Date: Thu, 29 Jan 2015 11:50:23 +0300 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Subject: Re: the other glibc issue Oh, can we use descriptive Subjects, please? (I am leaving this one intact not to introduce even further confusion.) On Wed, Jan 28, 2015 at 01:17:40PM -0500, cve-assign@...re.org wrote: > Use CVE-2013-7423 for ths initial bug report at 2013-09-12 09:50:17 UTC > stating: "Under high load, getaddrinfo() starts sending DNS queries to > random file descriptors, e.g. some unrelated socket connected to a remote > service." > > Which comment says that the issue is unfixed? The 2015-01-08 14:21:11 UTC > comment by David Nilsson says "I'm unable to reproduce the correct > behaviour," but does not suggest that the vulnerability is still present. That comment you mention seemed to imply that, but here are the news off Twitter: <solardiz> glibc "getaddrinfo() writes DNS queries to random file descriptors under high load" https://sourceware.org/bugzilla/show_bug.cgi?id=15946 "Fixed in 2.20", reopened, CVE? <@...hFelker> @solardiz Yeah I've been following this and pushing for it to be taken seriously for a long time... <@...hFelker> @solardiz Looks like a false positive, a bug in the testcase rather than in #glibc. See https://sourceware.org/ml/glibc-bugs/2015-01/msg00226.html <@...ardiz> @RichFelker To me, this message says that the bug still being reproducible on glibc 2.20 is a false positive, but the fix in 2.20 was needed <@...ardiz> @RichFelker Someone should run the corrected testcase on pre-2.20 to see if the issue was reproducible before the fix or not So glibc 2.20 appears OK, and we need to re-test older glibc - but from the patch it looks like there was indeed this bug before 2.20. Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ