* CVE request: musl libc 1.1.16 and earlier dns buffer overflow
@ 2017-10-19 20:17 Rich Felker
2017-10-20 1:25 ` [oss-security] " Rich Felker
0 siblings, 1 reply; 2+ messages in thread
From: Rich Felker @ 2017-10-19 20:17 UTC (permalink / raw)
To: oss-security; +Cc: Felix Wilhelm, musl
Felix Wilhelm has discovered a flaw in the dns response parsing for
musl libc 1.1.16 that leads to overflow of a stack-based buffer.
Earlier versions are also affected.
When an application makes a request via getaddrinfo for both IPv4 and
IPv6 results (AF_UNSPEC), an attacker who controls or can spoof the
nameservers configured in resolv.conf can reply to both the A and AAAA
queries with A results. Since A records are smaller than AAAA records,
it's possible to fit more addresses than the precomputed bound, and a
buffer overflow occurs.
Users are advised to upgrade to 1.1.17 or patch; the patch is simple
and should apply cleanly to all recent versions:
https://git.musl-libc.org/cgit/musl/patch/?id=45ca5d3fcb6f874bf5ba55d0e9651cef68515395
Users who cannot patch or upgrade immediately can mitigate the issue
by running a caching nameserver on localhost and pointing resolv.conf
to 127.0.0.1.
Rich
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [oss-security] CVE request: musl libc 1.1.16 and earlier dns buffer overflow
2017-10-19 20:17 CVE request: musl libc 1.1.16 and earlier dns buffer overflow Rich Felker
@ 2017-10-20 1:25 ` Rich Felker
0 siblings, 0 replies; 2+ messages in thread
From: Rich Felker @ 2017-10-20 1:25 UTC (permalink / raw)
To: oss-security; +Cc: Felix Wilhelm, musl
On Thu, Oct 19, 2017 at 04:17:57PM -0400, Rich Felker wrote:
> Felix Wilhelm has discovered a flaw in the dns response parsing for
> musl libc 1.1.16 that leads to overflow of a stack-based buffer.
> Earlier versions are also affected.
>
> When an application makes a request via getaddrinfo for both IPv4 and
> IPv6 results (AF_UNSPEC), an attacker who controls or can spoof the
> nameservers configured in resolv.conf can reply to both the A and AAAA
> queries with A results. Since A records are smaller than AAAA records,
> it's possible to fit more addresses than the precomputed bound, and a
> buffer overflow occurs.
>
> Users are advised to upgrade to 1.1.17 or patch; the patch is simple
> and should apply cleanly to all recent versions:
>
> https://git.musl-libc.org/cgit/musl/patch/?id=45ca5d3fcb6f874bf5ba55d0e9651cef68515395
>
> Users who cannot patch or upgrade immediately can mitigate the issue
> by running a caching nameserver on localhost and pointing resolv.conf
> to 127.0.0.1.
CVE-2017-15650 has been assigned for this issue.
Rich
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2017-10-20 1:25 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-10-19 20:17 CVE request: musl libc 1.1.16 and earlier dns buffer overflow Rich Felker
2017-10-20 1:25 ` [oss-security] " Rich Felker
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).