Hi,
you may have noticed CVE-2015-0235 as Glibc (GHOST) security issue these days.
Debian Wheezy (and Squeeze LTS) as well as other Linux distributions have provided security upgrades already; but maybe in case you have to patch an old Debian Lenny distribution you might find it useful, that I’ve fixed and recompiled the latest official Debian Lenny glibc v2.7 with the latest CVE-2015-0235 patch provided for Debian Wheezy and Squeeze LTS.
You may grab the binaries here: https://4ufiles.flo.sh/glibc/debian-lenny/
In order to test the vulnerability you may use the ghost tool (source file GHOST.c included).
If you did upgrade the right glibc libaries the result should look like this:
[00:06:24] root@[…]: /usr/src/ghost> ./ghost
not vulnerable
UPDATE: Binaries for a patched Debian Lenny glibc6 v2.7 on i386 and amd64 architecture are available now.
-Flo
Hi,
Can you give steps to do manual patching for lenny? Im quite not familiar to manual patch because I know there are so many service using glibc.
Thank you
Take a look which glibc packets you have in use, i.e. by running:
ls -al /var/lib/dpkg/info/libc6*.list /var/lib/dpkg/info/glibc*.list /var/lib/dpkg/info/locales*.list 2>/dev/null
Download the updated, patched packages and install the .deb files manually by using:
dpkg -i [filename]
I had to download an execute the following commands to secure my Debian Lenny i386 systems:
dpkg -i libc6_2.7-18lenny8_i386.deb libc6-dev_2.7-18lenny8_i386.deb locales_2.7-18lenny8_all.deb
Prior and after running the procedure above download and run the tiny test program “ghost”. If everything worked fine the final test result should look like this:
[03:55:49] root@[…]: /usr/src/ghost> ./ghost
not vulnerable
-Flo
thanks Sounds good.
Is there a deb for 64bit?
Hi Martin,
I’ve compiled the patched debs on an i386 system, but the amd64 files should be fine I guess.
Let me know if you run into any trouble using these files…
-Flo
Thanks,
i have 2.6.26-2-amd64
but with
dpkg –install libc6-amd64_2.7-18lenny7_i386.deb
i get:
Package architecture ( i386) does not match system ( amd64)
There are two subdirectories now; i386 and amd64 to resolve this issue.
Patching the amd64 arch successfully may work like this for you:
d094d0223d11:/usr/src/ghost# ./ghost
vulnerable
d094d0223d11:/usr/src/ghost# dpkg -i libc6-dev-i386_2.7-18lenny8_amd64.deb libc6-dev_2.7-18lenny8_amd64.deb libc6-i386_2.7-18lenny8_amd64.deb libc6_2.7-18lenny8_amd64.deb locales_2.7-18lenny8_all.deb
(Reading database … 14322 files and directories currently installed.)
Preparing to replace libc6-dev-i386 2.7-18lenny7 (using libc6-dev-i386_2.7-18lenny8_amd64.deb) …
Unpacking replacement libc6-dev-i386 …
Preparing to replace libc6-dev 2.7-18lenny7 (using libc6-dev_2.7-18lenny8_amd64.deb) …
Unpacking replacement libc6-dev …
Preparing to replace libc6-i386 2.7-18lenny7 (using libc6-i386_2.7-18lenny8_amd64.deb) …
Unpacking replacement libc6-i386 …
Preparing to replace libc6 2.7-18lenny7 (using libc6_2.7-18lenny8_amd64.deb) …
Unpacking replacement libc6 …
Selecting previously deselected package locales.
Unpacking locales (from locales_2.7-18lenny8_all.deb) …
Setting up libc6 (2.7-18lenny8) …
Processing triggers for man-db …
Setting up libc6-dev (2.7-18lenny8) …
Setting up libc6-i386 (2.7-18lenny8) …
Setting up locales (2.7-18lenny8) …
Generating locales (this might take a while)…
Generation complete.
Setting up libc6-dev-i386 (2.7-18lenny8) …
d094d0223d11:/usr/src/ghost# ./ghost
not vulnerable
There is more than one .deb package in your repo. Can You explain how to install using dpkg on standard lenny ?
Hi Chris,
depends if you have installed Debian Lenny using i386 or amd64 architecture. You may check that using the “uname -a” command.
I had to download and install the following packets to secure my Debian Lenny i386 standard systems, but that may differ for your installation of course:
dpkg -i libc6_2.7-18lenny8_i386.deb libc6-dev_2.7-18lenny8_i386.deb locales_2.7-18lenny8_all.deb
-Flo
This two does not match AMD architecture.
libc6_2.7-18lenny8_i386.deb
libc6-dev_2.7-18lenny8_i386.deb
also this two does not match AMD Architecture
libc6-amd64_2.7-18lenny8_i386.deb
libc6-dev-amd64_2.7-18lenny8_i386.deb
Can You explain how to compile a simple package from source, pls 🙂
Ok, thx.
(1)
On Debian Lenny i386 I’ve compiled the sources using:
apt-get source libc6apt-get build-dep libc6
(2)
Download the additional patch file cvs-gethostbyname.diff and copy it to the sub directory glibc-2.7/debian/patches/any/
echo 'any/cvs-gethostbyname.diff -p1' >> glibc-2.7/debian/patches/seriescat << EOF > glibc-2.7/debian/changelog.new
glibc (2.7-18lenny8) stable-security; urgency=high
* Fix CVE-2015-0235 (GHOST)
-- Chris Thu, 31 Jan 2015 09:23:48 +0100
EOF
cat glibc-2.7/debian/changelog >> glibc-2.7/debian/changelog.new && mv glibc-2.7/debian/changelog.new glibc-2.7/debian/changelog
cd glibc-2.7
dpkg-buildpackage -j4
… ok, this step may take quite some time, now and needs at least about 2GB free disk space!
Note: You may change the “-j4” option to the number of CPU cores you have installed to speed up compilation time.
Would be nice if you could upload or provide me the packets compiled for the Debian Lenny amd64 architecture for download for other users affected by this issue,
-Flo
Great!!!
Works, how can i check which services i have to restart?
lsof | grep libc
some shows
/lib/libc-2.7.so
some
/lib/libc-2.7.so (path inode=516114)
is there a difference?
Try running to following command to find out all services relying on glibc:
lsof | grep libc | awk '{print $1}' | sort | uniqProbably it’s a good idea to reboot the system at a maintenance window instead of restarting all the individual services 😉
Is it a good idea to backup some files before compilation ? What range of files should be backed up?
As you compile the sources within a dedicated directory it is not neccessary to backup any special files.
Just create a new directory und run all the commands in this directory i.e.
cd /usr/srcmkdir ghost
cd ghost
If anything does not work as expected you simply have to remove the directory and you’re done.
What a great job! Thank you very much. It has been by far the best way to patch our lenny’s.
Thank you again for sharing it!!!
this package is ONLY for i386, can someone compile it for amd64 ??’
ok, seems more users than expected are still using Debian Lenny amd64.
As I have only used i386 in production I ran a docker lenny snapshot and recompiled the patched glibc6 v2.7 binaries for amd64.
These are available at the amd64 subdirectory, now.
Have fun, -Flo
Dumb question maybe… Will that install on Ubuntu 8.04 (Hardy)? It also has libc 2.7, and I think, but I’m not sure, that they can use the same deb?
Hi Blake,
can you find out which libc6 version (or file versions) are currently installed on Ubuntu Hardy?
I guess Ubuntu used the base system of Debian but I’m not sure if Ubuntu did add some fancy additional patches to their libc 2.7 package.
In order to find out you may download a copy of the sources using apt-get source glibc and share the result with us.
Using Debian the result looks like this:
[02:02:58] [...]@roadrunner: /tmp/huhu> apt-get source glibc
Reading package lists... Done
Building dependency tree
Reading state information... Done
Skipping already downloaded file 'glibc_2.7-18lenny7.dsc'
Need to get 16.1MB of source archives.
Get:1 http://archive.debian.org lenny/main glibc 2.7-18lenny7 (tar) [15.4MB]
Get:2 http://archive.debian.org lenny/main glibc 2.7-18lenny7 (diff) [754kB]
Fetched 10.0MB in 2s (4661kB/s)
gpg: Signature made Fri Jan 7 22:59:26 2011 CET using RSA key ID 02D524BE
gpg: Can't check signature: public key not found
dpkg-source: extracting glibc in glibc-2.7
dpkg-source: info: unpacking glibc_2.7.orig.tar.gz
dpkg-source: info: applying glibc_2.7-18lenny7.diff.gz
[02:03:20] [...]@roadrunner: /tmp/huhu> md5sum *
md5sum: glibc-2.7: Is a directory
fc37287edcb8dd6c95196bf08a2f8c64 glibc_2.7-18lenny7.diff.gz
08dfb8b9eed3b92d5b26fab6f66c9b94 glibc_2.7-18lenny7.dsc
8816fbab13a072c0ccef6640c9d20833 glibc_2.7.orig.tar.gz
Hi Flo,
Excellent. Amazing job!. And thanks a lot to share it.
Have a great day!
Hugo
Pingback: How to patch CVE-2015-0235 (GHOST) on Debian Lenny and Squeeze? – segmentfault