libc6 flaw worry

**utu** · 02-23-2016, 01:06 AM

.
I expressed my concern about the following news item to Klaus K:
http://www.eweek.com/security/linux-...libc-flaw.html

His comment on this was the following:

Me too, since all glibc >= 2.9 versions till today are affected, with
the glibc on Knoppix being no exception.

For exploiting the vulnerability, the attacker must own the directly
queried DNS server (i.e. the users access point, or the ISPs DNS server)
and send manipulated DNS replies from there, or be able to hijack TCP
connections, and in most cases, programs will just crash on the
getaddrinfo() library call, but code injection on the stack may be
possible. Though an attack isn't really easy, it's a real possibility.

The easy commandline method (for USB flash disk users) for fixing the
problem, thanks to debian's quick reaction in the unstable branch, would be:

sudo apt-get update ; sudo apt-get install -t unstable libc6
which also updates libc6 dependencies.

I did this on my Knoppix 7.6.1 LiveUSB, and it updated my libc6 to 2.21.0,
and didn't take up much space on my reiserfs persistence.

IMO, it may be wise to make this interim correction, since updating the
whole 4Gb Knoppix iso might not happen right away.