The original source is in French, which I don't understand, so I have a hard time estimating how serious this is: http://www.frsag.org/pipermail/frsag/2015-January/005722.html Here's Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235 And here's upstream's patch: https://sourceware.org/git/?p=glibc.git;a=commit;h=d5dd6189d506068ed11c8bfa1e1e9bffde04decd
This vulnerability is a CRITICAL one. It could permit gaining access to any glibc-based server remotely by exploiting the _gethostbyname and gethostbyaddr_ functions. I don't know if the current stable glibc used on Gentoo is affected, but this CVE is critical enough to be sure the security team has checked it.
The above patch was applied on the development branch after version 2.17 and before version 2.18: »a fix published on 21 May 2013 between versions glibc-2.17 and glibc-2.18«. A quick peek at the glibc git repository confirms this. Assuming the above patch was not applied in any Gentoo changesets, this would leave any version <2.18 vulnerable.
Yeah, I saw the version info after I posted this bug. If this is correct, then Gentoo is only mildly affected. 2.19-r1 is stable on all archs, so everyone running an up-to-date system should be safe.
Thanks, guys. The new version with the fix has already been stabilized on all relevant arches. A GLSA request is filed.
While the stable release is fine, Gentoo currently has 14 (!) different glibc versions pre-2.18 that are probably all affected. I assume some of them are there for a reason; however, I doubt all of them are. Probably a big cleanup, and then backporting the patch to the rest that are really needed, is required.
I apologize if this is not the place to discuss this. I have proprietary software that has issues on glibc-2.19-r1, so a backport of the patch to 2.17 would be appreciated. I would change/fix the software we rely on, but that's currently not a possibility.
(In reply to Hanno Boeck from comment #0) I found the original source in English: http://www.openwall.com/lists/oss-security/2015/01/27/9
CVE-2015-0235 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0235): Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."
This issue was resolved and addressed in GLSA 201503-04 at http://security.gentoo.org/glsa/glsa-201503-04.xml by GLSA coordinator Kristian Fiskerstrand (K_F).