Slashdot Mirror


Serious Network Function Vulnerability Found In Glibc

An anonymous reader writes: A very serious security problem has been found and patched in the GNU C Library (Glibc). A heap-based buffer overflow was found in the __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the program. The vulnerability is easy to trigger, as gethostbyname() can be called remotely for applications that do any kind of DNS resolving within the code. Qualys, who discovered the vulnerability (nicknamed "Ghost") during a code audit, wrote a mailing list entry with more details, including in-depth analysis and exploit vectors.

1 of 211 comments

  1. Accidental bugs? by Nightlight3 · Score: 1, Interesting

    I don't think so. There are just too many of these buffer overflow security holes in commercial and open source software for it to be chance. In over two decades of programming in every language and platform that came along, from Z8, x86 assembly, then FORTRAN, C, Pascal, ... Java, JavaScript, Python, awk, Objective-C, ... from embedded coding on routers, switches and misc. controllers, to numerous versions of MS-DOS, Windows, Linux and iPhones, I have yet to have one such buffer overflow bug in my code. Checking buffer boundaries is the most basic rule, one that even a beginner programmer learns quickly.

    There must be agencies seeding these projects, commercial and open source, with toxic contributors injected there to deliberately contaminate the code with such bugs. The further fact that one never sees responsible persons identified, removed and blacklisted suggests that the contamination is top-down.