[ELDK] glibc getaddrinfo() bug (CVE-2015-7547)

Albrecht Dreß albrecht.dress at arcor.de
Thu Feb 18 20:53:42 CET 2016


Hi all,

short question - is the glibc version (2.21?) coming with ELDK 5.8 affected by the recently published glibc getaddrinfo() bug CVE-2015-7547 [1]?  If so, will you provide a patched version of '5.8 (like 5.8.1), or do we have to re-compile glibc with a fix [2] ourselves?

IMO, this bug is a really critical one, much worse than CVE-2015-0235 aka 'GHOST' which strikes the obsolescent (though still used by some older applications) gethostbyname() function only.

I still use ELDK 5.4 on two PowerPC platforms (MPC5200; P2020) which *is* vulnerable on both according to the proof-of-concept [3].  This in turn means that *any* system built with ELDK 5.4 (and earlier and later versions?) is also vulnerable if any application running on it uses getaddrinfo() - which is /very/ likely.

As ELDK 5.8 now comes with gcc 4.9.1 which should have the issue described in [4] fixed, this would be the perfect time to move to the new ELDK, if CVE-2015-7547 is fixed.

Any insight would be highly appreciated!

Thanks in advance,
Albrecht.


[1] <https://googleonlinesecurity.blogspot.de/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html>
[2] <https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html>
[3] <https://github.com/fjserna/CVE-2015-7547>
[4] <http://lists.denx.de/pipermail/eldk/2014-October/002548.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/eldk/attachments/20160218/32359921/attachment.sig>


More information about the eldk mailing list