Linux Glibc Security Fix Created a Nastier Linux Bug (zdnet.com) 74
A fix that was made in early June to the GNU C Library (glibc) introduced a new and nastier problem. Steven J. Vaughan-Nichols writes via ZDNet: The first problem wasn't that bad. As Siddhesh Poyarekar, a Red Hat principal software engineer wrote, "In order to mount a minimal attack using this flaw, an attacker needs many pre-requisites to be able to even crash a program using this mq_notify bug." Still, it needed patching and so it was fixed. Alas, the fix contained an even nastier bug. While checking the patch, Nikita Popov, a member of the CloudLinux TuxCare Team, found the problem. It turns out that it is possible to cause a situation where a segmentation fault could be triggered within the library. This can lead to any application using the library crashing. This, of course, would cause a Denial-of-Service (DoS) issue. This problem, unlike the earlier one, would be much easier to trigger. Whoops.
Red Hat gives the problem in its Common Vulnerability Scoring System (CVSS) a score of 7.5, which is "high." An attack using it would be easy to build and requires no privileges to be made. In short, it's bad news. Popov himself thinks "every Linux application including interpreters of other languages (python, PHP) is linked with glibc. It's the second important thing after the kernel itself, so the impact is quite high." [...] The good news is both the vulnerability and code fix have been submitted to the glibc development team. It has already been incorporated into upstream glibc.
In addition, a new test has been submitted to glibc's automated test suite to pick up this situation and prevent it from happening in the future. The bottom line is sometimes changed in unrelated code paths can lead to behaviors changing elsewhere without the programmer realizing what's going on. This test will catch this situation. The Linux distributors are still working out the best way to deploy the fix. In the meantime, if you want to be extra careful -- and I think you should be -- you should upgrade to the newest stable version of glibc 2.34 or higher.
Red Hat gives the problem in its Common Vulnerability Scoring System (CVSS) a score of 7.5, which is "high." An attack using it would be easy to build and requires no privileges to be made. In short, it's bad news. Popov himself thinks "every Linux application including interpreters of other languages (python, PHP) is linked with glibc. It's the second important thing after the kernel itself, so the impact is quite high." [...] The good news is both the vulnerability and code fix have been submitted to the glibc development team. It has already been incorporated into upstream glibc.
In addition, a new test has been submitted to glibc's automated test suite to pick up this situation and prevent it from happening in the future. The bottom line is sometimes changed in unrelated code paths can lead to behaviors changing elsewhere without the programmer realizing what's going on. This test will catch this situation. The Linux distributors are still working out the best way to deploy the fix. In the meantime, if you want to be extra careful -- and I think you should be -- you should upgrade to the newest stable version of glibc 2.34 or higher.
It happens... (Score:2, Interesting)
As ugly as it is. This is a workplace hazard of being a coder. Even with the best test suites, sometimes a bugs introduced that triggers in somewhere unexpected and sirens go off, and lots of unhappiness, but even god-like coders can make this happen.
Lets hope this doesnt affect too many producion deployments.
Re:It happens... (Score:5, Insightful)
Re: (Score:1, Troll)
I disagree. I think the responses are pretty much the same, it’s just that the people involved switch sides.
Re: (Score:2)
I dunno, there's an intersection of people that dislike both Microsoft and IBM (Red Hat) :)
Some would argue for alternatives to glibc such as musl or Theo's heavily audited openbsd. Rustaceans would argue it's folly to implement a C library in an unsafe language like C and suggest relibc.
But anyway, concurrency is hard.
Re: (Score:1)
Still others would argue that we should never have abandoned the scroll and quill pen, that we would be a lot happier calculating by hand.
Apologies, something in OP's style made me think of Douglas Adams
Re: (Score:1)
Re: It happens... (Score:2)
I would settle for people not complaining that languages other than C are unnecessary because it is possible to write secure code on the first try every time if you just get good.
Re: (Score:1)
Re: (Score:2)
I myself? Is still waiting on that linux kernel written in java.
Why? It wasn't designed for that.
Re: It happens... (Score:1)
Two sides of the same coin.
For the *nix geek it feels like an orgasm with every keystroke using *nix. But when he uses Windows, he feels like he's getting fucked by every mouse click.
Go figure what kind of dissonance that can spawn.
Re: (Score:1, Offtopic)
Microsoft averages about seventy new CVEs each patch Tuesday. So a little more than twice a day. Most of those are arbitrary code execution, not just a crash.
So tell me, what *exactly* do you see here twice a day, when Microsoft has new vulnerabilities?
I see there are Microsofties slithering around here with "overrated" points at hand. Same old Microsoft.
Well, got a link to the seventy new Windows CVE stat?
Re: (Score:2)
Microsoft averages about seventy new CVEs each patch Tuesday. So a little more than twice a day. Most of those are arbitrary code execution, not just a crash.
So tell me, what *exactly* do you see here twice a day, when Microsoft has new vulnerabilities?
I see there are Microsofties slithering around here with "overrated" points at hand. Same old Microsoft.
Well, got a link to the seventy new Windows CVE stat?
Same old Microsoft.
Re: (Score:2)
If you think everyone else is an ass, guess who is the ass? Turns out, OP was accurate. [redmondmag.com] And so was I, prick.
Re: (Score:2)
Check https://cve.mitre.org/ [mitre.org] for the CVE's.
Re: (Score:2)
Shrug, not seeing a distinct advantage one side or the other here.
https://cve.mitre.org/cgi-bin/... [mitre.org]
https://cve.mitre.org/cgi-bin/... [mitre.org]
There's a ton of different factors to consider, I mean lines of code? Some defect per complexity metric? It is what it is, open source security isn't magic.
Down mods might be because people are kind of tired of these tropes. It's like when as a professional Linux admin you hear "you don't need to reboot Linux"
Maybe the era of unwashed masses of Linux desktop user types shout
Re: (Score:2)
Looking over the first few on your "Linux" link, I see a bug in an Endpoint Protection product called Bitdefender, shiftfs, Idrive Remote PC ...
So you're counting commercial software that can run on a Linux system. You've found that all the software that can run on Linux (combined) has almost as many vulnerabilities as the Windows OS itself has.
Windowsupdate.com (Score:2)
> > Microsoft averages about seventy new CVEs each patch Tuesday. So a little more than twice a day. Most of those are arbitrary code execution, not just a crash.
> Well, got a link to the seventy new Windows CVE stat?
Windowsupdate.com
I've been doing a presentation every patch Tuesday for many years. The lowest number I ever remember seeing is 44. It's not too unusual to have triple digits, like 111 new vulnerabilities for the month.
Re: (Score:2)
https://support.microsoft.com/... [microsoft.com]
Umm, got a link that works?... Cheers!
Re: (Score:3)
60,000 packages and leap seconds (Score:3)
That's true if you compare Windows to Ubuntu, which seems like a reasonable thing to do, at first.
The numbers of CVE reported by Windows (the operating system itself) isn't far from the total reported by Ubuntu. Which covers all â60,000 different programs in the Ubuntu repository.
A bug in Linpac is reported as an Ubuntu bug. Linpac is a packet radio (ham) terminal program. Less than 0.01% of Ubuntu users are ham radio users who will install Linpac.
This week's Ubuntu update included "GPSd incorrectly ha
Yourself is a good source :) (Score:2)
> If we add "DoS", that number jumps to around 36% for Windows 10, and nearly 70% for the Linux kernel.
You know what DOS is, right? Denial of service. It means "the program crashes", or otherwise stops working. According to you (and it matches my experience), the Linux vulnerabilities are twice as likely to be merely the "the program stops working". (36% for Windows, 70% for Linux)
The other categories are various levels of code execution. According to your numbers, 64% of Windows CVEs are code executio
Re: (Score:3)
It seems like you want to believe a certain thing, and that's fine if so. I can't afford to believe what I want because I have to deal with the actual problems on thousands of real machines that have real impact on the actual business every day.
> Also, your dismissal of DoS is questionable and rather convenient, as DoS
If I can make the machine do whatever I want, OF COURSE I can make it not work right.
If I have Administrator/System privileges, obviously I can make it not work right.
Therefore DoS
Re: (Score:3)
Information is only newsworthy if it is out of the ordinary. A Linux patch introducing a worse bug is out of the ordinary and thus newsworthy. A fix for a Windows security hole creating one that you can move planets through is pretty much expected behaviour.
Re: (Score:2)
Redhat basically has the skillset of IBM now, which is a little scary.
Re: (Score:2)
Naa. IBM has been going down the drains for about a decade now. That "skillset" is not impressive anymore.
Re: (Score:2)
Yes, that is what I'm saying about Redhat.
Re: (Score:2)
Sorry, I misunderstood. I am completely with you on that.
Re: (Score:1)
When it happens to Microsoft, it is typically found much later and usually only if somebody actively attacks it. The joy of closed-source software. Also, Microsoft does rarely learn from mistakes. They are making the same stupid mistakes over and over and over again.
Bit of a different situation there.
Re: (Score:2)
This is probably because all their experienced people have left and have been replaced by cheaper junior people who think they should reinvent the wheel.
I tried to use the ATL wizard in VS 2017 recently, only to find it completely and utterly broken. For some reason, it looked like somebody had tried to reimplement it without understanding even the basics and clearly hadn't used it or had any kind of regression tests. VS6 worked better.
Re: (Score:2)
It does happen. However when it happens at Microsoft, the response from Microsoft is a lot different...
FTFY
I'm wondering why... (Score:5, Interesting)
Have they been churning the code with unwanted new features and dubious performance enhancements?
Re: (Score:3)
You're right, libc is a pretty hard target after all these years. To the extent that even a brand new DoS discovered by white hats instantly becomes front page tech news. Because these are few and far between. What's more, they don't last long and an army of skilled admins will be out there patching vulnerable machines.
Can't really make such boasts about Windows. In that world you just sit around and wait for reboot Tuesday. Collect your paycheck. Life of a Windows admin.
It must be SystemD (Score:1)
If it came from Red Hat. SystemD has its tentacles into everything, even glibc...
Re: (Score:1)
Because there is essentially no such thing as bug free code.
The expectation - through code maturity - is that the number approaches zero, but that doesn't mean it ever gets there.
Re: (Score:3)
Have they been churning the code with unwanted new features and dubious performance enhancements?
Unwanted by whom? Dubious according to whom? One man's bloat is another's critical feature.
When you're not talking out of your arse you may be interested to know that a lot of changes in glibc have been to implement newer and better security practices, provide support for new CPU extensions such as SSE4.1/4.2, and supporting new architectures like RISC-V.
You may be happy with your Pentium MMX from the 90s, the rest of us are not.
There is such a thing as fast enough. (Score:2)
You want speed optimization? Spin yourself a custom library and leave the rest of us out of it. As for newer and better security practices, I would be all for that, except... it doesn't seem to have worked out that way in this case.
I'm of the opinion that without built in bounds checking, a language can ne
Re: (Score:3)
Re: (Score:2)
It's a fundamental library, not a race car.
Which is precisely why it's so damn important to optimise it. Do you put diesel in your Ferrari?
Re: (Score:3)
Actually your post deserves a longer reply. You seem to be under the impression that a fundamental library is somehow meant to be slow or that optimisation is somehow at odds with stability both API and actual stability.
I'm not sure where you got that idea from but I think the technical definition for it is "horseshit". Speed optimisation has been of the upmost and fundamental importance at the most core level of every OS and library in general use. I personally think you have it completely backwards.
If you
I get the idea from... (Score:2)
It's called the real world.
Re: (Score:2)
Yes, the real world where in the past 30 years we have demonstrated the single most important part of IT has been to steadily increase its speed to cope with demand.
Your real world argument directly works against you, whether you're a kid playing games bench-marking OSes, a cloud provider attempting to edge out performance per watt (dollar) in your database or filesystems, or a financial behemoth trying to make that trade just a little bit faster.
The entire world runs on speed. Only a few edge cases case ab
On what planet? (Score:2)
Speed kills. We all know that.
Re: (Score:2)
I see security incidents all the time. I don't see speed issues, unless you count DDoS.
Speed kills. We all know that.
No. You've normalised speed issues and thus are desensitised to them. There's a difference. On a slightly related note, the world is being fucked up ecologically, please don't waste power and produce more CO2 by running shitty inefficient code.
Re: (Score:3)
Have they been churning the code with unwanted new features and dubious performance enhancements?
The primary issue is that GlibC does not conform to any standard. No, seriously, it doesn't use standard code (utilizes GCC compiler extensions), it's not POSIX compliant and has a boatload of "features" added to it.
If you want a reliable and compliant libc then you should look at musl [libc.org] which actually focuses on being small, POSIX compliant, and ensuring security.
Re: (Score:2)
Re: (Score:2)
glibc isn't part of the kernel.
Re: (Score:2)
This is not a one time deal. This happens all the time. The r
Nothing is perfect (Score:3, Insightful)
Re: (Score:2)
True, no code is perfect but glibc is a train wreck. Anyone serious about security should be using musl.
Hyperbole, it's what's for dinner (Score:2, Informative)
Okay so there is a bug in the implementation of a glibc function, mq_notify(). As far as I know, mq_notify isn't really used by that many applications. So there is some small intersection of programs that both a) use mq_notify() and b) will have a major impact on the world if they no longer were running.
More importantly, this article doesn't even mention what software might have issues with this bug, or how it impacts anything.
Flapping your head saying that EVERYTHING uses glibc isn't helpful. Sure, eve
Re:Hyperbole, it's what's for dinner (Score:4, Interesting)
Right, calling it a "libc bug" is misleading, it's a Posix message queue bug. An application using Posix message queues might be vulnerable, which s is a tiny subset of applications because Posix message queues are rather obscure, but there are so many millions of Linux servers that absolute numbers could be large. Whether this is anything more than a potential DoS or whether it can be exploited remotely remains to be analyzed.
Doesn't look particularly threatening, the main news here that fixing a hole made a new hole, however small.
Re: (Score:2)
Right, calling it a "libc bug" is misleading
No, it's not, because the bug is in the implementation of mq_notify in librt.
it's a Posix message queue bug. An application using Posix message queues might be vulnerable
Yes, which is part of libc.
If there's a bug in printf, do you also claim that it's not a bug in libc, because it only affects things that use printf?
Sure, mq_notify isn't used by a lot of shit, but the bug is absolutely in libc (librt).
mqueue is useful as IPC in lots of places. It's simpler than writing your own semaphore back message queue, works across multiple processes, doesn't need all the annoyance of dbus, and is less w
Re: (Score:2)
I agree, a quick check with /bin/ /sbin/ /lib /lib64 -type f | xargs nm -D | grep mq_notify | wc -l /usr/xyz) found zero applications on my computer.
find
(/xyz symlinked to
Re: (Score:2)
I have found one application on my system using the Posix message queues, stress-ng (https://kernel.ubuntu.com/~cking/stress-ng/)
Doesn't seem like a very critical bug.
Re: (Score:2)
A meta-application to stress test conformity of a feature is its sole usage!
Thus a bunch of obsolete code exists in the Linux kernel only so it can claim to be POSIX compatible with something they thought was useful decades ago.
Re: (Score:3)
I do not see why that would be considered a critical bug. No privilege escalation and no remote DOS. Basically, someone found a new way for programmers to crash their own code. It must be fixed of course but this is a rather mundane issue. It seems to me that Tuxcare, the company that found the second bug, is trying to make the buzz.
Re: (Score:2)
That is absolutely a critical bug.
Do not forget to patch... everything! (Score:5, Insightful)
In the good old days it would've meant a one-shot update to glibc per system, and maybe sometimes for the odd chroot-jailed application.
Nowadays, it means updating all containers too (docker, LXC, snap, flatpak), so unless they're all homemade, a hunt for online updates, hoping upstream isn't slow to react.
Just like in this other operating system we laugh at when it comes to security.
Aren't we getting somewhere nice?
Re: (Score:2)
Re: (Score:2)
One reason why containers are stupid. I expect they do not really have a long-term future, they are just a current hype that overpromises and underdelivers.
Re: (Score:2)
And just to keep things fun, that environment is developed in a RAD like way, so you couldn't keep ahead of it if you fucking wanted.
They have taken a cool functionality (that actually existed long before Docker et al, made it popular- I added container support to my HTC G1 a lifetime ago) in linux and turned into a steaming fucking pile of shit.
Re: (Score:2)
I think they fill a small niche only: They are not application packages (which, with chroot + privilege drop can be isolated pretty well and can be given their own libraries if needed or desired), and they are not quite VMs. They still have the drawbacks of VMs, namely that you need to do system maintenance and, in part at least, system administration for them. They also have the drawbacks of packages, namely they are dependent in some ways on the machine they get installed on.
Quote a bad mix, actually, whe
Re: (Score:2)
I remember thinking the technology was fucking awesome. This was back in 2009 or so, though... and I never thought they'd turn into these weird fucking living packages with their own little pseudo OS going on inside them... and the model of having some janky ass containe
Re: (Score:2)
Containers seem to be a symptom of dependency hell.
Re: (Score:2)
Yay, us.
Just fix the uninitialized memory Ala Debian ssl (Score:2)
Just fix the uninitialized memory Ala Debian ssl....
No one will notice the keyspace has drastically been reduced.... you fixed a valgrind warning so all is well.