Wind River Security Alert for GHOST gethostbyname heap overflow in glibc/eglibc (CVE-2015-0235)
This alert confirms that the following Wind River Linux releases are susceptible to the GHOST gethostbyname heap overflow in glibc/eglibc (CVE-2015-0235).
Description:
===========
The vulnerability affects glibc versions < 2.18, so Wind River Linux 2.0.x/3.0.x/4.3.0.x/5.0.1.x/6.0.x are affected.
The details of the vulnerability can be found at http://www.openwall.com/lists/oss-security/2015/01/27/9
Note:
===========
WRLinux 7.0 and above are not susceptible to the GHOST gethostbyname heap overflow in glibc/eglibc because they use glibc version 2.18 or higher.
WRLinux 6.0.x ships (in source form) both glibc 2.17 and 2.18. The default used in WRL 6 is 2.18. It will be affected if a project meets the following criteria:
1) --enable-unsupported-toolchain=openembedded-core is set when configuring the project.
2) PREFERRED_VERSION_eglibc = "2.17" is added to the .conf file, to explicitly instruct the build system that glibc 2.17 is wanted.
Disable the above options.
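A way to check a WRLinux 6.0.x project against the two criteria above, as an added example that is not Wind River code. It assumes the project's configure command line has been saved to a file (first argument) and that the project's .conf files sit under the directory given as second argument; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Wind River tooling. Checks a WRLinux 6.0.x project
# against the two criteria listed in the advisory.

# Criterion 1: $1 is a file holding the project's configure command line
# (where that line is recorded is left to the caller; an assumption here).
uses_oe_core_toolchain() {
    grep -q -e '--enable-unsupported-toolchain=openembedded-core' "$1"
}

# Criterion 2: an uncommented assignment in any *.conf file under $1 pins
# eglibc 2.17. Accepts =, ?=, ??=, := and either quote style.
PIN_RE="^[[:space:]]*PREFERRED_VERSION_eglibc[[:space:]]*[?:]*=[[:space:]]*[\"']2\\.17([^0-9]|\$)"
pinned_conf_files() {
    # find propagates grep's "no match" status with '+', so neutralise it.
    find "$1" -type f -name '*.conf' -exec grep -lE "$PIN_RE" {} + || true
}

# Prints a verdict; returns 0 only when both criteria are met.
wrl6_ghost_check() {
    cmd_file=$1 conf_dir=$2 c1=no c2=no
    uses_oe_core_toolchain "$cmd_file" && c1=yes
    pinned=$(pinned_conf_files "$conf_dir")
    [ -n "$pinned" ] && c2=yes
    echo "unsupported openembedded-core toolchain: $c1"
    echo "eglibc pinned to 2.17: $c2${pinned:+ ($pinned)}"
    if [ "$c1" = yes ] && [ "$c2" = yes ]; then
        echo "RESULT: both criteria met, project is affected by CVE-2015-0235"
        return 0
    fi
    echo "RESULT: advisory criteria not met"
    return 1
}

if [ "$#" -eq 2 ]; then wrl6_ghost_check "$1" "$2"; fi
```

A commented-out PREFERRED_VERSION_eglibc line is not counted as a pin, and the files that do carry the pin are listed so the option can be removed.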
Plan:
===========
We will ship the fix in WRLinux4.3.0.29/WRLinux5.0.1.24/WRLinux6.0.0.18.
Temp fixes:
===========
WRL4.3.0.28:
$ cd productdir/wrlinux-4/layers/updates/RCPL-4.3-WRL.0028/wrll-toolchain-4.4a-457/common/tools/glibc/patches
$ cp cve-2015-0235-wr4.patch .
$ echo cve-2015-0235-wr4.patch >> patches.list
$ configure the project with --with-template=feature/build_libc
$ make fs
WRL5.0.1.16:
$ configure a new project with --enable-build-libc and without --with-sstate-dir option to ensure the patch can be applied successfully.
$ make bbs
$ bitbake wrl-glibc-rebuild -c patch
$ pushd ../build/wrl-glibc-rebuild-*
$ cd glibc-*
$ patch -Np1 < cve-2015-0235-wr5.patch
$ popd
$ exit
$ make fs
Wind River Linux 2.0.x/3.0.x are End of Life (EOL). Contact Wind River Support at +1-800-872-4977 or your local Wind River representative for the Wind River Linux 2.0.x/3.0.x fix.