[dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow

Marek Vavruša marek at vavrusa.com
Wed Feb 17 11:16:16 UTC 2016


On 17 February 2016 at 09:24, Florian Weimer <fw at deneb.enyo.de> wrote:
> * Stephane Bortzmeyer:
>
>> On Tue, Feb 16, 2016 at 03:49:18PM +0000,
>>  Tony Finch <dot at dotat.at> wrote
>>  a message of 41 lines which said:
>>
>>> Technical analysis and patch:
>>>
>>>  https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html
>>
>> And a lot of stupid advice (limiting answers to 512 bytes in the
>> firewall),
>
> Which is fine for a default configuration because the glibc stub
> resolver does not enable EDNS0, so a compliant recursor will not send
> larger responses anyway.

It may over TCP though.

>> disabling IPv6 and/or DNSSEC in applications, etc.
>
> Disabling IPv6 does not actually work as a mitigation, and neither
> does filtering AAAA responses.
>
> But it's certainly true there aren't any good network-side mitigation
> options.

A scrubbing resolver/recursor is a good start to tackle this if you're
behind a personal/organization resolver.
Encouraging cropping answers network-side is going to cripple DNS even
more than it is today.

Marek
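
Added example, not part of the original message or of glibc: the size rule discussed in this thread, showing that a query without an EDNS0 OPT record limits a compliant server to 512 bytes over UDP while TCP carries no such limit. The function names and the sample queries are hypothetical and constructed for illustration.

```python
import struct

CLASSIC_UDP_LIMIT = 512  # RFC 1035 ceiling for UDP responses when no EDNS0 is offered
OPT_RRTYPE = 41          # EDNS0 OPT pseudo-RR (RFC 6891)

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:                  # root label terminates the name
            return off + 1
        if (length & 0xC0) == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def advertised_udp_size(query):
    """UDP payload size the query allows: the OPT CLASS field, else 512."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", query, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rrtype, rrclass, _ttl, rdlen = struct.unpack_from("!HHIH", query, off)
        if rrtype == OPT_RRTYPE:
            return max(rrclass, CLASSIC_UDP_LIMIT)  # values below 512 count as 512
        off += 10 + rdlen
    return CLASSIC_UDP_LIMIT

def response_within_limit(query, response_len, transport):
    """True if a compliant server may send response_len bytes for this query."""
    if transport == "tcp":
        return response_len <= 0xFFFF    # bounded only by the 2-byte length prefix
    return response_len <= advertised_udp_size(query)

def build_query(name, qtype, edns_size=None):
    """Constructed sample query; edns_size=None mimics a stub without EDNS0."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    msg += qname + struct.pack("!HH", qtype, 1)
    if edns_size:
        msg += b"\x00" + struct.pack("!HHIH", OPT_RRTYPE, edns_size, 0, 0)
    return msg
```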
