Re: [Bug-wget] GHOST vulnerability and Wget

From: Tim Ruehsen
Subject: Re: [Bug-wget] GHOST vulnerability and Wget
Date: Thu, 29 Jan 2015 10:22:50 +0100
User-agent: KMail/4.14.2 (Linux/3.16.0-4-amd64; KDE/4.14.2; x86_64; ; )

On Wednesday 28 January 2015 12:01:00 Daniel Kahn Gillmor wrote:
> On Wed 2015-01-28 07:11:06 -0500, Tim Ruehsen wrote:
> > Meanwhile everybody knows about
> > https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
> > 
> > In short: gethostbyname* class functions have a vulnerability. Qualys came
> > up with an exploit for Exim that sounds pretty bad.
> > 
> > I had a (very quick) look at Wget and we are using gethostbyname()
> > 1. in the case ENABLE_IPV6 is not set.
> > 2. via gnulib getaddrinfo() which calls gethostbyname(). We use it in
> > host.c/lookup_host().

I saw from objdump -x that gnulib checks for native availability of functions 
and uses them if available. getaddrinfo() has been available in glibc for a 
very long time. So 2. is likely not a problem.

> > From what I know, a prepared server may exploit this vulnerability in Wget
> > as well. Besides updating glibc, what can we do? Is it worth removing
> > gethostbyname() from Wget? In this case we should not use the gnulib
> > getaddrinfo function but replace it by calling getaddrinfo directly, with
> > a fallback to gnulib. And in case ENABLE_IPV6 is not set, we should
> > replace gethostbyname() with getaddrinfo().
> > 
> > What do you think?
> I think the right thing to do is to update glibc, where the problem
> resides :)

That is the obvious solution (in most cases).

But there are some old systems with a no longer supported Linux. No glibc 
distribution updates. No money to pay people for a hand-crafted patch and 
update (you have to get and patch the 10-year-old sources of glibc, build up a 
test environment with expensive, hard-to-get hardware and do lots of tests). 
Not easy to upgrade because of special hardware with no drivers for newer 
kernels. That is my reality, or rather the reality of some of my customers. 
These machines will definitely stay unpatched until they die.
Patching the web clients in use, like wget, is a cheap option.
I guess there are more situations like this out there.

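As an added illustration (not Wget's code and not from this thread), here is the lookup pattern proposed above for the case where ENABLE_IPV6 is not set: a hypothetical resolve_ipv4() helper that calls the system getaddrinfo() with AF_INET directly instead of gethostbyname(). The numeric_only flag is an assumption of this example so it can be exercised offline with AI_NUMERICHOST.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical replacement for a gethostbyname()-based lookup in a non-IPv6
 * build: resolves `host` into up to `max` dotted-quad strings in `out`.
 * `numeric_only` sets AI_NUMERICHOST so no resolver query is sent (offline
 * testing). Returns the number of addresses written, or -1 on failure. */
int resolve_ipv4(const char *host, int numeric_only,
                 char out[][INET_ADDRSTRLEN], int max)
{
    struct addrinfo hints, *res, *ai;
    int n = 0, rc;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;        /* mirror the ENABLE_IPV6-not-set case */
    hints.ai_socktype = SOCK_STREAM;  /* one entry per address, not per type */
    if (numeric_only)
        hints.ai_flags |= AI_NUMERICHOST;

    rc = getaddrinfo(host, NULL, &hints, &res);
    if (rc != 0) {
        /* gai_strerror() gives a textual reason; gethostbyname() only set h_errno */
        fprintf(stderr, "getaddrinfo(%s): %s\n", host, gai_strerror(rc));
        return -1;
    }
    for (ai = res; ai && n < max; ai = ai->ai_next) {
        struct sockaddr_in *sin = (struct sockaddr_in *) ai->ai_addr;
        if (inet_ntop(AF_INET, &sin->sin_addr, out[n], INET_ADDRSTRLEN))
            n++;
    }
    freeaddrinfo(res);  /* heap-allocated result, unlike gethostbyname's static buffer */
    return n;
}

int main(int argc, char **argv)
{
    char addrs[8][INET_ADDRSTRLEN];
    const char *host = argc > 1 ? argv[1] : "127.0.0.1";
    /* With no argument, stay offline by resolving the numeric default only */
    int n = resolve_ipv4(host, argc <= 1, addrs, 8);
    for (int i = 0; i < n; i++)
        printf("%s -> %s\n", host, addrs[i]);
    return n > 0 ? 0 : 1;
}
```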
