Re: [oss-security] CVE request: musl libc 1.1.16 and earlier dns buffer overflow

mailing list of musl libc
 help / color / mirror / code / Atom feed

From: Rich Felker <dalias@libc.org>
To: oss-security@lists.openwall.com
Cc: Felix Wilhelm <fwilhelm@google.com>, musl@lists.openwall.com
Subject: Re: [oss-security] CVE request: musl libc 1.1.16 and earlier dns buffer overflow
Date: Thu, 19 Oct 2017 21:25:47 -0400	[thread overview]
Message-ID: <20171020012547.GT1627@brightrain.aerifal.cx> (raw)
In-Reply-To: <20171019201757.GA31838@brightrain.aerifal.cx>

On Thu, Oct 19, 2017 at 04:17:57PM -0400, Rich Felker wrote:
> Felix Wilhelm has discovered a flaw in the dns response parsing for
> musl libc 1.1.16 that leads to overflow of a stack-based buffer.
> Earlier versions are also affected.
> 
> When an application makes a request via getaddrinfo for both IPv4 and
> IPv6 results (AF_UNSPEC), an attacker who controls or can spoof the
> nameservers configured in resolv.conf can reply to both the A and AAAA
> queries with A results. Since A records are smaller than AAAA records,
> it's possible to fit more addresses than the precomputed bound, and a
> buffer overflow occurs.
> 
> Users are advised to upgrade to 1.1.17 or patch; the patch is simple
> and should apply cleanly to all recent versions:
> 
> https://git.musl-libc.org/cgit/musl/patch/?id=45ca5d3fcb6f874bf5ba55d0e9651cef68515395
> 
> Users who cannot patch or upgrade immediately can mitigate the issue
> by running a caching nameserver on localhost and pointing resolv.conf
> to 127.0.0.1.

CVE-2017-15650 has been assigned for this issue.

Rich

     prev parent reply	other threads:[~2017-10-20  1:25 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-10-19 20:17 Rich Felker
2017-10-20  1:25 ` Rich Felker [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20171020012547.GT1627@brightrain.aerifal.cx \
    --to=dalias@libc.org \
    --cc=fwilhelm@google.com \
    --cc=musl@lists.openwall.com \
    --cc=oss-security@lists.openwall.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/musl/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).