Re: GHOST gethostbyname() heap overflow in glibc (CVE-2015-0235)

[Qualys Security Advisory <qsa () qualys com>]

On Tue, Jan 27, 2015 at 08:45:12PM +0300, Solar Designer wrote:
> He found out that apparently the ghost image appeared on the Qualys
> website on October 2.

What?!  No idea where this image came from, who created it, or why, or
when.  What is absolutely certain is that October 2 has nothing to do
with this bug, simply because the first time someone here had the idea
of calling it "GHOST" was on Friday evening!  Yes, Friday, January 23,
2015!

> The GHOST name was not yet in the (almost final) advisory draft sent to
> the linux-distros list on January 18, nor was there any other name for
> this vulnerability in there.

Exactly, thank you!  And if some of you conspiracy theorists need more
proof, even SuSE's Bugzilla entry is still referencing the original name
of our proof-of-concept (charged-ghbn.c), which appeared in the advisory
draft we sent to the linux-distros mailing-list last week:

https://bugzilla.suse.com/show_bug.cgi?id=913646

In the end, some information was leaked before the Coordinated Release
Date (which was January 27, 2015 at 18:00 UTC), but it was just a few
hours early.  And again, we sincerely apologize.

Please please please, less pointless bickering, more code auditing.
Thank you.

-- 
the "technical folks"