glibc vulnerability in newer versions.

Other_Cody
Joined: 12/20/2023

https://forums.hyperbola.info/viewtopic.php?id=1018
shows newer versions of glibc may have vulnerability problems.

Hyperbola uses 2.30, I think, and Trisquel uses, as seen from apt-get, 2.35-0ubuntu3.6+11.0trisquel1, I think.

This issue affects glibc 2.37 and newer.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6779
https://nvd.nist.gov/vuln/detail/CVE-2023-6779

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6780
https://nvd.nist.gov/vuln/detail/CVE-2023-6780

Also

https://blog.qualys.com/vulnerabilities-threat-research/2024/01/30/qualys-tru-discovers-important-vulnerabilities-in-gnu-c-librarys-syslog

shows in part.

For the first vulnerability (CVE-2023-6246), a significant security flaw has been identified in the GNU C Library’s __vsyslog_internal() function, affecting syslog() and vsyslog(). This heap-based buffer overflow vulnerability was inadvertently introduced in glibc 2.37 (August 2022) and subsequently backported to glibc 2.36 while addressing a different, less severe vulnerability (CVE-2022-39046). Major Linux distributions like Debian (versions 12 and 13), Ubuntu (23.04 and 23.10), and Fedora (37 to 39) are confirmed to be vulnerable. This flaw allows local privilege escalation, enabling an unprivileged user to gain full root access, as demonstrated in Fedora 38.

Magic Banana
Joined: 07/24/2010

Why do you file a bug to the Trisquel project (and also create a thread here) while knowing no version of Trisquel is affected? You wrote it: the "issue affects glibc 2.37 and newer" and "Trisquel uses, as seen from apt-get 2.35-0ubuntu3.6+11.0trisquel1".

andyprough
Joined: 02/12/2015

@Illusionist Banana - >"You wrote it: the "issue affects glibc 2.37 and newer" and "Trisquel uses, as seen from apt-get 2.35-0ubuntu3.6+11.0trisquel1".

To be fair, 2.35+3.6+11.0+1 = 17.95, which is higher than 2.37. So, I think other-other-cody has a point.

Magic Banana
Joined: 07/24/2010

Lol.

Other_Cody
Joined: 12/20/2023

Also lol.

I did not know if anyone at Trisquel heard about this yet, but I know "Upstream" Debian and Ubuntu may be confirmed to be vulnerable.

As Trisquel may get some code from Ubuntu and Ubuntu I think gets code from Debian, I did not know if I could somehow help by reporting it, if it was not already known.

And the forum post was in case a discussion about how to handle this was better to be done here instead of or also with an issue report, so anyone with a forum account could also give suggestions and/or help about how this can be handled, before any LTS got near an end.

As reporting sooner than later could help more people look at the code to try and help fix any problem.

In software development, Linus's law is the assertion that "given enough eyeballs, all bugs are shallow". The law was formulated by Eric S. Raymond in his essay and book The Cathedral and the Bazaar (1999), and was named in honor of Linus Torvalds.[1][2]

A more formal statement is: "Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix obvious to someone." Presenting the code to multiple developers with the purpose of reaching consensus about its acceptance is a simple form of software reviewing. Researchers and practitioners have repeatedly shown the effectiveness of reviewing processes in finding bugs and security issues.[3]

https://en.wikipedia.org/wiki/Linus's_law

Also I could add "given enough hands, all bugs may be patched faster, in ways more people may like, and less typing for the main developers".

Maybe this is like the

https://trisquel.info/en/forum/how-willdoes-trisquel-handle-non-free-things-upstream

as I did not know what was the best way Trisquel could or does handle any problems upstream.

Ark74
Joined: 07/15/2009

> I did not know if anyone at Trisquel heard about this yet, but I know "Upstream" Debian and Ubuntu may be confirmed to be vulnerable.

Please, when talking about security vulnerabilities, don't leave things to speculation, use quotes, and above all use security tracker information from Debian/Ubuntu, as that relates directly to our case.

Using some other distro information may drastically change from Trisquel's case, and you can have a clear view of the status.

Regards

Magic Banana
Joined: 07/24/2010

Just to be clear. The status is: the bug in the GNU C Library was fixed a month ago and no version of Ubuntu suffers from it anymore.

Other_Cody
Joined: 12/20/2023

Possible fixes or at least documentation about this is at

Commit 6cdc44214253a74e7140d75a7ebfc900820a5fa8

in the git repository of

https://sourceware.org/git/glibc.git

as it shows what may be fixes to CVE-2023-6246, CVE-2023-6779, and CVE-2023-6780.

I think the fixes are the 3 commits before that commit.

Thank you all for helping me find more information about the bugs and fixes.

I did not check that code yet, so I do not yet know how those were fixed.