Linux "Ghost" Remote Code Execution Vulnerability
Polytropon
freebsd at edvax.de
Thu Jan 29 02:38:49 UTC 2015

On Wed, 28 Jan 2015 14:52:47 -0500, Jerry wrote:
> Does this vulnerability affect FreeBSD?
>
> https://www.us-cert.gov/ncas/current-activity/2015/01/27/Linux-Ghost-Remote-Code-Execution-Vulnerability

FreeBSD's gethostbyname() is located in the standard C library,
which is libc, not glibc (that Linux is using), so probably
FreeBSD is not affected. However, programs linked against
glibc and run in the Linux ABI environment might be affected,
I assume.

You can find a demonstration program here:

http://www.openwall.com/lists/oss-security/2015/01/27/9

It's in section 4.

On my home system, I get this:

% cc -Wall -o ghost ghost.c
% ./ghost
should not happen

Surprise: Neither "vulnerable" nor "not vulnerable" is printed.
That result is interesting. It might indicate ternary logic.
YES, NO, FILE_NOT_FOUND. :-)

Note that 4.1 explicitly talks about "The GNU C Library"
which FreeBSD does not use (or have). Section 4 mentions
other programs (such as mount.nfs, ping, procmail) for
further explanation.

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
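
The libc-versus-glibc distinction drawn in the reply above can be checked per binary, which is how Linux-ABI programs on a FreeBSD host can be told apart from native ones. The following C program is an added example, not part of the original message or of the Openwall demonstration program; it assumes glibc's usual Linux soname libc.so.6 and the FreeBSD base soname libc.so.7, and the enum and function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Triage result; these names are this example's own. */
enum libc_kind { NOT_ELF, ELF_OTHER, ELF_FREEBSD_LIBC, ELF_GLIBC };

/* Return 1 if soname, including its terminating NUL, occurs in buf.
   Matching the NUL keeps "libc.so.6" from matching "libc.so.6x". */
static int has_soname(const unsigned char *buf, size_t len, const char *soname)
{
    size_t n = strlen(soname) + 1;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, soname, n) == 0)
            return 1;
    return 0;
}

/* Classify an ELF image by the libc soname it references.
   Heuristic: scans the bytes for the soname instead of walking DT_NEEDED. */
enum libc_kind classify(const unsigned char *buf, size_t len)
{
    if (len < 16 || memcmp(buf, "\x7f" "ELF", 4) != 0)
        return NOT_ELF;
    if (has_soname(buf, len, "libc.so.6"))   /* assumed glibc soname */
        return ELF_GLIBC;
    if (has_soname(buf, len, "libc.so.7"))   /* assumed FreeBSD libc soname */
        return ELF_FREEBSD_LIBC;
    return ELF_OTHER;                        /* static, or some other libc */
}

/* Classify each path given; with no arguments, classify this program itself. */
int main(int argc, char **argv)
{
    static unsigned char buf[1 << 20];       /* only the first 1 MiB is scanned */
    static const char *label[] = { "not ELF", "ELF, no known libc soname",
                                   "FreeBSD libc (libc.so.7)", "glibc (libc.so.6)" };
    for (int i = (argc > 1); i < argc; i++) {
        FILE *f = fopen(argv[i], "rb");
        if (!f) { perror(argv[i]); continue; }
        size_t n = fread(buf, 1, sizeof buf, f);
        fclose(f);
        printf("%s: %s\n", argv[i], label[classify(buf, n)]);
    }
    return 0;
}
```

A binary reported as glibc-linked is resolved against whatever glibc the Linux compatibility environment provides, so that library's version is what decides exposure, not the FreeBSD base system.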
More information about the freebsd-questions
mailing list