From: Рысь <lynx@sibserver.ru>
To: musl@lists.openwall.com
Subject: Re: Security advisory for musl libc - stack-based buffer overflow in ipv6 literal parsing [CVE-2015-1817]
Date: Mon, 30 Mar 2015 12:18:48 +0700
Message-ID: <20150330121848.2248ee3e@r2lynx>
In-Reply-To: <20150330044153.GK6817@brightrain.aerifal.cx>
On Mon, 30 Mar 2015 00:41:53 -0400
Rich Felker <dalias@libc.org> wrote:
> On Mon, Mar 30, 2015 at 11:33:37AM +0700, Рысь wrote:
> > On Mon, 30 Mar 2015 00:01:25 -0400
> > Rich Felker <dalias@libc.org> wrote:
> >
> > > A stack-based buffer overflow has been found in musl libc's ipv6
> > > address literal parsing code. Programs which call the inet_pton or
> > > getaddrinfo function with AF_INET6 or AF_UNSPEC and untrusted
> > > address strings are affected. Successful exploitation yields
> > > control of the return address. Having enabled stack protector at
> > > the application level does not mitigate the issue. All users
> > > should patch or upgrade.
> > >
> > > Software: musl libc (http://www.musl-libc.org)
> > >
> > > Severity: high
> > >
> > > Affected Versions: 0.9.15 - 1.0.4, 1.1.0 - 1.1.7.
> > >
> > > Bug introduced in commit: 78f889153167452de4cbced921f6428b3d4f663a
> > >
> > > Bug fixed in commit: fc13acc3dcb5b1f215c007f583a63551f6a71363
> > >
> > > Patch: musl_dn_expand_overflow_fix.diff (attached) (fix+hardening)
> >
> > How much does it affect readonly embedded systems as well? Is an
> > almost-latest dropbear listening on a public ssh port actually vulnerable?
>
> I don't think so, but I haven't done analysis of specific software.
> Busybox is affected if it's installed setuid and ping is enabled (a
> configuration I strongly recommend not using since they don't handle
> setuid securely in general) but that's limited to local attacks. I
> don't think there's any way you can make dropbear (server) attempt to
> parse ip literal strings remotely, but verifying this would take some
> checking of the source.
>
> Rich
Well, thanks for your efforts to design musl such that it can be swapped
atomically at runtime without rebooting the machines! I have already
upgraded it and the critical daemons on my servers, and everything works nicely :-)
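As an added example (not from this thread and not musl code), here is a conservative application-side sanity check that an untrusted string is a well-formed IPv6 literal before it is handed to inet_pton or getaddrinfo with AF_INET6: it caps the total length and the number of hextet groups, which is the input class the advisory names. Function names are assumed; this is defence in depth for a program that cannot yet pick up the patched libc, not a replacement for the fix.

```c
#include <ctype.h>
#include <string.h>
/* Assumed helper (not musl code): dotted-quad IPv4 tail, 1-3 digits per octet, each <= 255. */
static int ipv4_tail_ok(const char *p)
{
    int octets = 0;
    for (;;) {
        int v = 0, len = 0;
        while (isdigit((unsigned char)*p) && len < 3) { v = v * 10 + (*p++ - '0'); len++; }
        if (len == 0 || v > 255) return 0;
        octets++;
        if (*p == '\0') return octets == 4;
        if (*p++ != '.') return 0;
    }
}

/* Returns 1 if s is a well-formed IPv6 literal: at most 45 characters, 1-4 hex
 * digits per group, at most one "::", and exactly 8 groups without "::" or at
 * most 7 with it (an IPv4 tail counts as 2 groups). Zone suffixes such as
 * "%eth0" are rejected; inet_pton does not accept them either. */
int ipv6_literal_ok(const char *s)
{
    int groups = 0, dcolon = 0, i = 0, len;
    size_t n = strlen(s);
    if (n == 0 || n > 45) return 0;
    if (s[0] == ':') {                          /* leading "::" */
        if (s[1] != ':') return 0;
        dcolon = 1; i = 2;
        if (s[i] == '\0') return 1;             /* "::" alone, the unspecified address */
    }
    while (s[i]) {
        if (strchr(s + i, '.') && !strchr(s + i, ':')) {   /* last group is an IPv4 tail */
            if (!ipv4_tail_ok(s + i)) return 0;
            groups += 2;
            break;
        }
        for (len = 0; isxdigit((unsigned char)s[i + len]); len++) ;
        if (len == 0 || len > 4) return 0;
        groups++;
        i += len;
        if (s[i] == '\0') break;
        if (s[i] != ':') return 0;
        if (s[++i] == ':') {                    /* "::" in the middle or at the end */
            if (dcolon++) return 0;             /* a second "::" is malformed */
            i++;
        } else if (s[i] == '\0') return 0;      /* trailing single ':' */
    }
    return dcolon ? groups <= 7 : groups == 8;
}
```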