Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]

To: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
Cc: 491809@bugs.debian.org
Subject: Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
From: Florian Weimer <fw@deneb.enyo.de>
Date: Tue, 22 Jul 2008 11:07:39 +0200
Message-id: <[🔎] 871w1mmgmc.fsf@mid.deneb.enyo.de>
Reply-to: Florian Weimer <fw@deneb.enyo.de>, 491809@bugs.debian.org
In-reply-to: <[🔎] 20080722001613.GA28684@crustytoothpaste.ath.cx> (brian m. carlson's message of "Tue, 22 Jul 2008 00:16:14 +0000")
References: <[🔎] 20080722001613.GA28684@crustytoothpaste.ath.cx>

* brian m. carlson:

> The glibc stub resolver is vulnerable to CVE-2008-1447, according to DSA
> 1605.  Since the vast majority of network-using programs use glibc as a
> resolver, this vulnerability affects virtually any network-using
> program, hence the severity.  libc6 should not be released without a fix
> for this problem.
>
> The vulnerability has been exposed:
>
> http://demosthen.es/post/43048623/reliable-dns-forgery-in-2008

I fail to see how this attack has a chance to work against non-caching
stub resolvers like the GNU libc resolver.

However, we're working on a solution.

Reply to:

Follow-Ups:
- Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
  - From: Aurelien Jarno <aurelien@aurel32.net>

References:
- Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
  - From: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>

Prev by Date: Bug#489906: glibc: tst-regex fails on hppa
Next by Date: Bug#478183: libc6-dev: Various header problems:
Previous by thread: Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
Next by thread: Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]
Index(es):
- Date
- Thread