Hi, I was wondering if openssl a vector of exploitation of Qualys Security Advisory CVE-2015-0235 - GHOST: glibc gethostbyname ? reference and test code here http://www.openwall.com/lists/oss-security/2015/01/27/9 Here my quick study gethostbyname can be found only in b_sock.c used by struct hostent *BIO_gethostbyname(const char *name). so i guess using BIO_gethostbyname is a possible vector of use of this vulnerability. i searched for usages of BIO_gethostbyname in openssl code too. I reviewed BIO_get_host_ip(const char *str, unsigned char *ip) since even if it can call BIO_gethostbyname t won't do it if it is already detected as an ip, what is one of the requirements of the vulnerability. BIO_get_host_ip itself can be called by BIO_get_accept_socket when using BIO_do_accept(sock) on accept sockets, but since getaddrinfo is defined ( in glibc , could be wrong in some specific cases ? ) and then EAI_FAMILY, this BIO_get_host_ip won't in fact be called. So it look like only direct use of BIO_gethostbyname can cause issues and openssl does not rely on obsolete gethostbyname if it can use alternate getaddrinfo. I would be happy to receive any comment on that. Regards, Philippe Lhardy
