Re: Qualys Security Advisory CVE-2015-0235 - GHOST: glibc gethostbyname buffer overflow
[Posted January 28, 2015 by jake]
From: Stephane Chazelas <stephane.chazelas-Re5JQEeQqe8AvxtiuMwx3w-AT-public.gmane.org>
To: oss-security-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8-AT-public.gmane.org
Subject: Re: Qualys Security Advisory CVE-2015-0235 - GHOST: glibc gethostbyname buffer overflow
Date: Wed, 28 Jan 2015 10:42:52 +0000
Message-ID: <20150128104252.GA5404@chaz.gmail.com>
2015-01-27 11:54:10 -0800, Michal Zalewski:
> > apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql,
> > nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd,
> > pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers,
> > vsftpd, xinetd.
>
> Cool, thanks!
[...]
What about clients? AFAICT from the output of:
    sudo stap -e 'probe
      process("/lib/x86_64-linux-gnu/libc.so.6").function("__gethostbyname_r"),
      process("/lib/x86_64-linux-gnu/libc.so.6").function("gethostbyname"),
      process("/lib/x86_64-linux-gnu/libc.so.6").function("gethostbyname2"),
      process("/lib/x86_64-linux-gnu/libc.so.6").function("__gethostbyname2_r"),
      process("/lib/x86_64-linux-gnu/libc.so.6").function("__new_gethostbyname2_r")
      { printf("[%s][%d]->%s(%s)\n", execname(), pid(), pp(), $name$)}'
All of google-chrome, firefox, thunderbird call at least one of
those with network-supplied data.
Things like spam filters and antivirus are likely at risk
(thinking of network IDSes and other spam filtering/proxy appliances).
DHCP clients? Fancy wireless auth?
Cheers,
Stephane
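
Added example, not part of the original message: a Python summarizer for the `[execname][pid]->pp(name)` lines printed by the probe above, grouping resolver calls per executable so the affected clients can be inventoried. It also flags names made only of digits and dots, because the overflow in the Qualys advisory sits in glibc's `__nss_hostname_digits_dots()`. The sample lines are constructed, and the exact text of `pp()` and `$name$` is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of the probe's output. Assumptions: pp() prints the
# probe point with an optional "@file:line" suffix, and $name$ prints the
# char* argument as a double-quoted string.
SAMPLE = r'''
[firefox][4121]->process("/lib/x86_64-linux-gnu/libc.so.6").function("gethostbyname@x.c:1")("www.example.org")
[thunderbird][4307]->process("/lib/x86_64-linux-gnu/libc.so.6").function("__gethostbyname_r")("mail.example.org")
[firefox][4121]->process("/lib/x86_64-linux-gnu/libc.so.6").function("gethostbyname2@x.c:1")("192.0.2.10")
stap: a line that is not probe output
[chrome][5002]->process("/lib/x86_64-linux-gnu/libc.so.6").function("gethostbyname@x.c:1")("192.0.2.10")
'''

LINE = re.compile(r'^\[([^\]]+)\]\[(\d+)\]->(.*)\((.*)\)$')  # [exec][pid]->pp(name)
FUNC = re.compile(r'function\("([^"@]+)')                    # symbol inside pp()
DIGITS_DOTS = re.compile(r'^[0-9.]+$')                       # address-literal shaped

def parse(line):
    """Return (execname, pid, function, hostname) or None for other lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    exe, pid, pp, name = m.groups()
    func = FUNC.search(pp)
    if not func:
        return None
    return exe, int(pid), func.group(1), name.strip('"')

def summarize(text):
    """Group resolver calls by executable for a patch-priority inventory."""
    report = defaultdict(lambda: {"pids": set(), "funcs": set(),
                                  "names": set(), "numeric": set(), "max_len": 0})
    for rec in filter(None, map(parse, text.splitlines())):
        exe, pid, func, name = rec
        entry = report[exe]
        entry["pids"].add(pid)
        entry["funcs"].add(func)
        entry["names"].add(name)
        entry["max_len"] = max(entry["max_len"], len(name))
        if DIGITS_DOTS.match(name):
            entry["numeric"].add(name)   # handled by the digits-and-dots path
    return dict(report)

if __name__ == "__main__":
    for exe, e in sorted(summarize(SAMPLE).items()):
        print(exe, sorted(e["funcs"]), "numeric:", sorted(e["numeric"]), "max_len:", e["max_len"])
```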