Summary: | <sys-libs/glibc-2.19-r1: heap overflow in gethostbyname() (CVE-2015-0235) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Hanno Böck <hanno> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | b4b1, bertrand, cedk, djc, doug, hu, mark, oleg.fiksel, pacho, pchrist, randalla, tamiko, toolchain |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | A2 [glsa cleanup] | ||
Package list: | Runtime testing required: | --- |
Description
Hanno Böck
2015-01-27 15:58:12 UTC
This vulnerability is a CRITICAL one. It could permit gaining access to any glibc-based server remotely by exploiting the _gethostbyname_ and _gethostbyaddr_ functions. I don't know if the current stable glibc used on Gentoo is affected, but this CVE is critical enough to make sure the security team has checked it.

The above patch was applied on the development branch after version 2.17 and before version 2.18: »a fix published on 21 May 2013 between versions glibc-2.17 and glibc-2.18« A quick peek at the glibc git repository confirms this. Assuming the above patch was not applied in any Gentoo changesets, this would leave any version <2.18 vulnerable.

Yeah, I saw the version info after I posted this bug. If this is correct then Gentoo is only mildly affected.

2.19-r1 is stable on all archs, so everyone running an up-to-date system should be safe.

Thanks, guys.

The new version with the fix has already been stabilized on all relevant arches. A GLSA request is filed.

While the stable release is fine, Gentoo currently has 14 (!) different glibc versions pre-2.18 that are probably all affected. I assume some of them are there for a reason, however I doubt all of them are. Probably a big cleanup, and then backporting the patch to the rest that are really needed, is required.

I apologize if this is not the place to discuss this. I have proprietary software that has issues on glibc-2.19-r1, so a backport of the patch to 2.17 would be appreciated. I would change/fix the software we rely on, but that's currently not a possibility.

(In reply to Hanno Boeck from comment #0) I found the original source in English: http://www.openwall.com/lists/oss-security/2015/01/27/9

CVE-2015-0235 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0235): Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."
This issue was resolved and addressed in GLSA 201503-04 at http://security.gentoo.org/glsa/glsa-201503-04.xml by GLSA coordinator Kristian Fiskerstrand (K_F).
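Because the thread shows that version numbers alone do not tell you whether a given glibc build carries the fix (Gentoo's stable 2.19-r1 does, while 14 older ebuilds in the tree may not), a runtime check is the more reliable way to audit a host. The canary test below is an added example, not code from this bug report or from Gentoo; it follows the well-known approach of the public GHOST checker: place a marker directly behind the buffer handed to `gethostbyname_r()`, pick a name length at which the pre-2.18 size computation in `__nss_hostname_digits_dots()` (which omits one `char *` for the `h_aliases` pointer) wrongly concludes the result fits, and see whether the marker survives. A fixed glibc refuses the lookup with `ERANGE` before copying anything; an all-digit name never triggers a DNS query on glibc (numeric fast path) or musl (rejected as longer than `HOST_NAME_MAX`), so the probe runs offline.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

/* Lookup buffer with a known marker placed immediately behind it.  If the
 * miscounted copy in __nss_hostname_digits_dots() writes past the buffer,
 * the marker is the first thing it overwrites. */
struct probe {
    char buffer[1024];
    char canary[sizeof(CANARY)];
};

/* Returns 1 if the libc overwrote the canary (host is affected), 0 if the
 * canary is intact (not affected).  The raw gethostbyname_r() return code is
 * stored in *retval_out so the caller can report why the lookup stopped
 * (ERANGE is the expected refusal from a fixed glibc). */
int ghost_check(int *retval_out)
{
    struct probe temp = { "buffer", CANARY };
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(temp.buffer)];

    /* Name length chosen so that the correct requirement
     * (16-byte address storage + two h_addr_list pointers + one h_aliases
     * pointer + name + NUL) exceeds the buffer by exactly sizeof(char *),
     * while the pre-2.18 computation, which forgets the h_aliases pointer,
     * believes the result fits. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    memset(name, '0', len);
    name[len] = '\0';

    int retval = gethostbyname_r(name, &resbuf, temp.buffer,
                                 sizeof(temp.buffer), &result, &herrno);
    if (retval_out)
        *retval_out = retval;

    /* Any change to the marker means the libc wrote beyond the buffer. */
    return strcmp(temp.canary, CANARY) != 0;
}

int main(void)
{
    int retval = 0;
    int affected = ghost_check(&retval);

    if (affected)
        puts("vulnerable: gethostbyname_r() overran its buffer");
    else if (retval == ERANGE)
        puts("not vulnerable: lookup refused with ERANGE");
    else
        puts("not vulnerable: canary intact");
    return affected;
}
```

Compile with `cc -Wall ghost_check.c -o ghost_check` and run it on each host; the exit status is 1 only when the overrun is observed, which makes it easy to wire into a fleet-wide audit. Note that the test only exercises the `gethostbyname_r()` path in the libc the binary links against, so statically linked programs, containers with their own libc, and chroots must be probed separately.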