Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 537990 (CVE-2015-0235) - <sys-libs/glibc-2.19-r1: heap overflow in gethostbyname() (CVE-2015-0235)
Summary: <sys-libs/glibc-2.19-r1: heap overflow in gethostbyname() (CVE-2015-0235)
Alias: CVE-2015-0235
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal with 1 vote (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa cleanup]
Depends on:
Reported: 2015-01-27 15:58 UTC by Hanno Böck
Modified: 2015-03-08 14:54 UTC (History)
13 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2015-01-27 15:58:12 UTC
The original source is in french, which I don't understand, so I have a hard time estimating how serious this is:

Here's redhat:

And here's upstream's patch:;a=commit;h=d5dd6189d506068ed11c8bfa1e1e9bffde04decd
Comment 1 Zentoo 2015-01-27 16:32:02 UTC
This vulnrability is a CRITICAL one.

It could permits to gain access to any glibc based server remotely by exploiting _gethostbyname et gethostbyaddr_ function.

I don't know if the current stable glibc used on gentoo is affected but this CVE is enough critical to be sure the security team have checked it.
Comment 2 Matthias Maier gentoo-dev 2015-01-27 16:34:15 UTC
Above patch was applied on the development branch after version 2.17 and before version 2.18:

  »un correctif publié le 21 mai 2013 entre les versions glibc-2.17 et glibc-2.18«

A quick peek at the glibc git repository confirms this. Assuming above patch was not applied in any gentoo changesets this would leave any version <2.18 vulnerable.
Comment 3 Hanno Böck gentoo-dev 2015-01-27 16:37:33 UTC
yeah, I saw the version info after I posted this bug. If this is correct then Gentoo is only mildly affected. 2.19-r1 is stable on all archs, so everyone running an up-to-date system should be safe.
Comment 4 Sergey Popov gentoo-dev 2015-01-27 20:06:31 UTC
Thanks, guys.

New version with fix has been already stabilized on all relevant arches.

GLSA request is filed
Comment 5 Hanno Böck gentoo-dev 2015-01-27 21:35:21 UTC
While the stable release is fine, Gentoo currently has 14 (!) different glibc versions pre 2.18 that are probably all affected.

I assume some of them are there for a reason, however I doubt all of them. Probably a big cleanup and then backporting the patch to the rest that are really needed is required.
Comment 6 Adam Randall 2015-01-27 23:07:28 UTC
I apologize if this is not the place to discuss this. I have proprietary software that has issues on glibc-2.19-r1, so a backport of the patch to 2.17 would be appreciated. I would change/fix the software we rely on, but that's currently not a possibility.
Comment 7 Florian Steinel 2015-01-28 01:49:12 UTC
(In reply to Hanno Boeck from comment #0)
I found original source in english:
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2015-02-13 09:42:16 UTC
CVE-2015-0235 (
  Heap-based buffer overflow in the __nss_hostname_digits_dots function in
  glibc 2.2, and other 2.x versions before 2.18, allows context-dependent
  attackers to execute arbitrary code via vectors related to the (1)
  gethostbyname or (2) gethostbyname2 function, aka "GHOST."
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2015-03-08 14:54:55 UTC
This issue was resolved and addressed in
 GLSA 201503-04 at
by GLSA coordinator Kristian Fiskerstrand (K_F).