CVE-2024-33601

Name	CVE-2024-33601
Description	nscd: netgroup cache may terminate daemon on memory allocation failure The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3850-1, DSA-5678-1, ELA-1119-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
glibc (PTS)	jessie, jessie (lts)	2.19-18+deb8u14	fixed
	stretch (security)	2.24-11+deb9u1	vulnerable
	stretch (lts), stretch	2.24-11+deb9u7	fixed
	buster (security), buster, buster (lts)	2.28-10+deb10u4	fixed
	bullseye	2.31-13+deb11u11	fixed
	bullseye (security)	2.31-13+deb11u10	fixed
	bookworm	2.36-9+deb12u9	fixed
	bookworm (security)	2.36-9+deb12u7	fixed
	sid, trixie	2.40-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
glibc	source	jessie	2.19-18+deb8u14	ELA-1119-1
glibc	source	stretch	2.24-11+deb9u7	ELA-1119-1
glibc	source	buster	2.28-10+deb10u4	DLA-3850-1
glibc	source	bullseye	2.31-13+deb11u10	DSA-5678-1
glibc	source	bookworm	2.36-9+deb12u7	DSA-5678-1
glibc	source	(unstable)	2.37-19

Notes

https://sourceware.org/bugzilla/show_bug.cgi?id=31679
https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/
https://www.openwall.com/lists/oss-security/2024/04/24/2
https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007
Fixed by: https://sourceware.org/git?p=glibc.git;a=commit;h=c04a21e050d64a1193a6daab872bca2528bda44b