On Wed 2015-01-28 07:11:06 -0500, Tim Ruehsen wrote:
> Meanwhile everybody knows about
> https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
>
> In short: gethostbyname* class functions have a vulnerability. Qualys made up
> an exploit for Exim that sounds pretty bad.
>
> I had a (very quick) look at Wget and we are using gethostbyname()
> 1. in the case ENABLE_IPV6 is not set.
> 2. via gnulib getaddrinfo() which calls gethostbyname(). We use it in
> host.c/lookup_host().
>
>
> From what I know, a prepared server may exploit this vulnerability in Wget as
> well. Despite updating glibc, what can we do ? Is it worth to remove
> gethostbyname() from Wget ? In this case we should not use gnulib getaddrinfo
> function and replace it by calling getaddrinfo directly, with a fallback to
> gnulib. And in case ENABLE_IPV6 is not set, we should replace gethostbyname()
> by getaddrinfo().
>
> What do you think ?
I think the right thing to do is to update glibc, where the problem
resides :)
Replacing gethostbyname() with getaddrinfo() would be reasonable, but
mainly for forward-looking reasons, not to work around this specific
bug.
--dkg
