Author

Topic: GLIBC Vulnerability a Concern for bitcoin.org Wallet Software? (Read 1268 times)

sr. member
Activity: 362
Merit: 262
Not sure how it affects bitcoin.
It shouldn't. The vulnerability is in the gethostby­name() function, specifically that if it is given an IP address instead of a domain name, it just returns the IP address itself (which is reasonable) with no bounds checking on the length of the IP address (they're always less than 16 characters, right?), leading to a buffer overflow if it is given a bogus IP address containing impossibly large numbers (whoops). This function is obsolete, replaced by getaddrinfo(), which has no such vulnerability, and as far as I can tell Bitcoin doesn't use the vulnerable function.

The function is obsolete on newer systems but still on use in some older systems e.g.:
http://www.ubuntu.com/usn/usn-2485-1/ (ubuntu 12.04 and 10.04)

I'm not sure how it affects bitcoin directly.  Don't think it uses the function.  Of course if bitcoin is a on a vulnerable system there is of course a risk in any case.
legendary
Activity: 4542
Merit: 3393
Vile Vixen and Miss Bitcointalk 2021-2023
Not sure how it affects bitcoin.
It shouldn't. The vulnerability is in the gethostby­name() function, specifically that if it is given an IP address instead of a domain name, it just returns the IP address itself (which is reasonable) with no bounds checking on the length of the IP address (they're always less than 16 characters, right?), leading to a buffer overflow if it is given a bogus IP address containing impossibly large numbers (whoops). This function is obsolete, replaced by getaddrinfo(), which has no such vulnerability, and as far as I can tell Bitcoin doesn't use the vulnerable function.
legendary
Activity: 1358
Merit: 1001
https://gliph.me/hUF
Check:

Glibc: GHOST Vulnerability Test To See If a Linux Sever Is Secure
http://www.cyberciti.biz/faq/cve-2015-0235-ghost-glibc-buffer-overflow-linux-test-program/

Not sure how it affects bitcoin.
hero member
Activity: 807
Merit: 500
Got this information in an e-mail from McAfee today...
Quote
Vulnerability to CVE-2015-2035/GHOST is currently being investigated across all McAfee products.

Impact:
The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. This buffer overflow vulnerability can be triggered both locally and remotely.  CVE-2015-0235 has been assigned to this issue.

The GNU C Library or glibc is an implementation of the standard C library and is a core part of the Linux operating system.  Linux distribution vendors have released patches for all distribution as of January 27, 2015.
If it is accurate, then it seems like glibc would be used in a lot of places, possibly including bitcoind or bitcoin-qt...
Jump to: