gethostbyname() allows some set of horrible things, up to arbitrary remote execution
Closed, Resolved, Public

Description

CVE-2015-0235: heap overflow in gethostbyname()
https://news.ycombinator.com/item?id=8953545

Details are a little spotty at the moment, but this appears to be very severe.

However, it looks like we can't do too much about this specifically until updates are available. This call is ubiquitous and there's no reasonable way to make sure no service on a box invokes it other than shutting everything down, and then we couldn't get back into the box later to patch it. Although I rebuilt OpenSSL ahead of patches, I'm less confident I can safely replace libc faster than proper packages become available.

I'll keep an eye on it, but the likely course of action is to update once a fix is generally available.

Event Timeline

epriestley raised the priority of this task from to Normal.
epriestley updated the task description.
epriestley added a project: Security.
epriestley added subscribers: epriestley, btrahan, chad.
epriestley claimed this task.

This host is patched now.