Root access vulnerability in glibc library impacts many Linux distros
Root access vulnerability in glibc library impacts many Linux distros
Qualys researchers discovered a root access flaw, tracked as CVE-2023-6246, in GNU Library C (glibc) affecting multiple Linux distributions.
For your convenience:
The researchers pointed out that the vulnerability cannot be exploited remotely. An attacker can trigger the issue by providing crafted inputs to applications that employ these [syslog] logging functions [in apps that allow the user to feed crafted data to those functions].
This is a privilege escalation.
"A qsort vulnerability is due to a missing bounds check and can lead to memory corruption. It has been present in all versions of glibc since 1992. "
This one amazes me. Imagine how many vulnerabilities future researchers will discover in ancient software that persisted/persist for decades.
That's not the main part of the article, just a footnote, for anyone wondering.
The flaw resides in the glibc’s syslog function, an attacker can exploit the flaw to gain root access through a privilege escalation.
The vulnerability was introduced in glibc 2.37 in August 2022.
C is just crazy. You accidentally forget to put the bounds in a sorting function, and now you are root.
According to the link in the article, the qsort() bug can only be triggered with a non-transitive cmp() function. Would such a cmp function ever be useful?
You don't necessarily have to write a non-transitive cmp() function willingly, it may happen that you write one without realizing due to some edge cases where it's not transitive.
Security-critical C and memory safety bugs. Name a more iconic duo...
I'd have kinda preferred for public disclosure to have happened after the fix propagated to distros. Now we get to hurry the patch to end-users which isn't always easily possible. Could we at least have a coordinated disclosure time each month? That'd be great.
Public disclosure is typically done 90 days after Deva are privately notified. That should be enough time for security-critical bugs.
They did follow that. You can read their disclosure timeline in their report.
Problem is that the devs of glibc aren't the only people interested in getting glibc patched but us distro maintainers too.
What I would have preferred would be an early private disclosure to the upstream maintainers and then a public but intentionally unspecific disclosure with just the severity to give us distro people some time to prepare a swift rollout when the full disclosure happens and the patch becomes public.
Alternatively, what would be even better would have been to actually ship the patch in a release but not disclose its severity (or even try to hide it by making it seem like a refactor or non-security relevant bugfix) until a week or two later; ensuring that any half-decent distro release process and user upgrade cycle will have the patch before its severity is disclosed. That's how the Linux kernel does it AFAIK and it's the most reasonable approach I've seen.
Maybe,
Early disclosure is meant to get private interests to take a vulnerability seriously?
glibc is great, but holy shit the source code is obscured into oblivion, so hard to understand, with hardcoded optimizations, and compiler optimizations. I understand how difficult is to find vulnerabilities. A bit sad that the only C lib truely free software is so hard to actually read its code or even contribute to it.
For what it's worth, glibc is very much performance-critical, so this shouldn't be a surprise. Any possible optimization is worth it.
There are a ton of free software libc implementations outside of glibc. I think most implementations of libc are free software at this point. There's Bionic, the BSD libcs, musl, the Haiku libc, the OpenSolaris/OpenIndiana libc, Newlib, relibc, the ToaruOS libc, the SerenityOS libc and a bunch more. Pretty sure Wine/ReactOS also have free implementations of the Windows libc.
Glibc has extensions that fragment compatibility. If Glibc is replaced by another libc, some apps prints an error, or don't work. I noticed that on Alpine.
Eventually it’ll be easier to create a compatible drop-in replacement than maintain the decades old code, if it isn’t already
Debian (versions 12 and 13), Ubuntu (23.04 and 23.10), and Fedora (37 to 39). Other distributions are probably also impacted.
Patch time
https://security-tracker.debian.org/tracker/CVE-2023-6246
Don't know if Fedora has any similar easy way of tracking vulnerabilities
12 and 13 have patches out in the security repo. Apt update && apt upgrade fixed it right up.
Imagine all the vulnerabilities that privative and low reviewed code has...
Let's go Musl!
The vulnerability is on logs, and that has nothing related to the library. Even less with the language...
The vulnerability is in the library's logging function, which is coded in the C language. musl is also C (afaik), it's just a more modern, safer rewrite of libc.
I'm not sure what you mean by a "vulnerability in the logs". In a logger or parser, sure, but did you think text data at rest was able to reach out and attack your system?
Yikes.
I'd switch to musl on all of my boxes if it weren't that nearly all precompiled software (closed source, games mainly) are compiled against glibc.
Just use flatpak and podman, in a punch you can proot into a different system / zfs data set / btrfs sublime
So this means you need either Alpine repos or compile everything yourself?
Void offers musl too. Unless they've discontinued it.
But
compile everything yourself?
I do (almost) exactly that. I run Gentoo almost everywhere. The 'almost' is because Gentoo now offers an official bin repository too, so I can mix compiled and pre-compiled software. (Although you've always had the option to set up your own binary host).
Don't forget Chimera Linux ( not to be confused with Chimeraos)!
That's why you need to rock and roll
(Arch btw.)
Try having
unattended-upgradeswith a rolling distro.Man, I do this all the time. snapper and grub-btrfs has enabled all kinds of amazing things. I'm so close to just doing:
$ sudo crontab -l * * 3 * * pacman -Syu --no-confirmI've got separate offline backups and rescue disks, but I'm pretty confident that grub-btrfs will let me recover pretty quickly.
I replied to another comment with this, but Debian 12(stable, bookworm) and 13(testing, trixie) are affected by this but 12(stable, bookworm) has a patch out in the security repo.
If you wanna know wether or not you’re affected,
apt list libc
will show your version and the one you want is 2.36-9+deb12u4
If you don’t have that,
apt update && apt upgrade
will straighten you out
13(testing, trixie) has 2.37, but it’s not fixed yet.
E: Edited to use apt list instead of apt show.
RedHat and related: https://access.redhat.com/security/cve/CVE-2023-6246
Not affected
Not affected
Not affected
etc.
Ubuntu 22.04 LTS, Linux Mint etc as well. also this is a local one, so not many people care.
Local attacker
Important detail
as i said on reddit
Glad I only run Alpine
"GNU Library C?"
I'd just like to interject for a moment. What you call "GNU Library C" is actually GNU with Linux library C and some C++ for those nifty templates, or as we like to call it "GNU/Linux Library C/C++". Which, to be honest, it's more like "GNU/Linux Library C/C-with-Classes" the way they're teaching it at school, oh well.
Carry on.
GNU C Library(glibc) as apposed to C Library (libc).
Who calls it "GNU Library C" though?
