CVE-2015-7547: getaddrinfo() stack-based buffer overflow

Florian Weimer fw at deneb.enyo.de
Wed Feb 17 19:11:31 UTC 2016


* Alan Clegg:

> While I agree that the "major distributions" (and even the minor ones) are
> getting patches out, I'd like to point out something that Alan Cox posted
> over on G+:
>
> "You can upgrade all your servers but if that little cheapo plastic box on
> your network somewhere has a vulnerable post 2008 glibc and ever does DNS
> lookups chances are it's the equivalent of a trapdoor into your network."
>
> https://plus.google.com/+AlanClegg/posts/R1UkJjHMMB6

glibc is usually considered way too bloated for use in embedded devices.
I'm sure there are some uses in this space, but glibc is probably not
a relevant player in this field.

That being said, there are apparently supported glibc ports to
Android, specifically for running mostly unported GNU/Linux
applications on top of Android devices (applications which do not work
with Android's native Bionic libc, which is not affected by this
issue).


More information about the bind-users mailing list