glibc stack-based buffer overflow. What you need to know: UPDATE

Pedro Venda 24 Feb 2016

If you’re responsible for maintaining any type of Linux host, surely you’ve heard of the recent glibc bug and critical vulnerability CVE-2015-7547 (my colleague Andrew wrote about it earlier).

This is Google’s write-up: https://googleonlinesecurity.blogspot.co.uk/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

So, you’ve patched and rebooted everything, right?

If not, go do it now and follow the cheat sheet below to make things easier:

| Distribution | Package | Patched version | Advisory |
|---|---|---|---|
| Red Hat | glibc | Too many variations to list – see advisory and corresponding errata document | https://access.redhat.com/security/cve/cve-2015-7547 |
| Ubuntu 12.04 LTS | libc6 | 2.15-0ubuntu10.13 | http://www.ubuntu.com/usn/usn-2900-1/ |
| Ubuntu 14.04 LTS | libc6 | 2.19-0ubuntu6.7 | http://www.ubuntu.com/usn/usn-2900-1/ |
| Ubuntu 15.10 | libc6 | 2.21-0ubuntu4.1 | http://www.ubuntu.com/usn/usn-2900-1/ |
| Debian 6 (squeeze) | eglibc | 2.11.3-4+deb6u11 | https://security-tracker.debian.org/tracker/CVE-2015-7547 |
| Debian 7 (wheezy) | eglibc | 2.13-38+deb7u10 | https://security-tracker.debian.org/tracker/CVE-2015-7547 |
| Debian 8 (jessie) | glibc | 2.19-18+deb8u3 | https://security-tracker.debian.org/tracker/CVE-2015-7547 |
| SuSE (SLES 11 or later) | glibc | Too many variations to list – see advisory | https://www.suse.com/security/cve/CVE-2015-7547.html |
| Gentoo | sys-libs/glibc | 2.21-r2 | https://security.gentoo.org/glsa/201602-02 |
Do keep in mind that glibc is just about the single most fundamental and core C library of your system – all packages link to it, statically (less likely) or dynamically (more likely). A patch like this should have little to no impact on the system, but there is no safety net!

Any distribution-maintained package should be fine with this kind of upgrade (that is what a package management system exists for), but any custom-developed software might need more careful consideration.
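Two checks that go with the cheat sheet and the note above, as an added example that is not part of the original post: one compares the installed libc package version with the patched version from the table, the other finds processes that are still running on a libc that has since been replaced on disk (the package upgrade does not touch them, so until they are restarted, or the host is rebooted, they keep the old code). The sample `/proc/<pid>/maps` lines are constructed for the self-check, not captured from a real host; the function and script names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): post-patch checks for CVE-2015-7547.
#  1. version_ge: is the installed glibc package at or above the cheat-sheet version?
#  2. stale_libc_maps / scan_stale_libc: which processes still map a libc whose
#     file has been replaced on disk? They need a restart (or a reboot).

# version_ge INSTALLED REQUIRED -> exit 0 if INSTALLED >= REQUIRED.
# Uses dpkg's own comparator on Debian/Ubuntu; otherwise falls back to `sort -V`,
# which orders the digit runs in the versions from the table correctly.
version_ge() {
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --compare-versions "$1" ge "$2"
  else
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
  fi
}

# stale_libc_maps: read one process's /proc/<pid>/maps on stdin, print the libc
# mappings that point at a deleted file and exit 0 if there is at least one.
stale_libc_maps() {
  grep -E '/libc(-[0-9.]+)?\.so[0-9.]* \(deleted\)$'
}

# scan_stale_libc: walk every visible process and report PID and command line
# for those still mapping a replaced libc. Needs read access to /proc/<pid>/maps
# (root sees everything; an unprivileged user only sees their own processes).
scan_stale_libc() {
  for maps in /proc/[0-9]*/maps; do
    pid=${maps#/proc/}
    pid=${pid%/maps}
    if stale_libc_maps < "$maps" >/dev/null 2>&1; then
      printf '%s\t%s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    fi
  done
}

# installed_libc_version: print the installed glibc package version, or nothing
# when neither dpkg-query nor rpm is available.
installed_libc_version() {
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f '${Version}' libc6 2>/dev/null
  elif command -v rpm >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' glibc 2>/dev/null | head -n 1
  fi
}

# Constructed /proc/<pid>/maps lines (not captured from a real host), used as a
# self-check of the pattern above: the first is a replaced libc, the second is not.
SAMPLE_STALE='7f1c2a000000-7f1c2a1c0000 r-xp 00000000 08:01 131090   /lib/x86_64-linux-gnu/libc-2.19.so (deleted)'
SAMPLE_FRESH='7f1c2a000000-7f1c2a1c0000 r-xp 00000000 08:01 131099   /lib/x86_64-linux-gnu/libc-2.19.so'

# Usage: sh glibc_check.sh REQUIRED_VERSION   (e.g. 2.19-0ubuntu6.7 on Ubuntu 14.04)
if [ -n "${1:-}" ]; then
  inst=$(installed_libc_version)
  if [ -z "$inst" ]; then
    echo "could not determine the installed glibc package version"
  elif version_ge "$inst" "$1"; then
    echo "glibc $inst is at or above $1"
  else
    echo "glibc $inst is OLDER than $1 - patch now"
  fi
  echo "processes still mapping a replaced libc (restart or reboot):"
  scan_stale_libc
fi
```

Run it with the patched version for your distribution as the only argument. Note that a statically linked binary carries its own copy of glibc and never shows up in the maps scan; that is the "custom developed software" case that needs a rebuild rather than a package upgrade.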

If you forget everything else in this post, remember this: “Go patch glibc now!”