[ALUG] GHOST GLIBC LIBRARY VULNERABILITY

Andreas Tauscher ta at geuka.net
Thu Jan 29 14:24:22 EAT 2015


On 01/28/2015 at 12:50 PM, Kambey L. Kisambu via Linux wrote:
> Hello Linux/System Admins,
> 
> If you are running CentOS or a RedHat based OS then kindly update the
> glibc library ASAP, as there is a glibc vulnerability as below:-
> 
> View in a Web Browser
> <http://app.engage.redhat.com/e/es.aspx?s=1795&e=525492&elq=b9bd25708d3b41e59e6ea64e0f71e791>
> Red Hat
> <http://app.engage.redhat.com/e/er?s=1795&lid=1265&elq=b9bd25708d3b41e59e6ea64e0f71e791>

The impact of this CVE is relative.

The bug is already 15 years old. It first appeared in glibc 2.2 and was
fixed in January 2013 [1] by a SuSE programmer. But it was not realised
to be a security threat, so nobody anywhere backported this patch. glibc
2.18 or later is not vulnerable.
Google patched it in April last year [2], but why they did not inform
the glibc developers: who knows....

It hits only distributions with a conservative software selection.
The major distributions affected are:
Debian 7 (Wheezy) (update available since yesterday)
Ubuntu 12.04 LTS (already updated on the 24th)
Red Hat Enterprise Linux (RHEL) 6 and 7 (update available since the 25th)
and CentOS 6 and 7 (should be patched already)

gethostbyname() is a deprecated function.
gethostbyname() is not IPv6 capable.
gethostbyname() is not Thread-Safe
gethostbyname() is not Async-Signal-Safe
gethostbyname() is not Async-Cancel-Safe

Replacements are: getaddrinfo() and getnameinfo().

Using gethostbyname() has been complete nonsense for many years.

Postfix, sendmail, Dovecot, Apache and Nginx, NodeJS, MySQL, OpenSSH,
GnuPG and Samba are reported by Qualys to be vulnerable. But it is not
clear which versions they checked.
But they must be explicitly compiled without IPv6 support, or be really
stone-age versions.

For example from Wietse Venema:

"Postfix does not use gethostbyname() since 2002. You have to explicitly
compile Postfix for pre-IPv6 systems with -DNO_IPV6 to enable the
gethostbyname() calls.

Some library function might use gethostbyname(). I have no control over
that."

Just checked dovecot. I found only one usage of gethostbyname(), and this
will only be active if you use solr/lucene as index/search engine and
your setup is really broken anyway.

The advice to programmers:
* Never trust any input.
* Have warnings enabled and check them when compiling. The compiler is
not throwing them just to fill the log files.
gcc is throwing a "warning: gethostbyname is obsolescent, use
getnameinfo() instead." since at least version 4.5
* Reading the changelogs is never a bad idea. There you get information
a long time before it reaches the official documentation.

Andreas

[1]
https://sourceware.org/git/?p=glibc.git&a=commit&h=d5dd6189d506068ed11c8bfa1e1e9bffde04decd
[2]
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/7738d06627941a2119ba15f3472320c5cecc7be6%5E!/#F0
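
The replacement recommended in the message above, shown as an added example (not code from the original post or from any project it mentions): a lookup through getaddrinfo()/getnameinfo() with a length bound on the untrusted input. The names resolve_first and MAX_HOST_INPUT are hypothetical, and the sample inputs are constructed.

```c
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define MAX_HOST_INPUT 255  /* longer input cannot be a valid DNS name */

/* resolve_first() is a hypothetical helper written for this example.
 * It resolves `host` and writes the first address in numeric form to `out`.
 * Returns AF_INET or AF_INET6 on success, -1 on any failure.
 * flags: AI_NUMERICHOST forbids DNS lookups (keeps the demo offline);
 *        0 resolves names through the normal resolver. */
int resolve_first(const char *host, int flags, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    int family = -1;

    /* "Never trust any input": bound the length before it reaches libc. */
    if (host == NULL || host[0] == '\0' || strlen(host) > MAX_HOST_INPUT)
        return -1;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;     /* IPv4 and IPv6, unlike gethostbyname() */
    hints.ai_socktype = SOCK_STREAM; /* one entry per address */
    hints.ai_flags = flags;

    /* Results are allocated per call: no shared static struct hostent. */
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return -1;

    /* getnameinfo() is told the exact size of the caller's buffer. */
    if (getnameinfo(res->ai_addr, res->ai_addrlen, out, (socklen_t)outlen,
                    NULL, 0, NI_NUMERICHOST) == 0)
        family = res->ai_family;
    freeaddrinfo(res);
    return family;
}

int main(void)
{
    /* Constructed sample inputs, all numeric so no network is needed. */
    const char *samples[] = { "127.0.0.1", "::1", "not-an-address" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int fam = resolve_first(samples[i], AI_NUMERICHOST, buf, sizeof buf);
        printf("%-16s -> %s\n", samples[i], fam == -1 ? "rejected" : buf);
    }
    return 0;
}
```

Passing 0 instead of AI_NUMERICHOST makes the same helper resolve real host names over both IPv4 and IPv6.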

