[arch-security] CVE-2015-0235 "ghost"

Remi Gacogne rgacogne at archlinux.org
Tue Jan 27 16:30:43 UTC 2015


Hello,

A critical vulnerability has been found in glibc [1] in the form of a
heap buffer overflow in the gethostbyname() and gethostbyname2() calls.
It may allow a remote attacker to execute arbitrary code.

Arch Linux does not seem vulnerable because we use a recent glibc
version, which includes a patch [2] for this issue.
This seems confirmed by the test case included with the fix [3].


[1] https://sourceware.org/bugzilla/show_bug.cgi?id=15014
[2]
https://sourceware.org/git/?p=glibc.git;a=commit;h=d5dd6189d506068ed11c8bfa1e1e9bffde04decd
[3]
https://sourceware.org/git/?p=glibc.git;a=blob;f=nss/test-digits-dots.c;h=1efa3449a3724786783ce167f14eec98403d1ef2;hb=d5dd6189d506068ed11c8bfa1e1e9bffde04decd
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150127/024cceb0/attachment.asc>


More information about the arch-security mailing list