[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#491809: libc6: DNS spoofing vulnerability [CVE-2008-1447]

brian m. carlson a écrit :
> Package: libc6
> Version: 2.7-12
> Severity: critical
> Tags: security
> 
> The glibc stub resolver is vulnerable to CVE-2008-1447, according to DSA
> 1605.  Since the vast majority of network-using programs use glibc as a
> resolver, this vulnerability affects virtually any network-using
> program, hence the severity.  libc6 should not be released without a fix
> for this problem.
> 
> The vulnerability has been exposed:
> 
> http://demosthen.es/post/43048623/reliable-dns-forgery-in-2008
> 
> If Slashdot knows it, so does everyone else.
> 

With a recent kernel, I don't think the glibc stub resolver is
vulnerable: contrary to some other resolvers, the it binds to an
unspecified port and let the kernel decide the source port.

The source port randomization has been implemented in the kernel one
year ago [1], so all machines using a kernel >= 2.6.24 should be safe.

Also please note that the glibc as a stub resolver is less vulnerable
than a recursive resolver, as an attacker would have to spoof one of the
ISP's nameservers, which is much more unlikely than spoofing one of the
servers on a recursive resolution path.

[1]
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=32c1da70810017a98aa6c431a5494a302b6b9a30

-- 
  .''`.  Aurelien Jarno	            | GPG: 1024D/F1BCDB73
 : :' :  Debian developer           | Electrical Engineer
 `. `'   aurel32@debian.org         | aurelien@aurel32.net
   `-    people.debian.org/~aurel32 | www.aurel32.net
Reply to: