CVE-2017-15650 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15650): musl libc before 1.1.17 has a buffer overflow via crafted DNS replies because dns_parse_callback in network/lookup_name.c does not restrict the number of addresses, and thus an attacker can provide an unexpected number by sending A records in a reply to an AAAA query.
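The missing bound described above, shown as an added example (not musl's code and not part of the original report): a simplified per-record callback that checks table capacity before every write, whatever the record type. The names `addr_table`, `on_record` and `feed_records` and the capacity `MAX_ADDRS` are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define MAX_ADDRS 48   /* assumed capacity of the fixed result table */
#define RR_A      1    /* DNS record type A    (4-byte address)  */
#define RR_AAAA   28   /* DNS record type AAAA (16-byte address) */

struct addr_entry { int family; unsigned char addr[16]; };
struct addr_table { struct addr_entry addrs[MAX_ADDRS]; size_t cnt; };

/* Per-record callback. Returns 0 if the record was stored or skipped,
 * -1 if it was rejected. The capacity check runs first and does not
 * depend on the record type or on which query the reply answers. */
int on_record(struct addr_table *t, int rr, const void *data, size_t len)
{
    if (t->cnt >= MAX_ADDRS) return -1;   /* table full: never write past it */
    switch (rr) {
    case RR_A:
        if (len != 4) return -1;          /* malformed A record */
        t->addrs[t->cnt].family = 4;
        break;
    case RR_AAAA:
        if (len != 16) return -1;         /* malformed AAAA record */
        t->addrs[t->cnt].family = 6;
        break;
    default:
        return 0;                         /* other record types are skipped */
    }
    memset(t->addrs[t->cnt].addr, 0, sizeof t->addrs[t->cnt].addr);
    memcpy(t->addrs[t->cnt].addr, data, len);
    t->cnt++;
    return 0;
}

/* Constructed input: n_a A records followed by n_aaaa AAAA records are
 * passed to the callback; returns how many entries were stored. */
size_t feed_records(size_t n_a, size_t n_aaaa)
{
    static const unsigned char v4[4]  = {192, 0, 2, 1};           /* TEST-NET-1 */
    static const unsigned char v6[16] = {0x20, 0x01, 0x0d, 0xb8}; /* 2001:db8:: */
    struct addr_table t = { .cnt = 0 };
    for (size_t i = 0; i < n_a; i++)    on_record(&t, RR_A, v4, sizeof v4);
    for (size_t i = 0; i < n_aaaa; i++) on_record(&t, RR_AAAA, v6, sizeof v6);
    return t.cnt;
}
```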
@Maintainers please confirm if we are affected, call for stabilization when ready in that case. Thank you
(In reply to Christopher Díaz from comment #1)
> @Maintainers please confirm if we are affected, call for stabilization when
> ready in that case.
>
> Thank you
We are. Since this is a libc I will take care of the stabilization on all arches. I've already stabilized amd64 and x86, and will work on arm and ppc next.
This can be closed now.
1.1.16 is still in the tree and is vulnerable.
(In reply to Aaron Bauman from comment #4)
> 1.1.16 is still in the tree and is vulnerable.
I'll try to get to arm and ppc soon, but it's a lot of work to build the stage3's.
(In reply to Anthony Basile from comment #5)
> (In reply to Aaron Bauman from comment #4)
> > 1.1.16 is still in the tree and is vulnerable.
>
> I'll try to get to arm and ppc soon, but it's a lot of work to build the
> stage3's.
Understandable and thanks!
(In reply to Aaron Bauman from comment #6)
> (In reply to Anthony Basile from comment #5)
> > (In reply to Aaron Bauman from comment #4)
> > > 1.1.16 is still in the tree and is vulnerable.
> >
> > I'll try to get to arm and ppc soon, but it's a lot of work to build the
> > stage3's.
>
> Understandable and thanks!
Okay, all done. Versions < 1.1.18 are all off the tree.