GHOST / gethostbyname() Remote Exploit



kung foo man
27th January 2015, 23:48
Hey all, a new bug in Linux, yey (thanks to php for pointing me to it).

A small collection of stuff:

https://news.ycombinator.com/item?id=8953545

Updating libc6 (I had to update like 200 MB for 32-bit and 21 MB for 64-bit):



apt-get update
apt-get install libc6
apt-get install libc6-amd64


Now here comes the issue: even after updating the 64-bit libs, the CVE-source was still showing "vulnerable". I figured out WHY, and saw that the libc.so.6 link was pointing to 2.14, BUT 2.13 is the newest version:



# /lib/x86_64-linux-gnu/libc-2.13.so = THE NEW ONE
# /lib/x86_64-linux-gnu/libc-2.14.so = THE OLD ONE, even though it's a higher version...
ln -sf /lib/x86_64-linux-gnu/libc-2.13.so /lib/x86_64-linux-gnu/libc.so.6


Another way is to rename libc-2.14.so to IGNORE_libc-2.14.so (as a backup) and call:

ldconfig
It will automatically update the libc.so.6 link to the "latest" .so-file.


Check version 32-bit:



# /lib32/libc.so.6
GNU C Library (Debian EGLIBC 2.13-38+deb7u7) stable release version 2.13, by Roland McGrath et al.
Copyright (C) 2011 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 4.4.7.
Compiled on a Linux 3.2.65 system on 2015-01-26.
Available extensions:
crypt add-on version 2.1 by Michael Glad and others
GNU Libidn by Simon Josefsson
Native POSIX Threads Library by Ulrich Drepper et al
BIND-8.2.3-T5B
libc ABIs: UNIQUE IFUNC
For bug reporting instructions, please see:
<http://www.debian.org/Bugs/>.



Check version 64-bit:



# ldd CVE-2015-0235
linux-vdso.so.1 => (0x00007fff28dff000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f380bade000)
/lib64/ld-linux-x86-64.so.2 (0x00007f380be74000)
# /lib/x86_64-linux-gnu/libc.so.6
GNU C Library (Debian EGLIBC 2.13-38+deb7u7) stable release version 2.13, by Roland McGrath et al.
Copyright (C) 2011 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 4.4.7.
Compiled on a Linux 3.2.65 system on 2015-01-26.
Available extensions:
crypt add-on version 2.1 by Michael Glad and others
GNU Libidn by Simon Josefsson
Native POSIX Threads Library by Ulrich Drepper et al
BIND-8.2.3-T5B
libc ABIs: UNIQUE IFUNC
For bug reporting instructions, please see:
<http://www.debian.org/Bugs/>.




After the update: restart the whole server or at least every public service (email, webserver, mysql...) like:



/etc/init.d/apache2 restart
/etc/init.d/mongodb restart
/etc/init.d/lighttpd restart
/etc/init.d/mysql restart
/etc/init.d/postfix restart
/etc/init.d/couchdb restart
/etc/init.d/proftpd restart
/etc/init.d/ssh restart



Source for testing (64-bit):



wget https://gist.githubusercontent.com/koelling/ef9b2b9d0be6d6dbab63/raw/de1730049198c64eaf8f8ab015a3c8b23b63fd34/gistfile1.c
gcc gistfile1.c -o CVE-2015-0235
./CVE-2015-0235
not vulnerable


32-bit:


# gcc gistfile1.c -o CVE-2015-0235 -m32
# ./CVE-2015-0235
not vulnerable


Collection of all info is welcome.
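The restart step above matters because a running daemon keeps the old libc mapped until it is restarted. The following is an added example, not part of the original post: it lists processes that still map a libc file that has since been replaced on disk, so you can see which services were missed. The function names are hypothetical; it assumes a Linux /proc, where the kernel appends "(deleted)" to a mapped file that has been unlinked.

```shell
#!/bin/sh
# Added example (not from the original post): find processes that still
# run on a libc that was replaced on disk by the package update.
# Assumption: Linux marks an unlinked mapped file with " (deleted)" at the
# end of its line in /proc/PID/maps.

# Matches libc-2.13.so style names and a plain libc.so.6 file.
STALE_LIBC_RE='/libc(-[0-9.]+\.so|\.so\.6) \(deleted\)$'

# maps_has_stale_libc FILE
# Returns 0 if FILE (in /proc/PID/maps format) maps a deleted libc.
maps_has_stale_libc() {
    grep -Eq "$STALE_LIBC_RE" "$1" 2>/dev/null
}

# stale_libc_pids [PROC_ROOT]
# Prints "PID NAME" for every process under PROC_ROOT (default /proc)
# that still maps a deleted libc. Run as root to see all processes.
stale_libc_pids() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if maps_has_stale_libc "$maps"; then
            dir=${maps%/maps}
            pid=${dir##*/}
            name=$(cat "$dir/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}

# Scan the live system only when asked to: sh thisfile.sh --scan
case "${1:-}" in
    --scan) stale_libc_pids /proc ;;
esac
```

Every process it prints still needs a restart; empty output means nothing visible to your user is using the old library.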

kung foo man
28th January 2015, 15:59
Ok, for some reason I woke up and the game servers were down...

Had to reinstall gcc / mysql dev stuff:



apt-get install libmysqlclient-dev:i386
apt-get install g++-multilib


The "funny" thing was, when I installed libmysqlclient-dev:i386, it removed g++-multilib, hence the reinstall.