Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 3 Feb 2015 13:15:17 +0200
From: Constantine Shulyupin <const@...elinux.com>
To: Florian Weimer <fweimer@...hat.com>
Cc: oss-security <oss-security@...ts.openwall.com>
Subject: Re: workaround for GHOST glibc vulnerability CVE-2015-0235

Added static, thank.

You are right, gethostbyname is vulnerable too, but less.
gethostbyname is implemented in
http://osxr.org/glibc/source/nss/getXXbyYY.c?v=glibc-2.17#0101
It allocates buffer from heap, not stack, which is less danger.

Actually the bug is in __nss_hostname_digits_dots @
http://osxr.org/glibc/source/nss/digits_dots.c?v=glibc-2.17#0036.
Is it much more complex and dangerous to overload
__nss_hostname_digits_dots. Better upgrade to newer glibc.

Thanks

On Tue, Feb 3, 2015 at 12:30 PM, Florian Weimer <fweimer@...hat.com> wrote:

> On 02/02/2015 03:52 PM, Constantine Shulyupin wrote:
> > CVE-2015-0235-workaround is a shared library wrapper with additional
> checks
> > for the vulnerable functions gethostbyname2_r and gethostbyname_r .
> >
> > The proper solution for CVE-2015-0235 is to upgrade glibc to at least
> > glibc-2.18.
> >
> > In some cases, an immediate glibc upgrade is not possible, for example in
> > custom production embedded systems, because such an upgrade requires a
> > validation of the whole system.
> >
> > In such cases, this workaround provides a hot fix solution, which is
> easier
> > to validate.
> >
> > Source code: https://github.com/makelinux/CVE-2015-0235-workaround
>
> You should make all symbols static.  With the current code, you risk
> symbol collisions.
>
> Why don't you hook gethostbyname?  I'm not sure if gethosybyname is
> implement in terms of gethostbyname_r.  (The call stacks I have suggest
> it isn't.)
>
> --
> Florian Weimer / Red Hat Product Security
>



-- 
Constantine Shulyupin
http://www.MakeLinux.com/
Embedded Linux Systems
and Device Drivers

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ