Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 19 Oct 2017 21:25:47 -0400
From: Rich Felker <>
Cc: Felix Wilhelm <>,
Subject: Re: [oss-security] CVE request: musl libc 1.1.16 and earlier dns
 buffer overflow

On Thu, Oct 19, 2017 at 04:17:57PM -0400, Rich Felker wrote:
> Felix Wilhelm has discovered a flaw in the dns response parsing for
> musl libc 1.1.16 that leads to overflow of a stack-based buffer.
> Earlier versions are also affected.
> When an application makes a request via getaddrinfo for both IPv4 and
> IPv6 results (AF_UNSPEC), an attacker who controls or can spoof the
> nameservers configured in resolv.conf can reply to both the A and AAAA
> queries with A results. Since A records are smaller than AAAA records,
> it's possible to fit more addresses than the precomputed bound, and a
> buffer overflow occurs.
> Users are advised to upgrade to 1.1.17 or patch; the patch is simple
> and should apply cleanly to all recent versions:
> Users who cannot patch or upgrade immediately can mitigate the issue
> by running a caching nameserver on localhost and pointing resolv.conf
> to

CVE-2017-15650 has been assigned for this issue.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.