Announcement

Collapse
No announcement yet.

Glibc Gets Patched For Three Year Old Security Vulnerability

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
  • #1

    Glibc Gets Patched For Three Year Old Security Vulnerability

    Phoronix: Glibc Gets Patched For Three Year Old Security Vulnerability

    CVE-2016-10739 has been around since April 2016 as implied by the number and finally today this security issue has been fixed in the Git development code for the upcoming Glibc 2.29 GNU C Library...

    Glibc Gets Patched For Three Year Old Security Vulnerability - Phoronix
    http://www.phoronix.com/scan.php?page=news_item&px=Glibc-2.29-Fixes-CVE-2016-10739
    Phoronix, Linux Hardware Reviews, Linux hardware benchmarks, Linux server benchmarks, Linux benchmarking, Desktop Linux, Linux performance, Open Source graphics, Linux How To, Ubuntu benchmarks, Ubuntu hardware, Phoronix Test Suite
    Tags: None
  • #2
    For backwards compatibility, the getaddrinfo function still recognizes legacy name syntax, such as 192.000.002.010 interpreted as 192.0.2.8 (octal).
    Mixing of of base 10 and base 8 in a single IP address :O

    I wouldn't say that's for backwards compatibility. I'd say that's for backwards developers.

    I can also picture this going wrong where some other algorithm sanitizes / normalizes the address and removes the leading zeros under the assumption they are just padding. So you could have getaddrinfo act on one address and some application layer protocol handler acting on another address (that assumes the zeros are just padding and the number is base 10).
    • Likes 7

    Comment

    • #3
      glibc should have just discontinued all support for IPv4.

      Comment

      • #4
        Originally posted by cybertraveler View Post
        I can also picture this going wrong where some other algorithm sanitizes / normalizes the address and removes the leading zeros under the assumption they are just padding.
        I've seen some devices that pad out addresses with leading zeroes to make all the octets three digits. Debugging code to parse a log from something like that could cause a great deal of desk-chewing while you try to figure out why the addresses are being imported wrongly.
        • Likes 2

        Comment

        • #5
          Originally posted by chilinux View Post
          glibc should have just discontinued all support for IPv4.
          you can just disable your internet manually, no need to wait for glibc help
          • Likes 6

          Comment

          • #6
            phoronix , while we're at it, there was another vulnerability on Linux in the form of a virus: https://news.softpedia.com/news/linu...o-524623.shtml
            • Likes 1

            Comment

            • #7
              Originally posted by chilinux View Post
              glibc should have just discontinued all support for IPv4.
              Why would you suggest that?

              Comment

              • #8
                Originally posted by cybertraveler View Post
                Mixing of of base 10 and base 8 in a single IP address :O

                I wouldn't say that's for backwards compatibility. I'd say that's for backwards developers.

                I can also picture this going wrong where some other algorithm sanitizes / normalizes the address and removes the leading zeros under the assumption they are just padding. So you could have getaddrinfo act on one address and some application layer protocol handler acting on another address (that assumes the zeros are just padding and the number is base 10).
                Leading 0 is pretty standard for octal though, same with 0x for hex.
                • Likes 2

                Comment

                Previous template Next
                Working...
                X