Dear Albrecht,

In message <dqiV/LnHNeiZOsLhR9Mgzf@SyWqmvdG7uuP9L7gmgFa0> you wrote:

> short question - is the glibc version (2.21?) coming with ELDK 5.8
> affected by the recently published glibc getaddrinfo() bug
> CVE-2015-7547 [1]? If so, will you provide a patched version of 5.8
> (like 5.8.1), or do we have to re-compile glibc with a fix [2]
> ourselves?

Yes, CVE-2015-7547 is serious enough to be fixed in a v5.8.1 bugfix release.

> IMO, this bug is a really critical one, much worse than CVE-2015-0235
> aka 'GHOST' which strikes the obsolescent (though still used by some
> older applications) gethostbyname() function only.

Agreed.

> I still use ELDK 5.4 on two PowerPC platforms (MPC5200; P2020) which
> *is* vulnerable on both according to the proof-of-concept [3]. This
> in turn means that *any* system built with ELDK 5.4 (and earlier and
> later versions?) is also vulnerable if any application running on it
> uses getaddrinfo() - which is /very/ likely.

Agreed.

> As ELDK 5.8 now comes with gcc 4.9.1 which should have the issue
> described in [4] fixed, this would be the perfect time to move to the
> new ELDK, if CVE-2015-7547 is fixed.

Plain v5.8 is based on Yocto 1.8.1, which does not contain the fix yet: Yocto 1.8.1 was released on Nov 6, 2015, while the CVE-2015-7547 fix was only added on Feb 17 (plus a number of other glibc fixes [for CVE-2015-8776, CVE-2015-9761, CVE-2015-8779, CVE-2015-8777] on Jan 22); a number of other components have also been fixed since (CVE-2015-7511, CVE-2016-2090, CVE-2016-2198, CVE-2016-2197, CVE-2016-1568, CVE-2016-0754, CVE-2016-0755, CVE-2016-0701, CVE-2015-3197, CVE-2015-0860, CVE-2015-8704, CVE-2015-8705, CVE-2016-1907, CVE-2015-1283, CVE-2015-8370, CVE-2014-9496, CVE-2014-9756, CVE-2015-7805, CVE-2015-8380, CVE-2015-8395, CVE-2015-8126, CVE-2015-7236, CVE-2015-3187, CVE-2015-7942, CVE-2015-8035, ...).

So yes, there is reason for some updates...

However, due to the upcoming Embedded World trade show in Nuremberg next week we will not be able to provide such an update as quickly as we'd like to. If you need the fixes faster, please feel free to go ahead and cherry-pick/backport the related patches from Yocto mainline yourself. If you post the patches here I promise to pick these up ASAP and roll them into v5.8.1.

Thanks for bringing this up, and thanks in advance for any potential patches :-)

Best regards,

Wolfgang Denk

--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: [email protected]
There are three things I always forget. Names, faces - the third I can't remember. - Italo Svevo

_______________________________________________
eldk mailing list
[email protected]
http://lists.denx.de/mailman/listinfo/eldk
