Comment 9 for bug 1674776

Steve Beattie (sbeattie) wrote:

Dmitry, thanks for the analysis. It looks like the conversion to using gethostbyname4_r for PF_UNSPEC only was for https://sourceware.org/bugzilla/show_bug.cgi?id=14505 (glibc git commit https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=8479f23aa1d5e5477a37f46823856bdafaedfa46 ). This change is in 14.04's (trusty) libc, but not 12.04 (precise).

Can people confirm that they're only seeing this on 12.04? The reason I ask is that the exact same patch for CVE-2016-3706 was applied in 14.04 as well as 12.04.

Using both the testcase you posted in the upstream glibc bug report and the reproducer from upstream #14505, I am now able to reproduce this with the libc 2.15-0ubuntu10.17 from precise, and confirm that things behaved correctly with eglibc 2.15-0ubuntu10.15. I also get correct results with eglibc 2.19-0ubuntu6.11 in 14.04.

At this point I'm inclined to revert the fix for CVE-2016-3706 for 12.04 as the less risky option, despite the appreciated effort you've taken, Dmitry, to come up with a patch to fix the issue. There is an eglibc package for precise that has that revert building in the ubuntu-security-proposed ppa https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/ and I would very much appreciate any testing you can give it.

Thanks, and my apologies for how this update has gone.