Notes on regreSSHion on musl
submited by
Style Pass
Today, Qualys' Threat Research Unit published another stellar paper: RCE in OpenSSH's server, on glibc-based Linux systems, nicknamed regreSSHion, aka CVE-2024-6387. Since I'm running Alpine Linux, which is using the musl libc, I was curious about the impact there. Fortunately, it boils down to a deadlock at worse:
This is because we do not use localtime in log timestamps and do not use dynamic allocation (because it could fail under memory pressure) for printf formatting.
While the sshd bug is UB (AS-unsafe syslog call from signal context), very deliberate decisions we made for other good reasons reduced the potential impact to deadlock taking a lock.
Read more dustri.org/b...
