Glibc Gets Patched For Three Year Old Security Vulnerability


  • Glibc Gets Patched For Three Year Old Security Vulnerability

    Phoronix: Glibc Gets Patched For Three Year Old Security Vulnerability

    CVE-2016-10739 has been around since April 2016 as implied by the number and finally today this security issue has been fixed in the Git development code for the upcoming Glibc 2.29 GNU C Library...

    http://www.phoronix.com/scan.php?pag...CVE-2016-10739

  • #2
    For backwards compatibility, the getaddrinfo function still recognizes legacy name syntax, such as 192.000.002.010 interpreted as 192.0.2.8 (octal).
    Mixing of base 10 and base 8 in a single IP address :O

    I wouldn't say that's for backwards compatibility. I'd say that's for backwards developers.

    I can also picture this going wrong where some other algorithm sanitizes / normalizes the address and removes the leading zeros under the assumption they are just padding. So you could have getaddrinfo act on one address and some application layer protocol handler acting on another address (that assumes the zeros are just padding and the number is base 10).

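An added example (my own code, not from the glibc project or any poster in this thread) that reproduces the mismatch cybertraveler describes: a strict dotted-decimal parser that rejects the legacy leading-zero syntax, beside the legacy interpretation that inet_aton() still gives, plus a naive "strip the padding zeros" normalizer. The strict parser and the normalizer are hypothetical helpers written for this illustration; only inet_aton()'s octal handling is real library behaviour.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>

/* Strict parser: four base-10 fields in 0..255, no leading zeros. Returns 1 and stores the host-order address, 0 on rejection. */
int parse_ipv4_strict(const char *s, uint32_t *out)
{
    uint32_t addr = 0;
    for (int field = 0; field < 4; field++) {
        unsigned long val = 0; int digits = 0;
        if (s[0] == '0' && isdigit((unsigned char)s[1]))
            return 0;                     /* "010"-style field: legacy syntax */
        while (isdigit((unsigned char)*s)) {
            val = val * 10 + (unsigned long)(*s++ - '0');
            if (val > 255) return 0;
            digits++;
        }
        if (digits == 0) return 0;        /* empty field */
        addr = (addr << 8) | (uint32_t)val;
        if (field < 3 && *s++ != '.') return 0;
    }
    if (*s != '\0') return 0;             /* trailing junk */
    *out = addr;
    return 1;
}

/* Legacy parser: inet_aton() keeps the 0-prefixed octal fields that
 * getaddrinfo also still accepts, so "192.000.002.010" is 192.0.2.8. */
int parse_ipv4_legacy(const char *s, uint32_t *out)
{
    struct in_addr in;
    if (!inet_aton(s, &in)) return 0;
    *out = ntohl(in.s_addr);
    return 1;
}

/* The naive normalizer from the post: treats leading zeros as padding and
 * drops them, so "192.000.002.010" becomes "192.0.2.10" (a different host). */
void strip_leading_zeros(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    int at_field_start = 1;
    for (const char *p = in; *p && n + 1 < outlen; p++) {
        if (at_field_start && *p == '0' && isdigit((unsigned char)p[1]))
            continue;                     /* skip a "padding" zero */
        at_field_start = (*p == '.');
        out[n++] = *p;
    }
    out[n] = '\0';
}
```

Feeding the same string through both paths yields 192.0.2.8 on the legacy side and 192.0.2.10 on the normalized side; a strict parser at the application boundary rejects the input instead of silently picking one.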


    • #3
      glibc should have just discontinued all support for IPv4.



      • #4
        Originally posted by cybertraveler:
        I can also picture this going wrong where some other algorithm sanitizes / normalizes the address and removes the leading zeros under the assumption they are just padding.
        I've seen some devices that pad out addresses with leading zeroes to make all the octets three digits. Debugging code to parse a log from something like that could cause a great deal of desk-chewing while you try to figure out why the addresses are being imported wrongly.



        • #5
          Originally posted by chilinux:
          glibc should have just discontinued all support for IPv4.
          you can just disable your internet manually, no need to wait for glibc help



          • #6
            phoronix, while we're at it, there was another vulnerability on Linux in the form of a virus: https://news.softpedia.com/news/linu...o-524623.shtml



            • #7
              Originally posted by chilinux:
              glibc should have just discontinued all support for IPv4.
              Why would you suggest that?



              • #8
                Originally posted by cybertraveler:
                Mixing of base 10 and base 8 in a single IP address :O

                I wouldn't say that's for backwards compatibility. I'd say that's for backwards developers.

                I can also picture this going wrong where some other algorithm sanitizes / normalizes the address and removes the leading zeros under the assumption they are just padding. So you could have getaddrinfo act on one address and some application layer protocol handler acting on another address (that assumes the zeros are just padding and the number is base 10).
                Leading 0 is pretty standard for octal though, same with 0x for hex.
