Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 03 Feb 2015 11:30:13 +0100
From: Florian Weimer <fweimer@...hat.com>
To: const@...elinux.com
CC: oss-security@...ts.openwall.com
Subject: Re: workaround for GHOST glibc vulnerability CVE-2015-0235

On 02/02/2015 03:52 PM, Constantine Shulyupin wrote:
> CVE-2015-0235-workaround is a shared library wrapper with additional checks
> for the vulnerable functions gethostbyname2_r and gethostbyname_r .
> 
> The proper solution for CVE-2015-0235 is to upgrade glibc to at least
> glibc-2.18.
> 
> In some cases, an immediate glibc upgrade is not possible, for example in
> custom production embedded systems, because such an upgrade requires a
> validation of the whole system.
> 
> In such cases, this workaround provides a hot fix solution, which is easier
> to validate.
> 
> Source code: https://github.com/makelinux/CVE-2015-0235-workaround

You should make all symbols static.  With the current code, you risk
symbol collisions.

Why don't you hook gethostbyname?  I'm not sure if gethosybyname is
implement in terms of gethostbyname_r.  (The call stacks I have suggest
it isn't.)

-- 
Florian Weimer / Red Hat Product Security

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ