CVE-2015-7547 is a critical vulnerability in GNU C Library (glibc) thst has been reported by the Google Security Team and Red Hat.
Description of the vulnerability from Red Hat:
A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libr esolv to crash or, potentially, execute code with the permissions of the user running the library.
NOTE: this issue is only exposed when libresolv is called from the nss_dns NSS service module. (CVE-2015-7547)
It was discovered that the calloc implementation in glibc could return memory areas which contain non-zero bytes. This could result in unexpected application behavior such as hangs or crashes. (CVE-2015-5229)
Impact:
This flaw could be exploited in a variety of ways, basically any services/processes doing DNS requests could be a potential target and lead to remote code execution or full system control.
Impacted Linux distributions:
Resolution:
1. Verify the current glibc version on CentOS and Red Hat Enterprise Linux:
Run:
yum list glibc
The version will be listed under the "Installed Packages" section on Ubuntu and Debian:
Run:
ldd --version
The first line in the output will mention the version.
Here is the list of patched versions:
2. Updating glibc and rebooting
On CentOS and Red Hat Enterprise Linux:
Run:
yum clean all
yum update glibc
reboot
On Ubuntu (12.04 LTS, 14.04 LTS and 15.10):
Run:
sudo apt-get update
sudo apt-get install libc6
reboot
On Debian 6 (squeeze) and Debian 7 (wheezy):
Run:
sudo apt-get update
sudo apt-get install libc6
reboot
On Debian 8 (jessie):
Run:
sudo apt-get update
sudo apt-get install libc6
reboot
References: