BSD libc contains a buffer overflow vulnerability (cert.org)
74 points by kumaranvpl on Dec 7, 2016 | hide | past | favorite | 13 comments


The flaw appears in the oldest version of the source on GitHub, circa 1994; "BSD 4.4 Lite Lib Sources." Who knows how far back it really goes.

It's really basic; get the kernel to cough up a bad sockaddr and bcopy will scribble on your memory. That may seem far fetched but then you remember LKM and maybe not. Incidentally OpenBSD dropped LKM support in 2014 [1], presumably for hardening purposes.

[1] https://news.ycombinator.com/item?id=8554003


4.3BSD-Reno, basically unchanged since 1990 until yesterday.

http://minnie.tuhs.org/cgi-bin/utree.pl?file=4.3BSD-Reno/src...

Personally I'm more worried about the function returning obuf, a pointer to a stack variable in link_ntoa.


That's not on the stack.


Oh indeed. Static it is...
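The two points raised above (a sockaddr with bad length fields handed to bcopy, and a formatter that writes into a fixed-size static obuf) come down to one missing check: the caller-supplied lengths are never compared against the output buffer before the copy. The following is an added example, not the libc link_ntoa or any kernel code; the struct ll_sockaddr layout, the field names and the 64-byte OBUF_SIZE are assumptions modelled loosely on a link-layer sockaddr, and the sample addresses are constructed. It shows the bounds checks a hardened formatter needs so that an oversized nlen/alen is rejected rather than overrunning the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-in for a link-layer sockaddr (assumption:
 * a name length, an address length, then name bytes followed by address
 * bytes in data[]). This is not the libc or kernel definition. */
struct ll_sockaddr {
    uint8_t len;      /* total length of this sockaddr as reported by the source */
    uint8_t family;
    uint8_t nlen;     /* bytes of interface name at the start of data[] */
    uint8_t alen;     /* bytes of link-layer address following the name */
    uint8_t data[48]; /* constructed size; name then address bytes */
};

#define OBUF_SIZE 64  /* assumed size of the fixed output buffer */

/* Format "name:aa.bb.cc" into obuf, validating every length against both
 * the input structure and the output buffer before any byte is copied.
 * Returns the formatted length, or -1 if the sockaddr does not fit. */
int ll_ntoa_checked(const struct ll_sockaddr *sa, char *obuf, size_t obuf_size)
{
    size_t nlen = sa->nlen, alen = sa->alen;

    /* Check 1: the claimed name+address bytes must lie inside data[] and
     * inside the length the sockaddr says it has. A short or inconsistent
     * sockaddr would otherwise make the copy read past the structure. */
    if (nlen + alen > sizeof sa->data)
        return -1;
    if ((size_t)sa->len < offsetof(struct ll_sockaddr, data) + nlen + alen)
        return -1;

    /* Check 2: the formatted text must fit the output buffer. Worst case is
     * name, ':', "xx." per address byte, and the terminating NUL. */
    size_t required = nlen + 1 + 3 * alen + 1;
    if (required > obuf_size)
        return -1;

    size_t pos = 0;
    memcpy(obuf, sa->data, nlen);
    pos = nlen;
    if (alen) {
        obuf[pos++] = ':';
        for (size_t i = 0; i < alen; i++) {
            if (i)
                obuf[pos++] = '.';
            pos += (size_t)snprintf(obuf + pos, obuf_size - pos, "%02x",
                                    sa->data[nlen + i]);
        }
    }
    obuf[pos] = '\0';
    return (int)pos;
}

/* Constructed sample: a well-formed address for interface "em0". */
int demo_well_formed(char *out, size_t out_size)
{
    struct ll_sockaddr sa;
    const uint8_t mac[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    memset(&sa, 0, sizeof sa);
    sa.nlen = 3;
    sa.alen = 6;
    memcpy(sa.data, "em0", 3);
    memcpy(sa.data + 3, mac, 6);
    sa.len = (uint8_t)(offsetof(struct ll_sockaddr, data) + 9);
    return ll_ntoa_checked(&sa, out, out_size);
}

/* Constructed sample: lengths that fit inside data[] but whose formatted
 * form would overrun a 64-byte obuf. The check rejects it instead. */
int demo_oversized(void)
{
    char obuf[OBUF_SIZE];
    struct ll_sockaddr sa;
    memset(&sa, 0, sizeof sa);
    sa.nlen = 10;
    sa.alen = 30;
    sa.len = sizeof sa;
    return ll_ntoa_checked(&sa, obuf, sizeof obuf);
}

int main(void)
{
    char obuf[OBUF_SIZE];
    printf("well-formed: %d %s\n", demo_well_formed(obuf, sizeof obuf), obuf);
    printf("oversized: %d\n", demo_oversized());
    return 0;
}
```

The second sample is the case that matters for the static-buffer worry: the input structure itself is consistent, so a check against the sockaddr alone passes, and only the comparison against the output buffer size stops the overrun. Returning the length (or -1) rather than a pointer to a static buffer also sidesteps the reentrancy problem noted in the thread.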


4.3 Reno, apparently added as part of OSI networking, which explains why no one has ever heard of it.

(Pretty sure 4.3BSD didn't have loadable kernel modules; you built your kernel from source, uphill both ways in the snow.)


Unrelated: In responsible disclosure, is it standard to notify the biggest vendor first? I noticed apple was notified on Oct 10th, quite some time prior to the other vendors.


Perhaps it was discovered by an individual on OS X, reported (by the individual) to Apple, reported (by either the individual or Apple) to CERT, then CERT looked at it, found the other affected operating systems, and reported it to them?

There's a number of ways this particular "ordering" could have occurred.


It's possible it was reported to Apple because they have a vulnerability bounty program, so the individual who reported it could get a reward. That might create an incentive to report it to larger targets who may run larger bounty programs.


It'll be interesting to know if OpenBSD is affected. They don't seem to have responded yet.



This came up in the openbsd-misc mailing list yesterday [1]. Someone also mentioned the link that elchief posted.

[1] https://marc.info/?l=openbsd-misc&m=148105687011923&w=2


Top-right corner shows this is sponsored by the Department of Homeland Security... nice to hear that agency is doing something good for regular people's security.

from http://www.dhs.gov/office-cybersecurity-and-communications "The Office of Cybersecurity and Communications (CS&C), within the National Protection and Programs Directorate, is responsible for enhancing the security, resilience, and reliability of the Nation’s cyber and communications infrastructure."


"The Office of Cybersecurity and Communications (CS&C), within the National Protection and Programs Directorate, is responsible for enhancing the security, resilience, and reliability of the Nation’s cyber and communications infrastructure."

That used to be part of the NSA's charter, more or less, before they decided that playing offense was more fun.



