"A qsort vulnerability is due to a missing bounds check and can lead to memory corruption. It has been present in all versions of glibc since 1992. "
This one amazes me. Imagine how many vulnerabilities future researchers will discover in ancient software that persisted/persist for decades.
That’s not the main part of the article, just a footnote, for anyone wondering.
The flaw resides in the glibc’s syslog function, an attacker can exploit the flaw to gain root access through a privilege escalation.
The vulnerability was introduced in glibc 2.37 in August 2022.
So, it must be with the BSDs too?
Iirc bad does not use glibc, but I’m not very involved with BSD.
BSDs use libc
C is just crazy. You accidentally forget to put the bounds in a sorting function, and now you are root.
According to the link in the article, the qsort() bug can only be triggered with a non-transitive cmp() function. Would such a cmp function ever be useful?
You don’t necessarily have to write a non-transitive cmp() function willingly, it may happen that you write one without realizing due to some edge cases where it’s not transitive.
Security-critical C and memory safety bugs. Name a more iconic duo…
I’d have kinda preferred for public disclosure to have happened after the fix propagated to distros. Now we get to hurry the patch to end-users which isn’t always easily possible. Could we at least have a coordinated disclosure time each month? That’d be great.
deleted by creator
I’m afraid I don’t understand what you’re trying to say.
I am not sure as well, but maybe they meant “maybe an early and public disclosure increases the urgency of the fix for the developers”?
Debian (versions 12 and 13), Ubuntu (23.04 and 23.10), and Fedora (37 to 39). Other distributions are probably also impacted.
https://security-tracker.debian.org/tracker/CVE-2023-6246
Don’t know if Fedora has any similar easy way of tracking vulnerabilities
12 and 13 have patches out in the security repo. Apt update && apt upgrade fixed it right up.
Yikes.
I’d switch to musl on all of my boxes if it weren’t that nearly all precompiled software (closed source, games mainly) are compiled against glibc.
Just use flatpak and podman, in a punch you can proot into a different system / zfs data set / btrfs sublime
So this means you need either Alpine repos or compile everything yourself?
Void offers musl too. Unless they’ve discontinued it.
But
compile everything yourself?
I do (almost) exactly that. I run Gentoo almost everywhere. The ‘almost’ is because Gentoo now offers an official bin repository too, so I can mix compiled and pre-compiled software. (Although you’ve always had the option to set up your own binary host).
How are you going to run steam though? Like at least alpine has wine, but there’s no way to recompile steam unfortunately.
I was never into gaming really, and while I like the progress I dont really care tbh?
Nope. I mainly get my games (curretly around 10 only) from gog.
Don’t forget Chimera Linux ( not to be confused with Chimeraos)!
That’s why you need to rock and roll
(Arch btw.)
Try having
unattended-upgradeswith a rolling distro.I don’t want unattended upgrades >:/
Just don’t upgrade for a while and you become debian
It’s not like windows forcing you to reboot every Tuesday so Edge can come back
you shouldn’t be throwing boots through your windows
Man, I do this all the time. snapper and grub-btrfs has enabled all kinds of amazing things. I’m so close to just doing:
$ sudo crontab -l * * 3 * * pacman -Syu --no-confirmI’ve got separate offline backups and rescue disks, but I’m pretty confident that grub-btrfs will let me recover pretty quickly.
grub-btrfs with timeshift didn’t helped me in my upgrade from fedora 38 to 39, when i rolled back with grub-btrfs, what loaded was weird mix of 38 and 39, that didn’t even let me browse my filesystem, got to disassemble laptop, get out ssd, use it as external, and even then half of the ssd was locked, ssd was new and chmod didn’t helped, even from live usb, had to copy files with testdisk and dd zero’s on whole disk for it to work again
Local attacker
Important detail
as i said on reddit
I replied to another comment with this, but Debian 12(stable, bookworm) and 13(testing, trixie) are affected by this but 12(stable, bookworm) has a patch out in the security repo.
If you wanna know wether or not you’re affected,
apt list libc
will show your version and the one you want is 2.36-9+deb12u4
If you don’t have that,
apt update && apt upgrade
will straighten you out
13(testing, trixie) has 2.37, but it’s not fixed yet.
E: Edited to use apt list instead of apt show.
RedHat and related: https://access.redhat.com/security/cve/CVE-2023-6246
Not affected
Not affected
Not affected
etc.
Ubuntu 22.04 LTS, Linux Mint etc as well. also this is a local one, so not many people care.
Glad I only run Alpine
“GNU Library C?”
GNU C Library(glibc) as apposed to C Library (libc).
Who calls it “GNU Library C” though?
