Glibc Patch for getaddrinfo() vulnerability


I have been seeing a lot about the newly discovered vulnerability in the glibc library which can be exploited (albeit with difficulty) by attackers.

Here is a (fire and brimstone) article on the subject:
http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/

I understand the nature of the vulnerability, but I have to admit I get a bit lost when reading the patch solution. It seems that several steps need to be taken on the machine, but it says a "patch" is attached to the email.

Where is the patch exactly?

https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html

I apologize, but I am not a Linux system engineer (aptitude and yum are my homeboys).

Unfortunately, I manage a few sites for clients mostly on Amazon Linux, which I have read may be susceptible as well – let's assume they are.

I just want to make sure I secure the boxes. I am probably capable of applying the patch, but I think I get confused by the glibc mail archive.

Can anyone shed some light on it, i.e. put it in a language us lowly front-end web devs can understand?

I know this is new/evolving; I'm sure better docs will be available in the coming days.

Thanks in advance.

Best Answer

If you're using any reasonably well-supported distribution, you don't need the original patch itself. Most distributions would have updated libc by now, and pushed it to their repositories, and all you need to do is use the package manager to upgrade libc. (If they haven't done so by now, seriously consider switching distributions.) And this is indeed the case with Amazon Linux. From their security bulletins:

[C]ustomers using Amazon EC2 who’ve modified their configurations to use non-AWS DNS infrastructure should update their Linux environments immediately following directions provided by their Linux distribution. EC2 customers using the AWS DNS infrastructure are unaffected and don’t need to take any action.

For Amazon EC2 customers using Amazon Linux and who’ve modified their configuration to use non-AWS DNS infrastructure:

A fix for CVE-2015-7547 has been pushed to the Amazon Linux AMI repositories, with a severity rating of Critical. Instances launched with the default Amazon Linux configuration on or after 2016/02/16 will automatically include the required fix for this CVE.

The patch, if you want to look at it, is the part that begins with diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c in the email:

CVE-2015-7547

2016-02-15  Carlos O'Donell

    [BZ #18665]
    * resolv/nss_dns/dns-host.c (gaih_getanswer_slice): Always set
    *herrno_p.
    (gaih_getanswer): Document functional behaviour. Return tryagain
    if any result is tryagain.
    * resolv/res_query.c (__libc_res_nsearch): Set buffer size to zero
    when freed.
    * resolv/res_send.c: Add copyright text.
    (__libc_res_nsend): Document that MAXPACKET is expected.
    (send_vc): Document. Remove buffer reuse.
    (send_dg): Document. Remove buffer reuse. Set *thisanssizp to set the
    size of the buffer. Add Dprint for truncated UDP buffer.

diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
index a255d5e..47cfe27 100644
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -1031,7 +1031,10 @@ gaih_getanswer_slice (const querybuf *answer, int anslen, const char *qname,
   int h_namelen = 0;

   if (ancount == 0)
-    return NSS_STATUS_NOTFOUND;
+    {
+      *h_errnop = HOST_NOT_FOUND;
+      return NSS_STATUS_NOTFOUND;
+    }

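Review bot: the ChangeLog entry above says gaih_getanswer_slice now "Always set *herrno_p", but the hunk writes to *h_errnop; the two names should agree so that readers can match the log entry to the parameter actually being set. The change itself is sound for the ancount == 0 path: before it, the early return NSS_STATUS_NOTFOUND left the caller's h_errno untouched, so the caller could act on a stale or uninitialised error value; setting *h_errnop = HOST_NOT_FOUND before the return closes that.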
...