GNU C Library
cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*
- >= 2.0, <= 2.42
A vulnerability exists in the GNU C Library (glibc) versions 2.0 through 2.42 within the DNS network component. When the `getnetbyaddr` or `getnetbyaddr_r` functions are called with a network value of zero, the library can unintentionally leak uninitialized stack memory to the configured DNS resolver. This issue arises from a flaw in the handling of the network value, which prevents the function from properly initializing the query buffer before it is sent as a DNS query.
Exploitation of this vulnerability discloses stack contents to the DNS server, and the leaked data could be used to extract sensitive information.
To reproduce this vulnerability, call the `getnetbyaddr` function with a network value of zero. This can be done in a C program by including the `<netdb.h>` header and passing zero as the network argument to `getnetbyaddr`. The vulnerability occurs because the function does not properly initialize the query buffer before sending it to the DNS server, allowing uninitialized stack data to be leaked.
A patch for this vulnerability has been proposed and is available for review.
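Until a fixed library is deployed, callers can keep a zero network value from reaching the resolver at all. The following C sketch is an added example, not glibc code and not the proposed patch: `guarded_getnetbyaddr` and `glibc_in_affected_range` are hypothetical helper names, and reporting the rejection through `errno = EINVAL` is an assumption of this example.

```c
#include <errno.h>
#include <netdb.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#if defined(__GLIBC__)
#include <gnu/libc-version.h>   /* gnu_get_libc_version() */
#endif

/* Hypothetical helper: 1 if a "major.minor" version string lies in the
 * range this advisory lists (2.0 through 2.42), 0 if outside it,
 * -1 if the string cannot be parsed. */
int glibc_in_affected_range(const char *ver)
{
    unsigned major, minor;

    if (ver == NULL || sscanf(ver, "%u.%u", &major, &minor) != 2)
        return -1;
    return major == 2 && minor <= 42;
}

/* Hypothetical wrapper: reject network 0 before calling into libc, so the
 * code path that sends an uninitialized query buffer is never reached.
 * The same guard applies in front of getnetbyaddr_r. */
struct netent *guarded_getnetbyaddr(uint32_t net, int type)
{
    if (net == 0) {
        errno = EINVAL;         /* assumption: this example's error signal */
        return NULL;
    }
    return getnetbyaddr(net, type);
}

int main(void)
{
#if defined(__GLIBC__)
    const char *v = gnu_get_libc_version();
    printf("glibc %s: %s\n", v,
           glibc_in_affected_range(v) == 1 ? "inside advisory range"
                                           : "outside advisory range");
#endif
    if (guarded_getnetbyaddr(0, AF_INET) == NULL)
        puts("network 0 rejected before any DNS query was built");
    return 0;
}
```

Distribution packages may carry a backported fix under an unchanged version string, so the range check is a triage hint, not proof that a host is unpatched.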