[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Bug-wget] GHOST vulnerability and Wget
|
From: |
Daniel Kahn Gillmor |
|
Subject: |
Re: [Bug-wget] GHOST vulnerability and Wget |
|
Date: |
Wed, 28 Jan 2015 12:01:00 -0500 |
|
User-agent: |
Notmuch/0.18.2 (http://notmuchmail.org) Emacs/24.4.1 (x86_64-pc-linux-gnu) |
On Wed 2015-01-28 07:11:06 -0500, Tim Ruehsen wrote:
> Meanwhile everybody knows about
> https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
>
> In short: gethostbyname* class functions have a vulnerability. Qualys made up
> an exploit for Exim that sounds pretty bad.
>
> I had a (very quick) look at Wget and we are using gethostbyname()
> 1. in the case ENABLE_IPV6 is not set.
> 2. via gnulib getaddrinfo() which calls gethostbyname(). We use it in
> host.c/lookup_host().
>
>
> From what I know, a prepared server may exploit this vulnerability in Wget as
> well. Despite updating glibc, what can we do ? Is it worth to remove
> gethostbyname() from Wget ? In this case we should not use gnulib getaddrinfo
> function and replace it by calling getaddrinfo directly, with a fallback to
> gnulib. And in case ENABLE_IPV6 is not set, we should replace gethostbyname()
> by getaddrinfo().
>
> What do you think ?
I think the right thing to do is to update glibc, where the problem
resides :)
Replacing gethostbyname() with getaddrinfo() would be reasonable, but
mainly for forward-looking reasons, not to work around this specific
bug.
--dkg