f35be301d1589b51a8473e32b (2.2)
> +Reported-by: shinobu
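Review bot: The first paragraph names the affected functions as ns_printrrf and ns_printrr, while the title and the second paragraph refer to ns_sprintrrf. Use one spelling throughout, so that someone searching the advisory for the symbol their code calls finds it. If the ns_sprint* forms are the intended ones, the first paragraph should read "ns_sprintrrf, ns_sprintrr and fp_nquery".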
* Carlos O'Donell:
> +These functions are for debugging only and hence not in the default path
> +of code executed by the DNS resolver. Further, they have been deprecated
> +since version 2.34 (2021-08-02) and should not be used by any new
> +applications. Applications should consider porting away from these
> +interfaces since they may be removed in future versions.
Drop the “default”, maybe say “application debugging”? The proposed
wording makes it sound like it's configurable to be on the execution
path, which is I believe not the case.
Thanks,
Florian
On 4/28/26 12:47 AM, Florian Weimer wrote:
> * Carlos O'Donell:
>
>> +These functions are for debugging only and hence not in the default path
>> +of code executed by the DNS resolver. Further, they have been deprecated
>> +since version 2.34 (2021-08-02) and should not be used by any new
>> +applications. Applications should consider porting away from these
>> +interfaces since they may be removed in future versions.
>
> Drop the “default”, maybe say “application debugging”? The proposed
> wording makes it sound like it's configurable to be on the execution
> path, which is I believe not the case.
Correct, it's not the case that this code is ever in the execution path
of the stub resolver.
I've used your suggestions in my advisory text.
new file mode 100644
@@ -0,0 +1,24 @@
+Potential buffer overflow in ns_sprintrrf TSIG handling path
+
+The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the
+GNU C Library version 2.2 and newer fail to enforce the caller-supplied
+buffer length, and can result in an out-of-bounds write when printing
+TSIG records.
+
+A defect in the TSIG case handling within ns_sprintrrf performs a
+formatted write using sprintf without checking the remaining buffer
+length, and may write up to 6 bytes past the end of the buffer. If the
+library is compiled with assertions, and the out-of-bounds write doesn't
+terminate the process, then a subsequent check for "len <= *buflen" will
+trigger an assertion failure.
+
+These functions are for debugging only and hence not in the default path
+of code executed by the DNS resolver. Further, they have been deprecated
+since version 2.34 (2021-08-02) and should not be used by any new
+applications. Applications should consider porting away from these
+interfaces since they may be removed in future versions.
+
+CVE-Id: CVE-2026-5435
+Public-Date: 2026-04-02
+Vulnerable-Commit: b43b13ac2544b11f35be301d1589b51a8473e32b (2.2)
+Reported-by: shinobu
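Review bot: The trailer block at the end of the file records Vulnerable-Commit but nothing that identifies the fix, and the description says "version 2.2 and newer" with no upper bound, so a reader cannot tell from the advisory which release or backport closes CVE-2026-5435. Add a Fix-Commit line with the release it first appears in once the fix is committed, or state in the text that no fixed release exists yet.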