[dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow

Florian Weimer fw at deneb.enyo.de
Thu Feb 18 06:35:01 UTC 2016

* Robert Edmonds:

> Florian Weimer wrote:
>> I'm happy to answer technical questions and clarify our analysis.
> getaddrinfo() has been blamed a lot (e.g. VU#457759: "The getaddrinfo()
> function allows a buffer overflow condition in which arbitrary code may
> be executed"), but is it correct that the vulnerable code was actually
> in glibc's libresolv and not the "front end" getaddrinfo() code?

The libresolv public interface does not support dual A/AAAA queries
and therefore does not expose the vulnerability.  The libresolv
vulnerability materializes only if called through a special internal
function which is exported for use by nss_dns, for the implementation
of getaddrinfo.

> That is, the vulnerable version of glibc could be safely used with
> an alternative 'hosts' NSS module, because the vulnerable code would
> never be reached? (Not that I am proposing this as a workaround.)

Yes, removing “dns” from /etc/nsswitch.conf mitigates the
vulnerability. It is rarely an option, though.

This is different from CVE-2015-0235, where the vulnerability was not
in the NSS service module, but the code libc.so.6 which is in front of

More information about the dns-operations mailing list