Date: Tue, 03 Feb 2015 11:30:13 +0100
From: Florian Weimer <>
Subject: Re: workaround for GHOST glibc vulnerability CVE-2015-0235

On 02/02/2015 03:52 PM, Constantine Shulyupin wrote:
> CVE-2015-0235-workaround is a shared library wrapper with additional checks
> for the vulnerable functions gethostbyname2_r and gethostbyname_r.
> The proper solution for CVE-2015-0235 is to upgrade glibc to at least
> glibc-2.18.
> In some cases, an immediate glibc upgrade is not possible, for example in
> custom production embedded systems, because such an upgrade requires a
> validation of the whole system.
> In such cases, this workaround provides a hot fix solution, which is easier
> to validate.
> Source code:

You should make all symbols static.  With the current code, you risk
symbol collisions.

Why don't you hook gethostbyname?  I'm not sure if gethostbyname is
implemented in terms of gethostbyname_r.  (The call stacks I have suggest
it isn't.)

Florian Weimer / Red Hat Product Security
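
The two review points above, shown as an added example that is not part of the original message and is not the workaround project's code: an LD_PRELOAD shim whose helpers are static, so only the interposed function is exported, and which hooks gethostbyname itself. The helper names, SHIM_MAX_NAME and the policy of refusing names longer than 255 bytes are assumptions made for this sketch.

```c
/* Added example. Assumed build line for a preload library:
 *   gcc -shared -fPIC -o ghostshim.so ghostshim.c -ldl */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* for RTLD_NEXT */
#endif
#include <dlfcn.h>
#include <netdb.h>
#include <stddef.h>
#include <string.h>

#ifndef RTLD_NEXT               /* glibc's value, if _GNU_SOURCE came too late */
#define RTLD_NEXT ((void *) -1L)
#endif

/* Assumed policy: no valid DNS name is longer than 255 bytes, so anything
 * longer is refused before it reaches the unpatched resolver code. */
#define SHIM_MAX_NAME 255

typedef struct hostent *(*ghbn_fn)(const char *);

/* static: internal helpers are not exported, so they cannot collide with
 * symbols of the same name in the program or in other libraries. */
static int name_is_acceptable(const char *name)
{
    return name != NULL && strnlen(name, SHIM_MAX_NAME + 1) <= SHIM_MAX_NAME;
}

static ghbn_fn real_gethostbyname(void)
{
    static ghbn_fn real;        /* cached after the first lookup */
    if (real == NULL)
        real = (ghbn_fn) dlsym(RTLD_NEXT, "gethostbyname");
    return real;
}

/* The only exported symbol: it keeps libc's name and prototype so the
 * dynamic linker resolves callers to it ahead of libc. */
struct hostent *gethostbyname(const char *name)
{
    ghbn_fn real;

    if (!name_is_acceptable(name) || (real = real_gethostbyname()) == NULL) {
        h_errno = NO_RECOVERY;  /* refuse instead of calling into libc */
        return NULL;
    }
    return real(name);
}
```

Running `nm -D --defined-only` on the built library is a quick check that gethostbyname is the only symbol the shim itself contributes to the dynamic symbol table.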
