Linux distrib vendors make patches available for GHOST

Qualys said on Tuesday that there was a serious weakness in the Linux glibc library. During a code audit, Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. The weakness can allow attackers to remotely take control of the victim's system without any prior knowledge of system credentials. This has become known as the GHOST vulnerability, discovered by researchers at the security company Qualys, which worked closely with Linux distribution vendors.

The company also thanked Alexander Peslyak of the Openwall Project for his help with the disclosure process. (Peslyak has been professionally involved in computer and since 1997.) The Openwall Project is a source for various software. Amol Sarwate, Qualys Vulnerability Labs Director, served as the presenter in a video explaining the company's advisory. In the Tuesday posting, he said the weakness was serious but that patches were available from Linux distributions.

What is "glibc"? It is the GNU C Library, a core part of the OS. "The vulnerability is in one of the functions of glibc," said Sarwate, where a buffer overflows. The vulnerability can be triggered locally and remotely from any of the gethostbyname*() functions.

So what's the risk? An attacker, said Sarwate, could send a malicious email to an email server and get a remote shell to the Linux machine. The good news is that most Linux vendors have released patches. "So the best way to mitigate this issue," said Sarwate, "is to apply a patch from your Linux distribution."

Gavin Millard, technical director of Tenable Network Security, told the Telegraph: "Patches are being released for the major Linux distributions and should be applied with a priority on any vulnerable systems with services that can be reached from the Internet."

Sarwate said the vulnerability is called "GHOST" because of the GetHOST functions by which the flaw can be exploited. The vulnerability has a history; it was found some years ago and it was fixed but it was not classified as a . Nonetheless, as of Tuesday, distributions have released patches, said Sarwate, "so please install patches for your servers."

Dan Goodin of Ars Technica had some words of caution: "patching systems requires core functions or the entire affected server to be rebooted, a requirement that may cause some systems to remain vulnerable for some time to come." Goodin called the "extremely critical."
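Goodin's caveat can be checked on a patched host: a process started before the update keeps the old library mapped until it is restarted. The script below is an added example, not code from Qualys or from this article. It assumes a Linux /proc filesystem and a package manager that replaces the library file on disk, so that the old mapping is shown with a " (deleted)" suffix. The function names and the sample maps lines are constructed for illustration.

```python
import os
import re

# Path column of a /proc/<pid>/maps line for a C library image that has been
# unlinked from disk (the kernel appends " (deleted)" to such mappings).
STALE_LIBC = re.compile(r"(/\S*/libc(?:-[\d.]+)?\.so[^/\s]*) \(deleted\)$")


def stale_libc_in_maps(maps_text):
    """Return the set of deleted libc paths mapped in one maps listing."""
    found = set()
    for line in maps_text.splitlines():
        match = STALE_LIBC.search(line.rstrip())
        if match:
            found.add(match.group(1))
    return found


def processes_needing_restart(proc_root="/proc"):
    """Map pid -> (command name, stale libc paths) for each readable process."""
    result = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip non-process entries such as "self" or "sys"
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "maps"), errors="replace") as fh:
                stale = stale_libc_in_maps(fh.read())
            with open(os.path.join(base, "comm"), errors="replace") as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # process exited, or we lack permission to read it
        if stale:
            result[int(entry)] = (comm, sorted(stale))
    return result


# Constructed sample: maps lines as they look after a glibc package upgrade.
SAMPLE_MAPS = (
    "7f3a1c000000-7f3a1c1bb000 r-xp 00000000 08:01 131 "
    "/lib/x86_64-linux-gnu/libc-2.19.so (deleted)\n"
    "7f3a1c5c0000-7f3a1c5e3000 r-xp 00000000 08:01 140 "
    "/lib/x86_64-linux-gnu/ld-2.19.so\n"
)

if __name__ == "__main__":
    for pid, (comm, libs) in sorted(processes_needing_restart().items()):
        print(pid, comm, ", ".join(libs))
```

Run it as root so that every process's maps file is readable; any process it lists is still executing the pre-patch library and needs a restart.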

The GNU C Library (glibc) is primarily designed to be a portable and high-performance C library. Any Unix-like operating system needs a C library: the library which defines the "system calls" and other basic facilities. The GNU C Library is used as the C library in GNU systems and most systems with the Linux kernel. It follows all relevant standards including ISO C11 and POSIX.1-2008. It is also internationalized.

Jeremy Kirk of the IDG News Service made note that this is "one of many issues found over the last year in open-source software components, including Heartbleed, Poodle and Shellshock, that have caused alarm due to the large number of systems affected."


More information: community.qualys.com/blogs/law … -ghost-vulnerability
www.qualys.com/research/securi … ST-CVE-2015-0235.txt

© 2015 Tech Xplore

Citation: Linux distrib vendors make patches available for GHOST (2015, January 29) retrieved 22 August 2019 from https://techxplore.com/news/2015-01-linux-distrib-vendors-patches-ghost.html

User comments

Jan 29, 2015
I have an old winblows7 system that I ignored completely apart from SP1. Then as a lark I allowed all ~200 'critical updates' to be applied on 10Jan2015. As a result, machine now reboots itself every 6 hours and can't shut down cleanly.

Cygwin with ghost exploit was smallest problem with that machine

Jan 29, 2015
This is just wrong... You're supposed to wait months or years, after being notified about a critical bug, to fix the problem... It helps to make excuses and blame others for the problem when the bug is made public and no patch has been released.

Microsoft does things the right way and Linux companies need to learn from them and give the hackers a fighting chance.

Jan 30, 2015
You're supposed to wait months or years, after being notified about a critical bug, to fix the problem


Isn't that exactly what has happened? Notice the part where they said a fix has been available for years, yet the distributions hadn't applied it.

But way to go making tu-quoque fallacies towards Microsoft whenever Linux fails in something. That's called intellectual dishonesty. Please remove the beam in thine own eye first.

Jan 30, 2015
As a result, machine now reboots itself every 6 hours and can't shut down cleanly


And you have nobody to blame except yourself.

The updates work fine even if you restore from an old image and download them all in at once, like you'd do to a laptop with a crashed HD for example. Which I have done without any issues.

So there was probably something else wrong with the system configuration caused by your neglect to maintain it. Such as a rootkit or a botnet worm.

For a comparison, try upgrading from an older similarly neglected build of Ubuntu. Oh. That's right - you can't, because there's no direct upgrade path, and trying to point your repositories to the latest version to force an update has a 99% chance of breaking something. The only practical option you have is wipe and reinstall.


Feb 01, 2015
@Eikka The only practical option you have is wipe and reinstall.
Winblows behaves randomly on upgrades. I reverted the disk image and reinstalled with exactly the same procedure and the second time it worked. So winblows does random things that often fuck up. Linux does not do this. If I wanted the latest patches of glibc all I need to do is email Richard Stallman. Nobody thought it was so important. Whereas there are thousands of hidden exploits lurking in winblows that would rise to the level of a national security threat if made public. Nice job trying to misplace blame

Feb 01, 2015
There are thousands of hidden exploits lurking in linux too. It's no better than windows in that regard. I strongly disagree that linux does not do strange things, both during updates and during normal operation. Have you worked professionally with linux? Luckily I did for a few years, because I have linux mint 17 on my home computer. This thing would be a fucking cryptic shitbox from hell if I didn't already know my way around the shell. At least if you want to do anything interesting or other than using firefox.

Also, linux or other unix like operating systems run 2/3 of all public servers. That sounds like the potential for a national security threat, just like you say windows is. Even companies that use linux on servers maintained by experienced engineers and spend millions on security still get hacked. Linux and windows both have their distinct advantages and disadvantages. I don't know where people get this idea that linux is always the best choice for everything always.

Feb 02, 2015
Winblows behaves randomly on upgrades. I reverted the disk image and reinstalled with exactly the same procedure and the second time it worked. So winblows does random things that often fuck up.


Rarely. There are literally billions of people using Windows, and if it actually did fuck up as often as you claim, they'd be changing over to macs and chromebooks and linux distros by the millions.

That isn't happening.

It's impossible to predict exactly the effect of installing updates on an old system that has been ill maintained, but they do test for when you need to bring an old system image up to date.

Linux does not do this.


Yes it does.

Of course you can email Mr. Stallman and manually upgrade your glibc, but if you want any sort of automated update procedure you have to endure loads of bullshit, where in some cases simply getting the latest version of your favorite web-browser requires a whole OS reinstall because the upgrade went wrong.

Feb 02, 2015
all I need to do is email Richard Stallman.


Point being, would Richard Stallman mind answering to 20 million emails asking for the latest patch? It just can't work that way.

There are thousands of hidden exploits lurking in linux too. It's no better than windows in that regard.


It's actually worse, because the source code where these bugs and exploits are found is public knowledge, so there's a race between those who would find bugs to exploit them and those who would find bugs to fix them, and the former isn't telling the latter about what they have found.

Just because a bug is found doesn't mean it gets fixed, and any time a bug is found it is instantly made public before any fix can be distributed, making the system vulnerable.

With closed source software you at least have the option of submitting bugs to the company and getting a patch back before the criminals get wind of it.

