
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A vulnerability was discovered in glibc (CVE-2023-4527) that affects systems configured with no-aaaa mode via /etc/resolv.conf. The issue was introduced in glibc version 2.36 and affects versions prior to 2.39. When the getaddrinfo function is called with the AF_UNSPEC address family and a DNS response larger than 2048 bytes is received over TCP, the function can disclose stack contents through the address data it returns, and may crash (NVD, Red Hat).
The vulnerability stems from the implementation of the no-aaaa stub resolver option in glibc. The issue occurs specifically when three conditions are met: the system is configured in no-aaaa mode via /etc/resolv.conf, getaddrinfo is called with AF_UNSPEC address family, and a DNS response over TCP exceeds 2048 bytes. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H (Red Hat).
Successful exploitation of this vulnerability can disclose sensitive information, because stack contents are exposed through the returned address data. It may also cause system crashes. The vulnerability affects systems where the no-aaaa diagnostic option is enabled in /etc/resolv.conf (Openwall).
The primary mitigation is to update to a patched version of glibc. For systems that cannot be immediately updated, removing the no-aaaa diagnostic option from /etc/resolv.conf will mitigate this flaw. The vulnerability has been fixed in glibc versions 2.36-14.fc37 for Fedora 37, 2.37-10.fc38 for Fedora 38, and 2.38-6.fc39 for Fedora 39, as well as in corresponding Red Hat Enterprise Linux updates (Fedora).
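An added audit sketch (not part of the original advisory or of glibc) that checks the two host-side conditions described above: the no-aaaa option in resolv.conf and a glibc version in the stated 2.36 to pre-2.39 range. The function names, result labels and sample file are assumptions made for this example, and the resolv.conf parsing is simplified.

```python
import os
import re

# Upstream range as stated in the advisory: introduced in 2.36, affects versions prior to 2.39.
INTRODUCED = (2, 36)
FIXED_UPSTREAM = (2, 39)

# Constructed sample resolv.conf (192.0.2.53 is a documentation address).
SAMPLE_RESOLV = "# constructed sample\nnameserver 192.0.2.53\noptions edns0 trust-ad\noptions no-aaaa\n"

def resolv_options(text):
    """Collect resolver options from every 'options' line, skipping comment lines."""
    opts = set()
    for line in text.splitlines():
        if line.startswith(("#", ";")):
            continue
        fields = line.split()
        if fields and fields[0] == "options":
            opts.update(fields[1:])
    return opts

def parse_glibc_version(s):
    """Turn 'glibc 2.37' or '2.37' into (2, 37); None if no version is found."""
    m = re.search(r"(\d+)\.(\d+)", s or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def assess(resolv_text, glibc_version):
    """Classify a host from its resolv.conf text and glibc version string."""
    has_opt = "no-aaaa" in resolv_options(resolv_text)
    ver = parse_glibc_version(glibc_version)
    in_range = ver is not None and INTRODUCED <= ver < FIXED_UPSTREAM
    if has_opt and in_range:
        # Distribution builds can carry the fix under an in-range version
        # (for example the Fedora packages listed above), so confirm the package release.
        return "exposed-unless-patched"
    if has_opt:
        return "option-set"           # option present, version outside range or unknown
    if in_range:
        return "mitigated-by-config"  # in-range glibc, but no-aaaa is not enabled
    return "not-affected"

def local_glibc_version():
    """Ask the running C library for its version; None when it is not glibc."""
    try:
        return os.confstr("CS_GNU_LIBC_VERSION")
    except (AttributeError, ValueError, OSError):
        return None

if __name__ == "__main__":
    try:
        with open("/etc/resolv.conf") as fh:
            text = fh.read()
    except OSError:
        text = ""
    print(assess(text, local_glibc_version()))
```

A result of exposed-unless-patched means both conditions hold and the installed package release still has to be compared against the distribution's fixed build.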
Source: This report was generated using AI