From mboxrd@z Thu Jan  1 00:00:00 1970
X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/12017
Path: news.gmane.org!.POSTED!not-for-mail
From: Rich Felker <dalias@libc.org>
Newsgroups: gmane.linux.lib.musl.general,gmane.comp.security.oss.general
Subject: Re: [oss-security] CVE request: musl libc 1.1.16 and earlier dns
 buffer overflow
Date: Thu, 19 Oct 2017 21:25:47 -0400
Message-ID: <20171020012547.GT1627@brightrain.aerifal.cx>
References: <20171019201757.GA31838@brightrain.aerifal.cx>
Reply-To: musl@lists.openwall.com
NNTP-Posting-Host: blaine.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Trace: blaine.gmane.org 1508462773 17720 195.159.176.226 (20 Oct 2017 01:26:13 GMT)
X-Complaints-To: usenet@blaine.gmane.org
NNTP-Posting-Date: Fri, 20 Oct 2017 01:26:13 +0000 (UTC)
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: Felix Wilhelm <fwilhelm@google.com>, musl@lists.openwall.com
To: oss-security@lists.openwall.com
Original-X-From: musl-return-12030-gllmg-musl=m.gmane.org@lists.openwall.com Fri Oct 20 03:26:08 2017
Return-path: <musl-return-12030-gllmg-musl=m.gmane.org@lists.openwall.com>
Envelope-to: gllmg-musl@m.gmane.org
Original-Received: from mother.openwall.net ([195.42.179.200])
	by blaine.gmane.org with smtp (Exim 4.84_2)
	(envelope-from <musl-return-12030-gllmg-musl=m.gmane.org@lists.openwall.com>)
	id 1e5M4T-0002k3-TE
	for gllmg-musl@m.gmane.org; Fri, 20 Oct 2017 03:25:58 +0200
Original-Received: (qmail 27699 invoked by uid 550); 20 Oct 2017 01:26:01 -0000
Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:musl@lists.openwall.com>
List-Help: <mailto:musl-help@lists.openwall.com>
List-Unsubscribe: <mailto:musl-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:musl-subscribe@lists.openwall.com>
List-ID: <musl.lists.openwall.com>
Original-Received: (qmail 27653 invoked from network); 20 Oct 2017 01:26:00 -0000
Content-Disposition: inline
In-Reply-To: <20171019201757.GA31838@brightrain.aerifal.cx>
Original-Sender: Rich Felker <dalias@aerifal.cx>
Xref: news.gmane.org gmane.linux.lib.musl.general:12017 gmane.comp.security.oss.general:23449
Archived-At: <http://permalink.gmane.org/gmane.linux.lib.musl.general/12017>

On Thu, Oct 19, 2017 at 04:17:57PM -0400, Rich Felker wrote:
> Felix Wilhelm has discovered a flaw in the dns response parsing for
> musl libc 1.1.16 that leads to overflow of a stack-based buffer.
> Earlier versions are also affected.
> 
> When an application makes a request via getaddrinfo for both IPv4 and
> IPv6 results (AF_UNSPEC), an attacker who controls or can spoof the
> nameservers configured in resolv.conf can reply to both the A and AAAA
> queries with A results. Since A records are smaller than AAAA records,
> it's possible to fit more addresses than the precomputed bound, and a
> buffer overflow occurs.
> 
> Users are advised to upgrade to 1.1.17 or patch; the patch is simple
> and should apply cleanly to all recent versions:
> 
> https://git.musl-libc.org/cgit/musl/patch/?id=45ca5d3fcb6f874bf5ba55d0e9651cef68515395
> 
> Users who cannot patch or upgrade immediately can mitigate the issue
> by running a caching nameserver on localhost and pointing resolv.conf
> to 127.0.0.1.

CVE-2017-15650 has been assigned for this issue.

Rich