X2Go Bug report logs - #778
affected by CVE 2015-0235: Stop using gethostbyname()

Package: nx-libs; Maintainer for nx-libs is X2Go Developers <x2go-dev@lists.x2go.org>;

Reported by: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Date: Sun, 1 Feb 2015 07:05:02 UTC

Severity: important



Report forwarded to x2go-dev@lists.x2go.org, owner@bugs.x2go.org:
Bug#778; Package src:nx-libs. (Sun, 01 Feb 2015 07:05:02 GMT)

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
New Bug report received and forwarded. Copy sent to owner@bugs.x2go.org. (Sun, 01 Feb 2015 07:05:02 GMT)

Message #5 received at submit@bugs.x2go.org:

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: submit@bugs.x2go.org
Subject: affected by CVE 2015-0235: Stop using gethostbyname()
Date: Sun, 01 Feb 2015 08:04:41 +0100
Package: src:nx-libs
Severity: important

The NX source code uses gethostbyname() at several locations and is potentially affected by CVE 2015-0235 (GHOST security issue in glibc).

We should move towards using getaddrinfo() asap.

Mike


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976148

GnuPG Key ID 0x25771B13
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de




Bug reassigned from package 'src:nx-libs' to 'nx-libs'. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Sun, 01 Feb 2015 10:35:01 GMT)

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#778; Package nx-libs. (Sun, 01 Feb 2015 12:45:01 GMT)

Acknowledgement sent to Nable <nable.maininbox@googlemail.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Sun, 01 Feb 2015 12:45:01 GMT)

Message #12 received at 778@bugs.x2go.org:

From: Nable <nable.maininbox@googlemail.com>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 778@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#778: affected by CVE 2015-0235: Stop using gethostbyname()
Date: Sun, 1 Feb 2015 16:40:59 +0400
Hi, Mike!

I'm looking at this and previous bug (#777) and can't stop wondering
whether applications should really contain workarounds for bugs in
system libraries. Isn't it better to just depend on newer version
of library (that has fixes for currently known bugs)?

There are a lot of older bugs in glibc (that are fixed in current
version), does it mean that applications should be bloated with
workarounds for such bugs just in order to work more safely on machines
where users don't pay enough attention to updates?


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#778; Package nx-libs. (Sun, 01 Feb 2015 21:35:02 GMT)

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Sun, 01 Feb 2015 21:35:02 GMT)

Message #17 received at 778@bugs.x2go.org:

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Nable <nable.maininbox@googlemail.com>
Cc: 778@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#778: affected by CVE 2015-0235: Stop using gethostbyname()
Date: Sun, 01 Feb 2015 21:34:40 +0000
[Message part 1 (text/plain, inline)]
On Sun 01 Feb 2015 13:40:59 CET, Nable wrote:

> Hi, Mike!
>
> I'm looking at this and previous bug (#777) and can't stop wondering
> whether applications should really contain workarounds for bugs in
> system libraries. Isn't it better to just depend on newer version
> of library (that has fixes for currently known bugs)?
>
> There are a lot of older bugs in glibc (that are fixed in current
> version), does it mean that applications should be bloated with
> workarounds for such bugs just in order to work more safely on machines
> where users don't pay enough attention to updates?

That is a true way of reasoning...

However, gethostbyname is deprecated in glibc and not really IPv4/IPv6  
compliant [1].

Mike

[1] http://beej.us/guide/bgnet/output/html/multipage/syscalls.html#getaddrinfo

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-signature, inline)]
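
The migration requested in this report, from gethostbyname() to getaddrinfo(), as an added example that is not part of the original thread and not nx-libs code. The helper name `resolve_host`, the `MAX_HOSTNAME_LEN` bound and the length check before the resolver call are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/in.h>

#define MAX_HOSTNAME_LEN 255  /* assumed bound: DNS limit on a full host name */

/* Hypothetical helper: resolve host to printable IPv4/IPv6 addresses.
 * Returns the number of addresses written to out (at most max), -1 on error. */
int resolve_host(const char *host, char out[][INET6_ADDRSTRLEN], int max)
{
    struct addrinfo hints, *res, *ai;
    int n = 0;

    /* Bound the input before it reaches the resolver. */
    if (host == NULL || host[0] == '\0' || strlen(host) > MAX_HOSTNAME_LEN)
        return -1;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;      /* accept IPv4 and IPv6 results */
    hints.ai_socktype = SOCK_STREAM;  /* one entry per address, not per socket type */

    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return -1;

    for (ai = res; ai != NULL && n < max; ai = ai->ai_next) {
        const void *addr;
        if (ai->ai_family == AF_INET)
            addr = &((struct sockaddr_in *)ai->ai_addr)->sin_addr;
        else if (ai->ai_family == AF_INET6)
            addr = &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr;
        else
            continue;
        if (inet_ntop(ai->ai_family, addr, out[n], INET6_ADDRSTRLEN) != NULL)
            n++;
    }
    freeaddrinfo(res);  /* caller-owned list, unlike gethostbyname()'s static buffer */
    return n;
}

int main(void)
{
    char a[8][INET6_ADDRSTRLEN];
    int n = resolve_host("::1", a, 8);  /* constructed sample input */
    printf("::1 -> %d address(es), first: %s\n", n, n > 0 ? a[0] : "-");
    return 0;
}
```

Numeric literals are parsed locally, so the sample runs without a DNS lookup; real host names go through the system resolver as usual.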



X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Dec 13 20:08:00 2018; Machine Name: ymir.das-netzwerkteam.de
