Date: Tue, 03 Feb 2015 11:30:13 +0100 From: Florian Weimer <fweimer@...hat.com> To: const@...elinux.com CC: oss-security@...ts.openwall.com Subject: Re: workaround for GHOST glibc vulnerability CVE-2015-0235 On 02/02/2015 03:52 PM, Constantine Shulyupin wrote: > CVE-2015-0235-workaround is a shared library wrapper with additional checks > for the vulnerable functions gethostbyname2_r and gethostbyname_r . > > The proper solution for CVE-2015-0235 is to upgrade glibc to at least > glibc-2.18. > > In some cases, an immediate glibc upgrade is not possible, for example in > custom production embedded systems, because such an upgrade requires a > validation of the whole system. > > In such cases, this workaround provides a hot fix solution, which is easier > to validate. > > Source code: https://github.com/makelinux/CVE-2015-0235-workaround You should make all symbols static. With the current code, you risk symbol collisions. Why don't you hook gethostbyname? I'm not sure if gethosybyname is implement in terms of gethostbyname_r. (The call stacks I have suggest it isn't.) -- Florian Weimer / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ