oss-sec mailing list archives
Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)
From: Marek Kroemeke <kroemeke () gmail com>
Date: Tue, 27 Jan 2015 17:02:50 +0000
Hi there,

We just noticed CVE-2015-0235, and we thought we would drop this one in. Apologies for the low quality; we didn't really have time yet to analyse it, but it seems to be related, so it makes sense to patch things once, right?

-- cut --
valgrind ./traceroute/traceroute $(printf "\302a")
==12559== Memcheck, a memory error detector
==12559== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==12559== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==12559== Command: ./traceroute/traceroute Âa
==12559==
==12559== Invalid free() / delete / delete[] / realloc()
==12559==    at 0x4C27D4E: free (vg_replace_malloc.c:427)
==12559==    by 0x537258A: gaih_inet (getaddrinfo.c:1328)
==12559==    by 0x53757C1: getaddrinfo (getaddrinfo.c:2433)
==12559==    by 0x40530F: ??? (in /home/marek/Downloads/traceroute-2.0.19/traceroute/traceroute)
==12559==    by 0x405D1B: ??? (in /home/marek/Downloads/traceroute-2.0.19/traceroute/traceroute)
==12559==    by 0x409EA1: ??? (in /home/marek/Downloads/traceroute-2.0.19/traceroute/traceroute)
==12559==    by 0x405DAC: ??? (in /home/marek/Downloads/traceroute-2.0.19/traceroute/traceroute)
==12559==    by 0x52D9EAC: (below main) (libc-start.c:244)
==12559==  Address 0x7ff0005f7 is on thread 1's stack
==12559==
-- cut --

-- cut --
marek@GHOSTMYASS:~$ traceroute $(printf "\302a")
*** glibc detected *** traceroute: munmap_chunk(): invalid pointer: 0x00007fff1b43a547 ***
======= Backtrace: =========
/lib64/libc.so.6(cfree+0x166)[0x32244758c6]
/lib64/libc.so.6[0x32244bc116]
/lib64/libc.so.6(getaddrinfo+0x21a)[0x32244be94a]
traceroute[0x402926]
traceroute[0x4029f1]
traceroute[0x406281]
traceroute[0x403546]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x322441d9f4]
traceroute[0x401619]
======= Memory map: ========
00400000-00409000 r-xp 00000000 68:06 7103807 /bin/traceroute
00608000-00609000 rw-p 00008000 68:06 7103807 /bin/traceroute
00609000-0060a000 rw-p 00609000 00:00 0
00808000-00809000 rw-p 00008000 68:06 7103807 /bin/traceroute
00ff7000-01018000 rw-p 00ff7000 00:00 0 [heap]
3224000000-322401c000 r-xp 00000000 68:06 7332914 /lib64/ld-2.5.so
322421c000-322421d000 r--p 0001c000 68:06 7332914 /lib64/ld-2.5.so
322421d000-322421e000 rw-p 0001d000 68:06 7332914 /lib64/ld-2.5.so
3224400000-322454f000 r-xp 00000000 68:06 7333080 /lib64/libc-2.5.so
322454f000-322474f000 ---p 0014f000 68:06 7333080 /lib64/libc-2.5.so
322474f000-3224753000 r--p 0014f000 68:06 7333080 /lib64/libc-2.5.so
3224753000-3224754000 rw-p 00153000 68:06 7333080 /lib64/libc-2.5.so
3224754000-3224759000 rw-p 3224754000 00:00 0
3224c00000-3224c82000 r-xp 00000000 68:06 7333136 /lib64/libm-2.5.so
3224c82000-3224e81000 ---p 00082000 68:06 7333136 /lib64/libm-2.5.so
3224e81000-3224e82000 r--p 00081000 68:06 7333136 /lib64/libm-2.5.so
3224e82000-3224e83000 rw-p 00082000 68:06 7333136 /lib64/libm-2.5.so
3226800000-322680d000 r-xp 00000000 68:06 7333158 /lib64/libgcc_s-4.1.2-20080825.so.1
322680d000-3226a0d000 ---p 0000d000 68:06 7333158 /lib64/libgcc_s-4.1.2-20080825.so.1
3226a0d000-3226a0e000 rw-p 0000d000 68:06 7333158 /lib64/libgcc_s-4.1.2-20080825.so.1
3227400000-3227411000 r-xp 00000000 68:06 7333100 /lib64/libresolv-2.5.so
3227411000-3227611000 ---p 00011000 68:06 7333100 /lib64/libresolv-2.5.so
3227611000-3227612000 r--p 00011000 68:06 7333100 /lib64/libresolv-2.5.so
3227612000-3227613000 rw-p 00012000 68:06 7333100 /lib64/libresolv-2.5.so
3227613000-3227615000 rw-p 3227613000 00:00 0
2b6dc1c15000-2b6dc1c17000 rw-p 2b6dc1c15000 00:00 0
2b6dc1c1e000-2b6dc1c20000 rw-p 2b6dc1c1e000 00:00 0
2b6dc1c20000-2b6dc51f3000 r--p 00000000 68:06 5051193 /usr/lib/locale/locale-archive
2b6dc51fa000-2b6dc5227000 r-xp 00000000 68:06 7332894 /lib64/libcidn-2.5.so
2b6dc5227000-2b6dc5427000 ---p 0002d000 68:06 7332894 /lib64/libcidn-2.5.so
2b6dc5427000-2b6dc5428000 r--p 0002d000 68:06 7332894 /lib64/libcidn-2.5.so
2b6dc5428000-2b6dc5429000 rw-p 0002e000 68:06 7332894 /lib64/libcidn-2.5.so
2b6dc5429000-2b6dc5433000 r-xp 00000000 68:06 7332990 /lib64/libnss_files-2.5.so
2b6dc5433000-2b6dc5632000 ---p 0000a000 68:06 7332990 /lib64/libnss_files-2.5.so
2b6dc5632000-2b6dc5633000 r--p 00009000 68:06 7332990 /lib64/libnss_files-2.5.so
2b6dc5633000-2b6dc5634000 rw-p 0000a000 68:06 7332990 /lib64/libnss_files-2.5.so
2b6dc5634000-2b6dc5638000 r-xp 00000000 68:06 7332988 /lib64/libnss_dns-2.5.so
2b6dc5638000-2b6dc5837000 ---p 00004000 68:06 7332988 /lib64/libnss_dns-2.5.so
2b6dc5837000-2b6dc5838000 r--p 00003000 68:06 7332988 /lib64/libnss_dns-2.5.so
2b6dc5838000-2b6dc5839000 rw-p 00004000 68:06 7332988 /lib64/libnss_dns-2.5.so
7fff1b426000-7fff1b43b000 rw-p 7ffffffe9000 00:00 0 [stack]
7fff1b462000-7fff1b465000 r-xp 7fff1b462000 00:00 0 [vdso]
ffffffffff600000-ffffffffffe00000 ---p 00000000 00:00 0 [vsyscall]
Aborted
marek@GHOSTMYASS:~$
-- cut --

Cheers!
Filip Palian, AKAT-1, Marek Kroemeke
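The argument in the report, printf "\302a", is the byte pair 0xC2 0x61: 0xC2 is a two-byte UTF-8 lead byte that requires a continuation byte in 0x80..0xBF, and 'a' is not one, so the input is malformed UTF-8 before it ever reaches getaddrinfo(). The following is an added example, not code from this post or from traceroute or glibc: an application-side pre-check that rejects such input and enforces IDNA/LDH form on hostnames taken from untrusted sources. It illustrates validation at the application boundary and assumes Python's built-in "idna" codec; it is not a fix for the library itself.

```python
# Added example (not from the original post): reject malformed hostname
# arguments before they are handed to the system resolver.
import re

# Constructed sample: the exact bytes produced by printf "\302a" in the report.
REPORTED_INPUT = b"\302a"   # 0xC2 0x61

# One DNS label in LDH (letters, digits, hyphen) form, 1..63 chars,
# no leading or trailing hyphen; input is lowercased by the IDNA step.
_LDH_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def utf8_error(raw):
    """Return a description of the first UTF-8 defect in raw, or None."""
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError as e:
        return f"invalid UTF-8 at byte {e.start}: {e.reason}"
    return None


def validate_hostname(raw):
    """Validate a raw hostname argument (bytes) before resolving it.

    Returns (ok, detail): on success detail is the ASCII (IDNA) form to
    pass to the resolver, on failure it is the reason for rejection.
    Order matters: the UTF-8 check runs first so that byte sequences
    like 0xC2 0x61 are refused before any IDN conversion is attempted.
    """
    err = utf8_error(raw)
    if err:
        return False, err
    text = raw.decode("utf-8")
    if not text or len(text) > 253:
        return False, "empty or too long"
    try:
        # Python's built-in IDNA codec (assumed available); it also
        # rejects empty labels such as the one in "a..b".
        ascii_name = text.encode("idna").decode("ascii")
    except UnicodeError as e:
        return False, f"IDNA conversion failed: {e}"
    for label in ascii_name.rstrip(".").split("."):
        if not _LDH_LABEL.match(label):
            return False, f"label {label!r} is not LDH"
    return True, ascii_name


if __name__ == "__main__":
    for sample in (REPORTED_INPUT, b"example.com", "b\u00fccher.example".encode()):
        print(sample, "->", validate_hostname(sample))
```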