[arch-security] [ASA-201504-25] glibc: arbitrary code execution
rgacogne at archlinux.org
Thu Apr 23 07:59:44 UTC 2015
Arch Linux Security Advisory ASA-201504-25
Date : 2015-04-23
CVE-ID : CVE-2015-1781
Package : glibc
Type : arbitrary code execution
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package glibc before version 2.21-3 is vulnerable to a buffer
overflow resulting in arbitrary code execution.
Upgrade to 2.21-3.
# pacman -Syu "glibc>=2.21-3"
The problem has been fixed upstream but a new version has yet to be
A buffer overflow in gethostbyname_r() and related functions performing
DNS requests has been fixed. If the NSS functions were called with a
misaligned buffer, the buffer length change due to pointer alignment was
not taken into account. This could result in application crashes or
potentially arbitrary code execution using crafted but syntactically
valid DNS responses.
A remote attacker can crash or execute arbitrary code by crafting
malicious DNS responses to the requests made by an application. To be
vulnerable, the application must be passing a misaligned buffer to
gethostbyname_r() or related functions.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 801 bytes
Desc: OpenPGP digital signature
More information about the arch-security