LinuxQuestions.org
Old 02-16-2016, 10:26 AM   #1
ReaperX7
LQ Guru
 
Registered: Jul 2011
Location: California
Distribution: Slackware64-Current
Posts: 6,446
Blog Entries: 15

Exclamation glibc security patch cve-2015-7547


https://sourceware.org/ml/libc-alpha.../msg00416.html

Not sure if this affects Slackware, but I figured I'd share anyways.
 
Old 02-16-2016, 11:11 AM   #2
GazL
Senior Member
 
Registered: May 2008
Posts: 4,964
Blog Entries: 15

Yep, was just reading about this one. Patch hasn't made it into glibc.git yet as far as I can tell, but hopefully it won't be too long. Remote code injection via dns responses is definitely right up there in the "brown-trousers" category.
 
Old 02-16-2016, 06:14 PM   #3
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 3,972

nice reading material: http://arstechnica.com/security/2016...es-vulnerable/
 
Old 02-16-2016, 07:04 PM   #4
CTM
Member
 
Registered: Apr 2004
Distribution: Slackware
Posts: 301

This is terrifying on a number of levels.
 
1 members found this post helpful.
Old 02-16-2016, 07:12 PM   #5
GazL
Senior Member
 
Registered: May 2008
Posts: 4,964
Blog Entries: 15

Quote:
Maintainers of glibc, as the open source library is called, released an update that patches the vulnerability
So where's the release? All I see is what looks like a patch submitted to the mailing list for review. Still no commits on git master or release/2.22/master for this. Am I missing something, or have Ars jumped the gun on announcing availability of an update?
 
Old 02-16-2016, 08:45 PM   #6
CTM
Member
 
Registered: Apr 2004
Distribution: Slackware
Posts: 301

Quote:
Originally Posted by GazL View Post
So where's the release? All I see is what looks like a patch submitted to the mailing list for review. Still no commits on git master or release/2.22/master for this. Am I missing something, or have Ars jumped the gun on announcing availability of an update?
Ars confused a patch with a release: the developers don't think an immediate fix for this is important, given that the next stable release (which will address CVE-2015-7547) is planned to take place in a couple of days anyway.

edit: I hear that some vendors (Red Hat, Debian) have now released their own custom builds that include this patch.

Last edited by CTM; 02-16-2016 at 10:37 PM.
 
2 members found this post helpful.
Old 02-16-2016, 10:58 PM   #7
willysr
Senior Member
 
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 3,972

it has been pushed to master
https://sourceware.org/ml/libc-alpha.../msg00425.html
 
1 members found this post helpful.
Old 02-17-2016, 04:41 AM   #8
GazL
Senior Member
 
Registered: May 2008
Posts: 4,964
Blog Entries: 15

Hold the phone!...

https://sourceware.org/ml/libc-alpha.../msg00416.html:
Quote:
The buffer overflow occurs in the function send_dg (UDP) and send_vc
(TCP) for the NSS module libnss_dns.so.2 when calling getaddrinfo with
AF_UNSPEC family and in some cases also with AF_INET6 before the fix in
commit 8479f23a (only use gethostbyname4_r if PF_UNSPEC).

The use of AF_UNSPEC triggers the low-level resolver code to send out
two parallel queries for A and AAAA. A mismanagement of the buffers used
for those queries could result in the response writing beyond the alloca
allocated buffer created by __res_nquery.
source/l/glibc/glibc-2.10-dns-no-gethostbyname4.diff.gz:
Code:
The gethostbyname4() lookup method is problematic since it fires out both
the A and AAAA DNS queries in parallel and over the same socket. This
should work in theory, but it turns out that many cheap DSL modems and
similar devices have buggy DNS servers - if the AAAA query arrives too
quickly after the A query, the server will generate only a single reply
with the A query id but returning an error for the AAAA query; we get
stuck waiting for the second reply.

For gethostbyname4() users affected, disabling IPv6 in the system might
work around the issue, unfortunately it only helps with applications
using AI_ADDRCONFIG (e.g. Firefox); some (notably e.g. Pidgin) neglect
to do that.

Real fix should be using separate ports for the A and AAAA queries.

--- resolv/Versions     2008-08-02 10:26:09.000000000 +0200
+++ resolv/Versions     2008-12-08 12:51:53.000000000 +0100
@@ -102,7 +102,7 @@ libnss_dns {
     _nss_dns_gethostbyname_r; _nss_dns_getnetbyaddr_r;
     _nss_dns_getnetbyname_r; _nss_dns_getcanonname_r;
     _nss_dns_gethostbyaddr2_r;
-    _nss_dns_gethostbyname4_r;
+#    _nss_dns_gethostbyname4_r;
   }
 }
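Review bot: the hunk disables `_nss_dns_gethostbyname4_r` by commenting the line out (`#    _nss_dns_gethostbyname4_r;`) in the `libnss_dns` block of the version script rather than deleting it, so the function stays compiled into the module and is merely no longer exported; the header above describes this as a workaround ("Real fix should be using separate ports for the A and AAAA queries"), so it would help to state there that the intended effect is to make the NSS lookup of `gethostbyname4_r` fail so callers fall back to the older per-family lookup, and to name the condition under which the patch can be dropped, otherwise a lone `#` line in a version script reads like an accident.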
Am I right in thinking that our patch is disabling these troublesome parallel queries anyway?

edit: To answer my own question; No, I don't think it is. It might mitigate for that second case they mentioned, but I think getaddrinfo() is still a concern. Though I freely admit all this library versioning stuff is a little over my head. Still, interesting to note the comments in that 8 year old patch and how this parallel lookup issue has come back to bite us.

edit2: Actually, strike that. I'm still not sure one way or the other.

Last edited by GazL; 02-17-2016 at 11:57 AM.
 
5 members found this post helpful.
Old 02-17-2016, 10:35 AM   #9
hitest
Guru
 
Registered: Mar 2004
Location: Prince Rupert, B.C., Canada
Distribution: Slackware, OpenBSD
Posts: 5,728

Quote:
Originally Posted by ReaperX7 View Post
https://sourceware.org/ml/libc-alpha.../msg00416.html

Not sure if this affects Slackware, but I figured I'd share anyways.
Thanks for the heads-up, mate. Yes. I just read about that on the interwebz.
 
Old 02-17-2016, 05:16 PM   #10
Altiris
Member
 
Registered: Mar 2013
Posts: 556

So, will a patch be issued for Slackware? Or is it somehow not vulnerable? To my knowledge all glibc versions from a certain release and up are vulnerable.
 
Old 02-17-2016, 06:11 PM   #11
volkerdi
Slackware Maintainer
 
Registered: Dec 2002
Location: Minnesota
Distribution: Slackware! :-)
Posts: 1,695

Quote:
Originally Posted by Altiris View Post
So, will a patch be issued for Slackware? Or is it somehow not vulnerable? To my knowledge all glibc versions from a certain release and up are vulnerable.
While I'm still investigating this, it's looking like we're somehow not vulnerable because of the patch mentioned by GazL. The proof of concept exploit does not work on any version of Slackware unless that patch (glibc-2.10-dns-no-gethostbyname4.diff.gz) is removed and glibc is recompiled. The patch came from openSUSE long ago, and was also used by Debian at one time, but we seem to be the only ones who still apply it. I've had two requests in email to remove the patch since glibc had supposedly fixed the issue that prompted it, but left it in place anyway. Maybe luck, maybe slack.

I do have patches for CVE-2015-7547 that I'll apply to -current anyway, although the exploit doesn't work there either. I attempted a few backports and have a finished one for 14.1, but the code in question has been a moving target over the years so if we got lucky and aren't vulnerable I'd say it's safer to issue no patches for stable versions.

Here's the PoC exploit code for anyone who is interested. You need to run the Python "nameserver" and point resolv.conf at it. Then the client test (or almost anything else that does a DNS lookup via glibc) should segfault.

https://github.com/fjserna/CVE-2015-7547

Further testing is appreciated.
 
18 members found this post helpful.
Old 02-18-2016, 03:26 AM   #12
haary
Member
 
Registered: Apr 2015
Posts: 49

Confirmed: PoC does not work with 14.1 and -current (32 bit). It worked with an unpatched Debian 7 and CentOS 6.
 
3 members found this post helpful.
Old 02-18-2016, 05:20 AM   #13
GazL
Senior Member
 
Registered: May 2008
Posts: 4,964
Blog Entries: 15

While I could see early on that we weren't exporting the symbol for the function necessary to exploit this vulnerability, it took me a while to figure out how all this was working (glibc seems to be a bit of a maze of twisty tunnels all alike!), which is why I may have seemed a little uncertain in my posting above: basically, I was!

Turns out that the posix version of getaddrinfo.c essentially does this:
Code:
/* posix getaddrinfo.c, simplified: ask the NSS module for its
   gethostbyname4_r entry point; nip is the current NSS service */
fct4 = __nss_lookup_function (nip, "gethostbyname4_r");
if (fct4 != NULL)
  {
    /* symbol exported by the module: use gethostbyname4_r, which sends
       the A and AAAA queries in parallel over one socket */
  }
else
  {
    /* symbol not exported (our Versions patch): fall back to
       gethostbyname3_r, one address family per lookup */
  }
So, mystery solved.


IMO Pat is right to patch current as the underlying overflows are still present and alternative vectors for exploiting them might show up in the future, but Pat's "slackness" with regard to removing the dns patch does seem to have resulted in us dodging a pretty nasty bullet!

Three cheers for His Slackness... Hip Hip!
 
10 members found this post helpful.
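The two posts above (the commented-out `_nss_dns_gethostbyname4_r` in the Versions patch, and the getaddrinfo() snippet showing that the parallel-query path is only taken when that symbol can be looked up) suggest a simple local check: does the installed libnss_dns.so.2 export the symbol or not? The script below is an added example for this thread, not code from glibc, Slackware or any poster. It assumes GNU binutils `nm` is on PATH and that libnss_dns.so.2 lives in one of the directories in CANDIDATE_GLOBS (assumed paths, adjust to taste); the embedded `nm -D` samples are constructed to show both outcomes.

```python
"""Report whether a libnss_dns.so.2 exports _nss_dns_gethostbyname4_r.

Added example for this thread; it is not code from glibc, Slackware or any
poster.  It assumes GNU binutils `nm` is on PATH and that libnss_dns.so.2
sits in one of the directories listed in CANDIDATE_GLOBS (assumed paths).
"""
import glob
import subprocess

# The symbol the Slackware Versions patch comments out.
SYMBOL = "_nss_dns_gethostbyname4_r"

# Assumed locations of the NSS DNS module; adjust for your layout.
CANDIDATE_GLOBS = [
    "/lib/libnss_dns.so.2",
    "/lib64/libnss_dns.so.2",
    "/lib/*/libnss_dns.so.2",
    "/usr/lib/libnss_dns.so.2",
    "/usr/lib64/libnss_dns.so.2",
    "/usr/lib/*/libnss_dns.so.2",
]

# Constructed `nm -D` output standing in for a module built with the
# no-gethostbyname4 patch (addresses and version tags are made up).
SAMPLE_PATCHED = """\
                 U __res_context_query@GLIBC_PRIVATE
                 w __cxa_finalize@GLIBC_2.2.5
0000000000001a40 T _nss_dns_gethostbyaddr2_r@@GLIBC_PRIVATE
0000000000001f00 T _nss_dns_gethostbyname3_r@@GLIBC_PRIVATE
0000000000002340 T _nss_dns_gethostbyname_r@@GLIBC_PRIVATE
"""

# Constructed output for the same module without the patch: the
# gethostbyname4_r entry point is exported as well.
SAMPLE_UNPATCHED = SAMPLE_PATCHED + (
    "0000000000002900 T _nss_dns_gethostbyname4_r@@GLIBC_PRIVATE\n"
)


def exported_symbols(nm_output: str) -> set:
    """Return the defined, global symbol names from `nm -D` output.

    nm prints "<value> <type> <name>" for defined symbols and "<type> <name>"
    for undefined ones.  An uppercase type letter means global; "U" means
    undefined.  Version suffixes (name@@VER) are stripped so callers can
    compare plain names.
    """
    names = set()
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) != 3:          # header, blank or undefined-symbol line
            continue
        _value, kind, name = parts
        if kind.isupper() and kind != "U":
            names.add(name.split("@", 1)[0])
    return names


def parallel_lookup_path_enabled(nm_output: str) -> bool:
    """True when getaddrinfo's __nss_lookup_function("gethostbyname4_r")
    would succeed, i.e. the parallel A/AAAA query path is reachable."""
    return SYMBOL in exported_symbols(nm_output)


def find_libnss_dns():
    """First libnss_dns.so.2 found in the assumed locations, or None."""
    for pattern in CANDIDATE_GLOBS:
        matches = sorted(glob.glob(pattern))
        if matches:
            return matches[0]
    return None


def check_library(path: str) -> bool:
    """Run `nm -D` on the module at `path` and report the export status."""
    result = subprocess.run(["nm", "-D", path], capture_output=True,
                            text=True, check=True)
    return parallel_lookup_path_enabled(result.stdout)


if __name__ == "__main__":
    lib = find_libnss_dns()
    if lib is None:
        print("libnss_dns.so.2 not found in the assumed locations")
    elif check_library(lib):
        print(f"{lib}: {SYMBOL} is exported; getaddrinfo() with AF_UNSPEC "
              "will use the parallel gethostbyname4_r path")
    else:
        print(f"{lib}: {SYMBOL} is not exported; getaddrinfo() falls back "
              "to gethostbyname3_r (one address family per lookup)")
```

Read the result as "which code path is in use", not as a vulnerability verdict: a glibc that carries the upstream fix for CVE-2015-7547 exports the symbol and is expected to, while a build that hides it (as Slackware's patch does) simply never reaches the parallel-query code that the PoC relies on, even though, as GazL notes, the underlying overflows in send_dg/send_vc are still present until patched.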
Old 02-18-2016, 06:00 AM   #14
GazL
Senior Member
 
Registered: May 2008
Posts: 4,964
Blog Entries: 15

BTW, as for the existing dns patch going forward, it might be worth keeping it until they fix this:
https://sourceware.org/bugzilla/show_bug.cgi?id=19646

Yes, they've just opened a bug report for the issue the comments in our 8 year old patch are referring to.
The mind boggles.
 
2 members found this post helpful.
Old 02-18-2016, 03:05 PM   #15
qweasd
Member
 
Registered: May 2010
Posts: 613

Quote:
Originally Posted by GazL View Post
IMO Pat is right to patch current as the underlying overflows are still present and alternative vectors for exploiting them might show up in the future, but Pat's "slackness" with regard to removing the dns patch does seem to have resulted in us dodging a pretty nasty bullet!

Three cheers for His Slackness... Hip Hip!
Oh absolutely. There are basically just two approaches to a simple and stable OS: the Slackware way and... Sorry, I am too lazy to finish this thought, but you get the idea.
 
  


All times are GMT -5. The time now is 02:20 AM.
