Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 29 Jan 2015 11:50:23 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: the other glibc issue

Oh, can we use descriptive Subjects, please?  (I am leaving this one
intact not to introduce even further confusion.)

On Wed, Jan 28, 2015 at 01:17:40PM -0500, cve-assign@...re.org wrote:
> Use CVE-2013-7423 for ths initial bug report at 2013-09-12 09:50:17 UTC 
> stating: "Under high load, getaddrinfo() starts sending DNS queries to 
> random file descriptors, e.g. some unrelated socket connected to a remote 
> service."
> 
> Which comment says that the issue is unfixed?  The 2015-01-08 14:21:11 UTC 
> comment by David Nilsson says "I'm unable to reproduce the correct 
> behaviour," but does not suggest that the vulnerability is still present.

That comment you mention seemed to imply that, but here are the news off
Twitter:

<solardiz> glibc "getaddrinfo() writes DNS queries to random file descriptors under high load" https://sourceware.org/bugzilla/show_bug.cgi?id=15946 "Fixed in 2.20", reopened, CVE?
<@...hFelker> @solardiz Yeah I've been following this and pushing for it to be taken seriously for a long time...
<@...hFelker> @solardiz Looks like a false positive, a bug in the testcase rather than in #glibc. See https://sourceware.org/ml/glibc-bugs/2015-01/msg00226.html
<@...ardiz> @RichFelker To me, this message says that the bug still being reproducible on glibc 2.20 is a false positive, but the fix in 2.20 was needed
<@...ardiz> @RichFelker Someone should run the corrected testcase on pre-2.20 to see if the issue was reproducible before the fix or not

So glibc 2.20 appears OK, and we need to re-test older glibc - but from
the patch it looks like there was indeed this bug before 2.20.

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ