These programs are generally safe, because the hostname passed to gethostbyname() has normally been pre-validated by DNS software.
gethostbyname
How to use gethostbyname in a sentence. Live example sentences for gethostbyname pulled from indexed public discussions.
Example sentences
Tell this to your code, which uses char* host_name; gethostbyname() and friends, Windows and other legacy systems.
Edit: Both the reentrant version (gethostbyname_r) and non-reentrant one (gethostbyname) are affected (the non-reentrant one uses a fixed buffer length).
However, gethostbyname() and gethostbyaddr() are still very commonly used, and won't be gone soon.
Does this mean if I have an app, Java, PHP or whatever, which eventually calls glibc's gethostbyname or gethostbyaddr, my machine is owned?
But why would this malicious PTR record be fed into gethostbyname() again?
As far as I can tell, sshd has always used getaddrinfo() which is not vulnerable (rather than gethostbyname() which is).
On the other hand, if you can make your target call gethostbyname() on an arbitrary string, you don't need to control a DNS server.
The main reason gethostbyname is deprecated is that it doesn't support IPv6.
The implementation of getaddrinfo uses gethostbyname, so you're using it either way.
Even if it used gethostbyname(), I fail to understand how one would supply an invalid IP address to an sshd program?
However, every version of ssh that I could test (going back to Ubuntu 8.04) uses getaddrinfo() rather than gethostbyname() and is therefore safe.
Quote examples
It looks like what's going on is that gethostbyname() calls __nss_hostname_digits_dots() which checks to see if the string you passed it was an IPv4 or IPv6 address rather than a name, and in that case it functions like inet_aton/inet_pton and converts the IP address string to a binary IP address as though the "name" 1.2.3.4 resolved to IP address 1.2.3.4.