Google Unveils Glibc DNS Client Vulnerability, Many Bitcoin Implementations Affected

Today Google's online security blog unveiled a buffer overflow in the GNU C library's DNS client (archived). The vulnerability allows a buffer overflow in the getaddrinfo function, opening the doors to all manner of malice. This vulnerability affects all Bitcoin implementations that are compiled against the GNU C library and invoke DNS. This includes Bitcoin Core and the clients programmed to eventually fork into altcoins, including the "Bitcoin" XT and "Bitcoin" "Classic" network clients. The reference Bitcoin implementation maintained by the Bitcoin Foundation is unaffected, as DNS was excised from that client,[1] and scripts are available for building the reference implementation against the musl C library.[2] It is strongly recommended that Bitcoin users patch their preferred client[3] to remove DNS, or move to a client maintained by a team that cares about security and eliminating unnecessary attack surfaces in advance.

  1. The reference client also had UPnP excised before critical vulnerabilities in that code were publicly exposed.

  2. Most flagship nodes running the reference client are built against musl rather than glibc.

  3. You may have to do this yourself.  
