So you may have read on the BBC and elsewhere of a vulnerability in the glibc library used by most Linux installations. glibc is the runtime library that implements the standard set of functions available in the C and C++ programming languages. There are other implementations of the libc than the GNU version: Android, OS X and Microsoft Windows all use their own. The GNU variant, glibc, is however the most prevalent, and the defect is present in all the versions currently released. I initially wanted to provide a method of determining your libc version (`ls /lib*/*libc* /lib/*/libc*` or `ldd --version`), but in reality every version from 2.9 onwards includes the defect and it is only fixed in the yet to be released 2.23, so all UNIX versions currently out there have the defect.
The defect is in getaddrinfo(), which attempts to cope with larger than normal DNS responses by loading the response into an allocated space on the heap instead of the more usual space on the stack used for responses of less than 2K. Unfortunately it then proceeds to reference the wrong address when loading the data into memory, causing a stack overflow. This allows a malicious DNS server to respond with an oversized message which can, in specific circumstances, cause maliciously provided code to be executed.
There is a patch available, which is built into glibc 2.23, as well as a workaround which prevents the use of AF_UNSPEC. This stops the longer responses from being processed by forcing the caller to specify whether they are requesting an IPv4 or an IPv6 response. For most of us it will, however, be a matter of waiting for platform-specific patches to be released, something which is not yet available, and then updating through our usual update mechanism. The same goes for all the Linux-based devices you have, from a Raspberry Pi to your router and printer, as and when manufacturers make those patches available. Until then, a segmentation fault in a utility during a DNS lookup could be the result of a malicious server returning malicious code which you have just executed.
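To make both the version check from the opening paragraph and the AF_UNSPEC workaround concrete, here is an added C example (not code from the original post). It reads the running glibc version with gnu_get_libc_version(), classifies it against the affected range the post gives (2.9 up to, but not including, 2.23), and builds getaddrinfo() hints that never carry AF_UNSPEC by substituting an explicit family. The function names glibc_version_affected, pinned_family and make_hints, and the choice of AF_INET as the fallback family, are this example's own assumptions; the lookup of "localhost" in main() is only a demonstration target.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#ifdef __GLIBC__
#include <gnu/libc-version.h>   /* gnu_get_libc_version() */
#endif

/* Returns 1 if a glibc version string such as "2.19" falls in the range
 * the post describes as affected (2.9 <= version < 2.23), 0 if it is
 * outside that range, and -1 if the string cannot be parsed. */
int glibc_version_affected(const char *ver)
{
    int major = 0, minor = 0;
    if (ver == NULL || sscanf(ver, "%d.%d", &major, &minor) != 2)
        return -1;
    if (major != 2)
        return 0;
    return (minor >= 9 && minor < 23) ? 1 : 0;
}

/* Maps a requested address family onto one that is never AF_UNSPEC.
 * AF_UNSPEC is replaced by the caller's fallback family, so the
 * dual IPv4/IPv6 lookup path the post describes is never requested. */
int pinned_family(int requested, int fallback)
{
    if (requested == AF_UNSPEC)
        return fallback;
    return requested;
}

/* Fills getaddrinfo() hints with an explicit family (assumed fallback:
 * AF_INET) and a stream socket type. */
void make_hints(struct addrinfo *hints, int family)
{
    memset(hints, 0, sizeof(*hints));
    hints->ai_family = pinned_family(family, AF_INET);
    hints->ai_socktype = SOCK_STREAM;
}

int main(void)
{
#ifdef __GLIBC__
    const char *ver = gnu_get_libc_version();
    printf("glibc %s: %s\n", ver,
           glibc_version_affected(ver) == 1 ? "in the affected range"
                                            : "outside the affected range");
#endif
    struct addrinfo hints, *res = NULL;
    /* A caller that would normally pass AF_UNSPEC gets AF_INET instead. */
    make_hints(&hints, AF_UNSPEC);
    int rc = getaddrinfo("localhost", "80", &hints, &res);
    if (rc != 0) {
        fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(rc));
        return 1;
    }
    for (struct addrinfo *p = res; p != NULL; p = p->ai_next)
        printf("resolved with family %d\n", p->ai_family);
    freeaddrinfo(res);
    return 0;
}
```

Pinning the family is a per-call change in your own code, so it only protects programs you compile; libraries and system utilities that still pass AF_UNSPEC remain dependent on the distribution's glibc update.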