Bug 537990 (CVE-2015-0235) - <sys-libs/glibc-2.19-r1: heap overflow in gethostbyname() (CVE-2015-0235)
Status: RESOLVED FIXED
Alias: CVE-2015-0235
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal, 1 vote
Assignee: Gentoo Security
Whiteboard: A2 [glsa cleanup]
Reported: 2015-01-27 15:58 UTC by Hanno Böck
Modified: 2015-03-08 14:54 UTC
Description Hanno Böck gentoo-dev 2015-01-27 15:58:12 UTC
The original source is in french, which I don't understand, so I have a hard time estimating how serious this is:
http://www.frsag.org/pipermail/frsag/2015-January/005722.html

Here's redhat:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235

And here's upstream's patch:
https://sourceware.org/git/?p=glibc.git;a=commit;h=d5dd6189d506068ed11c8bfa1e1e9bffde04decd
Comment 1 Zentoo 2015-01-27 16:32:02 UTC
This vulnerability is a CRITICAL one.

It could permit gaining remote access to any glibc-based server by exploiting the _gethostbyname_ and _gethostbyaddr_ functions.

I don't know if the current stable glibc used on Gentoo is affected, but this CVE is critical enough to make sure the security team has checked it.
Comment 2 Matthias Maier gentoo-dev 2015-01-27 16:34:15 UTC
The above patch was applied on the development branch after version 2.17 and before version 2.18:

  »a fix published on 21 May 2013 between versions glibc-2.17 and glibc-2.18«

A quick peek at the glibc git repository confirms this. Assuming the above patch was not applied in any Gentoo changesets, this would leave any version <2.18 vulnerable.
Comment 3 Hanno Böck gentoo-dev 2015-01-27 16:37:33 UTC
yeah, I saw the version info after I posted this bug. If this is correct then Gentoo is only mildly affected. 2.19-r1 is stable on all archs, so everyone running an up-to-date system should be safe.
Comment 4 Sergey Popov gentoo-dev 2015-01-27 20:06:31 UTC
Thanks, guys.

The new version with the fix has already been stabilized on all relevant arches.

GLSA request is filed
Comment 5 Hanno Böck gentoo-dev 2015-01-27 21:35:21 UTC
While the stable release is fine, Gentoo currently has 14 (!) different glibc versions pre 2.18 that are probably all affected.

I assume some of them are there for a reason, however I doubt all of them. Probably a big cleanup and then backporting the patch to the rest that are really needed is required.
Comment 6 Adam Randall 2015-01-27 23:07:28 UTC
I apologize if this is not the place to discuss this. I have proprietary software that has issues on glibc-2.19-r1, so a backport of the patch to 2.17 would be appreciated. I would change/fix the software we rely on, but that's currently not a possibility.
Comment 7 Florian Steinel 2015-01-28 01:49:12 UTC
(In reply to Hanno Boeck from comment #0)
I found original source in english:
http://www.openwall.com/lists/oss-security/2015/01/27/9
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2015-02-13 09:42:16 UTC
CVE-2015-0235 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0235):
  Heap-based buffer overflow in the __nss_hostname_digits_dots function in
  glibc 2.2, and other 2.x versions before 2.18, allows context-dependent
  attackers to execute arbitrary code via vectors related to the (1)
  gethostbyname or (2) gethostbyname2 function, aka "GHOST."
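Added example (it is not part of this bug report and is not glibc code): a canary-based probe for the overflow described in the NVD entry above, written in the style of the widely circulated GHOST test program. It exercises the exact condition the CVE text names: an all-digit hostname handed to gethostbyname_r() with a buffer that the vulnerable __nss_hostname_digits_dots() miscounts by one char* because it omitted sizeof(*h_alias_ptr) from size_needed (the upstream commit linked in comment 0 adds that term). The names probe, CANARY, ghost_check and the enum values are this example's own; it needs no network, since an all-digit name of leading zeros is handled as an IPv4 literal.

```c
/* Added example, not from the bug report or from glibc.  Probe for
 * CVE-2015-0235 (GHOST): the canary after the buffer is clobbered if the
 * libc still has the undersized size_needed computation. */
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"          /* example's own sentinel value */

enum ghost_result { GHOST_FIXED = 0, GHOST_VULNERABLE = 1, GHOST_INDETERMINATE = 2 };

/* The caller-supplied buffer is immediately followed by a canary.  The
 * vulnerable __nss_hostname_digits_dots() sized the buffer as
 *   sizeof(host_addr) + sizeof(h_addr_ptrs) + strlen(name) + 1
 * but laid out one extra char* (h_alias_ptr) in front of the hostname copy,
 * so strcpy(hostname, name) ran sizeof(char *) bytes past the end. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} probe = { "buffer", CANARY };

enum ghost_result ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(probe.buffer)];

    /* Choose strlen(name) so that the vulnerable size_needed equals the buffer
     * size exactly: 16 bytes for the address slot (host_addr_t is
     * unsigned char[16]), two char* for the address list, plus the NUL. */
    size_t len = sizeof(probe.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;

    /* inet_aton() accepts a run of leading zeros of any length, which is what
     * makes the all-digit path, and therefore the strcpy, reachable. */
    memset(name, '0', len);
    name[len] = '\0';
    memcpy(probe.canary, CANARY, sizeof(CANARY));   /* reset for repeat calls */

    int retval = gethostbyname_r(name, &resbuf, probe.buffer,
                                 sizeof(probe.buffer), &result, &herrno);

    if (strcmp(probe.canary, CANARY) != 0)
        return GHOST_VULNERABLE;      /* canary clobbered: the overflow happened */
    if (retval == ERANGE)
        return GHOST_FIXED;           /* fixed glibc rejects the undersized buffer */
    return GHOST_INDETERMINATE;       /* another libc, or a different code path */
}

int main(void)
{
    static const char *verdict[] = { "not vulnerable", "VULNERABLE", "indeterminate" };
    enum ghost_result r = ghost_check();
    printf("CVE-2015-0235 (GHOST) check: %s\n", verdict[r]);
    return r == GHOST_VULNERABLE;
}
```

Build with `gcc -o ghost ghost.c` and run it on the host in question. The probe tests the glibc the binary actually loads at run time, which is what matters for a running service: a fixed glibc (2.18 or later, Gentoo's 2.19-r1, or an older ebuild with the upstream patch backported) returns ERANGE and reports "not vulnerable", while an unpatched <2.18 build overwrites the canary. A third outcome is reported rather than guessed at, because a non-glibc libc may simply resolve the literal in place.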
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2015-03-08 14:54:55 UTC
This issue was resolved and addressed in
 GLSA 201503-04 at http://security.gentoo.org/glsa/glsa-201503-04.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).