[dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow

Florian Weimer fw at deneb.enyo.de
Wed Feb 17 09:24:29 UTC 2016

* Stephane Bortzmeyer:

> On Tue, Feb 16, 2016 at 03:49:18PM +0000,
>  Tony Finch <dot at dotat.at> wrote 
>  a message of 41 lines which said:
>> Technical analysis and patch:
>>  https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
> And a lot of stupid advice (limiting answers to 512 bytes in the
> firewall),

Which is fine for a default configuration because the glibc stub
resolver does not enable EDNS0, so a compliant recursor will not send
larger responses anyway.

> disabling IPv6 and/or DNSSEC in applications, etc.

Disabling IPv6 does not actually work as a mitigation, and neither
does filtering AAAA responses.

But it's certainly true there aren't any good network-side mitigation

More information about the dns-operations mailing list