[tor-talk] The CVE-2015-7547 glibc getaddrinfo() vulnerability, and you.

Nick Mathewson nickm at freehaven.net
Tue Feb 16 15:30:18 UTC 2016


summary: New glibc bug. If you use glibc, install your vendor's
patches as they become available. Tor is not an easy target for this
attack, but you should upgrade anyway.

Hello, all!

There's apparently a new buffer overflow vulnerability in glibc, with
a patch out today.  If you are running some GNU/Linux distribution
that uses the GNU C library, then you should upgrade as soon as your
distribution has a patch.  (And if they don't get a patch for you
soon, maybe you should switch to a distribution that fixes security
holes promptly.)

More info about CVE-2015-7547 here:
  * https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html

If I'm reading Tor's code correctly, and if I'm reading the
vulnerability description correctly, Tor should not be an easy target
here.  Tor never uses glibc's resolver to make DNS requests for any
attacker-controlled addresses. So in order to mount an attack based on
this vulnerability, I think you'd need to successfully take over
one of somebody's configured addresses, first by figuring out what
they're resolving, and then either by compromising an appropriate DNS
server or running an appropriate DNS cache poisoning attack.

Of course, glibc users should upgrade anyway, for a few reasons:
   * Tor is not the only program you are running; some other program
is probably affected.
   * My analysis could be wrong.
   * Who knows, your nameserver might be evil or MITM'd.

Stay safe out there!
-- 
Nick

