Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20150330121848.2248ee3e@r2lynx>
Date: Mon, 30 Mar 2015 12:18:48 +0700
From: Рысь <lynx@...server.ru>
To: musl@...ts.openwall.com
Subject: Re: Security advisory for musl libc - stack-based buffer
 overflow in ipv6 literal parsing [CVE-2015-1817]

On Mon, 30 Mar 2015 00:41:53 -0400
Rich Felker <dalias@...c.org> wrote:

> On Mon, Mar 30, 2015 at 11:33:37AM +0700, Рысь wrote:
> > On Mon, 30 Mar 2015 00:01:25 -0400
> > Rich Felker <dalias@...c.org> wrote:
> > 
> > > A stack-based buffer overflow has been found in musl libc's ipv6
> > > address literal parsing code. Programs which call the inet_pton or
> > > getaddrinfo function with AF_INET6 or AF_UNSPEC and untrusted
> > > address strings are affected. Successful exploitation yields
> > > control of the return address. Having enabled stack protector at
> > > the application level does not mitigate the issue. All users
> > > should patch or upgrade.
> > > 
> > > Software: musl libc (http://www.musl-libc.org)
> > > 
> > > Severity: high
> > > 
> > > Affected Versions: 0.9.15 - 1.0.4, 1.1.0 - 1.1.7.
> > > 
> > > Bug introduced in commit: 78f889153167452de4cbced921f6428b3d4f663a
> > > 
> > > Bug fixed in commit: fc13acc3dcb5b1f215c007f583a63551f6a71363
> > > 
> > > Patch: musl_dn_expand_overflow_fix.diff (attached) (fix+hardening)
> > 
> > How much it affects readonly embedded systems as well? Does almost
> > latest dropbear listening ssh port publicly is actually vulnerable?
> 
> I don't think so, but I haven't done analysis of specific software.
> Busybox is affected if it's installed setuid and ping is enabled (a
> configuration I strongly recommend not using since they don't handle
> setuid securely in general) but that's limited to local attacks. I
> don't think there's any way you can make dropbear (server) attempt to
> parse ip literal strings remotely, but verifying this would take some
> checking of the source.
> 
> Rich

Well thanks for your efforts to design musl such as it can be swapped
atomically at runtime without rebooting the machines! I already
upgraded it and critical daemons on my servers and all works nice :-)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.