libc6: getaddrinfo() sends DNS queries to random file descriptors

This bug was fixed in the package glibc - 2.19-4ubuntu1

---------------
glibc (2.19-4ubuntu1) utopic; urgency=medium

  * Merge with Debian unstable, switching us to glibc and fixing bugs:
    - Fix invalid fd reuse while sending DNS queries (LP: #1328975)
    - Avoid Freescale 8xx dcbz workaround on ppc64el (LP: #1333499)
    - Remove wrong ibm long double assembly routines (LP: #1294588)
    - Fix incorrect frexpl results with long doubles (LP: #1333506)
  * debian/patches/powerpc/local-tune-power8.diff: When configured for
    --with-cpu=power7, adjust -mtune for power8 instead (LP: #1333524)

glibc (2.19-4) unstable; urgency=medium

  [ Aurelien Jarno ]
  * debian/debhelper.in/libc.{preinst,postrm,postinst}: correctly remove
    old ld.so configuration if more than one libc6 package is installed
    (multiarch case). Closes: #752389, #752404.

  [ Samuel Thibault ]
  * patches/hurd-i386/tg-tls-threadvar.diff: Update to fix gcc-4.9 build.

  [ Adam Conrad ]
  * debian/control.in/main: glibc-source Conflics/Replaces eglibc-source.
  * debian/patches/powerpc/local-powerpc8xx-dcbz.diff: Restrict the trap
    to 32-bit builds, since the Freescale 8xx CPUs aren't 64-bit capable.

glibc (2.19-3experimental0) experimental; urgency=medium

  [ Aurelien Jarno]
  * Switch back to glibc sources:
    - debian/control.in/*: replace eglibc by glibc, update descriptions.
    - rename debian/debhelper.in/eglibc-source.install into
      glibc-source.install.
    - rename debian/debhelper.in/eglibc-source.lintian-overrides into
      glibc-source.lintian-overrides.
    - rename debian/eglibc-source.filelist into glibc-source.filelist
    - debian/copyright: update.
    - debian/rules, debian/rules.d/*: replace eglibc by glibc.
    - source/lintian-overrides: replace eglibc by glibc.
    - debian/sysdeps/*: replace eglibc by glibc.
    - debian/po/*: update using debconf-updatepo.
    - debian/rules.d/tarball.mk: rewrite to generate the orig tarball and
      to fetch the branch updates through git.
    - patches/any/submitted-nl_langinfo-static.diff: refresh.
    - patches/any/submitted-ldsodefs_rtld_debug.diff: drop.
    - patches/any/local-dynamic-resolvconf.diff: new patch from the eglibc
      tree to dynamically take into account changes in resolv.conf.
    - patches/powerpc/local-powerpc8xx-dcbz.diff: new patch from the eglibc
      tree to workaround dcbz issues on PowerPC 8XX CPUs.
    - patches/sh4/local-fpscr_values.diff: new patch from eglibc tree to
      export the ___fpscr_values symbol on SH4.
    - patches/any/local-libpic.diff: new patch from eglibc tree to install
      *_pic.a files.
    - patches/any/local-bootstrap-headers.diff: new patch from eglibc tree
      to ease header installation when bootstrapping.

eglibc (2.19-3) unstable; urgency=medium

  [ Aurelien Jarno ]
  * debian/control.in/libc: fix libtirpc1 breaks. Closes: #751852.
  * debian/rules.d/build.mk: generate ld.so configuration file using
    DEB_HOST_MULTIARCH instead of DEB_HOST_GNU_TYPE to have a stable
    path even when the GNU triplet change.
  * debian/debhelper.in/libc.{preinst,postrm,postinst}: remove old
    ld.so configuration file on hurd-i386, i386 and k...

Status changed to 'Confirmed' because the bug affects multiple users.

Hi all-- I apologize in advance if this is tracked somewhere here and I'm missing it, but I'm curious to know if this bugfix (and associated downstream packages) are planned to be backported to 14.04 repositories.

Would someone mind shedding some light on the backport process/timeline for LTS releases, and the status of this ticket in that regard?

Much thanks for your time!

I too cannot understand why this fix was refused to backport to trusty. We just spent two man-weeks tracking down this issue in one of our applications, and to find that a severe race condition in libc was fixed in Debian over a year ago but still not fixed in a *long term supported* version of Ubuntu is ... frustrating, to put it lightly.

Status changed to 'Confirmed' because the bug affects multiple users.

Additionally, attempting to bring in utopic libc to fix the bug causes dependency resolution problems down the road. Both the trusty python3 and Xamarin Mono repositories then start to fail with messages like:

The following packages have unmet dependencies:
nuget : Depends: libnuget-core-cil (= 2.8.7+md510+dhx1-0xamarin1) but it is not going to be installed
Depends: libmono-corlib4.5-cil (>= 4.0.0~alpha1) but 3.2.8+dfsg-4ubuntu1 is to be installed
Depends: libmono-microsoft-build-framework4.0-cil (>= 3.6.0) but 3.2.8+dfsg-4ubuntu1 is to be installed
Depends: libmono-microsoft-build4.0-cil (>= 3.6.0) but 3.2.8+dfsg-4ubuntu1 is to be installed
Depends: libmono-system-core4.0-cil (>= 4.0.0~alpha1) but 3.2.8+dfsg-4ubuntu1 is to be installed
Depends: libmono-system4.0-cil (>= 4.0.0~alpha1) but 3.2.8+dfsg-4ubuntu1 is to be installed
[91mE: Unable to correct problems, you have held broken packages. [0m [91m

This is an extremely frustrating situation to be in, our application is crashing almost daily due to this issue, and we seem to have no supported path forward.

It looks like the bug may actually be fixed in trusty-security eglibc 2.19-0ubuntu6.6

eglibc (2.19-0ubuntu6.6) trusty-security; urgency=medium

  * SECURITY UPDATE: getaddrinfo writes to random file descriptors under
    high load
    - debian/patches/any/cvs-resolv-reuse-fd.diff: reload file descriptor
      after calling reopen in resolv/res_send.c.
    - CVE-2013-7423

So this bug status is misleading; the issue should be fixed against Trusty I believe.