356

Root access vulnerability in glibc library impacts many Linux distros (securityaffairs.com)

submitted 8 months ago by joojmachine@lemmy.ml to c/linux@lemmy.ml

68 comments fedilink hide all child comments

top 50 comments

sorted by: hot top controversial new old

[-] henfredemars@infosec.pub 156 points 8 months ago

For your convenience:

The researchers pointed out that the vulnerability cannot be exploited remotely. An attacker can trigger the issue by providing crafted inputs to applications that employ these [syslog] logging functions [in apps that allow the user to feed crafted data to those functions].

This is a privilege escalation.

[-] db2@lemmy.world 52 points 8 months ago

The hero we need."; DROP TABLE "users";

[-] acockworkorange@mander.xyz 7 points 8 months ago

If it isn't little Bobby Tables again.

[-] atzanteol@sh.itjust.works 4 points 8 months ago

This may be difficult to exploit in practice - I don't think most user applications use syslog.

[-] Tja@programming.dev 3 points 8 months ago

Unless you have user access to a system with gcc on it.

[-] Markaos@lemmy.one 9 points 8 months ago

You still need some privileged process to exploit. Glibc code doesn't get any higher privileges than the rest of the process. From kernel's point of view, it's just a part of the program like any other code.

So if triggering the bug in your own process was enough for privilege escalation, it would also be a critical security vulnerability in the kernel - it can't allow you to execute a magic sequence of instructions in your process and become a root, that completely destroys any semblance of process / user isolation.

[-] shadowintheday2@lemmy.world 97 points 8 months ago

"A qsort vulnerability is due to a missing bounds check and can lead to memory corruption. It has been present in all versions of glibc since 1992. "

This one amazes me. Imagine how many vulnerabilities future researchers will discover in ancient software that persisted/persist for decades.

[-] PlexSheep@feddit.de 66 points 8 months ago* (last edited 8 months ago)

That's not the main part of the article, just a footnote, for anyone wondering.

The flaw resides in the glibc’s syslog function, an attacker can exploit the flaw to gain root access through a privilege escalation.

The vulnerability was introduced in glibc 2.37 in August 2022.

[-] i18nde@lemmy.ml 9 points 8 months ago

So, it must be with the BSDs too?

load more comments (2 replies)

[-] MonkderZweite@feddit.ch 3 points 8 months ago

Wait, why has a compiler system log functionlity?

[-] StefanT@lemmy.world 22 points 8 months ago

glibc is a library, gcc is the compiler.

[-] PlexSheep@feddit.de 5 points 8 months ago

You are probably confusing the glibc with gcc and g++. Glibc is an implementation of the C standard library, made by GNU (thats where the g in the name comes from).

If you were to look into it, it uses the syscalls to tell the underlying computer system what to do when you call functions, such as printf.

If you want to read more, see here

[-] xlash123@sh.itjust.works 34 points 8 months ago

C is just crazy. You accidentally forget to put the bounds in a sorting function, and now you are root.

[-] kaputt@sh.itjust.works 6 points 8 months ago

According to the link in the article, the qsort() bug can only be triggered with a non-transitive cmp() function. Would such a cmp function ever be useful?

[-] Giooschi@lemmy.world 4 points 8 months ago

You don't necessarily have to write a non-transitive cmp() function willingly, it may happen that you write one without realizing due to some edge cases where it's not transitive.

[-] Atemu@lemmy.ml 59 points 8 months ago

Security-critical C and memory safety bugs. Name a more iconic duo...

I'd have kinda preferred for public disclosure to have happened after the fix propagated to distros. Now we get to hurry the patch to end-users which isn't always easily possible. Could we at least have a coordinated disclosure time each month? That'd be great.

[-] mariusafa@lemmy.sdf.org 33 points 8 months ago

glibc is great, but holy shit the source code is obscured into oblivion, so hard to understand, with hardcoded optimizations, and compiler optimizations. I understand how difficult is to find vulnerabilities. A bit sad that the only C lib truely free software is so hard to actually read its code or even contribute to it.

[-] leopold@lemmy.kde.social 23 points 8 months ago* (last edited 8 months ago)

For what it's worth, glibc is very much performance-critical, so this shouldn't be a surprise. Any possible optimization is worth it.

There are a ton of free software libc implementations outside of glibc. I think most implementations of libc are free software at this point. There's Bionic, the BSD libcs, musl, the Haiku libc, the OpenSolaris/OpenIndiana libc, Newlib, relibc, the ToaruOS libc, the SerenityOS libc and a bunch more. Pretty sure Wine/ReactOS also have free implementations of the Windows libc.

load more comments (1 replies)

[-] azvasKvklenko@sh.itjust.works 7 points 8 months ago* (last edited 8 months ago)

Eventually it’ll be easier to create a compatible drop-in replacement than maintain the decades old code, if it isn’t already

[-] FooBarrington@lemmy.world 11 points 8 months ago

Unlikely, unless you drop backwards compatibility for undefined behaviour. Unless you write a complete specification on it, you'll end up either breaking old stuff, or slowly rebuilding the same problems.

[-] Octopus1348@lemy.lol 3 points 8 months ago

Like what's happening to X. Wayland is replacing it.

[-] deadcream@sopuli.xyz 3 points 8 months ago

Wayland is not a drop-in replacement tho. It's like if glibc developers declared it obsolete and presented a "replacement" that has a completely different API and has 1/100 of glibc functionality and a plugin interface. And then all the dozens of Linux distros have to write all the plugins from scratch to add back missing functionality and do it together in perfect cooperation so that they remain compatible with each other.

[-] tsonfeir@lemm.ee 30 points 8 months ago

Debian (versions 12 and 13), Ubuntu (23.04 and 23.10), and Fedora (37 to 39). Other distributions are probably also impacted.

[-] possiblylinux127@lemmy.zip 13 points 8 months ago

Patch time

[-] gayhitler420@lemm.ee 4 points 8 months ago

12 and 13 have patches out in the security repo. Apt update && apt upgrade fixed it right up.

[-] fhein@lemmy.world 4 points 8 months ago* (last edited 8 months ago)

https://security-tracker.debian.org/tracker/CVE-2023-6246

Don't know if Fedora has any similar easy way of tracking vulnerabilities

[-] mariusafa@lemmy.sdf.org 23 points 8 months ago

Imagine all the vulnerabilities that privative and low reviewed code has...

[-] melroy@kbin.melroy.org 22 points 8 months ago

Let's go Musl!

[-] unreachable@lemmy.world 15 points 8 months ago

meanwhile rust

load more comments (1 replies)

[-] mariusafa@lemmy.sdf.org 5 points 8 months ago

Yeah Musl is pretty good to learn C libs but the main red flag is the MIT Licence

load more comments (8 replies)

load more comments (7 replies)

[-] Zucca@sopuli.xyz 18 points 8 months ago

Yikes.

I'd switch to musl on all of my boxes if it weren't that nearly all precompiled software (closed source, games mainly) are compiled against glibc.

[-] Falcon@lemmy.world 4 points 8 months ago

Just use flatpak and podman, in a punch you can proot into a different system / zfs data set / btrfs sublime

load more comments (3 replies)

[-] corsicanguppy@lemmy.ca 11 points 8 months ago

Not affected

etc.

[-] Unyieldingly@lemmy.world 3 points 8 months ago

Ubuntu 22.04 LTS, Linux Mint etc as well. also this is a local one, so not many people care.

[-] gayhitler420@lemm.ee 11 points 8 months ago* (last edited 8 months ago)

I replied to another comment with this, but Debian 12(stable, bookworm) and 13(testing, trixie) are affected by this but 12(stable, bookworm) has a patch out in the security repo.

If you wanna know wether or not you’re affected,

apt list libc

will show your version and the one you want is 2.36-9+deb12u4

If you don’t have that,

apt update && apt upgrade

will straighten you out

13(testing, trixie) has 2.37, but it’s not fixed yet.

E: Edited to use apt list instead of apt show.

[-] const_void@lemmy.ml 5 points 8 months ago

Glad I only run Alpine

load more comments

this post was submitted on 31 Jan 2024

356 points (100.0% liked)

Linux

47865 readers

1159 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

nooter692@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz