“A big deal”
"It's a big deal," Washington, DC-based security researcher Kenn White told Ars, referring to the vulnerability. "This is a core bedrock function across Linux. Things that do domain name lookups have a real vulnerability if the attacker can answer."
The widely used secure shell, sudo, and curl utilities are all known to be vulnerable, and researchers warn that the list of other affected apps or code is almost too diverse and numerous to fully enumerate. Using a proof-of-concept exploit released Tuesday, White was able to determine that the version of the Wget utility he uses to test and query Web servers was vulnerable. He said he suspects that the vulnerability extends to an almost incomprehensibly large body of software, including virtually all distributions of Linux; the Python, PHP, and Ruby on Rails programming languages; and just about anything else that uses Linux code to look up the numerical IP address of an Internet domain. Most Bitcoin software is reportedly vulnerable, too.
The effect of the glibc vulnerability on Google's Android mobile operating system isn't immediately clear. At last check, Android appeared to use a glibc substitute known as Bionic.
The vulnerability, which is indexed as CVE-2015-7547, was disclosed Tuesday by researchers from Google. In a blog post, the researchers said they stumbled on the vulnerability when one of their SSH applications experienced an extremely serious error known as a segmentation fault each time it tried to contact a specific Internet address. Google engineers eventually figured out that the error was caused by a buffer overflow inside glibc that made malicious code-execution attacks possible and then notified glibc maintainers.