nativeInstaller

2016-02-17 glibc getaddrinfo() stack-based buffer overflow (CVE-2015-7547)

It was discovered that the GNU C Library incorrectly handled receiving responses while performing DNS resolution (CVE-2015-7547). A remote attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code.

All versions of glibc after 2.9 are vulnerable. Version 2.9 was introduced in May 2008.

The defect is located in the glibc sources in the resolv/res_send.c file as part of the send_dg and send_vc functions which are part of the __libc_res_nsend (res_nsend) interface which is used by many of the higher level interfaces including getaddrinfo (indirectly via the DNS NSS module.)

Find more information about the issue.

Affected platforms

Ubuntu

Run the following command:

$ ldd --version

You should see output like this:

2.19-0ubuntu6.7

This is a secure version of the library. Any version between v2.9 and this one is affected.

Debian

Run the following command:

$ ldd --version

You should see output like this:

2.13-38+deb7u10

This is a secure version of the library. Any version between v2.9 and this one is affected.

RedHat Enterprise Linux and Oracle Linux

Run the following command:

$ rpm -q glibc

You should see output like this:

2.12-1.166.el6_7.7

This is a secure version of the library. Any version between v2.9 and this one is affected.

Amazon Linux

Run the following command:

$ rpm -q glibc

You should see output like this:

glibc-2.17-106.166.amzn1.x86_64

This is a secure version of the library. Any version between v2.9 and this one is affected.

How to patch it

If your system is affected, follow the steps below for your platform:

Ubuntu and Debian

Run the following command:

$ sudo apt-get update && sudo apt-get install unattended-upgrades && sudo unattended-upgrade

RedHat Enterprise Linux, Oracle Linux and Amazon Linux

Run the following command:

$ sudo yum update glibc