Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 03 Feb 2015 11:30:13 +0100
From: Florian Weimer <>
Subject: Re: workaround for GHOST glibc vulnerability CVE-2015-0235

On 02/02/2015 03:52 PM, Constantine Shulyupin wrote:
> CVE-2015-0235-workaround is a shared library wrapper with additional checks
> for the vulnerable functions gethostbyname2_r and gethostbyname_r .
> The proper solution for CVE-2015-0235 is to upgrade glibc to at least
> glibc-2.18.
> In some cases, an immediate glibc upgrade is not possible, for example in
> custom production embedded systems, because such an upgrade requires a
> validation of the whole system.
> In such cases, this workaround provides a hot fix solution, which is easier
> to validate.
> Source code:

You should make all symbols static.  With the current code, you risk
symbol collisions.

Why don't you hook gethostbyname?  I'm not sure if gethosybyname is
implement in terms of gethostbyname_r.  (The call stacks I have suggest
it isn't.)

Florian Weimer / Red Hat Product Security

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.