CVE-2021-27645

Name	CVE-2021-27645
Description	The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3152-1
Debian Bugs	983479

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
glibc (PTS)	jessie, jessie (lts)	2.19-18+deb8u14	fixed
	stretch (security)	2.24-11+deb9u1	fixed
	stretch (lts), stretch	2.24-11+deb9u7	fixed
	buster (security), buster, buster (lts)	2.28-10+deb10u4	fixed
	bullseye	2.31-13+deb11u11	fixed
	bullseye (security)	2.31-13+deb11u10	fixed
	bookworm	2.36-9+deb12u9	fixed
	bookworm (security)	2.36-9+deb12u7	fixed
	sid, trixie	2.40-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
glibc	source	jessie	(not affected)
glibc	source	stretch	(not affected)
glibc	source	buster	2.28-10+deb10u2	DLA-3152-1
glibc	source	(unstable)	2.31-10		983479

Notes

https://sourceware.org/bugzilla/show_bug.cgi?id=27462
Introduced by: https://sourceware.org/git/?p=glibc.git;a=commit;h=745664bd798ec8fd50438605948eea594179fba1 (glibc-2.29)
Fixed by: https://sourceware.org/git/?p=glibc.git;a=commit;h=dca565886b5e8bd7966e15f0ca42ee5cff686673
Introducing commit present in Debian since 2.28-1 with addition of
https://salsa.debian.org/glibc-team/glibc/-/commit/aea56157b456d4d9bef337d0149e952a41a7d919
[stretch] - glibc <not-affected> (Introduced around 2.28 via 745664bd798ec8fd50438605948eea594179fba1)
[jessie] - glibc <not-affected> (Introduced around 2.28 via 745664bd798ec8fd50438605948eea594179fba1)