Root access vulnerability in glibc library impacts many Linux distros

joojmachine@lemmy.ml · 1 year ago

Root access vulnerability in glibc library impacts many Linux distros

shadowintheday2@lemmy.world · 1 year ago

"A qsort vulnerability is due to a missing bounds check and can lead to memory corruption. It has been present in all versions of glibc since 1992. "

This one amazes me. Imagine how many vulnerabilities future researchers will discover in ancient software that persisted/persist for decades.

xlash123@sh.itjust.works · 1 year ago

C is just crazy. You accidentally forget to put the bounds in a sorting function, and now you are root.

kaputt@sh.itjust.works · 1 year ago

According to the link in the article, the qsort() bug can only be triggered with a non-transitive cmp() function. Would such a cmp function ever be useful?

Giooschi@lemmy.world · 1 year ago

You don’t necessarily have to write a non-transitive cmp() function willingly, it may happen that you write one without realizing due to some edge cases where it’s not transitive.

Atemu@lemmy.ml · 1 year ago

Security-critical C and memory safety bugs. Name a more iconic duo…

I’d have kinda preferred for public disclosure to have happened after the fix propagated to distros. Now we get to hurry the patch to end-users which isn’t always easily possible. Could we at least have a coordinated disclosure time each month? That’d be great.

tsonfeir@lemm.ee · 1 year ago

Debian (versions 12 and 13), Ubuntu (23.04 and 23.10), and Fedora (37 to 39). Other distributions are probably also impacted.

ffhein@lemmy.world · edit-2 1 year ago

https://security-tracker.debian.org/tracker/CVE-2023-6246

Don’t know if Fedora has any similar easy way of tracking vulnerabilities

gayhitler420@lemm.ee · 1 year ago

12 and 13 have patches out in the security repo. Apt update && apt upgrade fixed it right up.

UnfortunateShort@lemmy.world · 1 year ago

That’s why you need to rock and roll

(Arch btw.)

ouch@lemmy.world · 1 year ago

Try having unattended-upgrades with a rolling distro.

Ricky Rigatoni@lemm.ee · 1 year ago

I don’t want unattended upgrades >:/

shadowintheday2@lemmy.world · 1 year ago

Just don’t upgrade for a while and you become debian

It’s not like windows forcing you to reboot every Tuesday so Edge can come back

Ricky Rigatoni@lemm.ee · 1 year ago

you shouldn’t be throwing boots through your windows

gayhitler420@lemm.ee · edit-2 1 year ago

I replied to another comment with this, but Debian 12(stable, bookworm) and 13(testing, trixie) are affected by this but 12(stable, bookworm) has a patch out in the security repo.

If you wanna know wether or not you’re affected,

apt list libc

will show your version and the one you want is 2.36-9+deb12u4

If you don’t have that,

apt update && apt upgrade

will straighten you out

13(testing, trixie) has 2.37, but it’s not fixed yet.

E: Edited to use apt list instead of apt show.

NGC2346@sh.itjust.works · 1 year ago

Local attacker

Important detail

as i said on reddit

const_void@lemmy.ml · 1 year ago

Glad I only run Alpine

atzanteol@sh.itjust.works · edit-2 1 year ago

“GNU Library C?”

Rustmilian@lemmy.world · 1 year ago

GNU C Library(glibc) as apposed to C Library (libc).

atzanteol@sh.itjust.works · 1 year ago

Who calls it “GNU Library C” though?