
How to Fix and Patch New glibc Vulnerability CVE-2015-7547 in Linux

CERT has issued a vulnerability alert, VU#457759, for glibc.

If glibc is installed on your system, its DNS resolver (getaddrinfo) may be vulnerable to a stack-based buffer overflow.

This article explains how to fix this glibc vulnerability on your server.

This issue is documented here: CVE-2015-7547

Versions affected: All glibc from 2.9 to 2.22 are affected by this vulnerability.

For example, on CentOS 6, I had the following glibc-2.12 packages installed, which were vulnerable to this issue.

# rpm -qa | grep -i glibc
glibc-2.12-1.149.el6_6.5.x86_64
glibc-headers-2.12-1.149.el6_6.5.x86_64
glibc-common-2.12-1.149.el6_6.5.x86_64
glibc-devel-2.12-1.149.el6_6.5.x86_64

This vulnerability has been present since glibc 2.9, which was released in November 2008. Now that it has been publicly disclosed, you should patch your system immediately.

For CentOS/RedHat, only versions 6 and 7 are affected. CentOS 5 (RedHat 5) and older versions are not affected. Here are the details from RedHat (CVE-2015-5229).

CentOS 6 (RedHat 6)

On CentOS (or RedHat, or another RHEL-based system), when you run yum info glibc, you’ll see the following new version, with this vulnerability fixed, in the “updates” repository.

# yum info glibc
Name        : glibc
Arch        : x86_64
Version     : 2.12
Release     : 1.166.el6_7.7
Size        : 3.8 M
Repo        : updates
Summary     : The GNU libc libraries

To fix the problem, run the following command.

This updates the main glibc package together with the dependent glibc-common, glibc-devel and glibc-headers packages to the latest version, in which the issue is fixed.

# yum -y update glibc
..
Updated: glibc.x86_64 0:2.12-1.166.el6_7.7

Dependency Updated:
  glibc-common.x86_64 0:2.12-1.166.el6_7.7
  glibc-devel.x86_64 0:2.12-1.166.el6_7.7
  glibc-headers.x86_64 0:2.12-1.166.el6_7.7

Note: If yum does not show the new version above, your yum cache probably needs to be refreshed. In that case, run the following and then try the yum update again.

yum clean all

yum -y update glibc

CentOS 7 (RedHat 7)

On CentOS 7, I had the following version, which was affected by this vulnerability.

# cat /etc/redhat-release 
CentOS Linux release 7.2.1511 (Core) 

# rpm -qa | grep -i glibc
glibc-2.17-106.el7_2.1.x86_64
glibc-devel-2.17-106.el7_2.1.x86_64
glibc-common-2.17-106.el7_2.1.x86_64
glibc-headers-2.17-106.el7_2.1.x86_64

Do the following to fix the problem on CentOS 7.

yum clean all

yum -y update glibc

The above will install the following version, where this vulnerability is fixed:

# rpm -qa | grep glibc
glibc-common-2.17-106.el7_2.4.x86_64
glibc-2.17-106.el7_2.4.x86_64
glibc-headers-2.17-106.el7_2.4.x86_64
glibc-devel-2.17-106.el7_2.4.x86_64
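The version strings above show why checking only the upstream number (2.12 or 2.17) is not enough on RHEL/CentOS: Red Hat backports fixes without bumping it, so the full version-release of the installed package has to be compared against the fixed build. The script below is an added example, not from the original article; it takes the fixed builds from the yum and rpm output shown on this page and compares the installed build against them with version-aware sorting.

```shell
#!/bin/sh
# Added example: decide whether the installed glibc build on a RHEL/CentOS
# system is at or above the build carrying the CVE-2015-7547 fix.
# The fixed builds are the ones the article shows yum installing; the
# comparison uses the full VERSION-RELEASE string, not just "2.12"/"2.17".

# Fixed version-release per major release (taken from the article's output).
fixed_build_for() {
    case "$1" in
        6) echo "2.12-1.166.el6_7.7" ;;
        7) echo "2.17-106.el7_2.4" ;;
        *) return 1 ;;
    esac
}

# Returns 0 when $1 sorts at or after $2 under version-aware ordering.
# sort -V handles the "1.149.el6_6.5" vs "1.166.el6_7.7" style of suffix.
version_ge() {
    [ "$(printf '%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# glibc_status <major-release> <installed VERSION-RELEASE>
# Prints "fixed" (exit 0) or "vulnerable" (exit 1); exit 2 for unknown release.
glibc_status() {
    fixed=$(fixed_build_for "$1") || { echo "unknown release $1" >&2; return 2; }
    if version_ge "$2" "$fixed"; then
        echo fixed
        return 0
    fi
    echo vulnerable
    return 1
}

# Live mode queries the local system; the functions above work without it.
if [ "${1:-}" = "--live" ]; then
    rel=$(sed -n 's/.*release \([0-9]*\).*/\1/p' /etc/redhat-release)
    inst=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' glibc)
    glibc_status "$rel" "$inst"
fi
```

Run it as `sh glibc_check.sh --live` on the box to be checked; for other distributions the same comparison applies to the package's full version (libc6 on Debian/Ubuntu), against the build named in that distribution's advisory.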

Note: If your system is not connected to the internet, or you are not using live updates from a repository, log in to Red Hat support, click Downloads, then “RPM Search”, search for the new glibc version, download those rpm packages manually and install them on your system.

For example, download the following RPM packages for CentOS/RedHat 6 from the RedHat support site, and use the rpm command to install them as shown below.

# ls -1
glibc-2.12-1.166.el6_7.7.x86_64.rpm
glibc-common-2.12-1.166.el6_7.7.x86_64.rpm
glibc-devel-2.12-1.166.el6_7.7.x86_64.rpm
glibc-headers-2.12-1.166.el6_7.7.x86_64.rpm

# rpm -Uvh glibc-* 
Preparing...          ################# [100%]
   1:glibc-common     ################# [ 25%]
   2:glibc            ################# [ 50%]
   3:glibc-headers    ################# [ 75%]
   4:glibc-devel      ################# [100%]

Debian and Ubuntu

On Debian-based systems, use the apt-get command and either upgrade only glibc (the package is named libc6 on Debian and Ubuntu), or use this opportunity to upgrade all packages as shown below:

sudo apt-get -u install libc6

sudo apt-get -u upgrade

For Debian, look at CVE-2015-0235 (link below) in the Debian security tracker, which shows the exact version of glibc or eglibc in which this issue is fixed. Also check the Debian security advisory DSA-3142 (link below) for more details.

Additional Information

For those who are interested, here is some additional reading about this vulnerability:

  • From Debian DSA-3142: Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka “GHOST.”
  • From Debian Security Tracker: Qualys discovered that the gethostbyname and gethostbyname2 functions were subject to a buffer overflow if provided with a crafted IP address argument. This could be used by an attacker to execute arbitrary code in processes which called the affected functions.
  • From Sourceware Bugzilla – Bug 18665 By Robert: A condition occurs when the recvfrom function receives data using a newly created buffer but does not use the newly created buffer size then the buffer is accessed and causes the program to crash.
  • Google online security blog: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
  • [PATCH] CVE-2015-7547 — glibc getaddrinfo() stack-based buffer overflow By Carlos O’Donell: A back of the envelope analysis shows that it should be possible to write correctly formed DNS responses with attacker controlled payloads that will penetrate a DNS cache hierarchy and therefore allow attackers to exploit machines behind such caches.


11 comments

  • Matt February 19, 2016, 12:03 pm

    I don’t see you mention a reboot, but since the kernel loads this library, it’s probably a wise idea to reboot after the update.

  • unknown February 22, 2016, 3:00 am

    How about info on Linux Mint thing…

    My mom did not learn me that!

  • Ejaygigo February 22, 2016, 3:02 am

    You can check the glibc version you are running by using this command: “ldd --version”

  • Pacman February 24, 2016, 4:23 am

    hi,

    I prefer not to run apt-upgrade so I tried sudo apt-get -u install glibc instead on Debian.

    However, I get a message that GLIBC cannot be found. My system says that I have version 2.13 though.

    What would you recommend doing?

    Thanks!

  • MT February 24, 2016, 7:55 pm

    I also tried using the sudo apt-get -u install glibc command with a similar error – does a repository need to be added first?

  • Rinshad February 25, 2016, 9:41 pm

    Hi,

    >>> The above will install the following version, where this vulnerability is fixed:

    # rpm -qa | grep glibc
    glibc-common-2.17-106.el7_2.4.x86_64
    glibc-2.17-106.el7_2.4.x86_64
    glibc-headers-2.17-106.el7_2.4.x86_64
    glibc-devel-2.17-106.el7_2.4.x86_64

    but you have mentioned
    Versions affected: All glibc from 2.9 to 2.22 are affected by this vulnerability. So I believe the yum update didn’t help here. Could you double check?

  • Daniel Beatoq February 27, 2016, 10:09 am

    The Ubuntu update for this package should be: sudo apt-get -u install libc6

    http://www.ubuntu.com/usn/usn-2900-1/

  • Pacman February 29, 2016, 9:32 am

    Hi Daniel,

    Does the Ubuntu update apply to Debian 7 (Wheezy) as well?

    Thanks for your support.

  • Daniel Beato February 29, 2016, 9:40 am

    Yes, the update applies to Debian.

  • choudhry February 29, 2016, 4:39 pm

    oh, man this is the best and very helpful, i love it.

  • choudhry February 29, 2016, 5:20 pm

    oh, man this is the best and very helpful, i love it. can you help me to install the glibc vulnerability package on centos 6.
