GNU glibc contains a buffer overflow vulnerability in the DNS resolver, which may allow a remote attacker to execute arbitrary code.
CWE-121: Stack-based Buffer Overflow - CVE-2015-7547
According to a Google security blog post:
The getaddrinfo() function allows a buffer overflow condition in which arbitrary code may be executed. The impact may vary depending on whether the use case is local or remote.
Apply an update
Some embedded operating systems and older, no longer supported versions of Linux distributions may contain an older version of glibc that is vulnerable. Please check with your vendor to find out if you need to upgrade to a newer operating system in order to address this issue.
This vulnerability was disclosed by Fermin J. Serna and Kevin Stadmeyer of Google and Florian Weimer and Carlos O'Donell of Red Hat. Google thanks: "Neel Mehta, Thomas Garnier, Gynvael Coldwind, Michael Schaller, Tom Payne, Michael Haro, Damian Menscher, Matt Brown, Yunhong Gu, Florian Weimer, Carlos O'Donell and the rest of the glibc team for their help figuring out all details about this bug, exploitation, and patch development."
This document was written by Garret Wassermann.
Date First Published: 2016-02-17
Date Last Updated: 2016-03-14 14:25 UTC