PDA

View Full Version : libc6 flaw worry



utu
02-23-2016, 01:06 AM
.
I expressed my concern about the following news item to Klaus K:
http://www.eweek.com/security/linux-systems-patched-for-critical-glibc-flaw.html

His comment on this was the following:


Me too, since all glibc >= 2.9 versions till today are affected, with
the glibc on Knoppix being no exception.

For exploiting the vulnerability, the attacker must own the directly
queried DNS server (i.e. the users access point, or the ISPs DNS server)
and send manipulated DNS replies from there, or be able to hijack TCP
connections, and in most cases, programs will just crash on the
getaddrinfo() library call, but code injection on the stack may be
possible. Though an attack isn't really easy, it's a real possibility.

The easy commandline method (for USB flash disk users) for fixing the
problem, thanks to debian's quick reaction in the unstable branch, would be:

sudo apt-get update ; sudo apt-get install -t unstable libc6
which also updates libc6 dependencies.

I did this on my Knoppix 7.6.1 LiveUSB, and it updated my libc6 to 2.21.0,
and didn't take up much space on my reiserfs persistence.

IMO, it may be wise to make this interim correction, since updating the
whole 4Gb Knoppix iso might not happen right away.

utu
02-23-2016, 01:29 AM
Should read updated to libc6 2.21-9, not 2.21.0.

utu
05-13-2016, 06:02 PM
Regarding libc6...

http://www.linux-magazine.com/Issues/2016/187/Ask-Klaus

You don't need to buy the article, just see the first post here.