[dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow

Florian Weimer fw at deneb.enyo.de
Tue Feb 23 20:42:52 UTC 2016

* Brian Hartvigsen:

> (For me this is also an issue with the disclosure, we want to protect
> people from being exploited obviously, but the initial posting didn’t
> give a ton of information on what an actual attack could/would look
> like.

We were pretty sure that there was no effective recursor-side
mitigation of unknown attacks, without resorting to
non-protocol-compliant hacks.  This has not changed.

I expect that it will be relatively straightforward to filter concrete
attacks (if they ever happen), with the usual whack-a-mole approach,
as they pass through the DNS hierarchy.  Of course, this does not
apply to exploitation by on-path or blind-spoofing attackers,
bypassing the DNS hierarchy.

More information about the dns-operations mailing list