Note to readers

This publication does not currently meet the Government of Canada's Web Standards. The information remains valid.

glibc Library - Stack-Based Buffer Overflow Vulnerability

Number: AV16-031
Date: 18 February 2016

Purpose

The purpose of this advisory is to bring attention to a vulnerability discovered in the glibc library of code, a key component of most Linux distributions.

Assessment

GNU C Library (glibc) is a collection of open source code that powers standalone applications and most Linux distributions.

The vulnerability in glibc relates to a stack-based buffer overflow in the glibc DNS client-side resolver that puts Linux machines at risk for remote code execution. The flaw is triggered when the getaddrinfo() library function, which is responsible for performing domain-name lookups, is used.

Affected Software:  All versions of glibc Version 2.9 to 2.22 are vulnerable.

CVE Reference: CVE-2015-7547

Suggested action

CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly.

References:

https://www.kb.cert.org/vuls/id/457759

https://www.us-cert.gov/ncas/current-activity/2016/02/17/GNU-glibc-Vulnerability

https://rhn.redhat.com/errata/RHSA-2016-0175.html

https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html

http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/

http://www.zdnet.com/article/patch-linux-now-google-red-hat-warn-over-critical-glibc-bug/

https://threatpost.com/critical-glibc-vulnerability-puts-all-linux-machines-at-risk/116261/

Date modified: