Date: Tue, 3 Feb 2015 13:15:17 +0200 From: Constantine Shulyupin <const@...elinux.com> To: Florian Weimer <fweimer@...hat.com> Cc: oss-security <oss-security@...ts.openwall.com> Subject: Re: workaround for GHOST glibc vulnerability CVE-2015-0235 Added static, thank. You are right, gethostbyname is vulnerable too, but less. gethostbyname is implemented in http://osxr.org/glibc/source/nss/getXXbyYY.c?v=glibc-2.17#0101 It allocates buffer from heap, not stack, which is less danger. Actually the bug is in __nss_hostname_digits_dots @ http://osxr.org/glibc/source/nss/digits_dots.c?v=glibc-2.17#0036. Is it much more complex and dangerous to overload __nss_hostname_digits_dots. Better upgrade to newer glibc. Thanks On Tue, Feb 3, 2015 at 12:30 PM, Florian Weimer <fweimer@...hat.com> wrote: > On 02/02/2015 03:52 PM, Constantine Shulyupin wrote: > > CVE-2015-0235-workaround is a shared library wrapper with additional > checks > > for the vulnerable functions gethostbyname2_r and gethostbyname_r . > > > > The proper solution for CVE-2015-0235 is to upgrade glibc to at least > > glibc-2.18. > > > > In some cases, an immediate glibc upgrade is not possible, for example in > > custom production embedded systems, because such an upgrade requires a > > validation of the whole system. > > > > In such cases, this workaround provides a hot fix solution, which is > easier > > to validate. > > > > Source code: https://github.com/makelinux/CVE-2015-0235-workaround > > You should make all symbols static. With the current code, you risk > symbol collisions. > > Why don't you hook gethostbyname? I'm not sure if gethosybyname is > implement in terms of gethostbyname_r. (The call stacks I have suggest > it isn't.) > > -- > Florian Weimer / Red Hat Product Security > -- Constantine Shulyupin http://www.MakeLinux.com/ Embedded Linux Systems and Device Drivers
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ