uClibc vulnerability affects Omnia?

Reading https://www.nozominetworks.com/blog/nozomi-networks-discovers-unpatched-DNS-bug-in-popular-c-standard-library-putting-iot-at-risk/ I’ve seen that the uclibcxx library is already included in the Omnia OS:

 -----------------------------------------------------
 TurrisOS 5.3.8, Turris Omnia
 -----------------------------------------------------
root@turris:~# opkg list | grep -i uclib
uclibcxx - 0.2.5-3
root@turris:~# opkg files uclibcxx
Package uclibcxx (0.2.5-3) is installed on root and has the following files:
/usr/lib/libuClibc++.so.0
/usr/lib/libuClibc++-0.2.5.so
root@turris:~# opkg depends uclibcxx
uclibcxx depends on:
	libc
root@turris:~# opkg whatdepends uclibcxx
Root set:
  uclibcxx
What depends on root set
	iperf 2.0.13-1	depends on uclibcxx

Are we affected?

I didn’t dig into what uses uclibcxx (C++), but for libc (C) musl is used, not uclibc.

1 Like

OK, I looked a bit more. This is about predictability of transaction ID in DNS messages.

  • as the field in the protocol is 16-bit, it’s always been very weak security-wise
  • for DNS we use a local resolver (by default), not OS libc stub asking WAN
    (Knot Resolver typically, or Unbound in Turris 1.x)

This library does not implement any DNS functionality. However, this library is removed in future OpenWrt releases, like 22.03. Reasons to remove it were that the development is not active and some bugs are not fixed.

No, we are not affected, and neither is OpenWrt. Take a look at this response:
https://lists.openwrt.org/pipermail/openwrt-devel/2022-May/038586.html

3 Likes
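An added example, not part of the thread: since the bug discussed above is about predictable DNS transaction IDs, this sketch reads the 16-bit ID from captured DNS queries and flags a client whose consecutive IDs mostly differ by one fixed step. The function names, the 0.8 threshold and the sample messages are assumptions constructed for illustration.

```python
import struct
from collections import Counter

def build_query(txid, name):
    """Constructed sample input: a minimal DNS A query carrying the given ID."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def query_txid(msg):
    """Return the transaction ID of a DNS query, or None for responses or short data."""
    if len(msg) < 12:
        return None
    txid, flags = struct.unpack("!HH", msg[:4])
    if flags & 0x8000:  # QR bit set: this is a response, not a query
        return None
    return txid

def txid_report(messages, threshold=0.8):
    """Flag a client whose consecutive query IDs mostly differ by one fixed step."""
    ids = [t for t in map(query_txid, messages) if t is not None]
    if len(ids) < 3:  # too few samples to say anything
        return {"ids": ids, "predictable": False, "step": None, "share": 0.0}
    # Differences are taken modulo 2**16 so a counter wrapping at 0xFFFF still matches.
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    step, count = Counter(deltas).most_common(1)[0]
    share = count / len(deltas)
    return {"ids": ids, "predictable": share >= threshold, "step": step, "share": share}

# Constructed captures: one client counting upwards across the wrap, one with scattered IDs.
SEQUENTIAL = [build_query((0xFFFD + i) & 0xFFFF, "example.com") for i in range(6)]
SCATTERED = [build_query(t, "example.com")
             for t in (0x1A2B, 0x9F03, 0x0044, 0xC7D1, 0x5E6A, 0x3310)]

if __name__ == "__main__":
    for label, capture in (("sequential", SEQUENTIAL), ("scattered", SCATTERED)):
        r = txid_report(capture)
        print(label, "predictable:", r["predictable"], "step:", r["step"],
              "share: %.2f" % r["share"])
```

A short, scattered sample only shows the absence of a fixed step; it does not prove the IDs come from a strong random source.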
