[openssl-users] Is openssl a vector of exploit for Qualys Security Advisory CVE-2015-0235 - GHOST: glibc gethostbyname ?
pl
pl at artisanlogiciel.net
Fri Jan 30 21:18:19 UTC 2015
Hi,
I was wondering if openssl is a vector of exploitation of Qualys Security
Advisory CVE-2015-0235 - GHOST: glibc gethostbyname?
Reference and test code here:
http://www.openwall.com/lists/oss-security/2015/01/27/9
Here is my quick study: gethostbyname can be found only in b_sock.c, used by
struct hostent *BIO_gethostbyname(const char *name).
So I guess using BIO_gethostbyname is a possible vector for this
vulnerability.
I searched for usages of BIO_gethostbyname in the openssl code too.
I reviewed BIO_get_host_ip(const char *str, unsigned char *ip): even if it
can call BIO_gethostbyname, it won't do it if the string is already
detected as an IP, which is one of the requirements of the vulnerability.
BIO_get_host_ip itself can be called by BIO_get_accept_socket when using
BIO_do_accept(sock) on accept sockets, but since getaddrinfo is defined
(in glibc; could be wrong in some specific cases?) and then
EAI_FAMILY, this BIO_get_host_ip won't in fact be called.
So it looks like only direct use of BIO_gethostbyname can cause issues,
and openssl does not rely on the obsolete gethostbyname if it can use the
alternate getaddrinfo.
I would be happy to receive any comment on that.
Regards,
Philippe Lhardy
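The two mitigations the post identifies in OpenSSL's own code paths (treat IP literals without any resolver call, and prefer getaddrinfo over gethostbyname) can be applied in application code as well. The following is an added example, not OpenSSL code and not from the poster; is_ip_literal, resolve_host and MAX_HOSTNAME_LEN are hypothetical names chosen here, and the 255-byte cap is a generic DNS-name sanity limit, not something OpenSSL enforces.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Longest name the DNS can carry; anything longer is rejected up front. */
#define MAX_HOSTNAME_LEN 255

/* Mirrors the first step of BIO_get_host_ip: if the string is already an
 * IPv4 or IPv6 literal, no resolver (and no gethostbyname) is needed.
 * Returns 1 and sets *family when it is a literal, 0 otherwise. */
int is_ip_literal(const char *host, int *family)
{
    struct in_addr a4;
    struct in6_addr a6;
    if (inet_pton(AF_INET, host, &a4) == 1) { if (family) *family = AF_INET;  return 1; }
    if (inet_pton(AF_INET6, host, &a6) == 1) { if (family) *family = AF_INET6; return 1; }
    return 0;
}

/* Resolve with getaddrinfo only; gethostbyname is never called.
 * Returns 0 on success (ss/sslen filled with the first result),
 * -1 when the input is rejected, or a positive EAI_* code from getaddrinfo. */
int resolve_host(const char *host, struct sockaddr_storage *ss, socklen_t *sslen)
{
    struct addrinfo hints, *res = NULL;
    int rc;

    if (host == NULL || host[0] == '\0' || strlen(host) > MAX_HOSTNAME_LEN)
        return -1;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    /* For literals, tell the resolver not to touch DNS at all. */
    if (is_ip_literal(host, NULL))
        hints.ai_flags |= AI_NUMERICHOST;

    rc = getaddrinfo(host, NULL, &hints, &res);
    if (rc != 0)
        return rc;
    memcpy(ss, res->ai_addr, res->ai_addrlen);
    *sslen = res->ai_addrlen;
    freeaddrinfo(res);
    return 0;
}
```

A quick `grep -rn gethostbyname` over the build tree is the matching check that no other code path has reintroduced the obsolete call.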