CERT has issued vulnerability alert VU#457759 for glibc.
If glibc is installed on your system, its DNS resolver (the getaddrinfo() code path) may be vulnerable to a stack-based buffer overflow triggered by a crafted DNS response.
This article explains how to fix this glibc vulnerability on your server.
This issue is tracked as CVE-2015-7547.
Versions affected: all glibc releases from 2.9 through 2.22 are affected by this vulnerability; upstream fixed it in glibc 2.23, and the distributions below backported the fix to their own packages.
For example, on CentOS 6, I had the following glibc-2.12 version, which was vulnerable to this exploit.
# rpm -qa | grep -i glibc
glibc-2.12-1.149.el6_6.5.x86_64
glibc-headers-2.12-1.149.el6_6.5.x86_64
glibc-common-2.12-1.149.el6_6.5.x86_64
glibc-devel-2.12-1.149.el6_6.5.x86_64
This vulnerability has been present since glibc 2.9, which was released in November 2008. Now that it has been publicly disclosed, you should patch your systems immediately.
For CentOS/Red Hat, only versions 6 and 7 are affected. CentOS 5 (Red Hat 5) and older releases ship a glibc older than 2.9 and are not affected. Red Hat's advisory for this issue (link below) also covers CVE-2015-5229, a separate glibc bug fixed by the same update.
CentOS 6 (RedHat 6)
On CentOS (or RedHat, or other RHEL based system), when you do yum info glibc, you’ll see the following new version with this vulnerability fixed in the “updates” repository.
# yum info glibc
Name    : glibc
Arch    : x86_64
Version : 2.12
Release : 1.166.el6_7.7
Size    : 3.8 M
Repo    : updates
Summary : The GNU libc libraries
To fix the problem, run the following.
This updates the main glibc package and its dependent packages (glibc-common, glibc-devel and glibc-headers) to the release with the fix. Note that processes already running keep the old copy of the library mapped in memory, so restart long-running services (or reboot) after the update for the fix to take effect everywhere.
# yum -y update glibc
..
Updated:
  glibc.x86_64 0:2.12-1.166.el6_7.7
Dependency Updated:
  glibc-common.x86_64 0:2.12-1.166.el6_7.7
  glibc-devel.x86_64 0:2.12-1.166.el6_7.7
  glibc-headers.x86_64 0:2.12-1.166.el6_7.7
Note: If yum does not show the new version above, your yum metadata cache is probably stale. Clear it and run the update again:
yum clean all
yum -y update glibc
CentOS 7 (RedHat 7)
On CentOS 7, I had the following version, which was affected by this vulnerability.
# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
# rpm -qa | grep -i glibc
glibc-2.17-106.el7_2.1.x86_64
glibc-devel-2.17-106.el7_2.1.x86_64
glibc-common-2.17-106.el7_2.1.x86_64
glibc-headers-2.17-106.el7_2.1.x86_64
Do the following to fix the problem on CentOS 7.
yum clean all
yum -y update glibc
The above will install the following version, where this vulnerability is fixed:
# rpm -qa | grep glibc
glibc-common-2.17-106.el7_2.4.x86_64
glibc-2.17-106.el7_2.4.x86_64
glibc-headers-2.17-106.el7_2.4.x86_64
glibc-devel-2.17-106.el7_2.4.x86_64
Note: If your system is not connected to the internet, or you do not update live from a repository, log in to Red Hat support, click Downloads, then "RPM Search", search for the new glibc version, download the RPM packages manually and install them on your system.
For example, download the following RPM packages for CentOS/Red Hat 6 from the Red Hat support site and install them with the rpm command as shown below.
# ls -1
glibc-2.12-1.166.el6_7.7.x86_64.rpm
glibc-common-2.12-1.166.el6_7.7.x86_64.rpm
glibc-devel-2.12-1.166.el6_7.7.x86_64.rpm
glibc-headers-2.12-1.166.el6_7.7.x86_64.rpm
# rpm -Uvh glibc-*
Preparing...          ################# [100%]
   1:glibc-common     ################# [ 25%]
   2:glibc            ################# [ 50%]
   3:glibc-headers    ################# [ 75%]
   4:glibc-devel      ################# [100%]
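As an added example (not part of the original article, and not Red Hat or CentOS tooling), the following shell script checks installed glibc package names against the fixed EL6 and EL7 builds quoted in the two sections above, so the same check can be run across a fleet before and after the update. The version comparison is a simplified, numeric-only stand-in for rpm's rpmvercmp; that simplification is an assumption that holds for the builds on this page. The sample package names are constructed from the rpm output shown above.

```shell
#!/bin/sh
# Added example: report whether an installed glibc RPM is at or above the
# build that fixes CVE-2015-7547 on CentOS/RHEL 6 and 7. Not part of the
# original article and not vendor tooling.

FIXED_EL6="2.12-1.166.el6_7.7"   # fixed build shown in the CentOS 6 section
FIXED_EL7="2.17-106.el7_2.4"     # fixed build shown in the CentOS 7 section

# vercmp A B: compare two version-release strings field by field, treating
# every run of non-digits as a separator, so "2.12-1.149.el6_6.5" becomes
# 2 12 1 149 6 6 5. Prints -1, 0 or 1. This is a deliberate simplification
# of rpmvercmp (assumption: only numeric segments differ, as on this page).
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, /[^0-9]+/); nb = split(b, B, /[^0-9]+/)
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0
      y = (i <= nb) ? B[i] + 0 : 0
      if (x < y) { print "-1"; exit }
      if (x > y) { print "1";  exit }
    }
    print "0"
  }'
}

# glibc_patched PKG: PKG is one line of "rpm -q glibc" output, e.g.
# glibc-2.12-1.149.el6_6.5.x86_64. Returns 0 if the package is at or above
# the fixed build, 1 if it is older (vulnerable), 2 if it is not EL6/EL7.
glibc_patched() {
  nvr=${1#glibc-}
  nvr=${nvr%.x86_64}
  nvr=${nvr%.i686}
  case "$nvr" in
    *.el6*) fixed=$FIXED_EL6 ;;
    *.el7*) fixed=$FIXED_EL7 ;;
    *) echo "glibc_patched: $1 is not an EL6/EL7 build" >&2; return 2 ;;
  esac
  [ "$(vercmp "$nvr" "$fixed")" -ge 0 ]
}

# Constructed sample input: the four glibc builds shown in this article.
# On a live host use:  glibc_patched "$(rpm -q glibc | head -n 1)"
for pkg in glibc-2.12-1.149.el6_6.5.x86_64 glibc-2.12-1.166.el6_7.7.x86_64 \
           glibc-2.17-106.el7_2.1.x86_64  glibc-2.17-106.el7_2.4.x86_64; do
  if glibc_patched "$pkg"; then
    echo "$pkg: patched"
  else
    echo "$pkg: VULNERABLE (CVE-2015-7547)"
  fi
done

# A patched package is not the whole story: processes started before the
# update still have the old libc mapped. On Linux this lists the map files
# of processes still using a deleted (replaced) libc:
#   grep -l 'libc-.*(deleted)' /proc/[0-9]*/maps 2>/dev/null
```

Run it as-is to see the four builds from this article classified, or feed it the output of `rpm -q glibc` on a real host. It is an audit aid, not a replacement for `yum update`, and because running processes keep the old library mapped, services must still be restarted (or the host rebooted) after the update.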
Debian and Ubuntu
On Debian-based systems, use apt-get and either upgrade only the C library package (it is named libc6; there is no package called glibc, so "apt-get install glibc" fails with "cannot be found") or use this opportunity to upgrade all packages on the system, as shown below:
sudo apt-get update
sudo apt-get install libc6
sudo apt-get upgrade
For Debian, look at the security tracker entry for CVE-2015-7547 (link below), which shows the exact version of glibc or eglibc in which this issue is fixed for each release, and at the matching Debian security advisory, DSA-3480, for more details. Note that CVE-2015-0235 and DSA-3142, also linked below, describe GHOST, an earlier and unrelated glibc bug in gethostbyname(), not this issue.
For those who are interested, here is some additional background reading on this vulnerability. The first two items describe GHOST (CVE-2015-0235), a different glibc bug from 2015; only the last three concern CVE-2015-7547:
- From Debian DSA-3142: Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka “GHOST.”
- From Debian Security Tracker: Qualys discovered that the gethostbyname and gethostbyname2 functions were subject to a buffer overflow if provided with a crafted IP address argument. This could be used by an attacker to execute arbitrary code in processes which called the affected functions.
- From Sourceware Bugzilla – Bug 18665 By Robert: A condition occurs when the recvfrom function receives data using a newly created buffer but does not use the newly created buffer size then the buffer is accessed and causes the program to crash.
- Google online security blog: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
- [PATCH] CVE-2015-7547 — glibc getaddrinfo() stack-based buffer overflow By Carlos O’Donell: A back of the envelope analysis shows that it should be possible to write correctly formed DNS responses with attacker controlled payloads that will penetrate a DNS cache hierarchy and therefore allow attackers to exploit machines behind such caches.
I don’t see you mention a reboot, but since the kernel loads this library, it’s probably a wise idea to reboot after the update.
How about info on Linux Mint thing…
My mom did not learn me that!
You can check the glibc version you are running by using this command: "ldd --version"
I prefer not to run apt-upgrade so I tried sudo apt-get -u install glibc instead on Debian.
However, I get a message that GLIBC cannot be found. My system says that I have version 2.13 though.
What would you recommend doing?
I also tried using the sudo apt-get -u install glibc command with a similar error – does a repository need to be added first?
>>> The above will install the following version, where this vulnerability is fixed:
# rpm -qa | grep glibc
but you have mentioned
Versions affected: All glibc from 2.9 to 2.22 are affected by this vulnerability. So I believe the yum update didn't help here. Could you double check?
The Ubuntu update for this package should be: sudo apt-get -u install libc6
Does the Ubuntu update apply to Debian 7 (Wheezy) as well?
Thanks for your support.
Yes, the update applies to Debian.
oh, man this is the best and very helpful i love it.
oh, man this is the best and very helpful i love it. can you help me to install the glibc vulnerability package on centos 6.