Date: Mon, 30 Mar 2015 00:41:53 -0400 From: Rich Felker <dalias@...c.org> To: musl@...ts.openwall.com Subject: Re: Security advisory for musl libc - stack-based buffer overflow in ipv6 literal parsing [CVE-2015-1817] On Mon, Mar 30, 2015 at 11:33:37AM +0700, Рысь wrote: > On Mon, 30 Mar 2015 00:01:25 -0400 > Rich Felker <dalias@...c.org> wrote: > > > A stack-based buffer overflow has been found in musl libc's ipv6 > > address literal parsing code. Programs which call the inet_pton or > > getaddrinfo function with AF_INET6 or AF_UNSPEC and untrusted address > > strings are affected. Successful exploitation yields control of the > > return address. Having enabled stack protector at the application > > level does not mitigate the issue. All users should patch or upgrade. > > > > Software: musl libc (http://www.musl-libc.org) > > > > Severity: high > > > > Affected Versions: 0.9.15 - 1.0.4, 1.1.0 - 1.1.7. > > > > Bug introduced in commit: 78f889153167452de4cbced921f6428b3d4f663a > > > > Bug fixed in commit: fc13acc3dcb5b1f215c007f583a63551f6a71363 > > > > Patch: musl_dn_expand_overflow_fix.diff (attached) (fix+hardening) > > How much it affects readonly embedded systems as well? Does almost > latest dropbear listening ssh port publicly is actually vulnerable? I don't think so, but I haven't done analysis of specific software. Busybox is affected if it's installed setuid and ping is enabled (a configuration I strongly recommend not using since they don't handle setuid securely in general) but that's limited to local attacks. I don't think there's any way you can make dropbear (server) attempt to parse ip literal strings remotely, but verifying this would take some checking of the source. Rich
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.