Date: Thu, 29 Jan 2015 03:38:38 +0100
From: Polytropon <freebsd@edvax.de>
To: freebsd-questions@freebsd.org
Subject: Re: Linux "Ghost" Remote Code Execution Vulnerability
Message-ID: <20150129033838.810254de.freebsd@edvax.de>
In-Reply-To: <20150128145247.5086e9a4@scorpio>
References: <20150128145247.5086e9a4@scorpio>

On Wed, 28 Jan 2015 14:52:47 -0500, Jerry wrote:
> Does this vulnerability affect FreeBSD?
>
> https://www.us-cert.gov/ncas/current-activity/2015/01/27/Linux-Ghost-Remote-Code-Execution-Vulnerability

FreeBSD's gethostbyname() is located in the standard C library,
which is libc, not glibc (that Linux is using), so probably
FreeBSD is not affected. However, programs linked against glibc
and run in the Linux ABI environment might be affected, I assume.

You can find a demonstration program here:

	http://www.openwall.com/lists/oss-security/2015/01/27/9

It's in section 4. On my home system, I get this:

	% cc -Wall -o ghost ghost.c
	% ./ghost
	should not happen

Surprise: Neither "vulnerable" nor "not vulnerable" is printed.
That result is interesting. It might indicate ternary logic.
YES, NO, FILE_NOT_FOUND. :-)

Note that 4.1 explicitly talks about "The GNU C Library" which
FreeBSD does not use (or have). Section 4 mentions other programs
(such as mount.nfs, ping, procmail) for further explanation.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
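
Added example, not part of the message above and not FreeBSD or glibc code: a small ELF reader that tells which C library a dynamically linked binary asks for, which is the distinction the reply draws between FreeBSD's libc and glibc in the Linux ABI environment. It assumes little-endian ELF64 files; the function names and the sample_elf() test image are constructed for this illustration.

```python
import struct
PT_LOAD, PT_DYNAMIC, DT_NULL, DT_NEEDED, DT_STRTAB = 1, 2, 0, 1, 5
ELFOSABI_FREEBSD = 9  # e_ident[EI_OSABI] of binaries built by FreeBSD's toolchain

def needed_libs(elf):
    """DT_NEEDED sonames of a little-endian ELF64 image ([] if no dynamic section)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (phoff,) = struct.unpack_from("<Q", elf, 0x20)
    phentsize, phnum = struct.unpack_from("<HH", elf, 0x36)
    loads, dyn = [], None
    for i in range(phnum):
        ptype, _, off, vaddr, _, filesz = struct.unpack_from("<IIQQQQ", elf, phoff + i * phentsize)
        if ptype == PT_LOAD:
            loads.append((vaddr, off, filesz))
        elif ptype == PT_DYNAMIC:
            dyn = (off, filesz)
    if dyn is None:
        return []  # static binary: the libc it was linked with cannot be read this way
    entries = []
    for pos in range(dyn[0], dyn[0] + dyn[1], 16):
        tag, val = struct.unpack_from("<qQ", elf, pos)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    strtab_va = next(v for t, v in entries if t == DT_STRTAB)
    # DT_STRTAB is a virtual address; map it to a file offset through its PT_LOAD segment
    strtab = next(o + strtab_va - va for va, o, sz in loads if va <= strtab_va < va + sz)
    return [elf[strtab + v:elf.index(b"\0", strtab + v)].decode() for t, v in entries if t == DT_NEEDED]

def libc_flavour(elf):
    """'glibc' for libc.so.6, 'freebsd-libc' for a FreeBSD-branded libc.so.N, else 'unknown'."""
    libs = needed_libs(elf)
    if "libc.so.6" in libs:  # soname of the GNU C Library on most architectures
        return "glibc"
    freebsd = elf[7] == ELFOSABI_FREEBSD and any(n.startswith("libc.so.") for n in libs)
    return "freebsd-libc" if freebsd else "unknown"

def sample_elf(osabi, soname):
    """Constructed minimal image: ELF header, PT_LOAD, PT_DYNAMIC, dynamic table, strings."""
    base, dyn_off, str_off = 0x400000, 176, 224
    strtab = b"\0" + soname.encode() + b"\0"
    size = str_off + len(strtab)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, osabi]) + bytes(8) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 4, 0, base, base, size, size, 0x1000)
    dynp = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 4, dyn_off, base + dyn_off, base + dyn_off, 48, 48, 8)
    dyn = struct.pack("<qQqQqQ", DT_NEEDED, 1, DT_STRTAB, base + str_off, DT_NULL, 0)
    return ehdr + load + dynp + dyn + strtab
```

A "glibc" result only says the binary loads the GNU C Library; it says nothing about which glibc version is installed or whether that version is affected.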