[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug-wget] GHOST vulnerability and Wget

From: Tim Ruehsen
Subject: [Bug-wget] GHOST vulnerability and Wget
Date: Wed, 28 Jan 2015 13:11:06 +0100
User-agent: KMail/4.14.2 (Linux/3.16.0-4-amd64; KDE/4.14.2; x86_64; ; )

Meanwhile everybody knows about

In short: gethostbyname* class functions have a vulnerability. Qualys made up 
an exploit for Exim that sounds pretty bad.

I had a (very quick) look at Wget and we are using gethostbyname()
1. in the case ENABLE_IPV6 is not set.
2. via gnulib getaddrinfo() which calls gethostbyname(). We use it in 

From what I know, a prepared server may exploit this vulnerability in Wget as 
well. Despite updating glibc, what can we do ? Is it worth to remove 
gethostbyname() from Wget ? In this case we should not use gnulib getaddrinfo 
function and replace it by calling getaddrinfo directly, with a fallback to 
gnulib. And in case ENABLE_IPV6 is not set, we should replace gethostbyname() 
by getaddrinfo().

What do you think ?


Attachment: signature.asc
Description: This is a digitally signed message part.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]