
Security Innovation's Microsoft/Linux web server security study

Posted Mar 23, 2005 15:55 UTC (Wed) by tzafrir (subscriber, #11501)
In reply to: Security Innovation's Microsoft/Linux web server security study by ballombe
Parent article: Security Innovation's Microsoft/Linux web server security study

Have a look at the original bug:

http://bugs.mysql.com/bug.php?id=4017

The original report was unreproducible from 4-jun-2004 to 16-jun-2004. Then a discussion started. A quote from it:

[17 Jun 2004 2:20am] Lukasz Wojtow

Everything depends on the library you use. In glibc there is a limitation for an IP address to have only 4 bytes (obviously), but generally speaking the length of the address comes with the response to a DNS query (I know it sounds funny, but read RFC 1035 if you don't believe me). This bug can occur on libraries where the gethostbyname function takes the length from the DNS response and puts it in h_length. See the sources for ping and squid (just grep for 'gethostbyname' and look a few lines lower) to see how it should be done. Doing things like memcpy(&sa.sin_addr,he->h_addr,he->h_length) is like strncpy(buffer,user_input,strlen(user_input)). It is an overflow, just not exploitable on Linux (glibc) and OpenBSD (I don't know about others).

Lukasz Wojtow

So theoretically RHEL was vulnerable. Practically it wasn't. Still it is worth fixing because who knows what other paths may lead there. No reason for rushing out an emergency fix for this one.
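As an added illustration (not part of tzafrir's comment, the quoted bug report, or MySQL's own code), the pattern Lukasz Wojtow describes beside a checked version. The copy in fill_sin_addr_unchecked trusts h_length; the checked variant treats the destination size as the only authority, which is what makes it safe regardless of which resolver library filled in the hostent. The function names and the hand-built hostent values are assumptions made for this example; no DNS lookup is performed.

```c
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Vulnerable pattern quoted in the bug discussion: the number of bytes copied
 * into the fixed-size sin_addr is taken from h_length, which on some libcs
 * comes straight from the DNS response. (h_addr is glibc's alias for
 * h_addr_list[0].) */
void fill_sin_addr_unchecked(const struct hostent *he, struct sockaddr_in *sa)
{
    memcpy(&sa->sin_addr, he->h_addr_list[0], he->h_length);
}

/* Hardened form: sin_addr is exactly sizeof(struct in_addr) bytes, so the
 * address family and length are validated before anything is copied, and the
 * copy length is the destination size rather than a resolver-supplied value.
 * Returns 0 on success, -1 if the hostent does not hold a 4-byte IPv4 address. */
int fill_sin_addr_checked(const struct hostent *he, struct sockaddr_in *sa)
{
    if (he == NULL || he->h_addr_list == NULL || he->h_addr_list[0] == NULL)
        return -1;
    if (he->h_addrtype != AF_INET)
        return -1;
    if (he->h_length != (int)sizeof(struct in_addr))
        return -1;
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    memcpy(&sa->sin_addr, he->h_addr_list[0], sizeof(struct in_addr));
    return 0;
}

/* Fill a hostent by hand (constructed data, no DNS lookup) so the checks can
 * be exercised offline with whatever h_length a resolver might report. */
void make_hostent(struct hostent *he, char **addr_list, char *addr,
                  int addrtype, int length)
{
    memset(he, 0, sizeof *he);
    addr_list[0] = addr;
    addr_list[1] = NULL;
    he->h_name = (char *)"example.invalid";   /* placeholder name */
    he->h_addrtype = addrtype;
    he->h_length = length;
    he->h_addr_list = addr_list;
}

/* Returns 1 if a well-formed 4-byte answer is accepted and copied correctly
 * (by both variants) while answers claiming a 16-byte address or the wrong
 * family are rejected by the checked variant, 0 otherwise. */
int demo_h_length_check(void)
{
    char good[4] = { (char)192, 0, 2, 1 };  /* 192.0.2.1, TEST-NET-1 (constructed) */
    char oversized[16];                     /* what an h_length of 16 would point at */
    char *list_good[2], *list_big[2], *list_v6[2];
    struct hostent he_good, he_big, he_v6;
    struct sockaddr_in sa;

    memset(oversized, 0x41, sizeof oversized);
    make_hostent(&he_good, list_good, good, AF_INET, 4);
    make_hostent(&he_big, list_big, oversized, AF_INET, 16);   /* bogus length */
    make_hostent(&he_v6, list_v6, oversized, AF_INET6, 16);    /* wrong family */

    /* Both variants behave identically on a benign 4-byte answer. */
    memset(&sa, 0, sizeof sa);
    fill_sin_addr_unchecked(&he_good, &sa);
    if (memcmp(&sa.sin_addr, good, sizeof good) != 0)
        return 0;
    if (fill_sin_addr_checked(&he_good, &sa) != 0)
        return 0;
    if (memcmp(&sa.sin_addr, good, sizeof good) != 0)
        return 0;

    /* Only the checked variant is safe to call with the hostile-looking data;
     * the unchecked one would write 16 bytes into a 4-byte field. */
    if (fill_sin_addr_checked(&he_big, &sa) != -1)
        return 0;
    if (fill_sin_addr_checked(&he_v6, &sa) != -1)
        return 0;
    return 1;
}

int main(void)
{
    return demo_h_length_check() ? 0 : 1;
}
```

The check on h_addrtype matters as much as the one on h_length: a resolver configured to return AF_INET6 results reports an h_length of 16 legitimately, and code that only compares lengths against a single constant still needs to know which family it is looking at.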



Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds