CVE-2024-33601

NameCVE-2024-33601
Descriptionnscd: netgroup cache may terminate daemon on memory allocation failure The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3850-1, DSA-5678-1, ELA-1119-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
glibc (PTS)jessie, jessie (lts)2.19-18+deb8u14fixed
stretch (security)2.24-11+deb9u1vulnerable
stretch (lts), stretch2.24-11+deb9u7fixed
buster (security), buster, buster (lts)2.28-10+deb10u4fixed
bullseye2.31-13+deb11u11fixed
bullseye (security)2.31-13+deb11u10fixed
bookworm2.36-9+deb12u8fixed
bookworm (security)2.36-9+deb12u7fixed
sid, trixie2.40-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
glibcsourcejessie2.19-18+deb8u14ELA-1119-1
glibcsourcestretch2.24-11+deb9u7ELA-1119-1
glibcsourcebuster2.28-10+deb10u4DLA-3850-1
glibcsourcebullseye2.31-13+deb11u10DSA-5678-1
glibcsourcebookworm2.36-9+deb12u7DSA-5678-1
glibcsource(unstable)2.37-19

Notes

https://sourceware.org/bugzilla/show_bug.cgi?id=31679
https://inbox.sourceware.org/libc-alpha/cover.1713974801.git.fweimer@redhat.com/
https://www.openwall.com/lists/oss-security/2024/04/24/2
https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0007
Fixed by: https://sourceware.org/git?p=glibc.git;a=commit;h=c04a21e050d64a1193a6daab872bca2528bda44b
Search for package or bug name: Reporting problems