Bitcoin Forum>Bitcoin>Bitcoin Technical Support
Author

Topic: GLIBC Vulnerability a Concern for bitcoin.org Wallet Software? (Read 1259 times)

spin
sr. member
Activity: 362
Merit: 262
GLIBC Vulnerability a Concern for bitcoin.org Wallet Software?
February 02, 2015, 04:28:30 AM
#4
Quote from: Foxpup on January 30, 2015, 01:36:24 AM
Quote from: Newar on January 29, 2015, 01:12:01 PM
Not sure how it affects bitcoin.
It shouldn't. The vulnerability is in the gethostby­name() function, specifically that if it is given an IP address instead of a domain name, it just returns the IP address itself (which is reasonable) with no bounds checking on the length of the IP address (they're always less than 16 characters, right?), leading to a buffer overflow if it is given a bogus IP address containing impossibly large numbers (whoops). This function is obsolete, replaced by getaddrinfo(), which has no such vulnerability, and as far as I can tell Bitcoin doesn't use the vulnerable function.

The function is obsolete on newer systems but still on use in some older systems e.g.:
http://www.ubuntu.com/usn/usn-2485-1/ (ubuntu 12.04 and 10.04)

I'm not sure how it affects bitcoin directly.  Don't think it uses the function.  Of course if bitcoin is a on a vulnerable system there is of course a risk in any case.
Foxpup
legendary
Activity: 4494
Merit: 3178
Vile Vixen and Miss Bitcointalk 2021-2023
Re: GLIBC Vulnerability a Concern for bitcoin.org Wallet Software?
January 30, 2015, 01:36:24 AM
#3
Quote from: Newar on January 29, 2015, 01:12:01 PM
Not sure how it affects bitcoin.
It shouldn't. The vulnerability is in the gethostby­name() function, specifically that if it is given an IP address instead of a domain name, it just returns the IP address itself (which is reasonable) with no bounds checking on the length of the IP address (they're always less than 16 characters, right?), leading to a buffer overflow if it is given a bogus IP address containing impossibly large numbers (whoops). This function is obsolete, replaced by getaddrinfo(), which has no such vulnerability, and as far as I can tell Bitcoin doesn't use the vulnerable function.
Newar
legendary
Activity: 1358
Merit: 1001
https://gliph.me/hUF
Re: GLIBC Vulnerability a Concern for bitcoin.org Wallet Software?
January 29, 2015, 01:12:01 PM
#2
Check:

Glibc: GHOST Vulnerability Test To See If a Linux Sever Is Secure
http://www.cyberciti.biz/faq/cve-2015-0235-ghost-glibc-buffer-overflow-linux-test-program/

Not sure how it affects bitcoin.
The00Dustin
hero member
Activity: 807
Merit: 500
Re: GLIBC Vulnerability a Concern for bitcoin.org Wallet Software?
January 29, 2015, 09:05:36 AM
#1
Got this information in an e-mail from McAfee today...
Quote
Vulnerability to CVE-2015-2035/GHOST is currently being investigated across all McAfee products.

Impact:
The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. This buffer overflow vulnerability can be triggered both locally and remotely.  CVE-2015-0235 has been assigned to this issue.

The GNU C Library or glibc is an implementation of the standard C library and is a core part of the Linux operating system.  Linux distribution vendors have released patches for all distribution as of January 27, 2015.
If it is accurate, then it seems like glibc would be used in a lot of places, possibly including bitcoind or bitcoin-qt...
Bitcoin Forum>Bitcoin>Bitcoin Technical Support
Jump to: