This week's Linux vulnerbility: GHOST

  • 2.1 < glibc < 2.18 affected.

    Lines 85-86 compute the size_needed to store three (3) distinct entities in buffer: host_addr, h_addr_ptrs, and name (the hostname). Lines 88-117 make sure the buffer is large enough: lines 88-97 correspond to the reentrant case, lines 98-117 to the non-reentrant case.

    Lines 121-125 prepare pointers to store four (4) distinct entities in
    buffer: host_addr, h_addr_ptrs, h_alias_ptr, and hostname. The sizeof
    (*h_alias_ptr) -- the size of a char pointer -- is missing from the
    computation of size_needed.

    Source code to compile presented to test your system included if you're so inclined.

  • Already updated all my Centoses. Seems serious, but much less panic surrounding this one than the other recent ones.


    $ apt-cache show libc6 | grep Provides
    Provides: glibc-2.19-1
    Provides: glibc-2.19-1
    Provides: glibc-2.19-1
    $ cat /etc/lsb-release
    DISTRIB_DESCRIPTION="Linux Mint 17.1 Rebecca"

    By extension, Ubuntu 14.10 should be fine at least. Need to check if any of my Debian machines don't have testing repos enabled (damned PostgreSQL, need 9.2+ but stable repos only have 9.1 still), they might be behind.

Log in to reply

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.