Serious Network Function Vulnerability Found In Glibc

An anonymous reader writes: A very serious security problem has been found and patched in the GNU C Library (Glibc). A heap-based buffer overflow was found in __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() function calls. A remote attacker able to make an application call to either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the program. The vulnerability is easy to trigger as gethostbyname() can be called remotely for applications that do any kind of DNS resolving within the code. Qualys, who discovered the vulnerability (nicknamed "Ghost") during a code audit, wrote a mailing list entry with more details, including in-depth analysis and exploit vectors.

Open source code is open for everyone

And can be audited by anyone anytime, so it is more secure... Ohh, wait

Re:Open source code is open for everyone

I don't get it. Proprietary software has all sorts of serious vulnerabilities. Why is it that when a vulnerability is found in FOSS, you people all come out and mock it while ignoring all the incompetence of proprietary software?

FOSS *is* more secure, and that's true even with the occasional vulnerability. You're extremely illogical to point to some vulnerabilities and conclude that it isn't more secure. How many vulnerabilities are not known about because no one can look at the source code?

Re:Open source code is open for everyone

[Wootery]

So long as we're writing in C, this kind of thing (buffer overflows in particular) will probably continue.

(Lest I start a flame-war: C is awesome in its way, but more than almost any other language, it really does make it easy to miss things like this.)

Re:Open source code is open for everyone

FOSS *is* more secure, and that's true even with the occasional vulnerability.

Loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooool.

Re:Open source code is open for everyone

[Serenissima]

I don't get it......Why is it that when a vulnerability is found in FOSS, you people all come out and mock it while ignoring all the incompetence of proprietary software?

I see that this is your first visit to Slashdot. Welcome!

Re:Open source code is open for everyone

You know what you should run away from? Any large group of black people! Everybody knows it is true. Its just not socially acceptable to admit it. BUt when push comes to shove you know you would avoid them. You know it. You will mod me down anyway because that is the socially acceptable thing to do, even knowing what i say is true. Congrats, you are the sheeple, letting the collective do your thinking for you even when you know it is wrong. The health of a neighborhood is directly measurable by the proportion of blacks that inhabit it. Everybody knows it. You might say that is terrible to look good before other people but you know deep down you would not take your wife and small children to a neighborhood that's 85% black and expect to safely raise a family there. You would have some reason to move away, of course it would be "incidental" to the black population but you would find one anyway. Yes, we cannot openly admit it but we all know it is true. This is the insanity of socially defined pseudo-reality. It is why things dont change.

Re: Open source code is open for everyone

Wat?

Re:Open source code is open for everyone

[jythie]

I am suspicious of any C coder (myself included) who does not acknowledge this basic problem ^_^

Re:Open source code is open for everyone

Let me inform you that C does not require buffer overruns to operate. The fast and loose easy implementation of C does. I've experimented with a different implementation of C for my VM that grows your stack upwards, places all function call frames on the heap, and isolates return code pointers from stack parameters. It is by far more secure than the GCC / LLVM / MSVC(++) implementations.

In my implementation: A buffer overrun doesn't affect the call stack. A buffer overrun writes into unused memory or causes segfault if it goes beyond the current allocated page. printf based stack manipulation simply screws with variable values, never code pointers.

It is the implementation that is to blame. I must avoid the x86 CPU instructions like ENTER and LEAVE or RET and CALL that assume I want code pointers on my stack, so the system runs slower. However, my point is that the CPU architecture itself was designed by morons who built in the stack smashing buffer overflow vulnerabilities by design, when they could have been mitigated by design instead. It was a different time then, but this is why we should ditch the legacy machine codes and design security in at the chipset level. FUCK YOU ARM for only having 1 bit of execution privilege rings, because with 2 or 4 as on x86 I can actually build secure OSs other than monolithic kernels: One ring for user/plugin separation, another for user/driver another for driver/kernel.

You blame the language for the hardware's fault. We should have MULTIPLE STACKS and ISOLATE THE CALL STACK FROM THE DATA. ISOLATE CODE AND DATA, this isn't rocket science, it's just dumb by design.

Re:Open source code is open for everyone

Yea we should write our system libraries in Go and Haskell. Maybe Coffeescript and run them all on node.js?

Get a clue.

Re:Open source code is open for everyone

Let me inform you that C does not require buffer overruns to operate. The fast and loose easy implementation of C does. I've experimented with a different implementation of C for my VM that grows your stack upwards, places all function call frames on the heap, and isolates return code pointers from stack parameters. It is by far more secure than the GCC / LLVM / MSVC(++) implementations.

In my implementation: A buffer overrun doesn't affect the call stack. A buffer overrun writes into unused memory or causes segfault if it goes beyond the current allocated page. printf based stack manipulation simply screws with variable values, never code pointers.

And I bet your implementation is slow as fuck.

Re:Open source code is open for everyone

When a FOSS hole is found... it is a hole... but not yet being exploited.

When we hear about issues with some closed source software, it is a 0 day, and the bad guys are already using it in the field as an exploit. IMHO, If the closed source stuff is "just" a hole, it sits unfixed until someone finds it and attacks become widespread.

Re:Open source code is open for everyone

[geantvert]

Yes! Probably like Java.

Re:Open source code is open for everyone

[bobbied]

The poster admits as much, but his point is still valid.

Re: Open source code is open for everyone

> When a FOSS hole is found... it is a hole...
> but not yet being exploited.

You have no more reason to believe it's not being exploited than you do for a closed source bug. Just because you haven't heard about it doesn't mean that no one else has found it previously.

Re: Open source code is open for everyone

[Billly+Gates]

"You people"?

Gee a little insecure are we? News flash software is software and has bugs. It doesn't matter which license it is under. It still is software and no being from Microsoft doesn't make it insecure by default anymore than being GNU makes it more secure.

Yes Apple, Google, and Microsoft are mentioned here when a serious flaw is discovered. Why should Linux or anything GNU get a free pass?

Re:Open source code is open for everyone

Well the thing is that FOSS people tend to be pretty derisive of the likes of Microsoft when problems are found in their software while smugly proclaiming that such problems do not exist in open source code. It gets kind of grating to those of us who are employed by companies to develop proprietary closed source software (yes that's right, we're sellouts)

Re: Open source code is open for everyone

[Billly+Gates]

Because C is cool and Java and flash suck. Get with the program

Re:Open source code is open for everyone

You can call that same function from within most other languages even without realizing you're doing it.

I'm pretty sure this vulnerability hits more server software than any openssl one ever did. Even software not written in C.

Re: Open source code is open for everyone

He's trying to tell us that he's really racist, and should be marginalized, but unfortunately he was too cowardly to post his name.

Re: Open source code is open for everyone

[Billly+Gates]

C is like a powerful table saw. Don't practice safety and know what you are doing and you lose a limb. Powerful but not all should play with one.

Re:Open source code is open for everyone

But heap overflows are just as exploitable as stack overflows. Stepping on all the program variables can be just as damaging as stepping on return pointers. Really, there's not much point in preventing that specific kind of overflow if you still allow the others.

Re:Open source code is open for everyone

Unless the FOSS hole was put there many years ago by a contributor specifically so it could be exploited.

Re:Open source code is open for everyone

Why don't you just switch to a harvard based architecture?

Re:Open source code is open for everyone

[myowntrueself]

FOSS *is* more secure, and that's true even with the occasional vulnerability.

Loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooool.

Its true *ESPECIALLY* with the occasional vulnerability because thats a vulnerability thats been found, publicised and fixed unlike in the proprietary shit where the vulnerability will be found by a limited group of people and kept secret so they can use it.

Re: Open source code is open for everyone

[jythie]

Hrm, can't argue with that logic.

Re:Open source code is open for everyone

People are stupid. Free software is merely a critical starting point for a system that aims to be secure.

Re:Open source code is open for everyone

[mean+pun]

You can call that same function from within most other languages even without realizing you're doing it.

It may be true that the vulnerable functions are called from other languages as well, but that does not necessarily mean these languages are also vulnerable. They may do sufficient memory management and/or parameter sanitation to avoid the vulnerability.

Re: Open source code is open for everyone

[mean+pun]

C is like a powerful table saw. Don't practice safety and know what you are doing and you lose a limb. Powerful but not all should play with one.

Table saws have safety features that are not perfect but at least make it less likely to lose a limb. One could easily define a subset of C that also would make it far less accident-prone. Converting existing code to this subset would be painful but healthy.

Re:Open source code is open for everyone

So, you haven't really fixed all buffer overflows, but you've created an implementation of C that eliminates most of the advantages of C.

Why go to the trouble when you could have just used a language that is immune to buffer overflows?

Re:Open source code is open for everyone

[RabidReindeer]

FOSS *is* more secure, and that's true even with the occasional vulnerability.

Loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooool.

Its true *ESPECIALLY* with the occasional vulnerability because thats a vulnerability thats been found, publicised and fixed unlike in the proprietary shit where the vulnerability will be found by a limited group of people and kept secret so they can use it.

Oh, you mean those nice folks over in Eastern Europe?

Re:Open source code is open for everyone

[phantomfive]

People who think that Java (or C#, or Python) language will fix their security problems write more security bugs than C programmers who work around the weaknesses of their language.

Similarly, people who think Java (or C#, or Javascript) will fix the problem of memory leaks, are probably leaking memory all over the place. Recently I've been fixing a bunch of memory leaks in Javascript.....if you attach something to the DOM, make sure you have a plan for getting it off, otherwise you're probably leaking.

Re:Open source code is open for everyone

[myowntrueself]

FOSS *is* more secure, and that's true even with the occasional vulnerability.

Loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooool.

Its true *ESPECIALLY* with the occasional vulnerability because thats a vulnerability thats been found, publicised and fixed unlike in the proprietary shit where the vulnerability will be found by a limited group of people and kept secret so they can use it.

Oh, you mean those nice folks over in Eastern Europe?

and the intelligence network of the 5 main english speaking nations...

Re: Open source code is open for everyone

Racists and other "ists" you don't like should murder you fucks who look to get men fired for the views they hold. They should torture you to death.

Re:Open source code is open for everyone

[digitalPhant0m]

C makes it easy to shoot yourself in the foot; C++ makes it harder, but when you do it blows your whole leg off.

-Bjarne_Stroustrup, Creator of C++; cite

Re:Open source code is open for everyone

[peppepz]

In fact, the bug had already been audited and fixed, almost two years ago, when the security researchers found a way to exploit it. From TFA:

We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18)

Current glibc release is 2.20. That's three relases without the bug already.

Nothing to see here, move along.

Re:Open source code is open for everyone

[im_thatoneguy]

It's because we've put up with 30 years of FOSS community trumpeting the fact that Linux isn't hacked, only Microsoft needs anti-virus, Open Source means that "something like this will never happen".

If a community spends decades puffing its chest and talking shit it's going to get 10x the scorn when it's revealed to be as vulnerable as the next guy. The fact is that all software can be hacked. And at any given time there is a zero day exploit that can probably penetrate any system. Commercial tools used to be the target of this research and and attack and now that open source is gaining traction it's getting the same scrutiny--and similarly failing.

Re:Open source code is open for everyone

But heap overflows are just as exploitable as stack overflows. Stepping on all the program variables can be just as damaging as stepping on return pointers.

Here's a tip. Best not to pontificate on something about which you know NOTHING.

Re:Open source code is open for everyone

FOSS *is* more secure, and that's true even with the occasional vulnerability. You're extremely illogical to point to some vulnerabilities and conclude that it isn't more secure.

Wrong. It is illogical to conclude anything without having all the data, saying FOSS is more or less secure is stupid and wrong. People can write secure and insecure (and there are varying levels of both) FOSS and non-FOSS software, the fact that there is the ability to look at the code doesn't make it more secure, all it does is all for the possibility to identify it as being insecure and fix it assuming you have the right people looking at the right places at the right time.

Neither is inherently more or less secure than the other.

Re:Open source code is open for everyone

[firewrought]

People who think that Java (or C#, or Python) language will fix their security problems write more security bugs than C programmers who work around the weaknesses of their language.

Apparently, your experienced C developer is still leaving holes for arbitrary execution, despite all of the tools (fuzzing/NX/ASLR) targeting this specific issue. Managed languages (like Java and C#) give you a "secure-by-default" memory and execution model that's a lot harder to accidentally mess up. The more "stuff" (languages, libraries, operating systems, etc.) that's secure-by-default, the less security holes we will have.

Re:Open source code is open for everyone

[exomondo]

When a FOSS hole is found... it is a hole... but not yet being exploited.

Where do you get the idea that when a FOSS hole is found nobody is exploiting it? How do you even know when one is found? You wait for somebody to tell you about it and assume that nothing is ever found by anybody until then?

Re:Open source code is open for everyone

But heap overflows are just as exploitable as stack overflows. Stepping on all the program variables can be just as damaging as stepping on return pointers.

Here's a tip. Best not to pontificate on something about which you know NOTHING.

It's a nice tip. You should try to follow it. TFA talks about a heap overflow, did you read it?

Re:Open source code is open for everyone

[phantomfive]

Managed languages (like Java and C#) give you a "secure-by-default" memory and execution model that's a lot harder to accidentally mess up.

If you think managed languages will prevent you from leaving security vulnerabilities, you are either not writing significant server software, or your software has vulnerabilities.

The hardest security problems to solve aren't the overflows, it's the features given to users. Think of VB macro viruses, that spread wildly in a managed language. Wordpress is another example of software written in a managed language with tons of exploits.

There are so many examples of exploits in managed systems that it's a display of ignorance to claim otherwise. .Net is especially bad in this regard, not because C# is inherently more insecure, but because the community applauds and encourages ignorance, and even makes people feel bad for knowing things. See this presentation for an example. Notice (for example) his micro-agressions against people who understand garbage collection. The implication is you don't need to think about it, C# will take care of memory.......which if you take seriously, means you'll be leaking crap all over the place and someone like me will have to come clean it up for you.

Re:Open source code is open for everyone

[WaffleMonster]

I don't get it. Proprietary software has all sorts of serious vulnerabilities. Why is it that when a vulnerability is found in FOSS, you people all come out and mock it while ignoring all the incompetence of proprietary software?

OP's comments are worthless because it cherry picks a specific example to speak about a general category.

Your comments are equally silly..

Dude, man that Big Mac was awwwwefulll... Mc Donald's blows...

Why is it that "you people" all come out and mock it while ignoring the equally awful food served at Burger King?

As if it the commenter had some kind of duty to enumerate their disposition to everything else just to be "fair".

FOSS *is* more secure, and that's true even with the occasional vulnerability.

This is a worthless generalization that may be true or false depending on quality of specific systems under comparison.

You're extremely illogical to point to some vulnerabilities and conclude that it isn't more secure.

What is basis for your assumption FOSS is automatically more secure just because it is FOSS? Please cite a study or statistical information supporting your assumption.

How many vulnerabilities are not known about because no one can look at the source code?

I give up... how many?

Re:Open source code is open for everyone

> So long as we're writing, this kind of thing will continue.

Fixed that for you!

People who don't actually work with core system functions would not *believe* the twisty path of scoped wackiness that tools like Java put on top of basic system functions. But oooh, wait!!!! systemd will fix all that!!!!

Re:Open source code is open for everyone

Straw men, in other words. Show me someone who says that free/open source software means perfect security and I'll tell you they're an idiot in a very small minority. The actual claim is that it's more secure, not perfectly secure.

Re: Open source code is open for everyone

[Aighearach]

You tried. Lots of people died, but the Union won the war. Trying again won't turn out better for you; you'll all die and your communities will be burnt to the ground.

The Civil War was a real thing. Us Americans are still willing to fight for our nation if you want to go that route again.

Re: Open source code is open for everyone

He's trying to tell us that he's really racist, and should be marginalized, but unfortunately he was too cowardly to post his name.

So, what 85% (or greater) majority black area do you currently live in, or plan to relocate to? Since you are of course a principled not-racist individual you should, obviously, practice what you preach. To do otherwise would be the highest hypocrisy. To be consistent with what you say here, your neighborhood better not be majority-white. Otherwise you would be the very sort of racist you accuse me of being.

Truth is, I'm not racist. It isn't my fault that black culture has adopted such violence and savagery. They didn't ask me for my opinion before they decided that being a street thug gangsta was the highest virtue in life that they should all celebrate and romanticise en masse. I really have no control over that decision. What I do have control over is that I do not wish to be in areas full of wannabe thug gangstas because I do not want to be victimized by them, nor do I want my family to be menaced by them. They choose to be the way they are and I respond accordingly (incidentally there are plenty of poor white people, I've never seen them riot and loot like the blacks did in L.A. and Ferguson and New Orleans). I really have no problem with nonviolent people who happen to have darker skin. The problem is that a very high percentage of dark-skinned people have decied to adopt this street-thug life, so I avoid them because I would be foolish not to. I want to work hard and earn a living and feed my family and invest in our future, not get into street fights over stupid shit.

If the goal truly is to eliminate perceived "racism", the black people themselves have the most control over that situation. I don't fear for my safety when I go into an Amish area, because the Amish are not known to be a violent aggressive thuggish people. In fact they have built up a reputation for hospitality and kindness. And I'm not particularly pro-Amish nor do I subscribe to their beliefs, yet I can observe that this is so. But if our prisons were overwhelmingly filled with Amish criminals, far beyond the proportion of the population that is Amish, then I would soon take steps to avoid interactions with the Amish, and there is nothing bigoted about that. See how that works? It's truly amazing how nerdy types who can figure out the most complex mathematical, computational, and engineering problems fail to grasp and identify the very most basic social observations.

Re:Open source code is open for everyone

[Aighearach]

Because none of those systems let them play Murdering Hoes In Defense of Ethics in Journalism at the highest frame rate.

I'm actually trying to offload as many tasks as I can to network-connected microcontrollers using Harvard architecture. Given the importance of networking, it might make sense to move the whole application API to a dedicated Harvard chip. There is really no reason for things like gethostbyname to be frequently updated. And then the network processor can have a direct connection to the ethernet or other network chips. And if you need to update, you can just include an In System Programmer on the MB, and then you can update the network API firmware by connecting a cable on the board, allowing an updater to run on the main system.

Re:Open source code is open for everyone

Stepping on all the program variables can be just as damaging as stepping on return pointers.

He's kinda right. Once a pointer goes off the reservation so to speak, anything can happen.

Re:Open source code is open for everyone

Let me know when you've made Java self-hosting.

Re:Open source code is open for everyone

Ooooh fresh kool-aid!

Re:Open source code is open for everyone

This.

The thread here is chock full of dismissive comments as to why this FOSS exploit (like all the others) doesn't really matter. Except it does. They all do!

FOSS security holes:

'First they ignore you, then they ridicule you, then they fight you, and then you win.'

- M.K. Ghandi, time travelling into the future and grokking a subject he didn't even know about!

Re: Open source code is open for everyone

Dude, I never thought of it that way. That is brilliant!

Re: Open source code is open for everyone

Yeah, but when that same group starts chanting 'kill whitey!' they're fighting for 'social justice'!

Re:Open source code is open for everyone

[Cacadril]

Mod parent up!

Re:Open source code is open for everyone

[ghettoimp]

To be fair, derision toward the likes of Microsoft has historically been pretty well warranted. Windows has, historically, obviously, been plagued by viruses, malware, crapware, etc., to a degree far surpassing any other operating system.

That's not to say this necessarily has anything to do with proprietary versus open-source. Obviously Windows has always been far more popular than any alternative, making it a much more tempting target for attackers. High profile bugs like shellshock have certainly pointed out that open source isn't a magical elixir that wards off security problems.

Nobody does security very well, yet. (Well, maybe excepting folks like the CompCert people and Sel4 people.) The underlying causes, I'm sure, is that it's not what your average (or even above average) consumer can evaluate and value, and it's not what your average programmer can deliver.

Re: Open source code is open for everyone

What language is the program written in?

Re:Open source code is open for everyone

Oh, they don't need to look for the vulnerabilities. They put them in there!

Re:Open source code is open for everyone

Why is it that when a vulnerability is found .. you people all come out and mock it

Take it for granted that every day, something needs to be mocked. If your thing isn't going to be it, then what will? Maybe they'll mock that other thing, the one nobody ever mocks?

Re: Open source code is open for everyone

Yes! We could call it C++ or something!

Oh, wait...

Re:Open source code is open for everyone

[bytesex]

Not necessarily: to come to this point, you need two things: development quality, and auditing quality. The first to create, the second to discover, the bugs. The second is what you get plenty of, in the open source world, presumably. But you assume that an open source developer is just as good as a closed source developer. That might not necessarily be true.

Re:Open source code is open for everyone

C++ also gives you many new and complicated ways to shoot yourself in the foot.

Re: Open source code is open for everyone

[Wootery]

You mean JVMs? They're generally written in C++. No, this doesn't entitle you to grin smugly.

Although it's essentially impossible for a well-intentioned Java program to have a buffer-overflow vulnerability, the JVM itself is full of security bugs, so bytecode from an untrusted source generally shouldn't be executed.

To put that another way: the Java language has proven to be successful in preventing things like buffer-overflow attacks, but the JVM has proven unsuccessful in providing a secure sandbox in which untrusted code can be executed in a contained virtual environment. People tend to confuse these two distinct properties when they say Java is insecure.

If we wrote production JVMs in Java rather than C++, this wouldn't be a problem. (Yes, I'm serious. Unfortunately, it looks as though the most prominent such JVM, "Jikes RVM", will forever remain a research project.)

Re:Open source code is open for everyone

[Wootery]

Does that affect your day-to-day work?

If you really want Java-written-in-Java, take a look at Jikes RVM.

Re:Open source code is open for everyone

[Wootery]

I'm not terribly familiar with this particular exploit, but from the summary it looks as though it might have been avoided if they'd used automated reference-counting like C++ smart pointers.

Re:Open source code is open for everyone

[Wootery]

Smart pointers are helpful though. Might've prevented this particular exploit.

Re:Open source code is open for everyone

[gweihir]

That is because all these people mocking FOSS have absolutely no clue, but try to elevate themselves by pretending to be smart. If they know how abysmally bad many/most commercial closed software products are (I have seen a few samples), they would think differently.

Re:Open source code is open for everyone

[firewrought]

Hey, if your point is that too many PHB's and programmers think "managed" is a cure-all, I won't stand in your way. What I'm saying is that managed is a huge win for security.

The hardest security problems to solve aren't the overflows, it's the features given to users.

By contrast, the most common security problems are any situation where you silently expect the programmer to manually preserve some invariant (e.g, never allocate memory without a plan to deallocate it, never deallocate if anything else holds a pointer to it, never write to a buffer without checking bounds, etc.). Managed languages eliminate C/C++'s largest (and most critical) attack surface.

Now sure, I agree that they don't eliminate all attack surfaces. Security is hard. Java/C# have their own "manual invariants", such as always escaping/parameterizing SQL. ASP.NET Forms have a nightmarish arrangement where some controls/properties auto-escape HTML and others don't. Crypto primitives are widely available but poorly explained. Multi-threading is a minefield. But even here, the industry can eliminate the widest number of security issues using secure-by-default design. In C# for instance, EF/Razor/TPL make it (1) easier to accomplish programmer intent while also (2) making it harder to break low-level invariants.

Think of VB macro viruses, that spread wildly in a managed language. Wordpress is another example of software written in a managed language with tons of exploits.

Office macros and PHP are some of the most hilariously bad designs in computing history. By necessity, any programming language worth its salt will let you make farcically bad decisions.

Notice (for example) his micro-agressions against people who understand garbage collection. The implication is you don't need to think about it, C# will take care of memory.......which if you take seriously, means you'll be leaking crap all over the place and someone like me will have to come clean it up for you.

As a Google developer, he can probably just throw clusters of auto-recycling web servers at the problem. Aside from opening avenues for DOS attacks, the consequences of this sort of problem (e.g., not knowing how your GC works) have more to do with performance/reliability than security (albeit the 3 are intimately linked).

Something we can probably both agrees on is that there's no substitute for knowing how things work. However, the reality is that most programmers don't care and even those who do have a limited mental budget for complexity. So there's also no substitute for being able to eliminate sources of complexity that are ancillary to the task at hand.

Re:Open source code is open for everyone

You know what you should run away from? Any large group of black people in America!

Fixed that for you.
Not every country is the same.

Re:Open source code is open for everyone

[phantomfive]

Managed languages eliminate C/C++'s largest (and most critical) attack surface.

Do they? Do you have data to back this up, or are you just guessing? Because from where I'm sitting, it looks a lot like the hardest security problems are the features you expose to users.

Something we can probably both agrees on is that there's no substitute for knowing how things work.

True, we do agree on this point. Although you contradict yourself at the end of the paragraph and try to come up with a reasonable substitute. When someone says "however" immediately after they say they agree with you........that's a strong sign they don't agree with you.

Re:Open source code is open for everyone

I love you.

Re:Open source code is open for everyone

[firewrought]

Do they? Do you have data to back this up, or are you just guessing? Because from where I'm sitting, it looks a lot like the hardest security problems are the features you expose to users.

If you don't have to have any features, then yes, you can make your software very, very secure. :-)

The CWE publishes a list of the Top 25 Most Dangerous Software Errors which aims to "list of the most widespread and critical errors that can lead to serious vulnerabilities". You'll notice CERT tags their vulnerability announcements with references to the CWE when applicable.

Most are language-independent.... no surprise to see CWE-89 (SQL injection) and CWE-78 (command line injection) in there, as well as the slough of crypto/authN/authZ-related stuff. But where are the language-dependent bugs coming from? If you drill down on the code examples for CWE-120, -131, -134, and -676, you'll see C and C++ are a re-occurring theme.

You contradict yourself at the end of the paragraph and try to come up with a reasonable substitute.

No contradictions... knowing how stuff work is a training/educational goal (for programmers and those who teach them). Not having to know how stuff works is a design goal (for language creators, API writers, and designers in general). The former gives you insight, the latter gives you leverage.

Re:Open source code is open for everyone

[phantomfive]

Most are language-independent.... no surprise to see CWE-89 (SQL injection) and CWE-78 (command line injection) in there, as well as the slough of crypto/authN/authZ-related stuff. But where are the language-dependent bugs coming from? If you drill down on the code examples for CWE-120, -131, -134, and -676, you'll see C and C++ are a re-occurring theme.

Good then we're agreed, buffer overflows are not the most common security vuln.

All we need now is for you to realize that, if someone thinks the language means they don't need to worry about security, then their code will be much more vulnerable, even if they write in Java. Once you realize that, then we will be completely agreed.

Re:Open source code is open for everyone

[david_thornley]

Managed languages eliminate C/C++'s largest (and most critical) attack surface.

In the cases you cite, you can get the same safety in C++, and you really should.

First, you use some discipline with pointers. Owning pointers are either unique_ptr or shared_ptr, which eliminates most memory leaks (not those in a circular structure, though), and makes sure that memory is neither double-freed nor used after it is freed.

Second, you never use C-style arrays. Use string and vector instead, and you've eliminated buffer overflows. Use .at() instead of [] (or make your own vector type that makes [] range-checked, as Stroustrup suggests), and you've eliminated wayward memory accesses.

This does require some discipline, but it's mechanical discipline. It doesn't require creativity, and it's easily checked in a code review because it's clear, mechanical, and messing up that discipline requires screwing up on an individual line of code in an obvious way.

More information

[squiggleslash]

There's lots more information at my site http://dsfnjsaxshnc-lmachine7.... ...

Re:More information

[squiggleslash]

Aw crap, Slashdot killed the joke. There was supposed to be an embedded "nc" command in that hostname.

Switch back to original Linux libc?

[BaronM]

The libc -> glibc switch was so much fun, that I think we should do it again in reverse!

Re:Switch back to original Linux libc?

Yep. glibc can't static link- nss always breaks that.

Heartbleed

[ArchieBunker]

How many years was Heartbleed around before anyone noticed? Apparently "many eyes" were not reading that bit of code.

Re:Heartbleed

How many years have various bugs been in proprietary software that no one has noticed (and most don't have a chance to notice)? This is just illogical thinking.

Yes, we get it. Software is made by humans. Mistakes will be made, whether it's free/open source or not. The point is, FOSS provides more security by allowing more eyes to see the code and the ability to get anyone to publicly audit the code. Sometimes big vulnerabilities won't be discovered for a long time, but that applies even more to proprietary software; don't forget that.

Re:Heartbleed

That's great in theory, but no one likes reading lines and lines of old code looking for a potential error. Know what? Even fewer people do it for free. At least in proprietary software, people are paid to do it.

Re:Heartbleed

[serviscope_minor]

Apparently "many eyes" were not reading that bit of code.

Will you please actually read the quote rather than quoting an inorrect interpretation. The quote is:

"given enough eyeballs, all bugs are shallow"

It means that once a bug is found, it is shallow, i.e. quick and easy to solve for someone. It doesn't and never did mean that all bugs will be found.

Re:Heartbleed

Even fewer people do it for free.

No one has any evidence on that, one way or the other.
What we do know is, it's illegal to fix proprietary software.

Re:Heartbleed

[grcumb]

Will you please actually read the quote rather than quoting an inorrect interpretation. The quote is:

"given enough eyeballs, all bugs are shallow"

It means that once a bug is found, it is shallow, i.e. quick and easy to solve for someone. It doesn't and never did mean that all bugs will be found.

Actually, it's unfortunate, but I think he did mean that:

Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix will be obvious to someone.

That's his longer version of the same slogan - literally the next sentence in the essay.

It's possible to read that as meaning that every problem —once it's been found— will be fixed quickly and relatively easily, but Occam's razor says that we should understand discovery of the problem to be implicit in this statement.

But... you are right to say that FOSS is far better at fixing known bugs than proprietary software. By the late '90s, I was so sick of having my professional reputation as a systems software developer tarnished by bugs, poor quality and stupid release cycles that I stopped supporting Windows entirely. Dropped the entire proprietary ecosystem and moved to Linux and FOSS. I can't say it's been perfect, but I've slept way better since then.

Re:Heartbleed

At least in proprietary software, people are paid to do it.

Oh, so people don't get paid for open-source software, apparently. I guess we're just ignoring that nearly all work on Linux is paid for. No, I'm not even counting companies like Google or Microsoft that contribute code to Linux (albeit, usually for their own benefit). They pay their own developers.

Re:Heartbleed

[myowntrueself]

That's great in theory, but no one likes reading lines and lines of old code looking for a potential error. Know what? Even fewer people do it for free. At least in proprietary software, people are paid to do it.

In proprietary software and free alike many people are paid to do it.

They do it so their masters can then exploit the bugs they find and pry into your private life, hack your bank accounts and generally fuck with you.

Re:Heartbleed

[myowntrueself]

Apparently "many eyes" were not reading that bit of code.

Will you please actually read the quote rather than quoting an inorrect interpretation. The quote is:

"given enough eyeballs, all bugs are shallow"

It means that once a bug is found, it is shallow, i.e. quick and easy to solve for someone. It doesn't and never did mean that all bugs will be found.

'many eyes' weren't reading that bit of code.

But you can fucking bet that 5 eyes were reading that bit of code!

Re:Heartbleed

it's illegal to fix proprietary software

No, it's illegal to disseminate the source code of proprietary software. Issuing a binary patch to be applied to an existing binary is 100% legal. Difficult, but legal.

If you can find a bug in proprietary software using just a debugger, and can determine why that bug occurs and provide a binary patch, you're 1) a damned good programmer and 2) not breaking the law.

Re:Heartbleed

It's been a long time since I installed any proprietary applications, but IIRC most of their EULAs require you to agree not to use a debugger on them.

Re:Heartbleed

it's illegal to fix proprietary software

No, it's illegal to disseminate the source code of proprietary software. Issuing a binary patch to be applied to an existing binary is 100% legal. Difficult, but legal.

If you can find a bug in proprietary software using just a debugger, and can determine why that bug occurs and provide a binary patch, you're 1) a damned good programmer and 2) not breaking the law.

Agreed on point 1. On point 2, you could easily be stumbling into a legal minefield. I'd hope for a finding of fair use, but that is decided on a case-by-case basis. I doubt the courts would distinguish between publishing a derived work and publishing detailed instructions for transforming a work ("a binary patch"), since the end result is the same.

Re:Heartbleed

At least in proprietary software, people are paid to do it.

Are you serious?
No-one is going to look at that code. If someone finds the exploit by accident the response will be "It haven't harmed anyone yet, spend your time on something worthwhile."
If it gets exploited the response will be to estimate what the cost will be for fixing it contra the cost of bad publicity and/or dissatisfied customers.

No-one is paid to fix anything preemptively in proprietary software.

Re:Heartbleed

[dissy]

How many years was Heartbleed around before anyone noticed? Apparently "many eyes" were not reading that bit of code.

Even you admit heartbleed *WAS* around (not *IS* around) and thus was found and fixed.
Clearly at least two eyes reviewed the code, found the bug, and it is now fixed as a result.

That is two more eyes than is searching through closed source code.
Two is still greater than zero so it is still a net positive.

Re:Heartbleed

The point is, FOSS provides more security by allowing more eyes to see the code and the ability to get anyone to publicly audit the code.

That is just wrong. If you want to dispute that then prove to me for example that any particular open source C standard library is better than any particular proprietary C standard library.

Re:Heartbleed

[MyLittleAnus]

Some people do look at lines and lines of code looking for potential errors, even for free. Furthermore, with free software, you can pay people to audit the code, so pretending that people only get paid with proprietary software is nonsense. In addition, we already know how malicious and exploit-ridden proprietary software usually is, so apparently paying code monkeys to write software isn't going to produce even mediocre code.

Re:Heartbleed

FOSS is more secure because there are more eyes peering at the source code, and anyone can publicly audit it. Many people are paid to do just that. With proprietary software, you're never going to know how many exploits there are exactly (although we know there are many), or what malicious 'features' it contains. Furthermore, getting independent audits of the code is very difficult. All of these reasons makes me think that FOSS has better security than proprietary software. Since very few people can actually see proprietary software code, it would be difficult to compare a specific piece of free software and a specific piece of proprietary software.

That is just wrong.

Why do you say it is wrong? You ask me to provide proof, but you don't provide any proof that it is wrong. You should have just told me to provide proof.

Re:Heartbleed

[Curunir_wolf]

At least in proprietary software, people are paid to do it.

If you really believe that is true, I suggest you provide a list of all the companies advertising on Dice looking for "source code vulnerability auditors." Can't find any? That's because companies pushing out commercial software don't give a crap. It's hard enough just getting the get-the-features-out-focused managers to get why you're spending time writing tests, much less doing code reviews to look for vulnerabilities. I've even heard them say things like "It's not necessary because I found this free tool on the Internet that scans all your code for that, so we don't need to do manual work like that."

Re:Heartbleed

[ConceptJunkie]

Yeah, like anyone can actually read and understand OpenSSL. Perhaps it would get studied more if someone entered it into next year's IOCCC.

Re:Heartbleed

[grcumb]

Troll-rated? Really? That's kind of the opposite of a troll post.

Re:Heartbleed

[Aighearach]

If eyes didn't see it, it actually tells us nothing about the theory of what happens when many eyes do look at it.

The theory was never, "if you open source it everybody will read it." The theory was, things that are closed source can't be read by the public, and things that are open source are sometimes read. When they are read by more people, there are more chances to see the bugs.

If you didn't know even the basics of what you were talking about... why talk?

Re:Heartbleed

[MTEK]

Because rumor has it that he who peered upon OpenSSL's codebase would want to gouge out one's eyes.

Re:Heartbleed

FOSS is more secure because there are more eyes peering at the source code, and anyone can publicly audit it. Many people are paid to do just that.

With proprietary software, you're never going to know how many exploits there are exactly (although we know there are many), or what malicious 'features' it contains. Furthermore, getting independent audits of the code is very difficult.

All of these reasons makes me think that FOSS has better security than proprietary software. Since very few people can actually see proprietary software code, it would be difficult to compare a specific piece of free software and a specific piece of proprietary software.

That is just wrong.

Why do you say it is wrong? You ask me to provide proof, but you don't provide any proof that it is wrong. You should have just told me to provide proof.

On the flip side it could be argued that without source code they're taking guesses as to ways to try and find vulnerabilities in the code, and perhaps having to reverse engineer (disassemble/decompile) code to find ways in which a particular vulnerability can be used (without the source how do you know there's a buffer overrun, for example - you can overrun it remotely say and 'crash' the software, but without source it's a lot more work to figure out how to actually *utilize* that flaw for something other than just crashing things). While, of course, FOSS not having 'security through obscurity' because the source is available means flaws can be found and just not reported - and utilized. And since the source is worked on by many people 'fixes/updates' can be submitted that, if well crafted to obfuscate, can introduce new holes (openSSL?) that may not be found for years after even though the source is open for all to see.

Re:Heartbleed

Apparently "many eyes" were not reading that bit of code.

Will you please actually read the quote rather than quoting an inorrect interpretation. The quote is:

"given enough eyeballs, all bugs are shallow"

It means that once a bug is found, it is shallow, i.e. quick and easy to solve for someone. It doesn't and never did mean that all bugs will be found.

10,000 blind men have a lot of eyeballs, but chances are won't be solving the bug anytime soon.

Re:Heartbleed

[DamnOregonian]

A +2 Troll, even...

Keep modding that troll up!

Re:Heartbleed

[jabuzz]

And in large parts of the world that is an unfair contract term and unenforceable. It is also in large parts of the world a protected right in law.

Re:Heartbleed

Proprietary software companies have QA departments. Does FOSS?

Re:Heartbleed

I'm sure you'll find it next too all the listings from companies looking for people to audit FOSS code for money.

Re:Heartbleed

Flaws are often found in proprietary software and not reported. The problem is that users have basically zero control over anything. That depends on how the code is maintained and what kind of code is being accepted, and with free software, if you don't like how it's being handled, you could fork it. Proprietary software offers no such options. With free/open source software, independent and public code audits are possibly, so I think the potential issues you listed aren't too much of a hurdle.

Re:Heartbleed

[hackwrench]

http://www.bing.com/search?q=r...

Re:Heartbleed

I'm sure you'll find it next too all the listings from companies looking for people to audit FOSS code for money.

I guess you missed what this article is about - there was this guy from a FOSS company being paid to audit FOSS code for vulnerabilities.

Re:Heartbleed

It's about time. FOSS is buggy as hell lately.

Re:Heartbleed

>QA is a substantial area of focus for Red Hat, with a team based out of Beijing in what's known as the Raycom office. That team works on Red Hat Enterprise Linux, KVM and OpenShift testing.

Oh, RedHat's QA team and FOSS' primary source of QA is based in China. I see no problem with that what so ever, and would never have any concerns about China stomping any and all back doors they rigorously search for, particularly in 10 year old code.

Re:Heartbleed

I would bet more people actually review proprietary software than FOSS software. Why?

1. Proprietary software companies have dedicated QA departments.
2. FOSS software review is optional and: I don't do that shit, it's boring. Some other guy does it. (recursive)

My point is just because FOSS is open source which means that more people can potentially review the code, doesn't mean that it happens. Proprietary software companies have actual departments with actual paid professionals whose sole job is to look for defects.

It's the difference between hiring an amateur and a professional. A professional covers all the bases, amateurs only do what is fun.

FOSS' reputation of bugs being found faster than proprietary software is a total bullshit myth.

Re: Heartbleed

[WebCowboy]

You are wrong. It is illegal to fix most proprietary software yourself. The EULA for most closed softwats, including all Microsoft's propritary software, prohibits all reverse engineering by end users. You could issue a binary patch if you wanted perhaps, but creating that patch would violate license agreements and be illegal under copyright law.

These long standing flaws in free software are not there because of the development model, they were eventually found because of it--people eventually looked hard enough for them. Closed software in widespread use may...no DOES... contain flaws of this magnitude. It is just that the POTENTIAL number of eyes is limited in closed software, and most if not all of those eyes belong to people who have a disincentive to reveal bugs.

Re:Heartbleed

[MachineShedFred]

This one has been around since 2000. 15 years, just getting around to auditing the main C library used by EVERYTHING now, I suppose...

It's a horseshit argument, and always has been. Just because someone CAN audit something, doesn't mean they DO. Or that they are competently doing it if they do.

Re:Heartbleed

Yeah, you aren't going to find postings for "source code vulnerability auditors" because it's expected of professional developers to peer review the code during a proper code review and audit their own shit.

Some guy sending a commit to GitHub isn't necessarily under the same inspection.

Re:Heartbleed

Thanks for letting us know that there are exactly zero code reviews going on anywhere within software companies that don't publish their source. Very informative.

Re: Heartbleed

[beav007]

You are wrong. The EULA is usually uninforcable, and thus meaningless.

Re: Heartbleed

[david_thornley]

First, there have been different court rulings and laws affecting EULAs, so while your "usually unenforceable" may be true, you can't rely on it.

Second, it's real easy to get into trouble in an unclear legal situation, and winning the suit against you may be almost as bad as losing. (The only winning move is not to play.) Many people aren't going to risk that.

Windows 8.1 is not affected by this.

[NemoinSpace]

Microsoft never developed the integrated "on error - SHIP IT" compiler options.

From TFA

[Cola+Junkee]

" - We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example. "

So it's actually already been fixed. All that's needed here is for some distributions to push the fix out.

Re:From TFA

[OzPeter]

So it's actually already been fixed. All that's needed here is for some distributions to push the fix out.

But .. but now it has a CVE number and everything - so it must be scary

Re:From TFA

[VGPowerlord]

Ubuntu has a newer LTS release, 14.04, which uses glibc 2.19.

Unfortunately, the rest of them all use older GLIBC versions in their current stable, even the ones whose current stable was released in the middle of last year.

Re:From TFA

[XXeR]

But .. but now it has a CVE number and everything - so it must be scary

Written by somebody who clearly neither manages a large amount of hosts exposed to the Internet nor manages multiple environments in which there are some new hosts that are luckily patched along side other older hosts that have to run *slightly* older releases of distro's for one reason or another.

This IS a big deal.

Re:From TFA

[msobkow]

I just installed glibc updates for Debian, so I presume the fix has been pushed.

Re:From TFA

[phantomfive]

Here's a better explanation of the flaw. It's actually a fairly limited vulnerability:

At most sizeof(char *) bytes can be overwritten (ie, 4 bytes on 32-bit machines, and 8 bytes on 64-bit machines). Bytes can be overwritten only with digits ('0'...'9'), dots ('.'), and a terminating null character ('\0').

With only being able to overwrite 4 bytes max, you would think not much could be done, and indeed, mostly they were only able to make things crash. Most servers don't do dns lookup of a remotely supplied address, but mail-servers can, to verify the sender is correct.

Astonishingly, even without being able to write assembly shell-code, they were able to get the Exim mail server to execute arbitrary remote commands. That is the only vulnerability found so far.

Re:From TFA

Most servers don't do dns lookup of a remotely supplied address, but mail-servers can, to verify the sender is correct.

Don't they now? Web, ssh, FTP, IRC, plenty of servers call gethostby functions as part of standard operation. How about things running as root? I haven't had time to read up on the scope of this yet, but it sounds fairly bad.

Re:From TFA

[phantomfive]

Don't they now? Web, ssh, FTP, IRC, plenty of servers call gethostby functions as part of standard operation.

You read incorrectly, I'll quote it again: "Most servers don't do a dns lookup of a remotely supplied address.

One of the examples they used was ping. Of course ping does a DNS lookup of the address supplied by the user, but unless you have inetd in a really weird configuration it won't be started remotely. If ping crashes, or even executes arbitrary commands because of a specially crafted command-line, it's not a security vulnerability.

Re:From TFA

[phantomfive]

Also, please note, it's not enough to call gethostby functions for this bug to be a vulnerability. For it to be a vulnerability, you need several things:

1) A (more or less) specific sequence of function calls. Merely calling gethostby* itself won't do it.
2) The eventual call to gethostby on a string supplied by a hostile user.
3) Have another buffer hostile users to fill (not overflow).
4) A weakness of your program structure that allows four bytes to reference the other buffer.
5) Include a service that runs things on the command line.

Exim allowed all of those. You might be able to get away without number 5 present, but the program would need some other weakness to make it exploitable.

Re:From TFA

Security fixes are backported to all supported LTS releases in Ubuntu, just as they are for supported Debian stable releases. Look for updated packages with new distro-specific internal patch numbers.

(philip.paradis posting as AC for the moment, as I don't log in from this location)

Re:From TFA

No, its scary cause they gave it a nickname and a graphic

Re:From TFA

[blincoln]

If ping crashes, or even executes arbitrary commands because of a specially crafted command-line, it's not a security vulnerability.

That's a pretty sweeping statement to make. Most interesting security vulnerabilities (IMO) are the results of multiple smaller issues and/or design decisions that can be chained together.

For example, a lot (most?) of the Linux distributions I see have ping's SUID bit set, and it is owned by root. So, yes, ping executing arbitrary commands absolutely *can* be a security vulnerability, because I can potentially use it for local privilege escalation from non-privileged user to root.

Re:From TFA

[phantomfive]

I just checked my version of Unix, /sbin/ping is owned by root, but SUID bit is not set. I'm guessing SUID isn't very common for ping anymore (of course, not long ago, people were still writing shell scripts with SUID).

Classic Unix problem

Here's some rope, be careful lest you hang yourself.

Not all code is vulnerable - getaddrinfo() is fine

[tlhIngan]

The affected call is gethostbyname() and friends, which have been deprecated by the more protocol-transparent getaddrinfo()/getnameinfo() set of APIs. If you use IPv6, getaddrinfo() is the only way (gethostbyname() and friends are AF_INET (IPv4) functions only), but they're protocol transparent ways to do DNS lookups (they can return AF_INET, AF_INET6 and any other valid address supported by the system and DNS).

Deep down, if you look closely, they mention that code using getaddrinfo() is not vulnerable to the bug.

Shortly after learning about getaddrinfo() I stuck to using it - far easier to use than gethostbyname() and less messy in the end. The only complication is having to call freeaddrinfo() when you're done.

Re:Not all code is vulnerable - getaddrinfo() is f

[BlueBlade]

However, it's not like gethostbyname() is a rare call. I suspect that well over 99% of net-aware applications are still using it. This affects just about everything that's talking over the internet.

Think you're immune from attacks?

[Rinikusu]

Don't be so glib, see?

I'll be here all night folks. Tip your servers. Make sure they're bolted in, though.

Re:Think you're immune from attacks?

[grcumb]

Don't be so glib, see?

I'll be here all night folks. Tip your servers. Make sure they're bolted in, though.

Don't blow your stack if nobody applauds. It's just that we're overflowing with bad puns, and the funny bits get flipped around, and in the end all we see is some stupid zero on the stage who's only in it for the cache anyway.

Re:Think you're immune from attacks?

[dissy]

and the funny bits get flipped around

chmod 101 /dev/joke

Accidental bugs?

[Nightlight3]

I don't think so. There are just too many of these buffer overflow security holes in commercial and open source software to be a chance. In over two decades of programming in every language and platform that came along, from Z8, x86 assembly, then FORTRAN, C, Pascal,... Java, Javascript, Python, awk, objective C, ... from embedded coding on routers, switches and misc. controllers, to numerous versions of MS DOS, Windows, Linux and iPhones, I have yet to have one such buffer overflow bug in my code. It's the most basic rule to check for buffer boundaries that even beginner programmer learns it quickly.

There must be agencies seeding these projects, commercial and open source, with toxic contributors injected there to deliberately contaminate the code with such bugs. The further fact that one never sees responsible persons identified, removed and blacklisted suggests that contamination is top down.

Re:Accidental bugs?

[ScentCone]

There must be agencies seeding these projects, commercial and open source, with toxic contributors injected there to deliberately contaminate the code with such bugs. The further fact that one never sees responsible persons identified, removed and blacklisted suggests that contamination is top down.

Or, you are yourself a toxic seed planted by The Man in order to foment FUD and make good people not want to be part of these projects. Or something like that. Give it a rest with the absurd conspiracy crap.

Re: Accidental bugs?

[lazybeam]

Never attribute to malice that which is adequately explained by stupidity.

There are too many stupid people in the world. Stupidity isn't necessarily a permanent thing: it could be caused by time constraints, personal problems or even lack of/too much caffeine. Or just because one doesn't think of the problem from start to finish.

But then this could be what "they" want you to believe :)

Re:Accidental bugs?

[CajunArson]

" I have yet to have one such buffer overflow bug in my code."

Can't decide: Satirical troll post or somebody that's actually that egomaniacal (and in need of a pink slip if his employer is rational).

Re:Accidental bugs?

[quantaman]

I have yet to have one such buffer overflow bug in my code.

That you know of. Besides, I'm sure you've had many that you've caught during the standard code -> compile -> run -> segfault -> debug cycle, but the more subtle ones are harder to trigger.

It's the most basic rule to check for buffer boundaries that even beginner programmer learns it quickly.

Depending on what the code is doing and what kind of legacy cruft you're dealing with it's not always trivial.

There must be agencies seeding these projects, commercial and open source, with toxic contributors injected there to deliberately contaminate the code with such bugs. The further fact that one never sees responsible persons identified, removed and blacklisted suggests that contamination is top down.

More likely the other devs feel like it's bad form to drag the names of past contributors through the mud in public. Particularly when the reviewers missed the bug as well.

Re:Accidental bugs?

The further fact that one never sees responsible persons identified, removed and blacklisted suggests that contamination is top down.

It does not work like that. Even if there was "top-down contamination", you still could dig in the project history and look yourself for who wrote the code, who signed it off, who released it. Just this is pointless so most of the time nobody does it. But sometimes they do as a by-product of bissecting the code to find the bug. The one who has power needs not to care about secrecy.

As usual, this conspiracy theory fails the basic checks. It's overly complicated, expensive and VISIBLE to pay lead developers, code reviewers and release managers of so many thousands of FOSS and proprietary projects. The world is a large place, there are too many thousands of people regular people in so many countries and cultures for this kind of business to remain secret for long.

Also, if an agency had so many billions to waste and so much influence on the whole world, it would just be easier to manage to have the a bill approved that mandates backdoors everywhere. If they have the kind of power you are talking about, that's all what they need. Who cares about secrecy if they have power?

Re:Accidental bugs?

So, by your logic, the NSA would have no reason to purchase black-market vulnerabilities for their exploit and exfiltration systems... but that is what they do.

The fact is that I too write very secure code. Provably secure, in fact. Computers are finite thus every boundary can be tested, every function call fuzzed and every code branch verified to fail-safely any incorrect / unexpected inputs. We have code coverage tools, unit testing, fuzz testing, (and automated test stub generation to ensure functions don't get "forgotten"). However, this is expensive. There's really no excuse other than lack of resources, that and the maintainer labels "stable" that which has not ever been tested...

People do NOT value their security. They say they do, but they do not value security enough to pay for what secure code authoring entails. The consumers accept rushed unfinished code as a valid purchasable item, with the expectation that the mistakes made in the code will be patched periodically. The code is so buggy that when the patches stop, the user is forced to upgrade to newer supported codebases -- This would not be the case if the code were secure. Can you now see that planned obsolescence and forced migration could be incentive for publishers of software to NOT make the code secure?

Since end users accept the shite state of computer security they do not allocate resources so that programmers can allocate time to the task of securing systems. A routine unit test test would have caught this bug, let alone an input fuzzing test (which is what everyone should be doing, since that's what crackers use against code to suss out exploit vectors); However, the code was allowed into the codebase without proper testing. You don't have to trust the coder if you can show that the code is secure against said tests.

I blame the maintainers, but primarily the public for accepting this state of affairs. If you are not willing to pay (CPU) time and/or money for security, you will simply not have it.

Re:Accidental bugs?

That's impressive. Unfortunately my employer doesn't give me enough time to put checks around every addition, subtraction, and multiplication operation to make sure they don't overflow. At least they let me check for potential divide by zero errors. My personal projects all use languages where such bugs are impossible, but that's not always a choice each programmer has.

The further fact that one never sees responsible persons identified

This is false. Glibc is open source. Go download the source code and look at the commit history to see who committed the bug. We generally don't shame peers for easy to make mistakes.

Do you really believe people can't make off by one errors by accident?

Re:Accidental bugs?

[Cramer]

Either you write very little code, very simple code, or no one is closely inspecting your code. People make mistakes - period.

This glibc error was a simple mistake... count 3 things, put 4 in there. But yes, if their code weren't in such a f'ing complicated mess (have these fools never head of stuct) this mistake would be harder to make.

Re:Accidental bugs?

Maybe the crackers doing the input fuzzing will work for cheaper than their software developers? If the bug tracking system can only predicatively rank bug-fix priority, vs. treating end-users as beta-testers(with crackers as a criminal enterprise temp agency that ranks bug-fixes reactively according to proven need) that seems pretty efficient to me!

Unlike internal resources that come with an opportunity cost: crowd-sourcing has the benefit of converting the immediate capital/liquidity problems in to an expected value proposition where the costs are externalized and contingent on the software becoming successful enough to attract unwanted attention. Now we're wrestling with the time-value of money and the idea of minimum viable product.

If the project's monetization strategy is a failure: premature optimization and investments in defensive programming would have been wasted as the project was never successful enough to amortize out the investments in development cost.

Re:Accidental bugs?

[Nightlight3]

Of course my code, like any other, has bugs. For example, most of the time if I add several pages of new code, it won't even compile, let alone run correctly right away. I just never have buffer overflows. It's somehow ingrained to check for boundaries (either on the run, or when efficiency matters by algorithmic certainty) as the algorithm advances through the data. Among my bugs, mostly it is a wrong variable being used, or used before it was initialized as expected or after it has 'expired', or variable/function which evolved since the initial code was written and now it works differently, breaking some other code that relied on it, ... sometimes there are even algorithmic errors.

But overflowing buffers is a kind of elemental mistake one doesn't do beyond first few weeks of learning to program. There are just too many of these in the presumably professional grade code (IE has had one uncovered almost monthly since 1995 it seems), and as luck would have that kind of bug is the most suitable for injecting external code into the program. It's too much of a coincidence for my credulity.

Re:Accidental bugs?

[spitzak]

I have yet to have one such buffer overflow bug in my code

Yea, right. You know the authors of this function probably thought that too. They had no counter examples until now, just like you and your code.

Re:Accidental bugs?

By your logic, I could write the crappiest, most bug-ridden code ever, but as long as I lock it up in a safe and never use it, it's secure code, because nobody has ever found a buffer overflow in it. I could leave it there for ten years, and nobody would ever find any bugs in it, because it would be locked away. Meanwhile, some high security system in active use would have hundreds of bugs found in it in a decade and I could say "You know what, your code has loads of bugs; mine hasn't had a single bug in ten years. Let's use mine." Because, obviously, it's finding the bugs that makes the code insecure, not writing them in the first place. And then, if anybody is stupid enough to use it, my code will get ripped apart by malign entities in fairly short order, because it's the crappiest, most bug-ridden code ever.

Re:Accidental bugs?

[Cesare+Ferrari]

Well, everyone who's ever called gethostbyname() has an overflow bug in their code, so my guess is he doesn't know what he's talking about.

Re:Accidental bugs?

have these fools never head of stuct

Neither have I.

Shallow bug doesn't mean non-existent. Fix obvious

[raymorris]

In case you're unaware, "bugs are shallow" doesn't mean they don't exist.

ESRs complete sentence is:

"given enough eyeballs, all bugs are shallow; or more formally: Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix will be obvious to someone."

In other words, someone will quickly quote Adam Savage and say "THERE'S your problem!". :)

The difference between a deep bug and a shallow bug is is what happens after you notice a problem. A shallow bug is right there, at the surface. Function foo() is supposed to return x, but instead it returns x -1, and there is the line of the code that's the problem.

A deep bug is one where you look at function foo(), which creates an instance of class Bar, which is subclassed from IEParser, which calls friend class HTML4Lexer, which has function TagAtrribute() - but TagAtrribute() returns the correct value, so how the heck is it wrong in Bar? Then when you found out WHY it's wrong, you can't come up with any way of fixing it without rewriting the HTML specification.

Heartbleed is actually a great example. Many people looked at it right away and within an hour or so there was a patch available. Those may people discussed the three or four proposed long-term solutions and in about 24 hours we agreed on that Florian's solution was best. Florian was one of the many eyes, and the bug was shallow to him - "he fix will be obvious to someone", and that someone was Florian.

Many mitigating factors, not THAT dangerous

[raymorris]

The article lists a long string of mitigating factors tat make it not as dangerous as it might first appear. Someone else already mentioned that it doesn't effect applications that are IPv6-ready; both IPv4 and IPv6 addresses are resolved with the same (safe) function in most software that's IPv6-capable.

Also, at 4 bytes can be overwritten on 32-bit, 8 bytes 64-bit, and they can only be overwritten with ascii digits 0-9, dots, and must have a terminating null. (So really three bytes on 32 bit, 7 bytes on 64 - not enough for a pointer).

There are several other mitigating factors. You should update glibc, but there's no need for panic.

Re:Many mitigating factors, not THAT dangerous

[Cramer]

... until their metasploit code is published and everyone can see how to use this error. All it takes is one example; ONE person figures out how to trigger shellcode, and it's game over. No matter how complex the situation, an exploit is an exploit. It doesn't matter if it takes 87 steps to set off a nuke, if you know those steps and complete them - *boom*.

Re:Many mitigating factors, not THAT dangerous

Not too short for a pointer, the pointer just needs to have a zero as the last byte (as viewed from a string point of view).

On big endian (Sparc), you'd be able to point to any address dividable by 256. Finding anything useful on such an address may not be easy, though.

On little endian (Intel), you'd be able to point to any address below 16 MB (32 bit) or below 65536 TB (64 bit).

Awwwww crap

[angst_ridden_hipster]

This has me more concerned than some of the other recent bugs, primarily because it's so easy to exploit by script kiddies.

Plus, there are huge, vast, barely conceivable numbers of network-attached embedded devices that use the gethostbyname() call. What percentage of these are remotely update-able? What percentage of these will have their firmware re-flashed?

This one seems like it gives black-hats the ideal way to get a swarm army of (relatively) weak and/or dumb devices. Yet even these weak, dumb devices should be sufficient to set up warrens of ssh tunnels, nodes for DDoS attacks, etc.

Yuck.

Re:Awwwww crap

[admin7665]

One more reason to block malicious trafic at the ISP level.

Re:Awwwww crap

[K.+S.+Kyosuke]

And do such devices actually use glibc anymore? I thought that stuff like uClibc or musl has become common in that area. Plus like a few other people here, I'm surprised that gethostbyname is still being used. I concluded that its use was dangerous even in principle something like seven years ago.

Why not strncpy or strlcpy

[Sesostris+III]

According to the second link, the buffer overflow occurs when using a strcpy;

resbuf->h_name = strcpy (hostname, name);

In my (admittedly limited) recent c coding I've used strlcpy rather than strcpy. Is there a good reason not to use this (or strncpy) in place of strcpy?

resbuf->h_name = strlcpy (hostname, name, sizeof(hostname));

(OK, you may get an error due to a truncated copy, but isn't that is easier to spot and deal with than a potential buffer overflow?)

Re:Why not strncpy or strlcpy

strncpy() with a size bigger that the buffer you gave it will still overflow the undersized buffer. The problem is that very long hostnames can be given that exceed the size of the buffer you'd like to put them in. Lazy coding by non using heap allocated buffers is the main problem. Variable length buffers on the heap get overflowed? So what, it's not pissing on your stack. "b-but, muh performance." Fools, there's no difference between a stack and heap page of memory, and the OS GC doesn't HAVE to make a kernel call to malloc() and free() if those pools are managed as staticstubs included with the binary on compilation: A stub of code in your binary checks the pool for available memory to return before performing the kernel call, thus you've likely already got memory pool optimization (I know BSD does anyway).

So, "muh performance" once again is to blame for security failures. You typically trade performance and/or convenience for security. In this case we undervalued the latter over the former two, and got what we deserved.

Re:Why not strncpy or strlcpy

Buffers overflowing the heap most certainly is not a "so what" situation. It's very exploitable, just like buffers overflowing the stack.

Re:Why not strncpy or strlcpy

[CrashNBrn]

Back in the olden days, that was one of the first things we did to a Diku-Mud code-base: add reusable memory pools (plus debugging output for failed in-game scripts - which eventually was replaced with a more robust scripting language - for in-game events/actions, that didn't rely on void pointers for everything).

The stability difference was like night and day.

Re:Why not strncpy or strlcpy

[geantvert]

Actually, the most logical choice would have been to used mempcy because they already called strlen(name) earlier.
Basically, they are doing the following:
  - compute the size required to store 2 pointers (THAT SHOULD BE 3) followed by strlen(name)+1 characters
  - check that the buffer is large enough and reallocate it if needed
  - store 3 pointers followed by name in the buffer.

In that case, the obvious value for the additionnal size argument passed to memcpy, strlcpy or strncpy is strlen(name)+1 which would not prevent the overflow.

Re:Why not strncpy or strlcpy

[Cramer]

a) sizeof(some pointer) will not tell you the size of what it points to
b) the error here is allocating space for 3 things and putting 4 in it. It doesn't matter what function you call if you tell it to copy sizeof(void *) too much.

The error is a simple mistake due to unnecessarily complex code.

Re:Why not strncpy or strlcpy

[spitzak]

strncpy will not overflow the buffer provided you pass the size of the buffer (if you don't pass the size of the buffer, *none* of the safer functions are going to help). It's problem is that it will not write a nul at the end of the buffer, thus reading will read right off the end. It also wastes a huge amount of time filling the unused part of the buffer with nul.

strlcpy is far, far better and does pretty much what is wanted.

However in this case they really did try to figure out if the buffer would overflow, so neither strlcpy or strncpy should be needed. They did the calculation wrong, claiming it needed 4-8 bytes less than it really did.

Re:Not all code is vulnerable - getaddrinfo() is f

I suspect that well over 99% of net-aware applications are still using it. This affects just about everything that's talking over the internet.

I suspect that you are an idiot. Only the Linux crap has this vulnerability. Enlightened OSes that avoid glibc like the plague that it is don't have this vulnerability. I'm pretty sure "not Linux" has more than one percent market share.

Glibc is the number one reason I don't use Linux.

What about 90 days disclosure limit?

Was it released prematurely?

Raspbian vulnerable

[redelm]

According to directions side-thread, glibc versions prior to 2.19 are vulnerable. Checking my machines, Slackware-current and Lubuntu-14.10 are fine. Only my poor tiny Raspberry Pis are vulnerable (2.13). But they run slowly enough I can watch the gethostbyname() lookups myself :)

Re:Raspbian vulnerable

Prior to 2.18.

Re:Raspbian vulnerable

[TheGratefulNet]

this IS a bummer. upgrading libc is not usually an easy and simple thing; its too central and everything touches it.

so, this means that the pi is not really safe to be on a public net, now, is it?

wonder when raspian will upgrade this pkg. hope they do it soon.

Re:Raspbian vulnerable

why wait on raspbian/pidora update cycles? Install Arch instead for rolling updates.

Re:Raspbian vulnerable

Only network equipment (eg routers) should be considered "safe" on a public net. At least you KNOW you have to harden those things

Don't Worry. Fix Already Released

The fix has already released

Re:Don't Worry. Fix Already Released

Yeah unless you're running libc in compat ;)

Re:Not all code is vulnerable - getaddrinfo() is f

[tlhIngan]

However, it's not like gethostbyname() is a rare call. I suspect that well over 99% of net-aware applications are still using it. This affects just about everything that's talking over the internet.

True, but gethostbyname() is ancient and if the program wants to support IPv6, you can't use gethostbyname(). So I think the number of programs actually vulnerable is far lower. Remember, gethostbyname() only works with AF_INET - while getaddrinfo() works with AF_INET, AF_INET6 and any other protocol that uses sockets (since it returns

struct sockaddr*

making life really easy).

So a lot of older code is vulnerable, newer code less so. it's been around about 15 years or so.

NSA

One person does an analysis, finds serious bug.

Now think about the NSA budget and how many people they can hire to look through code 24/7, and you'll understand that literally everything has already been hacked at this point. Tor also has been broken 10 times over. Every now and then us regular folks, like the guy from this article, find a problem.

Re:NSA

[ledow]

Your assumption is only one person did an analysis.

Do you have any idea how many people have combed over glibc and either reported or exploited issues found?

Hell, read the article - THE PROBLEM WAS PATCHED before he found it. What we're talking about is some old distros are still distributing that code unpatched, and that's the real problem.

We can all jump to conclusions but, personally, I doubt the NSA have anywhere near the capabilities they (and you) suggest. These people are in the art of deception. They don't need to crack something, they just need to make you think they have.

In the grand scheme of things, any secure system is out of their reach anyway, whether it uses this code or not. The systems they're interested in are likely running under much more strict scrutiny and a single attempt to exploit such things would raise alarms and even accusations of initiating cyber-wars.

To be honest, I'll put my trust in a planet full of people checking open code casually than a select group of "experts" hunting out these flaws.

People are being paid, worldwide, to find and fix these flaws in major commercial companies and just as security researchers, in universities or for their own personal reputation.

Next, we'll be in the "acres of supercomputers" and "boxes in every ISP" bollocks. You know what? If I were the NSA, that's EXACTLY what I'd want you to think.

They're either incompetent (fucking up Elliptic Curves in public forums and being spotted instantly), or they're not (in which case you can't believe anything they say and likely won't know what the REAL trick is).

Cue the RMSDSers

RMSDS - Richard M Stallman Derangement Syndrome - A mental illness suffered by many on slashdot, who take it out on anyone else who has anything positive to say about the genius and amazingly successful RMS. You guys are fucking idiots. Stallman's creations and accomplishments will be celebrated for centuries to come, but you were never known and the pizza guy has already forgotten you.

Windows 8.1 is not affected by this.

#pragma warning( disable: XXXX) // The compiler was just kidding, but it won't compile unless we ignore its jokes.

And here's the patch

[billstewart]

void *strcpy() { printf("Don't use strcpy, idiot! We told you that years ago!\n"}; exit(-37); }

void *strcmp() { printf("Don't use strcmp either, idiot! We told you that years ago too!\n"}; exit(-37); }

Also, according to the articles I've read about this, the somewhat more official patch came out in 2013, but wasn't marked as a "security" patch so it only made it into the newer OS versions, but wasn't retrofitted into the older ones. So it'd be fixed in Ubuntu 14.04, but not in the 12.04 LTS version.

Re:And here's the patch

There's nothing wrong with strcmp(), and its return type is int, not void*.

And btw, I hate when programmers decide to spam the /user/ with their pet peeves. And to add insult to injury, are using stdout instead of stderr.

Re:And here's the patch

[billstewart]

Yeah, I probably should have blamed a different one of the non-length-limited strXXXX() functions, but strcmp() will still do Bad Things if you hand it one or two non-null-terminated pointers.

And yes, stderr would have been the better choice, but the important thing is to replace the implementations of dangerous functions with something that fails safely, and if you can't do it at compile or link time, it's still safer to do it at run time than to run the unsafe version.

Get rid of C already

There is not way this has to do with the fact we are still using millions of lines of C.
 

Re:Get rid of C already

Someone made a mistake in code that was written in a certain language, so let's kick the language out of the window and replace it with a different language that has othershortcomings?

Re:Shallow bug doesn't mean non-existent. Fix obvi

In case you're unaware, "bugs are shallow" doesn't mean they don't exist.

Everyone's aware of that. Nice strawman, though. The issue is that FOSS advocates constantly promote the idea that FOSS has fewer bugs due to those "many eyes", neglecting the fact that many of those eyes aren't looking and can't see very well. It's nothing more than propaganda.

somewhat true.

[raymorris]

That's somewhat true, their exploit will show how to exploit EXIM if that's installed and open via the firewall on vulnerable systems. Most other software using glibc isn't vulnerable for the reason I listed above.

Also,with 3-7 bytes they can overwrite, less than the size of a pointer, their exploit may be very, very limited. Specifically, it can't specify a memory address to jump to where the main exploit is found, because there's not enough room for a pointer to a memory location. We'll see what they come out with, but it may well be very, very limited.

Vulnerable

CentOS 4,5,6 == Vulnerable (Upgrade to CentOS 7)
Legacy EC2 Linux instances == Vulnerable (Upgrade to CentOS 7)

Latest Astaro Firewall (http://www.astaro.com/node/11351) == Vulnerable
Latest QNAP embedded appliance (totally unmaintained port) == Vulnerable

Compiling glibc is not a joke, this ain't your easy bash SHELLSHOCK binary build.

It normally involves re-installing the entire server, plus all its customization,
assuming you can still get SysVInit rc.d boot script to port such customization...

This is a complete nightmare...

Plus most providers have no binaries available.

They better not release the metasploit until everyone has working patches, including legacy boxes!

WTF, Slashdot

For every other topic, you use custom icons for the stories. Horrible custom icons most of them, but still....

Yet for GNU stories.... oh nooooo.... you insist on using the original artwork for that... that....THING. Not sure what they call it.... that smiling..... THING.

Why, Slashdot, why?

only like 12 -13 yars late solar!

Once again, the pr horny whitehats ar4e a decade late. This bug discovered over 12 years ago frmo a eggdrop process that ektp crashing while doing processig on a speciific reply in their dns resolver. somewEre bewween eggdrop 1.1.5 and 1.6.x i COould say, i forget. point is. i see your GHOST and raise you my ghostintheshell.c. if you need to verify this i'm sure the eggdrop lackey who leaked the info to thde v tea, he got fmor hanging out with actual programmers can confirm.

you ppl have no clue how blissfully ignorant you all are. good thing we still have a fe wo these decade ++ old ones left but this is getting annoying :)

Solar Designer: you should fucking know better. You should

why do you seek the limelight so hard whitehats? IT'S ONLY TEMPORARY AND THE LONG run does not favour any of us.

that does not matter. i am happy for you to have allt the spolt ight. it is dangerous.. just wait.
and here i thought we showed you morons in 2009 how amateur you are when our courier walked in and took your awards *using tha remote kenrel exploit everyone sayd couldnt be done remember?)leaving you your inboxes in print. i think a certain someone still owz 2 session cookies, or did we hallucinate that

defcon/blackhat event?!

So from the bottom of my heart to to the en of a hammer: fuck you fore ver thinking you can kep up with us.

__awkward

[Tablizer]

That's what they get for using double underscores in function names.

openbsd

when will people learn? if you actually want software from devs that give a crap about security use openbsd. for anyone that's actually looked behind the curtain of gnu software: it's a total horror show.

Re:Not all code is vulnerable - getaddrinfo() is f

[spitzak]

As pointed out in the article, the program must use gethostbyname() on a name supplied by the attacker.

A much more mitigating factor is that the bug is only exercised if the name looks like a numerical id, and according to their search most software first checks this using inet_aton() and only calls gethostbyname() if this fails, thus avoiding the bug.

Read further

[guruevi]

In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18).
Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example.

Re:Read further

[ruir]

No they are not, I upgraded my Debian 7 yesterday, the date of this article.

Woo!

Go open sores! Many eyes! Shallow bugs! Woo! open sores!

Explaining Overflow Examples

Must be late or too tired because I can't make sense of this. In the test program, he does:

        size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
That makes sense to get around the size check and using the hostname of length len (without null) to overflow temp_buffer because of the omission of the alias pointer in the calculation. However, in the clockdiff example, he further subtracts the size of the pointer: /usr/sbin/clockdiff `python -c "print '0' * $((0x20000-16*1-2*4-1-4))"`

Wondering where the -4 comes in? If he does that, wouldn't the resulting string in fact fit inside the temp buffer?

I don't have a system with old enough glibc to run his examples at the moment. :(

Re:Shallow bug doesn't mean non-existent. Fix obvi

You just reminded me why I don't like C++.

Re:Shallow bug doesn't mean non-existent. Fix obvi

How exactly do you wish people to measure the number of bugs that didn't happen? This statement is reminiscent of discussions about the number of rapes or molestations that go unreported to police without realizing that "unreported" means that they're not reported and can't be counted accurately at all. Bugs are even more complicated because they are not one-shot events, they're errors that have a specific lifetime. If I 'git commit' a broken version of the software while I'm working on a large portion of it, then commit the remainder of the work that fixes it, was the broken version really "buggy?" Does it only count if it makes it to a numbered release? What about bugs that are in the code for weeks but included in no numbered releases? And how do you propose to gather accurate statistics on the number of bugs that exist but have not been found yet?

good point, but ONLY pointer

[raymorris]

That's true, you could point to certain addresses. You're just left with no room to jump to that address or do anything else with it - the pointer takes up all of the space.

Also of course the other bytes of the pointer are restricted to eleven values each. I have no doubt they'll be some exploit, it's just likely to be rather limited.

look up straw man. YOURS is the straw man

[raymorris]

A straw man is a position invented during an argument in order to strike it down. If I pretended Obama had proposed executing anyone who gets a promotion, then shown why that proposal is bad, that would be a strawman.

Pointing out what the original claim was isn't a straw man, that's the opposite of a straw man. Let me give you two more examples of straw man:

Bob: The water is shallow.
Sally: You're wrong, I can prove the water is wet!

Bob: The bug is shallow.
Sally: You're wrong, I can prove the bug exists!

Is Tor affected?

Nothing on tor project website?

when is systemd scheduled to take over glibc

I'm sure if we wait long enough systemd will take over this function and we won't have to worry about it anymore. (There will stil be problems, they will just be labeled "won't fix", so fretting over it will be pointless). There should be a godwin's law variation for systemd.

Re:when is systemd scheduled to take over glibc

I'm sure if we wait long enough systemd will take over this function and we won't have to worry about it anymore. (There will stil be problems, they will just be labeled "won't fix", so fretting over it will be pointless). There should be a godwin's law variation for systemd.

Mr Poettering says: http://lists.freedesktop.org/archives/systemd-devel/2013-March/010062.html

Beware. Here Be Dragons.

[luis_a_espinal]

Smart pointers are helpful though. Might've prevented this particular exploit.

Depends on what type of smart pointer we are talking about (as many people have shot themselves in the foot with them). There is a reason why std::auto_ptr is deprecated.

One really, but really has to understand a smart pointer lifecycle before using it to solve problems that can typically solved with careful programming practices, tests and liberal usage of tools like valgrind.

Re:Beware. Here Be Dragons.

[david_thornley]

auto_ptr actually does what it's supposed to do, in terms of memory management. It doesn't play well with other parts of the language. It's deprecated because unique_ptr is at least as good in all ways, and better in some.

You don't really need to understand smart pointer lifecycles in detail; you have to know how to use them and stick to it. Raw pointers never own, so you never create an object using a raw pointer and you never delete a raw pointer. Raw pointers may be passed from function to function, but should never be stored anywhere with a longer lifetime than the function that stores it. To show individual ownership, you use unique_ptr. For shared ownership, use shared_ptr. (If you feel the need to store a raw pointer in some more persistent way, go back and change it to a shared_ptr.)

Finally, use the container template classes when you can, since they handle memory management well.

Do that, and your biggest problem with memory will be leaks when you have circular references.

Re:Beware. Here Be Dragons.

[luis_a_espinal]

You don't really need to understand smart pointer lifecycles in detail; you have to know how to use them and stick to it.

Knowing how to use smart pointers implies understanding their lifecycles. Same with raw pointers (which pretty much do not have a lifecycle.)

Is it Serious ovrflw problem or potential problem?

[lsatenstein]

A very serious security problem has been found and patched in the GNU C Library (Glibc). A heap-based buffer overflow was found in __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() function calls.

In all legal ways to use the function, recognizing PATH_MAX == 256, is there a problem? So, it is a potential problem.

So, some library code was found that does not check for potential overrun. By broadcasting the routine name, hackers or ganifs will attempt to break into the system.

Why not just say, a new glibc has been released and fixes some serious bugs.

Ubuntu 12.04 64bit has now patched the bug

[Pelam]

Late comer, but in case someone is looking for this bit of information.

Just got latest updates. Before the updates I tested with this tool and result was vulnerable.
After the updates it reports "not vulnerable".

There was some messup with libc dev packages. I had to force uninstall some dev packages and do "apt-get -f install" a couple of times, until the problem cleared. This is most likely just my machine...

I should still reboot to make sure the old libc is not loaded in some processes...