Debian lenny CVE-2015-0235 (glibc) patch

Debian lenny CVE-2015-0235 (glibc) patch

Hi,

you may have noticed CVE-2015-0235 as Glibc (GHOST) security issue these days.

Debian Wheezy (and Squeeze LTS) as well as other Linux distributions have provided security upgrades already; but maybe in case you have to patch an old Debian Lenny distribution you might find it useful, that I’ve fixed and recompiled the latest official Debian Lenny glibc v2.7 with the latest CVE-2015-0235 patch provided for Debian Wheezy and Squeeze LTS.

You may grab the binaries here: https://4ufiles.flo.sh/glibc/debian-lenny/

In order to test the vulnerability you may use the ghost tool (source file GHOST.c included).
If you did upgrade the right glibc libaries the result should look like this:
[00:06:24] root@[…]: /usr/src/ghost> ./ghost
not vulnerable

UPDATE: Binaries for a patched Debian Lenny glibc6 v2.7 on i386 and amd64 architecture are available now.

-Flo

21 thoughts on “Debian lenny CVE-2015-0235 (glibc) patch

  1. sympatiko

    Hi,

    Can you give steps to do manual patching for lenny? Im quite not familiar to manual patch because I know there are so many service using glibc.

    Thank you

    1. flo Post author

      Take a look which glibc packets you have in use, i.e. by running:
      ls -al /var/lib/dpkg/info/libc6*.list /var/lib/dpkg/info/glibc*.list /var/lib/dpkg/info/locales*.list 2>/dev/null

      Download the updated, patched packages and install the .deb files manually by using:
      dpkg -i [filename]

      I had to download an execute the following commands to secure my Debian Lenny i386 systems:
      dpkg -i libc6_2.7-18lenny8_i386.deb libc6-dev_2.7-18lenny8_i386.deb locales_2.7-18lenny8_all.deb

      Prior and after running the procedure above download and run the tiny test program “ghost”. If everything worked fine the final test result should look like this:
      [03:55:49] root@[…]: /usr/src/ghost> ./ghost
      not vulnerable

      -Flo

    1. flo Post author

      Hi Martin,

      I’ve compiled the patched debs on an i386 system, but the amd64 files should be fine I guess.
      Let me know if you run into any trouble using these files…

      -Flo

      1. Martin

        Thanks,

        i have 2.6.26-2-amd64
        but with
        dpkg –install libc6-amd64_2.7-18lenny7_i386.deb

        i get:
        Package architecture ( i386) does not match system ( amd64)

        1. flo Post author

          There are two subdirectories now; i386 and amd64 to resolve this issue.

          Patching the amd64 arch successfully may work like this for you:
          d094d0223d11:/usr/src/ghost# ./ghost
          vulnerable

          d094d0223d11:/usr/src/ghost# dpkg -i libc6-dev-i386_2.7-18lenny8_amd64.deb libc6-dev_2.7-18lenny8_amd64.deb libc6-i386_2.7-18lenny8_amd64.deb libc6_2.7-18lenny8_amd64.deb locales_2.7-18lenny8_all.deb
          (Reading database … 14322 files and directories currently installed.)
          Preparing to replace libc6-dev-i386 2.7-18lenny7 (using libc6-dev-i386_2.7-18lenny8_amd64.deb) …
          Unpacking replacement libc6-dev-i386 …
          Preparing to replace libc6-dev 2.7-18lenny7 (using libc6-dev_2.7-18lenny8_amd64.deb) …
          Unpacking replacement libc6-dev …
          Preparing to replace libc6-i386 2.7-18lenny7 (using libc6-i386_2.7-18lenny8_amd64.deb) …
          Unpacking replacement libc6-i386 …
          Preparing to replace libc6 2.7-18lenny7 (using libc6_2.7-18lenny8_amd64.deb) …
          Unpacking replacement libc6 …
          Selecting previously deselected package locales.
          Unpacking locales (from locales_2.7-18lenny8_all.deb) …
          Setting up libc6 (2.7-18lenny8) …
          Processing triggers for man-db …
          Setting up libc6-dev (2.7-18lenny8) …
          Setting up libc6-i386 (2.7-18lenny8) …
          Setting up locales (2.7-18lenny8) …
          Generating locales (this might take a while)…
          Generation complete.
          Setting up libc6-dev-i386 (2.7-18lenny8) …

          d094d0223d11:/usr/src/ghost# ./ghost
          not vulnerable

  2. Chris

    There is more than one .deb package in your repo. Can You explain how to install using dpkg on standard lenny ?

    1. flo Post author

      Hi Chris,

      depends if you have installed Debian Lenny using i386 or amd64 architecture. You may check that using the “uname -a” command.
      I had to download and install the following packets to secure my Debian Lenny i386 standard systems, but that may differ for your installation of course:
      dpkg -i libc6_2.7-18lenny8_i386.deb libc6-dev_2.7-18lenny8_i386.deb locales_2.7-18lenny8_all.deb

      -Flo

  3. Chris

    This two does not match AMD architecture.
    libc6_2.7-18lenny8_i386.deb
    libc6-dev_2.7-18lenny8_i386.deb

    also this two does not match AMD Architecture
    libc6-amd64_2.7-18lenny8_i386.deb
    libc6-dev-amd64_2.7-18lenny8_i386.deb

    Can You explain how to compile a simple package from source, pls 🙂

    1. flo Post author

      Ok, thx.
      (1)
      On Debian Lenny i386 I’ve compiled the sources using:
      apt-get source libc6
      apt-get build-dep libc6

      (2)
      Download the additional patch file cvs-gethostbyname.diff and copy it to the sub directory glibc-2.7/debian/patches/any/
      echo 'any/cvs-gethostbyname.diff -p1' >> glibc-2.7/debian/patches/series
      cat < < EOF > glibc-2.7/debian/changelog.new
      glibc (2.7-18lenny8) stable-security; urgency=high

      * Fix CVE-2015-0235 (GHOST)

      -- Chris Thu, 31 Jan 2015 09:23:48 +0100

      EOF
      cat glibc-2.7/debian/changelog >> glibc-2.7/debian/changelog.new && mv glibc-2.7/debian/changelog.new glibc-2.7/debian/changelog
      cd glibc-2.7
      dpkg-buildpackage -j4

      … ok, this step may take quite some time, now and needs at least about 2GB free disk space!
      Note: You may change the “-j4” option to the number of CPU cores you have installed to speed up compilation time.

      Would be nice if you could upload or provide me the packets compiled for the Debian Lenny amd64 architecture for download for other users affected by this issue,
      -Flo

    2. Martin

      Great!!!
      Works, how can i check which services i have to restart?
      lsof | grep libc

      some shows
      /lib/libc-2.7.so
      some
      /lib/libc-2.7.so (path inode=516114)
      is there a difference?

      1. flo Post author

        Try running to following command to find out all services relying on glibc:
        lsof | grep libc | awk '{print $1}' | sort | uniq

        Probably it’s a good idea to reboot the system at a maintenance window instead of restarting all the individual services 😉

    1. flo Post author

      As you compile the sources within a dedicated directory it is not neccessary to backup any special files.
      Just create a new directory und run all the commands in this directory i.e.
      cd /usr/src
      mkdir ghost
      cd ghost

      If anything does not work as expected you simply have to remove the directory and you’re done.

  4. Jorge

    What a great job! Thank you very much. It has been by far the best way to patch our lenny’s.

    Thank you again for sharing it!!!

    1. flo Post author

      ok, seems more users than expected are still using Debian Lenny amd64.
      As I have only used i386 in production I ran a docker lenny snapshot and recompiled the patched glibc6 v2.7 binaries for amd64.
      These are available at the amd64 subdirectory, now.

      Have fun, -Flo

  5. Blake

    Dumb question maybe… Will that install on Ubuntu 8.04 (Hardy)? It also has libc 2.7, and I think, but I’m not sure, that they can use the same deb?

    1. flo Post author

      Hi Blake,

      can you find out which libc6 version (or file versions) are currently installed on Ubuntu Hardy?
      I guess Ubuntu used the base system of Debian but I’m not sure if Ubuntu did add some fancy additional patches to their libc 2.7 package.

      In order to find out you may download a copy of the sources using apt-get source glibc and share the result with us.
      Using Debian the result looks like this:
      [02:02:58] [...]@roadrunner: /tmp/huhu> apt-get source glibc
      Reading package lists... Done
      Building dependency tree
      Reading state information... Done
      Skipping already downloaded file 'glibc_2.7-18lenny7.dsc'
      Need to get 16.1MB of source archives.
      Get:1 http://archive.debian.org lenny/main glibc 2.7-18lenny7 (tar) [15.4MB]
      Get:2 http://archive.debian.org lenny/main glibc 2.7-18lenny7 (diff) [754kB]
      Fetched 10.0MB in 2s (4661kB/s)
      gpg: Signature made Fri Jan 7 22:59:26 2011 CET using RSA key ID 02D524BE
      gpg: Can't check signature: public key not found
      dpkg-source: extracting glibc in glibc-2.7
      dpkg-source: info: unpacking glibc_2.7.orig.tar.gz
      dpkg-source: info: applying glibc_2.7-18lenny7.diff.gz
      [02:03:20] [...]@roadrunner: /tmp/huhu> md5sum *
      md5sum: glibc-2.7: Is a directory
      fc37287edcb8dd6c95196bf08a2f8c64 glibc_2.7-18lenny7.diff.gz
      08dfb8b9eed3b92d5b26fab6f66c9b94 glibc_2.7-18lenny7.dsc
      8816fbab13a072c0ccef6640c9d20833 glibc_2.7.orig.tar.gz

  6. Pingback: How to patch CVE-2015-0235 (GHOST) on Debian Lenny and Squeeze? – segmentfault

Leave a Reply

Your email address will not be published. Required fields are marked *

css.php