From mboxrd@z Thu Jan 1 00:00:00 1970 X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/7292 Path: news.gmane.org!not-for-mail From: =?UTF-8?B?0KDRi9GB0Yw=?= Newsgroups: gmane.linux.lib.musl.general Subject: Re: Security advisory for musl libc - stack-based buffer overflow in ipv6 literal parsing [CVE-2015-1817] Date: Mon, 30 Mar 2015 12:18:48 +0700 Message-ID: <20150330121848.2248ee3e@r2lynx> References: <20150330040125.GA9622@brightrain.aerifal.cx> <20150330113337.430f2b0c@r2lynx> <20150330044153.GK6817@brightrain.aerifal.cx> Reply-To: musl@lists.openwall.com NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Trace: ger.gmane.org 1427692804 20221 80.91.229.3 (30 Mar 2015 05:20:04 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Mon, 30 Mar 2015 05:20:04 +0000 (UTC) To: musl@lists.openwall.com Original-X-From: musl-return-7305-gllmg-musl=m.gmane.org@lists.openwall.com Mon Mar 30 07:20:00 2015 Return-path: Envelope-to: gllmg-musl@m.gmane.org Original-Received: from mother.openwall.net ([195.42.179.200]) by plane.gmane.org with smtp (Exim 4.69) (envelope-from ) id 1YcS7D-00079H-VG for gllmg-musl@m.gmane.org; Mon, 30 Mar 2015 07:20:00 +0200 Original-Received: (qmail 25956 invoked by uid 550); 30 Mar 2015 05:19:58 -0000 Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: Original-Received: (qmail 25938 invoked from network); 30 Mar 2015 05:19:58 -0000 X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,NO_RECEIVED, NO_RELAYS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 In-Reply-To: <20150330044153.GK6817@brightrain.aerifal.cx> X-Mailer: claws_mail Xref: news.gmane.org gmane.linux.lib.musl.general:7292 Archived-At: On Mon, 30 Mar 2015 00:41:53 -0400 Rich Felker wrote: > On Mon, Mar 30, 2015 at 11:33:37AM +0700, =D0=A0=D1=8B=D1=81=D1=8C wrote: > > On Mon, 30 Mar 2015 00:01:25 -0400 > > Rich Felker wrote: > >=20 > > > A stack-based buffer overflow has been found in musl libc's ipv6 > > > address literal parsing code. Programs which call the inet_pton or > > > getaddrinfo function with AF_INET6 or AF_UNSPEC and untrusted > > > address strings are affected. Successful exploitation yields > > > control of the return address. Having enabled stack protector at > > > the application level does not mitigate the issue. All users > > > should patch or upgrade. > > >=20 > > > Software: musl libc (http://www.musl-libc.org) > > >=20 > > > Severity: high > > >=20 > > > Affected Versions: 0.9.15 - 1.0.4, 1.1.0 - 1.1.7. > > >=20 > > > Bug introduced in commit: 78f889153167452de4cbced921f6428b3d4f663a > > >=20 > > > Bug fixed in commit: fc13acc3dcb5b1f215c007f583a63551f6a71363 > > >=20 > > > Patch: musl_dn_expand_overflow_fix.diff (attached) (fix+hardening) > >=20 > > How much it affects readonly embedded systems as well? Does almost > > latest dropbear listening ssh port publicly is actually vulnerable? >=20 > I don't think so, but I haven't done analysis of specific software. > Busybox is affected if it's installed setuid and ping is enabled (a > configuration I strongly recommend not using since they don't handle > setuid securely in general) but that's limited to local attacks. I > don't think there's any way you can make dropbear (server) attempt to > parse ip literal strings remotely, but verifying this would take some > checking of the source. >=20 > Rich Well thanks for your efforts to design musl such as it can be swapped atomically at runtime without rebooting the machines! I already upgraded it and critical daemons on my servers and all works nice :-)