This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] CVE-2015-7547 --- glibc getaddrinfo() stack-based buffer overflow
- From: "Carlos O'Donell" <carlos at redhat dot com>
- To: Nix <nix at esperi dot org dot uk>, GNU C Library <libc-alpha at sourceware dot org>
- Date: Wed, 17 Feb 2016 19:44:15 -0500
- Subject: Re: [PATCH] CVE-2015-7547 --- glibc getaddrinfo() stack-based buffer overflow
- Authentication-results: sourceware.org; auth=none
- References: <56C32C20 dot 1070006 at redhat dot com> <56C32DB0 dot 7090409 at redhat dot com> <87k2m3owqt dot fsf at esperi dot org dot uk> <56C4E997 dot 7090700 at redhat dot com> <20160217222023 dot GR7732 at vapier dot lan>
On 02/17/2016 05:20 PM, Mike Frysinger wrote:
> On 17 Feb 2016 16:43, Carlos O'Donell wrote:
>> It's a very good idea. I think we should stack protect libresolv, libdl,
>> nscd, etc, and we do already. Extending that is only going to be a good
>> thing.
>
> On a related note, seems like nscd should take advantage of seccomp &
> namespaces when available. That would also significantly mitigate on
> systems. Any reason not to?
I see no reason why not. We would have to test for the availability of
that functionality in as old a kernel as we support running on, but
as newer kernels are booted the features should just turn on automatically.
For now we've just been using SELinux in nscd to restrict the damage the
daemon could do, but it could potentially be restricted even further.
Cheers,
Carlos.
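The availability test Carlos describes, as an added example that is not glibc or nscd code: probe the running kernel for seccomp filter support with the documented EFAULT/EINVAL trick (PR_SET_SECCOMP with a NULL program installs nothing), and only when the probe succeeds build and install a syscall allowlist, otherwise keep running unconfined as on an older kernel. The allowlist below is a constructed sample, not nscd's real syscall set; the small BPF evaluator lets the program's decisions be checked without installing the filter. Namespaces are not shown. Linux only; assumes x86_64 or aarch64.

```c
/* Added example (not glibc/nscd code): seccomp availability probe plus a
 * syscall allowlist that is only installed when the kernel supports it. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS      /* missing from pre-4.14 uapi headers */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* 1 if filter mode exists. A NULL program never installs anything: a kernel
 * that knows SECCOMP_MODE_FILTER rejects the pointer with EFAULT, one that
 * does not know the mode returns EINVAL. Both leave the process unchanged. */
int seccomp_filter_available(void)
{
    errno = 0;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0) == 0)
        return 1;
    return errno == EFAULT;
}

/* Allowlist program: check the arch, then allow listed numbers, fail the rest
 * with EPERM. Returns the instruction count, 0 if cap or n is unusable. */
size_t build_allowlist(struct sock_filter *out, size_t cap, const int *nrs, size_t n)
{
    if (n == 0 || n > 255 || cap < n + 6)       /* jt is an 8-bit offset */
        return 0;
    size_t i = 0;
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++)               /* jump straight to ALLOW on a match */
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)nrs[k], (uint8_t)(n - k), 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* Evaluate a program offline for the subset of BPF emitted above (LD abs,
 * JEQ k, RET k); returns the SECCOMP_RET_* value the kernel would use. */
uint32_t simulate(const struct sock_filter *p, size_t len, uint32_t arch, uint32_t nr)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        switch (p[pc].code) {
        case BPF_LD | BPF_W | BPF_ABS:
            acc = p[pc].k == offsetof(struct seccomp_data, arch) ? arch : nr;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:          /* offsets are relative to the next insn */
            pc += acc == p[pc].k ? p[pc].jt : p[pc].jf;
            break;
        case BPF_RET | BPF_K:
            return p[pc].k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

int install_allowlist(struct sock_filter *prog, size_t len)
{
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)   /* required without CAP_SYS_ADMIN */
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog, 0, 0);
}

/* Constructed sample set, not nscd's real syscall needs. */
static const int SAMPLE_ALLOWED[] = { SYS_read, SYS_write, SYS_close, SYS_exit_group, SYS_rt_sigreturn };
#define SAMPLE_N (sizeof SAMPLE_ALLOWED / sizeof SAMPLE_ALLOWED[0])

uint32_t sample_decision(uint32_t arch, int nr)
{
    struct sock_filter prog[SAMPLE_N + 6];
    size_t len = build_allowlist(prog, SAMPLE_N + 6, SAMPLE_ALLOWED, SAMPLE_N);
    return len ? simulate(prog, len, arch, (uint32_t)nr) : SECCOMP_RET_KILL_PROCESS;
}

static void say(const char *s) { ssize_t r = write(STDOUT_FILENO, s, strlen(s)); (void)r; }

int main(void)
{
    if (!seccomp_filter_available()) {           /* old kernel: run unconfined */
        say("seccomp filter unsupported, running unconfined\n");
        return 0;
    }
    struct sock_filter prog[SAMPLE_N + 6];
    size_t len = build_allowlist(prog, SAMPLE_N + 6, SAMPLE_ALLOWED, SAMPLE_N);
    if (install_allowlist(prog, len) != 0)
        return 1;
    say("filter installed\n");                   /* write() is allowed ... */
    if (openat(AT_FDCWD, "/etc/hosts", O_RDONLY) < 0 && errno == EPERM)
        say("openat denied by filter\n");         /* ... openat() is not */
    _exit(0);
}
```

Only raw write() is used after installation because stdio may issue syscalls (fstat, ioctl) that the sample list does not allow; a real daemon would derive its list from a strace of its own startup and steady state rather than guess.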