'Re: [oss-security] the other glibc issue'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] the other glibc issue
From:       Rich Felker <dalias () libc ! org>
Date:       2015-01-30 23:08:12
Message-ID: 20150130230812.GO4574 () brightrain ! aerifal ! cx
[Download RAW message or body]

On Thu, Jan 29, 2015 at 11:50:23AM +0300, Solar Designer wrote:
> Oh, can we use descriptive Subjects, please?  (I am leaving this one
> intact not to introduce even further confusion.)
> 
> On Wed, Jan 28, 2015 at 01:17:40PM -0500, cve-assign@mitre.org wrote:
> > Use CVE-2013-7423 for ths initial bug report at 2013-09-12 09:50:17 UTC 
> > stating: "Under high load, getaddrinfo() starts sending DNS queries to 
> > random file descriptors, e.g. some unrelated socket connected to a remote 
> > service."
> > 
> > Which comment says that the issue is unfixed?  The 2015-01-08 14:21:11 UTC 
> > comment by David Nilsson says "I'm unable to reproduce the correct 
> > behaviour," but does not suggest that the vulnerability is still present.
> 
> That comment you mention seemed to imply that, but here are the news off
> Twitter:
> 
> <solardiz> glibc "getaddrinfo() writes DNS queries to random file descriptors under high \
> load" https://sourceware.org/bugzilla/show_bug.cgi?id=15946 "Fixed in 2.20", reopened, CVE? \
> <@RichFelker> @solardiz Yeah I've been following this and pushing for it to be taken \
> seriously for a long time... <@RichFelker> @solardiz Looks like a false positive, a bug in \
> the testcase rather than in #glibc. See \
> https://sourceware.org/ml/glibc-bugs/2015-01/msg00226.html <@solardiz> @RichFelker To me, \
> this message says that the bug still being reproducible on glibc 2.20 is a false positive, \
> but the fix in 2.20 was needed <@solardiz> @RichFelker Someone should run the corrected \
> testcase on pre-2.20 to see if the issue was reproducible before the fix or not 
> So glibc 2.20 appears OK, and we need to re-test older glibc - but from
> the patch it looks like there was indeed this bug before 2.20.

I followed up on the bug tracker, and Jiri Hruska reports having
tested the fixed testcase against the pre-fix glibc and is correctly
detects the original bug. See:

https://sourceware.org/ml/glibc-bugs/2015-01/msg00273.html

Rich


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic