[dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow
Florian Weimer
fw at deneb.enyo.de
Thu Feb 18 06:35:01 UTC 2016
* Robert Edmonds:
> Florian Weimer wrote:
>> I'm happy to answer technical questions and clarify our analysis.
>
> getaddrinfo() has been blamed a lot (e.g. VU#457759: "The getaddrinfo()
> function allows a buffer overflow condition in which arbitrary code may
> be executed"), but is it correct that the vulnerable code was actually
> in glibc's libresolv and not the "front end" getaddrinfo() code?
The libresolv public interface does not support dual A/AAAA queries
and therefore does not expose the vulnerability. The libresolv
vulnerability materializes only if called through a special internal
function which is exported for use by nss_dns, for the implementation
of getaddrinfo.
> That is, the vulnerable version of glibc could be safely used with
> an alternative 'hosts' NSS module, because the vulnerable code would
> never be reached? (Not that I am proposing this as a workaround.)
Yes, removing “dns” from /etc/nsswitch.conf mitigates the
vulnerability. It is rarely an option, though.
This is different from CVE-2015-0235, where the vulnerability was not
in the NSS service module, but in the code in libc.so.6 which is in
front of that.
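A check for the nsswitch.conf mitigation Weimer mentions, as an added example that is not part of the thread: it parses the "hosts:" line and reports whether nss_dns is still reachable. The sample file contents are constructed.

```python
# Added example (not from the mailing-list post): does the hosts database
# in an nsswitch.conf still reach nss_dns, and so the internal libresolv
# path used by getaddrinfo()?  Removing "dns" from the hosts line is the
# mitigation discussed above; it is a config check only and does not
# replace updating glibc.
import re

def hosts_sources(nsswitch_text):
    """Return the NSS sources listed on the 'hosts:' line, in order.

    '#' comments are stripped and bracketed action specifiers such as
    [NOTFOUND=return] are ignored; the first 'hosts:' entry found is used.
    """
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, sep, rest = line.partition(":")
        if sep and db.strip() == "hosts":
            tokens = re.sub(r"\[[^\]]*\]", " ", rest).split()
            return [t.lower() for t in tokens]
    return []

def uses_nss_dns(nsswitch_text):
    """True if lookups for the hosts database can fall through to nss_dns."""
    return "dns" in hosts_sources(nsswitch_text)

# Constructed sample: a typical default hosts line.
DEFAULT_NSSWITCH = "passwd: files\nhosts: files dns [NOTFOUND=return] myhostname\n"
# Constructed sample: the same file with "dns" removed, as in the mitigation.
MITIGATED_NSSWITCH = "passwd: files\nhosts: files myhostname  # dns removed\n"

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_NSSWITCH), ("mitigated", MITIGATED_NSSWITCH)):
        state = "reaches nss_dns" if uses_nss_dns(text) else "no nss_dns"
        print(name, hosts_sources(text), state)
```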