CVE-2015-7547: getaddrinfo() stack-based buffer overflow

[Mark Andrews]

In message <87io1nrw2k.fsf at mid.deneb.enyo.de>, Florian Weimer writes:
> * Alan Clegg:
> 
> > While I agree that the "major distributions" (and even the minor ones) are
> > getting patches out, I'd like to point out something that Alan Cox posted
> > over on G+:
> >
> > "You can upgrade all your servers but if that little cheapo plastic box on
> > your network somewhere has a vulnerable post 2008 glibc and ever does DNS
> > lookups chances are it's the equivalent of a trapdoor into your network."
> >
> > https://plus.google.com/+AlanClegg/posts/R1UkJjHMMB6
> 
> glibc is usually considered way too bloated for use in embedded devices.
> I'm sure there are some uses in this space, but glibc is probably not
> a relevant player in this field.
> 
> That being said, there are apparently supported glibc ports to
> Android, specifically for running mostly unported GNU/Linux
> applications on top of Android devices (applications which do not work
> with Android's native Bionic libc, which is not affected by this
> issue).

And the best way to deal with this is to have manufacturers update
https://www.kb.cert.org/vuls/id/457759 with their status.  Yes it
should be a much bigger list than what is there.  Every IoT vendor.
Every router vendor.  Every OS vendor.  Yes, ISC needs to put in a
offical status.  If you have a internet connected product and the
manufacture is not on the list, contact the manufacture and ask
them to provide a status update.

The list may have a lot of "affected if run on a vulnerable OS"
responses.  For most of these the solution will be "fix the OS,
relink if statically linked, and reboot the machine".  The last
step is important as it ensures that you are using the new library
in all products on the machine.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org