Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 27 Jan 2015 17:02:50 +0000
From: Marek Kroemeke <kroemeke@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: GHOST gethostbyname() heap overflow in glibc
 (CVE-2015-0235)

Hi there,

We just noticed CVE-2015-0235 , and we thought we will drop this one in - apologies 
for low quality , we didn't really have time yet to analyse it, but it seems to be
related, so it makes sense to patch things once right ?

-- cut --
valgrind ./traceroute/traceroute $(printf "\302a")
==12559== Memcheck, a memory error detector
==12559== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==12559== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==12559== Command: ./traceroute/traceroute Âa
==12559== 
==12559== Invalid free() / delete / delete[] / realloc()
==12559==    at 0x4C27D4E: free (vg_replace_malloc.c:427)
==12559==    by 0x537258A: gaih_inet (getaddrinfo.c:1328)
==12559==    by 0x53757C1: getaddrinfo (getaddrinfo.c:2433)
==12559==    by 0x40530F: ??? (in /home/marek/Downloads/traceroute-2.0.19/traceroute/traceroute)
==12559==    by 0x405D1B: ??? (in /home/marek/Downloads/traceroute-2.0.19/traceroute/traceroute)
==12559==    by 0x409EA1: ??? (in /home/marek/Downloads/traceroute-2.0.19/traceroute/traceroute)
==12559==    by 0x405DAC: ??? (in /home/marek/Downloads/traceroute-2.0.19/traceroute/traceroute)
==12559==    by 0x52D9EAC: (below main) (libc-start.c:244)
==12559==  Address 0x7ff0005f7 is on thread 1's stack
==12559== 
-- cut --


-- cut --
marek@...STMYASS:~$ traceroute $(printf "\302a")
*** glibc detected *** traceroute: munmap_chunk(): invalid pointer: 0x00007fff1b43a547 ***
======= Backtrace: =========
/lib64/libc.so.6(cfree+0x166)[0x32244758c6]
/lib64/libc.so.6[0x32244bc116]
/lib64/libc.so.6(getaddrinfo+0x21a)[0x32244be94a]
traceroute[0x402926]
traceroute[0x4029f1]
traceroute[0x406281]
traceroute[0x403546]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x322441d9f4]
traceroute[0x401619]
======= Memory map: ========
00400000-00409000 r-xp 00000000 68:06 7103807                            /bin/traceroute
00608000-00609000 rw-p 00008000 68:06 7103807                            /bin/traceroute
00609000-0060a000 rw-p 00609000 00:00 0
00808000-00809000 rw-p 00008000 68:06 7103807                            /bin/traceroute
00ff7000-01018000 rw-p 00ff7000 00:00 0                                  [heap]
3224000000-322401c000 r-xp 00000000 68:06 7332914                        /lib64/ld-2.5.so
322421c000-322421d000 r--p 0001c000 68:06 7332914                        /lib64/ld-2.5.so
322421d000-322421e000 rw-p 0001d000 68:06 7332914                        /lib64/ld-2.5.so
3224400000-322454f000 r-xp 00000000 68:06 7333080                        /lib64/libc-2.5.so
322454f000-322474f000 ---p 0014f000 68:06 7333080                        /lib64/libc-2.5.so
322474f000-3224753000 r--p 0014f000 68:06 7333080                        /lib64/libc-2.5.so
3224753000-3224754000 rw-p 00153000 68:06 7333080                        /lib64/libc-2.5.so
3224754000-3224759000 rw-p 3224754000 00:00 0
3224c00000-3224c82000 r-xp 00000000 68:06 7333136                        /lib64/libm-2.5.so
3224c82000-3224e81000 ---p 00082000 68:06 7333136                        /lib64/libm-2.5.so
3224e81000-3224e82000 r--p 00081000 68:06 7333136                        /lib64/libm-2.5.so
3224e82000-3224e83000 rw-p 00082000 68:06 7333136                        /lib64/libm-2.5.so
3226800000-322680d000 r-xp 00000000 68:06 7333158                        /lib64/libgcc_s-4.1.2-20080825.so.1
322680d000-3226a0d000 ---p 0000d000 68:06 7333158                        /lib64/libgcc_s-4.1.2-20080825.so.1
3226a0d000-3226a0e000 rw-p 0000d000 68:06 7333158                        /lib64/libgcc_s-4.1.2-20080825.so.1
3227400000-3227411000 r-xp 00000000 68:06 7333100                        /lib64/libresolv-2.5.so
3227411000-3227611000 ---p 00011000 68:06 7333100                        /lib64/libresolv-2.5.so
3227611000-3227612000 r--p 00011000 68:06 7333100                        /lib64/libresolv-2.5.so
3227612000-3227613000 rw-p 00012000 68:06 7333100                        /lib64/libresolv-2.5.so
3227613000-3227615000 rw-p 3227613000 00:00 0
2b6dc1c15000-2b6dc1c17000 rw-p 2b6dc1c15000 00:00 0
2b6dc1c1e000-2b6dc1c20000 rw-p 2b6dc1c1e000 00:00 0
2b6dc1c20000-2b6dc51f3000 r--p 00000000 68:06 5051193                    /usr/lib/locale/locale-archive
2b6dc51fa000-2b6dc5227000 r-xp 00000000 68:06 7332894                    /lib64/libcidn-2.5.so
2b6dc5227000-2b6dc5427000 ---p 0002d000 68:06 7332894                    /lib64/libcidn-2.5.so
2b6dc5427000-2b6dc5428000 r--p 0002d000 68:06 7332894                    /lib64/libcidn-2.5.so
2b6dc5428000-2b6dc5429000 rw-p 0002e000 68:06 7332894                    /lib64/libcidn-2.5.so
2b6dc5429000-2b6dc5433000 r-xp 00000000 68:06 7332990                    /lib64/libnss_files-2.5.so
2b6dc5433000-2b6dc5632000 ---p 0000a000 68:06 7332990                    /lib64/libnss_files-2.5.so
2b6dc5632000-2b6dc5633000 r--p 00009000 68:06 7332990                    /lib64/libnss_files-2.5.so
2b6dc5633000-2b6dc5634000 rw-p 0000a000 68:06 7332990                    /lib64/libnss_files-2.5.so
2b6dc5634000-2b6dc5638000 r-xp 00000000 68:06 7332988                    /lib64/libnss_dns-2.5.so
2b6dc5638000-2b6dc5837000 ---p 00004000 68:06 7332988                    /lib64/libnss_dns-2.5.so
2b6dc5837000-2b6dc5838000 r--p 00003000 68:06 7332988                    /lib64/libnss_dns-2.5.so
2b6dc5838000-2b6dc5839000 rw-p 00004000 68:06 7332988                    /lib64/libnss_dns-2.5.so
7fff1b426000-7fff1b43b000 rw-p 7ffffffe9000 00:00 0                      [stack]
7fff1b462000-7fff1b465000 r-xp 7fff1b462000 00:00 0                      [vdso]
ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0                  [vsyscall]
Aborted
marek@...STMYASS:~$ 

-- cut --

Cheers! 

Filip Palian,
AKAT-1,
Marek Kroemeke

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.