New 'Looney Tunables' Linux bug gives root on major distros
New 'Looney Tunables' Linux bug gives root on major distros
From BeepingComputer.
A new Linux vulnerability known as 'Looney Tunables' enables local attackers to gain root privileges by exploiting a buffer overflow weakness in the GNU C Library's ld.so dynamic loader.
It’s always memory management
It’s always memory management
No wonder everyone's crazy about Rust.
It's certainly why it is being used to build browsers and OSs now. Those are places were memory management problems are a huge problem. It probably doesn't make sense for every match 3 game to be made in Rust, but when errors cause massive breaches or death, it's a lot safer than C++, taking human faulability into account.
Didn't Microsoft do a study on security vulnerabilities and found that the overwhelmingly number of bugs was due to memory management?
I think you're referring to this: https://www.zdnet.com/article/microsoft-70-percent-of-all-security-bugs-are-memory-safety-issues/
I think it was actually that the overwhelmingly number of bugs was due to
memoryMicrosoft management
See? All code sucks.
It says "sysadmins should prioritise patching", but... has it been patched yet?
Just like…make a patch. It’s not that hard lol /j
To show you the power of Flex Tape, I sawed this library in half!
Yes, most of the major distributions have package updates with the fix. A few people have mentioned updates for Arch, Debian, and RedHat already.
Ubuntu released an update yesterday as well:
https://launchpad.net/ubuntu/+source/glibc/2.35-0ubuntu3.4
Ubuntu derivatives such as Pop!_OS should have also received this update, along with the X11 patches.
I wonder if this could be used to root previously unrootable Android based devices.
Android doesn't use glibc, but Bionic, a C standard library developed by Google. So I don't think this vulnerability affects Android.
Think Android uses Bionic instead of glibc (where the vulnerability is being exploited).
Just got some glibc updates in Arch yesterday. I wonder if they contain fixes for this.
Makes me wonder. LMDE got a glibc update too and Mint is very much not leading edge when it comes to non-critical updates.
Case in point, at roughly the same time as the glibc update, we (LMDE users) were upgraded to the latest Thunderbird, 115.3.1, four or five days after that sub-version came out. That's the sort of lag we generally see. (115.x was a bit of a surprise too as we've been on 102.x, but that's not strictly relevant here.)
Ran nala after seeing this post and got a libc update on Debian myself
Wonder if musl is fine. If so,Void people are certainly having fun now.
Sometimes I wonder if vulnerability research teams do more harm than good. This vulnerability became possible due to a commit in 2021, but no one has seen it exploited before. But, now that it's been widely announced, it "creates" a new surface vector for malicious actors to attack that previously wouldn't have been known to exist.
That being said, I know that more sophisticated attackers have entire arsenals of vulnerabilities not yet publicly discovered that they keep close to their chest, and this could've been one of them. Cybersecurity is an exhausting field.
Distro developers were notified a month ago. At least Redhat and Debian have have published fixed versions. This is common procedure.
Security through obscurity is never good.
It's better that vulnerabilities be discussed openly. In general, people knowing the truth allows them to make better decisions.
It's not only the good guys that find vulnerabilities. There're many states and companies (selling to those governments) as well as regular criminal organizations paying people for vulnerabilities and exploits.
If the issue wasn't reported, it is likely that it would have been found by someone else at some point. It might even be known already, but just not reported.