It’s time to patch glibc. The widely used open-source implementation of the standard C library contains a stack-based buffer overflow in its DNS client-side resolver. A fix is available, but the bug is now public, so anyone running an affected glibc should update as soon as possible; because glibc is a shared library, the exposure is not limited to one program but to every process that resolves host names through it.
Although Google announced the bug today on its security blog, a bug report on the issue had already been filed in July 2015. There was no indication that a patch was in the works, so Google wrote and submitted its own. The company says Red Hat was also working on a fix.
The bug was discovered while a Google engineer was tracking down an SSH problem. It is triggered by an oversized DNS response, over UDP or TCP, of more than 2,048 bytes. As a stopgap until systems can be patched, Google suggested limiting the size of DNS responses that reach a machine, for example by putting a local resolver such as Dnsmasq in front of it to filter out large UDP or TCP responses. Note that this is a mitigation, not a fix: it only helps for queries that actually pass through the filtering resolver.
According to Google, “Glibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query.
“Later on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated.
“Under certain conditions a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger than the stack buffer and a heap buffer was allocated. This behavior leads to the stack buffer overflow.
“The vectors to trigger this buffer overflow are very common and can include ssh, sudo, and curl. We are confident that the exploitation vectors are diverse and widespread; we have not attempted to enumerate these vectors further.”
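The bug class in the quoted description is a pointer and its size being tracked separately and drifting apart. The following is an added example, written for this page; it is neither glibc’s code nor Google’s patch. It models a 2048-byte stack answer buffer, a heap buffer allocated when an answer does not fit, and the two ways of doing the bookkeeping. The `retry_on_stack` flag is an assumption standing in for the “certain conditions” Google mentions, not the exact glibc trigger, and `simulated_recv()` clamps every copy to the real capacity so the model itself never overflows; it only reports how many bytes the vulnerable bookkeeping would have written past the end of the stack buffer.

```c
/* Added example (not glibc code): pointer/size bookkeeping for a DNS
 * answer buffer, in a vulnerable shape and a hardened shape. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define STACK_ANSWER_SIZE 2048   /* glibc's alloca() reservation */
#define MAXPACKET_SIZE    65536  /* assumed heap buffer size for larger answers */

struct outcome {
    size_t stored;    /* answer bytes actually kept */
    size_t overflow;  /* bytes that would have landed past the buffer's end */
};

/* Simulated recv(): the caller claims dst holds claimed_cap bytes, true_cap
 * is what it really holds. The copy is bounded by true_cap so the model
 * stays memory-safe, and the size of the bad claim is recorded. */
static struct outcome simulated_recv(unsigned char *dst, size_t claimed_cap,
                                     size_t true_cap, size_t resp_len)
{
    struct outcome o = {0, 0};
    size_t n = resp_len < claimed_cap ? resp_len : claimed_cap;
    if (n > true_cap) {              /* this is where a real recv() would smash the stack */
        o.overflow = n - true_cap;
        n = true_cap;
    }
    memset(dst, 0x41, n);            /* stand-in for the wire bytes (constructed) */
    o.stored = n;
    return o;
}

/* Vulnerable shape: ansp and anssiz are separate variables, updated
 * independently. Growing to the heap bumps both; the assumed retry path
 * reverts only the pointer, so the stack buffer is paired with the heap size. */
struct outcome resolve_split_state(size_t resp_len, int retry_on_stack)
{
    unsigned char stack_answer[STACK_ANSWER_SIZE];
    unsigned char *heap = NULL;
    unsigned char *ansp = stack_answer;
    size_t anssiz = sizeof stack_answer;
    struct outcome o;

    if (resp_len > anssiz) {         /* answer does not fit: move to the heap */
        heap = malloc(MAXPACKET_SIZE);
        if (heap == NULL) { o.stored = 0; o.overflow = 0; return o; }
        ansp = heap;
        anssiz = MAXPACKET_SIZE;
    }
    if (retry_on_stack)              /* the mismatch: pointer reverts, size does not */
        ansp = stack_answer;

    o = simulated_recv(ansp, anssiz,
                       ansp == stack_answer ? sizeof stack_answer : MAXPACKET_SIZE,
                       resp_len);
    free(heap);
    return o;
}

/* Hardened shape: pointer and capacity are one value, so no code path can
 * hold the heap size while pointing at the stack. The same retry step now
 * yields a truncated answer (which a resolver should reject), not a write
 * past the end of the stack. */
struct answer_buf { unsigned char *ptr; size_t cap; };

struct outcome resolve_paired_state(size_t resp_len, int retry_on_stack)
{
    unsigned char stack_answer[STACK_ANSWER_SIZE];
    struct answer_buf stack_buf = { stack_answer, sizeof stack_answer };
    struct answer_buf heap_buf  = { NULL, 0 };
    struct answer_buf *cur = &stack_buf;
    struct outcome o;

    if (resp_len > cur->cap) {
        heap_buf.ptr = malloc(MAXPACKET_SIZE);
        if (heap_buf.ptr == NULL) { o.stored = 0; o.overflow = 0; return o; }
        heap_buf.cap = MAXPACKET_SIZE;
        cur = &heap_buf;
    }
    if (retry_on_stack)              /* capacity travels with the pointer */
        cur = &stack_buf;

    o = simulated_recv(cur->ptr, cur->cap, cur->cap, resp_len);
    free(heap_buf.ptr);
    return o;
}
```

Feed both functions a 4000-byte answer with the retry condition set: the split-state version reports 1952 bytes written past the 2048-byte stack buffer, the paired version stores 2048 bytes and overflows nothing. Without the retry condition both keep all 4000 bytes in the heap buffer, which is why the bug is easy to miss in ordinary testing. The general lesson is the one the glibc fix embodies: a buffer pointer and its capacity should never be updated in two places.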