[ELDK] glibc getaddrinfo() bug (CVE-2015-7547)

Wolfgang Denk wd at denx.de
Fri Feb 19 08:44:19 CET 2016


Dear Albrecht,

In message <dqiV/LnHNeiZOsLhR9Mgzf at SyWqmvdG7uuP9L7gmgFa0> you wrote:
> 
> short question - is the glibc version (2.21?) coming with ELDK 5.8
> affected by the recently published glibc getaddrinfo() bug
> CVE-2015-7547 [1]? If so, will you provide a patched version of '5.8
> (like 5.8.1), or do we have to re-compile glibc with a fix [2]
> ourselves?

Yes, CVE-2015-7547 is serious enough to be fixed in a v5.8.1 bugfix
release.

> IMO, this bug is a really critical one, much worse than CVE-2015-0235
> aka 'GHOST' which strikes the obsolescent (though still used by some
> older applications) gethostbyname() function only.

Agreed.

> I still use ELDK 5.4 on two PowerPC platforms (MPC5200; P2020) which
> *is* vulnerable on both according to the proof-of-concept [3]. This
> in turn means that *any* system built with ELDK 5.4 (and earlier and
> later versions?) is also vulnerable if any application running on it
> uses getaddrinfo() - which is /very/ likely.

Agreed.

> As ELDK 5.8 now comes with gcc 4.9.1 which should have the issue
> described in [4] fixed, this would be the perfect time to move to the
> new ELDK, if CVE-2015-7547 is fixed.

Plain v5.8 is based on Yocto 1.8.1, which does not contain the fix
yet: Yocto 1.8.1 was released on Nov 6, 2015, while the CVE-2015-7547
fix was only added on Feb 17 (plus a number of other glibc fixes [for
CVE-2015-8776, CVE-2015-9761, CVE-2015-8779, CVE-2015-8777] on Jan
22); a number of other components have also been fixed since
(CVE-2015-7511, CVE-2016-2090, CVE-2016-2198, CVE-2016-2197,
CVE-2016-1568, CVE-2016-0754, CVE-2016-0755, CVE-2016-0701,
CVE-2015-3197, CVE-2015-0860, CVE-2015-8704,
CVE-2015-8705, CVE-2016-1907, CVE-2015-1283, CVE-2015-8370,
CVE-2014-9496, CVE-2014-9756, CVE-2015-7805, CVE-2015-8380,
CVE-2015-8395, CVE-2015-8126, CVE-2015-7236, CVE-2015-3187,
CVE-2015-7942, CVE-2015-8035, ...).

So yes, there is reason for some updates...

However, due to the upcoming Embedded World trade show in Nuremberg
next week we will not be able to provide such an update as quickly as
we'd like to. If you need the fixes faster, please feel free to go
ahead and cherry-pick/backport the related patches from Yocto mainline
yourself. If you post the patches here I promise to pick these up
ASAP and roll them into v5.8.1.

Thanks for bringing this up, and thanks in advance for any potential
patches :-)

Best regards,

Wolfgang Denk

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
There are three things I always forget. Names, faces -  the  third  I
can't remember.                                         - Italo Svevo