Upgrading glibc for the GHOST Vulnerability
GHOST is a vulnerability that was announced on January 27th 2015, which affects the glibc library on Linux systems. This vulnerability affects all Linux distributions running versions of glibc older than 2.18, and exploits a buffer overflow in the __nss_hostname_digits_dots()
function. This guide will tell you how to safely upgrade your Linux distributions and secure your Linode against the GHOST vulnerability.
Affected Distributions/Versions
Patches are currently available for:
- Debian 7
- CentOS 6 & 7
- Ubuntu 12.04.
Distributions that are unaffected are as follows:
- Fedora 20 & 21
- Ubuntu 14.04 and 14.10
- Arch
- OpenSuse 13.2
Prior unsupported versions of the listed distributions may not have patches available. It is recommended to upgrade any systems still running unsupported distributions.
Checking Installed glibc version
You can check the version of glibc on your system using your package manager.
Debian and Ubuntu
To check the version of glibc on your system, run the following command. In the output, look for the line beginning with Version:
:
# aptitude show libc6
Package: libc6
State: installed
Automatically installed: no
Multi-Arch: same
Version: 2.13-38+deb7u6
Priority: required
Section: libs
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Architecture: amd64
Uncompressed Size: 9,687 k
Depends: libc-bin (= 2.13-38+deb7u6), libgcc1
Suggests: glibc-doc, debconf | debconf-2.0, locales
Conflicts: prelink (<= 0.0.20090311-1), tzdata (< 2007k-1), tzdata-etch
Breaks: locales (< 2.13), locales-all (< 2.13), lsb-core (<= 3.2-27), nscd (< 2.13)
Replaces: libc6-amd64
Provides: glibc-2.13-1
Description: Embedded GNU C Library: Shared libraries
Contains the standard libraries that are used by nearly all programs on the system. This package includes shared versions of the standard C library and the
standard math library, as well as many others.
Homepage: http://www.eglibc.org
On Debian 7 systems, versions of glibc earlier than 2.13-38+deb7u7
are vulnerable, and on Ubuntu 12.04, versions before 2.15-0ubuntu10.10
.
CentOS 6 & 7
To check the version of glibc on your system, run the following command. In the output, look for the line beginning with Release:
under the Installed Packages
heading:
# yum info glibc
....
Installed Packages
Name : glibc
Arch : x86_64
Version : 2.17
Release : 55.el7_0.1
Size : 13 M
Repo : installed
From repo : updates
Summary : The GNU libc libraries
URL : http://www.gnu.org/software/glibc/
License : LGPLv2+ and LGPLv2+ with exceptions and GPLv2+
Description : The glibc package contains standard libraries which are used by
: multiple programs on the system. In order to save disk space and
: memory, as well as to make upgrading easier, common system code is
: kept in one place and shared between programs. This particular package
: contains the most important sets of shared libraries: the standard C
: library and the standard math library. Without these two libraries, a
: Linux system will not function.
On CentOS 7 systems, versions of glibc before glibc-2.17-55.el7_0.5
are vulnerable, and on CentOS 6 versions before glibc-2.12-1.149.el6_6.5
.
Testing with GCC
The original security advisory for CVE-2015-0235 included the following code to test for the vulnerability. This method requires that you have gcc
installed on your system. If you don’t, you can install it from your package manager, or use the alternate check above.
-
Create a
GHOST.c
file with the following contents.- ~/GHOST.c
-
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38
#include <netdb.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <errno.h> # define CANARY "in_the_coal_mine" struct { char buffer[1024]; char canary[sizeof(CANARY)]; } temp = { "buffer", CANARY }; int main(void) { struct hostent resbuf; struct hostent *result; int herrno; int retval; /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/ size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1; char name[sizeof(temp.buffer)]; memset(name, '0', len); name[len] = '/0'; retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno); if (strcmp(temp.canary, CANARY) != 0) { puts("vulnerable"); exit(EXIT_SUCCESS); } if (retval == ERANGE) { puts("not vulnerable"); exit(EXIT_SUCCESS); } puts("should not happen"); exit(EXIT_FAILURE); }
-
Compile the script.
gcc GHOST.c -o GHOST
-
Execute the compiled GHOST script. Your terminal should print “vulnerable” or “not vulnerable” depending on your system’s status.
./GHOST
Installing the Upgrade
Below is the relevant information for upgrading glibc and ensuring that your Linode is no longer vulnerable to the bug. Each section is designed for individual distributions. The sections are written with the assumption that you have root access or sudo privileges. If you do not, you will not be able to run these commands.
Note
You will need to reboot after completing your upgrade to ensure that the vulnerable code no longer remains in your system memory. Once you have rebooted, we would recommend re-running the script created in the Testing with GCC section to confirm that the patch has been applied
Ubuntu and Debian
To upgrade glibc on Ubuntu and Debian, run these commands to update and upgrade via the package manager. If you are not running as the root user, prepend sudo
to each command:
Caution
If you have packages that have older dependencies, you may want to utilize apt-get with the upgrade flag, rather than dist-upgrade. This will prevent packages with older dependencies from being removed from your system. If using this method, be sure to check your command output to ensure that the patched version of glibc is actually installed.
apt-get update
apt-get dist-upgrade
CentOS and Fedora
To upgrade glibc on yum based systems such as CentOS and Fedora, run these commands to update and upgrade via the package manager. If you are not running as the root user, prepend sudo
to each command:
yum clean all
yum update
More Information
You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.
- CVE-2015-0235
Join our Community
Find answers, ask questions, and help others.
This guide is published under a CC BY-ND 4.0 license.