X2Go Bug report logs - #778
affected by CVE 2015-0235: Stop using gethostbyname()

Package: nx-libs; Maintainer for nx-libs is X2Go Developers <x2go-dev@lists.x2go.org>

Reported by: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Date: Sun, 1 Feb 2015 07:05:02 UTC

Severity: important



Message #17 received at 778@bugs.x2go.org:

Date: Sun, 01 Feb 2015 21:34:40 +0000
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Nable <nable.maininbox@googlemail.com>
Cc: 778@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#778: affected by CVE 2015-0235: Stop using gethostbyname()
On Sun 01 Feb 2015 13:40:59 CET, Nable wrote:

> Hi, Mike!
>
> I'm looking at this and previous bug (#777) and can't stop wondering
> whether applications should really contain workarounds for bugs in
> system libraries. Isn't it better to just depend on newer version
> of library (that has fixes for currently known bugs)?
>
> There are a lot of older bugs in glibc (that are fixed in current
> version), does it mean that applications should be bloated with
> workarounds for such bugs just in order to work more safely on machines
> where users don't pay enough attention to updates?

That is a true way of reasoning...

However, gethostbyname is deprecated in glibc and not really IPv4/IPv6  
compliant [1].

Mike

[1] http://beej.us/guide/bgnet/output/html/multipage/syscalls.html#getaddrinfo

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

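The getaddrinfo() replacement that the reply above points to in [1], as an added example that is not part of the original message or of the nx-libs code: a protocol-independent lookup in C that handles IPv4 and IPv6 through one code path. The helper name `resolve_host`, the buffer size and the sample addresses are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

/* Hypothetical helper: resolve host:port and write the first result's
 * numeric address into out. Returns AF_INET, AF_INET6, or -1 on failure. */
int resolve_host(const char *host, const char *port, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    int family = -1;
    int rc;

    if (host == NULL || out == NULL || outlen == 0)
        return -1;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;       /* accept IPv4 and IPv6 results */
    hints.ai_socktype = SOCK_STREAM;

    rc = getaddrinfo(host, port, &hints, &res);
    if (rc != 0) {
        fprintf(stderr, "getaddrinfo(%s): %s\n", host, gai_strerror(rc));
        return -1;
    }
    /* getnameinfo() formats either family from the generic sockaddr,
     * so no per-family casts of an h_addr_list entry are needed. */
    if (res != NULL &&
        getnameinfo(res->ai_addr, res->ai_addrlen, out, (socklen_t)outlen,
                    NULL, 0, NI_NUMERICHOST) == 0)
        family = res->ai_family;

    freeaddrinfo(res);                 /* result list is caller-owned, not static */
    return family;
}

int main(void)
{
    const char *samples[] = { "127.0.0.1", "::1" };  /* constructed inputs */
    char buf[64];                                     /* assumed size for a numeric address */
    for (size_t i = 0; i < 2; i++) {
        int fam = resolve_host(samples[i], "80", buf, sizeof(buf));
        printf("%s -> family %d, address %s\n", samples[i], fam, fam < 0 ? "-" : buf);
    }
    return 0;
}
```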


X2Go Developers <owner@bugs.x2go.org>. Last modified: Wed Feb 1 21:26:39 2023; Machine Name: ymir.das-netzwerkteam.de
