curl-library

curl and the glibc vulnerability

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Thu, 18 Feb 2016 20:24:39 +0100 (CET)

Hi!

I've received some concerned questions about curl and the glibc issue
CVE-2015-7547 that Google among others has blogged about [1].

The issue they discovered is really within glibc's getaddrinfo() function and
makes it vulnerable to crafted DNS server responses. Like if there's a
malicious DNS server or another process snooping the network and sending
spoofed DNS server responses very well timed.

curl uses getaddrinfo() on most platforms so in that sense it is vulnerable,
but it also can't protect itself against this vulnerability since curl is not
doing anything wrong here. The best fix is to patch glibc.

A work-around can be to build against c-ares instead or switch off IPv6
abilities with configure, which would make curl use the older gethostbyname
API in glibc that isn't vulnerable.

[1] https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

-- 
  / daniel.haxx.se
Received on 2016-02-18
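
One way to check which of the cases described in the mail applies to an installed curl build, added here as an example that is not part of the original mail or of the curl project. It reads `curl --version` output and assumes that a c-ares build lists `c-ares/<version>` on the first line and that an IPv6-enabled build lists `IPv6` on the `Features:` line; the function name, result labels and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample `curl --version` outputs (not taken from real systems).
SAMPLE_DEFAULT='curl 7.47.1 (x86_64-pc-linux-gnu) libcurl/7.47.1 OpenSSL/1.0.2f zlib/1.2.8
Protocols: ftp http https
Features: IPv6 Largefile SSL libz'
SAMPLE_CARES='curl 7.47.1 (x86_64-pc-linux-gnu) libcurl/7.47.1 OpenSSL/1.0.2f zlib/1.2.8 c-ares/1.10.0
Protocols: ftp http https
Features: AsynchDNS IPv6 Largefile SSL libz'
SAMPLE_NO_IPV6='curl 7.47.1 (x86_64-pc-linux-gnu) libcurl/7.47.1 OpenSSL/1.0.2f zlib/1.2.8
Protocols: ftp http https
Features: Largefile SSL libz'

# classify_curl_resolver (hypothetical helper): reads `curl --version` text on
# stdin and prints which resolver path the mail says such a build uses:
#   c-ares               built against c-ares (the first work-around)
#   glibc-gethostbyname  built without IPv6 (the second work-around)
#   glibc-getaddrinfo    relies on getaddrinfo(); the fix is to patch glibc
#   unknown              input does not look like `curl --version` output
classify_curl_resolver() {
    version_text=$(cat)
    first_line=$(printf '%s\n' "$version_text" | sed -n '1p')
    features=$(printf '%s\n' "$version_text" | sed -n 's/^Features: *//p')

    # Refuse to guess on unexpected input: a missing Features line must not
    # be read as "IPv6 is off".
    case "$first_line" in
        "curl "*) ;;
        *) echo "unknown"; return 1 ;;
    esac
    if [ -z "$features" ]; then
        echo "unknown"
        return 1
    fi

    # c-ares shows up as a library token on the first line.
    case " $first_line " in
        *" c-ares/"*) echo "c-ares"; return 0 ;;
    esac

    # Match IPv6 as a whole word on the Features line.
    case " $features " in
        *" IPv6 "*) echo "glibc-getaddrinfo"; return 0 ;;
    esac

    echo "glibc-gethostbyname"
}
```

On a live host, pipe the real output in with `curl --version | classify_curl_resolver`. The result describes only the `curl` binary on the PATH, not other programs on the system that link libcurl or call getaddrinfo() themselves.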