Bitcoin Forum
Author Topic: Google Unveils Glibc DNS Client Vulnerability, Bitcoin Implementations Affected  (Read 554 times)
cyberpinoy (OP)
February 16, 2016, 08:43:05 PM
 #1

Google Unveils Glibc DNS Client Vulnerability, Many Bitcoin Implementations Affected

Posted on February 16, 2016 by Bingo Boingo   

Today Google's online security blog unveiled a buffer overflow in the Gnu C library's DNS client (archived). The vulnerability allows the getaddrinfo function to overflow opening the doors to all manner of malice. This vulnerability affects all Bitcoin implementations compiled against the GNU C library which invoke DNS. This includes Bitcoin Core and the clients programmed to eventually fork into altcoins including the "Bitcoin" XT and "Bitcoin" "Classic" network clients. The reference Bitcoin implementation maintained by the Bitcoin Foundation is unaffected as DNS was excised from that client,[1] and scripts are available for building the reference implementation against the musl C library.[2] It is strongly recommended that Bitcoin users patch their preferred client[3] to remove DNS or move to a client maintained by a team that cares about security and eliminating unnecessary attack surfaces in advance.

[1] The reference client also had UPnP excised before critical vulnerabilities in that code were publicly exposed.

[2] Most flagship nodes running the reference client are built against musl rather than glibc.

[3] You may have to do this yourself.

cyberpinoy (OP)
February 16, 2016, 08:51:12 PM
 #2

Another Article on this.

Published by Slashdot on Tue, 16 Feb 2016

An anonymous reader writes:

Today Google's online security team publicly disclosed a severe vulnerability in the Gnu C Library's DNS client. Due to the ubiquity of Glibc, this affects an astounding number of machines and software running on the internet, and raises questions about whether Glibc ought to still be the preferred C library when alternatives like musl are gaining maturity. As one example of the range of software affected, nearly every Bitcoin implementation is affected.

Reader msm1267 adds some information about the vulnerability, discovered independently by security researchers at Red Hat as well as at Google, which has since been patched:

  The flaw, CVE-2015-7547, is a stack-based buffer overflow in the glibc DNS client-side resolver that puts Linux machines at risk for remote code execution. The flaw is triggered when the getaddrinfo() library function is used, Google said today in its advisory. "A back of the envelope analysis shows that it should be possible to write correctly formed DNS responses with attacker controlled payloads that will penetrate a DNS cache hierarchy and therefore allow attackers to exploit machines behind such caches," Red Hat said in an advisory. It's likely that all Linux servers and web frameworks such as Rails, PHP and Python are affected, as well as Android apps running glibc. Read more of this story at Slashdot.
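Added example, not from the thread or either quoted article: a small ELF64 inspector that reports the profile the post describes as affected, a binary that requests glibc's dynamic loader and imports getaddrinfo(), so an operator can inventory which builds (glibc vs. musl, DNS vs. no DNS) need attention. It assumes loader paths containing ld-linux mean glibc and ld-musl mean musl; the sample image is constructed, not a real executable, and the check says nothing about whether the installed glibc is already patched.

```python
import struct

PT_INTERP, SHT_DYNSYM, SHN_UNDEF = 3, 11, 0
SH_FMT = "<IIQQQQIIQQ"  # ELF64 section header: name, type, flags, addr, off, size, link, ...


def _cstr(blob, off):
    """Read the NUL-terminated string that starts at offset off."""
    return blob[off:blob.index(b"\0", off)].decode("ascii", "replace")


def inspect_elf(data):
    """ELF64 little-endian image -> loader path, implied libc, getaddrinfo import; else None."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return None
    phoff, shoff, _, _, phentsize, phnum, shentsize, shnum, _ = \
        struct.unpack_from("<QQIHHHHHH", data, 32)
    loader, imports = "", False
    for i in range(phnum):  # PT_INTERP names the loader the kernel will run
        p_type, _, p_off = struct.unpack_from("<IIQ", data, phoff + i * phentsize)
        if p_type == PT_INTERP:
            loader = _cstr(data, p_off)
    for i in range(shnum):  # .dynsym lists symbols resolved at load time
        sh = struct.unpack_from(SH_FMT, data, shoff + i * shentsize)
        if sh[1] != SHT_DYNSYM:
            continue
        str_off = struct.unpack_from(SH_FMT, data, shoff + sh[6] * shentsize)[4]
        for soff in range(sh[4], sh[4] + sh[5], 24):
            st_name, _, _, st_shndx = struct.unpack_from("<IBBH", data, soff)
            # an undefined (SHN_UNDEF) entry is imported from a shared library
            if st_shndx == SHN_UNDEF and st_name and \
                    _cstr(data, str_off + st_name) == "getaddrinfo":
                imports = True
    libc = "glibc" if "ld-linux" in loader else "musl" if "ld-musl" in loader else "unknown"
    # "exposed" is the profile the thread calls affected (glibc + DNS via getaddrinfo)
    return {"loader": loader, "libc": libc, "imports_getaddrinfo": imports,
            "exposed": libc == "glibc" and imports}


def sample_elf(loader=b"/lib64/ld-linux-x86-64.so.2"):
    """Constructed minimal ELF64 image (not a real executable) for offline tests."""
    interp, dynstr = loader + b"\0", b"\0getaddrinfo\0"
    dynsym = bytes(24) + struct.pack("<IBBHQQ", 1, 0x12, 0, SHN_UNDEF, 0, 0)
    o_int = 64 + 56                       # ELF header + one program header
    o_sym, o_str = o_int + len(interp), o_int + len(interp) + len(dynsym)
    shoff = o_str + len(dynstr)
    hdr = struct.pack("<4sBB10xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 2, 62, 1,
                      0, 64, shoff, 0, 64, 56, 1, 64, 3, 0)
    ph = struct.pack("<IIQQQQQQ", PT_INTERP, 4, o_int, 0, 0, len(interp), len(interp), 1)
    sh = lambda typ, off, size, link, ent: struct.pack(SH_FMT, 0, typ, 0, 0, off, size, link, 0, 1, ent)
    return (hdr + ph + interp + dynsym + dynstr + sh(0, 0, 0, 0, 0)
            + sh(SHT_DYNSYM, o_sym, len(dynsym), 2, 24) + sh(3, o_str, len(dynstr), 0, 0))
```

Running inspect_elf over the bytes of each node binary on a host gives the glibc/musl split the thread argues about; a musl-linked build reports exposed False even though it still imports getaddrinfo.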

achow101
Staff
February 16, 2016, 09:39:40 PM
 #3

Not true, modern Bitcoin Core forks and Bitcoin Core itself are not affected by this vulnerability. Those articles are simply spreading FUD.

Lauda
February 16, 2016, 09:41:56 PM
 #4

Quote from: achow101
Those articles are simply spreading FUD.

Actually the point of these articles is to promote this "Bitcoin Foundation". This is the second one that I've noticed. I would not touch this through 5 VMs.
