358

Root access vulnerability in glibc library impacts many Linux distros(securityaffairs.com)

posted
by
Avatar
joojmachine@lemmy.ml
in
Avatar
linux@lemmy.ml
89 comments
hidereport
Sort:
HotTopControversialNewOld
You are viewing a single thread.
View all comments
Avatar
shadowintheday2@lemmy.world
95 points

"A qsort vulnerability is due to a missing bounds check and can lead to memory corruption. It has been present in all versions of glibc since 1992. "

This one amazes me. Imagine how many vulnerabilities future researchers will discover in ancient software that persisted/persist for decades.

permalink
report
reply
Avatar
PlexSheep@feddit.de
67 points
*

That’s not the main part of the article, just a footnote, for anyone wondering.

The flaw resides in the glibc’s syslog function, an attacker can exploit the flaw to gain root access through a privilege escalation.

The vulnerability was introduced in glibc 2.37 in August 2022.

permalink
report
parent
reply
Avatar
Asiaticus@lemmy.ml
9 points

So, it must be with the BSDs too?

permalink
report
parent
reply
Avatar
Rustmilian@lemmy.world
1 point

BSDs use libc

permalink
report
parent
reply
Avatar
PlexSheep@feddit.de
1 point

Iirc bad does not use glibc, but I’m not very involved with BSD.

permalink
report
parent
reply
Show more comments
Avatar
MonkderZweite@feddit.ch
-2 points

Wait, why has a compiler system log functionlity?

permalink
report
parent
reply
Avatar
StefanT@lemmy.world
22 points

glibc is a library, gcc is the compiler.

permalink
report
parent
reply
Avatar
PlexSheep@feddit.de
5 points

You are probably confusing the glibc with gcc and g++. Glibc is an implementation of the C standard library, made by GNU (thats where the g in the name comes from).

If you were to look into it, it uses the syscalls to tell the underlying computer system what to do when you call functions, such as printf.

If you want to read more, see here

permalink
report
parent
reply
Avatar
xlash123@sh.itjust.works
35 points

C is just crazy. You accidentally forget to put the bounds in a sorting function, and now you are root.

permalink
report
parent
reply
Avatar
kaputt@sh.itjust.works
6 points

According to the link in the article, the qsort() bug can only be triggered with a non-transitive cmp() function. Would such a cmp function ever be useful?

permalink
report
parent
reply
Avatar
Giooschi@lemmy.world
4 points

You don’t necessarily have to write a non-transitive cmp() function willingly, it may happen that you write one without realizing due to some edge cases where it’s not transitive.

permalink
report
parent
reply

Linux

!linux@lemmy.ml

Create post

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word “Linux” in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

  • Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
  • No misinformation
  • No NSFW content
  • No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

Community stats

  • 7.5K

    Monthly active users

  • 6.6K

    Posts

  • 180K

    Comments

Community moderators