Solved Security issue discovered in Linux glibc 2.9 and higher

According to this Ars Technica article, there is a buffer overflow bug in the GNU C Library v2.9 and later which was introduced in 2008. The problem is the function getaddrinfo(3) which does DNS lookups.

Now my question is, is FreeBSD vulnerable?
 
It's not, because FreeBSD's libc is not based on or related to glibc in any way. However, if a similar vulnerability were in FreeBSD's libc the result would be equally catastrophic. There is nothing that separates the stub resolver that is part of libc from the process that uses the resolver. Only measures such as ASLR would provide some protection, because the attacker would then have to first guess where the important parts of the process are in the memory space. Even then it's only a matter of time before the process can be hijacked.
 
I don't run Linux binaries and I don't have any of the Linux compatibility software installed on any of my machines on the network, so I guess that it is a non-issue for FreeBSD then. That blog article was informative. Thanks wblock@.
 
Be careful. FreeBSD desktops can have Linux in unexpected places, like for the Flash plugin for web browsers. Servers can have Linux virtual machines, or a Linux userland in a jail.
 
As I said before, I don't even have the Linux compatibility libraries installed in any way, shape, or form. I'm not using a graphical environment, so the web browser is the text-based lynx. I do not have virtual machines or jails running, so there is nothing there.
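The places the thread points at (the Linux compat kernel module, linux_base and linux-* packages such as the Flash plugin, a Linux userland under /compat/linux, and jails) can be checked with a short audit script. This is an added example, not from the thread or from FreeBSD itself; kldstat(8), pkg(8) and jls(8) are the standard FreeBSD tools, but the output layouts the functions parse are assumed from their usual format.

```sh
#!/bin/sh
# Audit a FreeBSD host for Linux compatibility components, i.e. the places
# where a Linux glibc (and therefore its resolver) could be running.
# Added example; the parsed output formats are assumed typical layouts.

# has_linux_kmod: read kldstat output on stdin; succeed if linux.ko,
# linux64.ko or linux_common.ko is loaded.
has_linux_kmod() {
    grep -Eq '(^|[[:space:]])linux(64|_common)?\.ko([[:space:]]|$)'
}

# has_linux_pkg: read `pkg info` output on stdin; succeed if any package
# name starts with linux_ or linux- (linux_base-*, linux-flashplugin, ...).
has_linux_pkg() {
    grep -Eq '^linux[_-]'
}

# count_jails: read jls output on stdin; print the number of running jails
# (every non-empty line after the header row).
count_jails() {
    awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }'
}

# audit_linux_compat: run the checks on the local host. Returns 0 if any
# Linux compatibility component was found, 1 if none were.
audit_linux_compat() {
    found=1
    if command -v kldstat >/dev/null 2>&1 && kldstat | has_linux_kmod; then
        echo "Linux compat kernel module loaded"; found=0
    fi
    if command -v pkg >/dev/null 2>&1 && pkg info 2>/dev/null | has_linux_pkg; then
        echo "Linux packages installed (linux_base, linux-* ports)"; found=0
    fi
    if [ -d /compat/linux ]; then
        echo "/compat/linux exists: a Linux userland may be present"; found=0
    fi
    if command -v jls >/dev/null 2>&1; then
        n=$(jls 2>/dev/null | count_jails)
        [ "$n" -gt 0 ] && echo "$n jail(s) running: inspect each for a Linux userland"
    fi
    return $found
}
```

Run `audit_linux_compat` as root on each FreeBSD host; a non-zero exit with no output means none of the indicators were found.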
 