CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow

For the maintainers of glibc in the schmooze freepbx distro:

Do you know when you’re planning to release a patched glibc per CVE-2015-7547?

Referenced websites:

access.redhat.com/security/cve/cve-2015-7547

Packages in question that need updating:
glibc-headers-2.12-1.149.shmz65.1.1.x86_64
glibc-devel-2.12-1.149.shmz65.1.1.x86_64
glibc-common-2.12-1.149.shmz65.1.1.x86_64
glibc-2.12-1.149.shmz65.1.1.x86_64

Upgrade to the 10.13.66 track and you will get glibc right from upstream RHEL. The SHMZ one was back in an older version, as upstream was not patching for an older vuln fast enough, so we built our own.

Tony, I’m on 10.13.66 and nothing has shown up yet via yum update. I picked up updated glibc and other packages for another machine running CentOS 7 this morning.

If I look at http://mirror.centos.org/centos/6.6 it appears that it has been deprecated in favour of 6.7 and is no longer receiving updates. The readme file in that folder reads:

This directory (and version of CentOS) is deprecated. For normal users,
you should use /6/ and not /6.6/ in your path. Please see this FAQ
concerning the CentOS release scheme:

https://wiki.centos.org/FAQ/General

If you know what you are doing, and absolutely want to remain at the 6.6
level, go to http://vault.centos.org/ for packages.

Please keep in mind that 6.0, 6.1, 6.2, 6.3, 6.4, 6.5 and 6.6 no longer get any updates, nor
any security fixes.

If I understand your post, then the Distro is just picking up whatever updates are in the CentOS system for 6.6. If 6.6 has been deprecated, does this mean that we won’t see any more updates from CentOS and that this issue will remain unpatched?

Thanks for the reply and I am currently on 10.13.66-8.

# yum clean all
Loaded plugins: fastestmirror, kmod
Cleaning repos: base extras pbx schmooze-commercial updates
Cleaning up Everything
Cleaning up list of fastest mirrors
# yum update glibc
Loaded plugins: fastestmirror, kmod
Setting up Update Process
Determining fastest mirrors
base                                  | 2.0 kB     00:00
base/primary                          | 2.6 MB     00:02
base                                               6520/6520
extras                                | 1.3 kB     00:00
extras/primary                        |  15 kB     00:00
extras                                                 38/38
pbx                                   | 1.3 kB     00:00
pbx/primary                           | 477 kB     00:00
pbx                                                1982/1982
schmooze-commercial                   | 1.3 kB     00:00
schmooze-commercial/primary           |  25 kB     00:00
schmooze-commercial                                  165/165
updates                               | 1.3 kB     00:00
updates/primary                       | 1.4 MB     00:01
updates                                            1305/1305
No Packages marked for Update
#

No. As we have done before, we will upgrade you to 6.7 through upgrade scripts.

Andrew,
Thanks for the reply. Do you have a timeframe for a 6.7 upgrade? I don’t like having unpatched vulnerabilities on production systems if I can help it.
Greg

We have backported the glibc updates onto our 6.6 build. yum update will show them.
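A way to confirm on a box whether the installed glibc packages are at or above the fixed build, rather than trusting that yum will eventually show something: the following is an added example, not code from the thread or the FreePBX project. It reimplements rpm's version comparison in Python and applies it to the package names quoted earlier in the thread; the fixed RHEL 6 release it compares against is an assumption and should be checked against the vendor advisory for CVE-2015-7547.

```python
import re

# Constructed input: the glibc packages listed earlier in the thread, as `rpm -qa` would print them.
RPM_QA_OUTPUT = """\
glibc-headers-2.12-1.149.shmz65.1.1.x86_64
glibc-devel-2.12-1.149.shmz65.1.1.x86_64
glibc-common-2.12-1.149.shmz65.1.1.x86_64
glibc-2.12-1.149.shmz65.1.1.x86_64
"""

# Assumed (version, release) of the fixed RHEL 6 glibc; not stated in the thread, verify against the advisory.
FIXED_EVR = ("2.12", "1.166.el6_7.7")

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings the way rpmvercmp() does.
    Strings are split into runs of digits or letters (separators are ignored); numeric
    segments compare numerically and always rank above alphabetic ones; when one string
    runs out of segments first, the longer one is newer. Returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x_num != y_num:
            return 1 if x_num else -1  # numeric segment beats alphabetic segment
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1


def split_nvra(pkg: str):
    """Split 'name-version-release.arch' into (name, version, release, arch)."""
    nvr, arch = pkg.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def is_fixed(pkg: str, fixed_evr=FIXED_EVR) -> bool:
    """True if the package's version-release is at or above the fixed build."""
    _, version, release, _ = split_nvra(pkg)
    c = rpmvercmp(version, fixed_evr[0])
    if c == 0:
        c = rpmvercmp(release, fixed_evr[1])
    return c >= 0


def unpatched_glibc(rpm_qa_output: str, fixed_evr=FIXED_EVR):
    """Return the glibc* packages from `rpm -qa` output that are still below the fixed build."""
    pkgs = [line.strip() for line in rpm_qa_output.splitlines() if line.startswith("glibc")]
    return [p for p in pkgs if not is_fixed(p, fixed_evr)]
```

Run it against real `rpm -qa` output by piping that output in; a non-empty list means the host is still on a build older than the one assumed to carry the fix.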

Tony,

Thanks for providing the updated glibc packages. My understanding is that many apps that were compiled with the vulnerable glibc versions will need to be recompiled. Will those updated packages be backported as well?

Greg

I think your understanding is wrong.

In a later post, Qualys researchers enumerated apps they believed were not vulnerable. The list included Apache, Cups, Dovecot, GnuPG, isc-dhcp, lighttpd, mariadb/mysql, nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd, pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers, vsftpd, and xinetd.

Source: oss-sec: Re: Qualys Security Advisory CVE-2015-0235 - GHOST: glibc gethostbyname buffer overflow

Asterisk would be unaffected as well.

Andrew,

Thanks for correcting me. My information came from this article:

Some apps that were compiled with a vulnerable version of glibc will have to be recompiled with an updated version of the library, a process that will take time as users wait for fixes to become available from hardware manufacturers and app developers.

The widely used secure shell, sudo, and curl utilities are all known to be vulnerable, and researchers warn that the list of other affected apps or code is almost too diverse and numerous to fully enumerate. Using a proof-of-concept exploit released Tuesday, White was able to determine that the version of the Wget utility he uses to test and query Web servers was vulnerable. He said he suspects that the vulnerability extends to an almost incomprehensibly large body of software, including virtually all distributions of Linux; the Python, PHP, and Ruby on Rails programming languages; and many other things that use Linux code to look up the numerical IP address of an Internet domain. Most Bitcoin software is reportedly vulnerable, too.

So much for reliable information!

Greg

Hi Andrew!

This is normally true if you dynamically link, but I do believe you can statically link, which would result in having a binary with the vulnerability.

I am no gcc/glibc guru though…

Have a nice day!

Nick

What about an update for FreePBX 6.12.65, which appears to still be supported and offered for download? The glibc package here is glibc-2.12-1.149.shmz65.1.1.x86_64. Will those of us on the 6.12.65 track receive this security update?

Thank you,
Chris