tomxi
Posts: 10
Joined: Mon Jun 01, 2015 12:58 pm

glibc vulnerability - is raspbian affected?

Wed Feb 17, 2016 4:11 pm

There are now reports on a vulnerability in glibc. For example
http://arstechnica.com/security/2016/02 ... ulnerable/

Does raspbian have that vulnerability? Do we as end users need to do something, apart from installing updates?

ShiftPlusOne
Raspberry Pi Engineer & Forum Moderator
Posts: 6023
Joined: Fri Jul 29, 2011 5:36 pm
Location: The unfashionable end of the western spiral arm of the Galaxy

Re: glibc vulnerability - is raspbian affected?

Wed Feb 17, 2016 4:27 pm

Any time there's a vulnerability picked up by the news, people ask this sort of thing.

Here's how you find out:

1) Determine the version you have installed
2.19-18+deb8u3

2) Find the CVE identifier.
In this case, it's CVE-2015-7547.

3) Check the debian security tracker.
https://security-tracker.debian.org/tra ... -2015-7547
jessie (security) 2.19-18+deb8u3 fixed

rpdom
Posts: 15362
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: glibc vulnerability - is raspbian affected?

Wed Feb 17, 2016 4:38 pm

Do an update. You should be ok then.

libc6 version 2.19-18+deb8u2 is vulnerable.
libc6 version 2.19-18+deb8u3 is fixed.

The second one is available in Raspbian jessie now.

https://security-tracker.debian.org/tra ... -2015-7547

buja
Posts: 504
Joined: Wed Dec 31, 2014 8:21 am
Location: Netherlands

Re: glibc vulnerability - is raspbian affected?

Wed Feb 17, 2016 4:48 pm

The obvious next questions are:

- How do you determine which version you have installed?
- How to solve it when you have an old version? (this one is easy)

EDIT: with rpdom's reply it is now clear to me I should look for package libc6. This is not very obvious, since the article mentions glibc.

topguy
Posts: 5885
Joined: Tue Oct 09, 2012 11:46 am
Location: Trondheim, Norway

Re: glibc vulnerability - is raspbian affected?

Wed Feb 17, 2016 4:55 pm

buja wrote:The obvious next questions are:

- How do you determine which version you have installed?

Code:

dpkg -l | grep libc6

buja
Posts: 504
Joined: Wed Dec 31, 2014 8:21 am
Location: Netherlands

Re: glibc vulnerability - is raspbian affected?

Wed Feb 17, 2016 5:09 pm

topguy wrote:
buja wrote:The obvious next questions are:

- How do you determine which version you have installed?

Code:

dpkg -l | grep libc6
Thanks!
I found

Code:

apt-cache showpkg libc6
However, this gives a (very) long list of software that uses libc6, with the version information itself at the bottom of that list.
This gives an indication of how much software is affected by this bug: just about everything! But of course, not every program uses the domain lookup function that contained the bug.

rpdom
Posts: 15362
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: glibc vulnerability - is raspbian affected?

Wed Feb 17, 2016 5:25 pm

A better command is apt-cache policy libc6

Code:

$ apt-cache policy libc6
libc6:
  Installed: 2.19-18+deb8u2
  Candidate: 2.19-18+deb8u3
  Version table:
     2.19-18+deb8u3 0
        500 http://mirrordirector.raspbian.org/raspbian/ jessie/main armhf Packages
 *** 2.19-18+deb8u2 0
        100 /var/lib/dpkg/status
That is after an "apt-get update", but not "apt-get upgrade" yet. It shows that the old version is installed and the new one is a candidate for installing.

hirah
Posts: 1
Joined: Wed Feb 17, 2016 5:51 pm

Re: glibc vulnerability - is raspbian affected?

Wed Feb 17, 2016 5:56 pm

I have a small issue. This is on a Wheezy raspbian.

I have version 2.13-38+rpi2+deb7u8 installed, which is vulnerable.

I do

Code:

sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade
but it is not updated.

Code:

$  apt-cache policy libc6
libc6:
  Installed: 2.13-38+rpi2+deb7u8
  Candidate: 2.13-38+rpi2+deb7u8
Any ideas?

Sources:

Code:

$ cat /etc/apt/sources.list
#deb http://mirrordirector.raspbian.org/raspbian/ wheezy main contrib non-free rpi
deb http://archive.raspbian.org/raspbian wheezy main contrib non-free
deb-src http://archive.raspbian.org/raspbian wheezy main contrib non-free

rpdom
Posts: 15362
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: glibc vulnerability - is raspbian affected?

Wed Feb 17, 2016 7:18 pm

Raspbian wheezy may get updates later, but the main focus is on the current jessie release.

psergiu
Posts: 223
Joined: Mon Nov 07, 2011 8:36 am
Location: TX, U.S.A. (was: RO, E.U.)
Contact: Website

Re: glibc vulnerability - is raspbian affected?

Wed Feb 17, 2016 7:20 pm

Same here. Patiently waiting for 2.13-38+deb7u10 to get built for raspbian wheezy.

tomxi
Posts: 10
Joined: Mon Jun 01, 2015 12:58 pm

Re: glibc vulnerability - is raspbian affected?

Wed Feb 17, 2016 10:37 pm

Thank you for these replies people!

I am on Wheezy and also have version 2.13-38+rpi2+deb7u8 after apt-get upgrade. I guess I'll try again tomorrow and see if there is a newer package then.

plugwash
Forum Moderator
Posts: 3462
Joined: Wed Dec 28, 2011 11:45 pm

Re: glibc vulnerability - is raspbian affected?

Wed Feb 17, 2016 11:34 pm

Because the eglibc source package in raspbian wheezy has raspbian-specific modifications it doesn't get updated through the normal "automatic updates" process.

We have a tool called the "autoforwardporter" for this but it's only semi-automated. I've just kicked things off and hopefully we will have an update soon.

plugwash
Forum Moderator
Posts: 3462
Joined: Wed Dec 28, 2011 11:45 pm

Re: glibc vulnerability - is raspbian affected?

Thu Feb 18, 2016 11:45 am

Version 2.13-38+rpi2+deb7u10 should now be available.

psergiu
Posts: 223
Joined: Mon Nov 07, 2011 8:36 am
Location: TX, U.S.A. (was: RO, E.U.)
Contact: Website

Re: glibc vulnerability - is raspbian affected?

Thu Feb 18, 2016 2:27 pm

Thank you *VERY* *MUCH* !

Code:

Preparing to replace libc6:armhf 2.13-38+rpi2+deb7u8 (using .../libc6_2.13-38+rpi2+deb7u10_armhf.deb) ...
Unpacking replacement libc6:armhf ...
Setting up libc6:armhf (2.13-38+rpi2+deb7u10) ...

tomxi
Posts: 10
Joined: Mon Jun 01, 2015 12:58 pm

Re: glibc vulnerability - is raspbian affected?

Thu Feb 18, 2016 2:50 pm

@plugwash, great. I've installed it now.

The first reply on this thread offered a more general action plan for how users can react to vulnerabilities:
1) Determine the version [of the package] you have installed
2) Find the CVE identifier.
3) Check the debian security tracker [for the CVE identifier]
https://security-tracker.debian.org/
Later replies made clear the name in raspbian of the vulnerable package, libc6, and the command to look up what version of that package is installed:

Code:

dpkg -l | grep libc6
Let me add a few questions here.
1) If tech news sites mention a particularly serious vulnerability and, as in this case, use the term glibc, how does one find out the names of the raspbian packages that are related to glibc?
2) Is there a good way to get automatic alerts about such serious vulnerabilities that affect raspbian? I have a raspi that acts as a headless playback device for various web radio streams. I control the radio with a web interface and ssh into the device only seldom, about once a month, and only while I'm there do I run the update & upgrade commands.
3) Is it smarter, instead of trying to be alerted to particular vulnerabilities, to in some way schedule the raspi device to run update & upgrade every day? If yes, then what is a reliable way to do that? A cronjob?

Perhaps my device is not very likely to get in trouble since it only contacts the same list of web radio streams. But it would still be interesting to read answers to these questions.

NickT
Posts: 271
Joined: Mon May 21, 2012 10:43 am
Location: UK

Re: glibc vulnerability - is raspbian affected?

Thu Feb 18, 2016 3:25 pm

plugwash wrote:Version 2.13-38+rpi2+deb7u10 should now be available.
Yes, that version has been installed on my first revision 1 Pi, which is running Wheezy.

psergiu
Posts: 223
Joined: Mon Nov 07, 2011 8:36 am
Location: TX, U.S.A. (was: RO, E.U.)
Contact: Website

Re: glibc vulnerability - is raspbian affected?

Thu Feb 18, 2016 6:33 pm

tomxi wrote: 2 Is there a good way to get automatic alerts about such serious vulnerabilities that affect raspbian?
Subscribe to Debian-Security-Announce mailing list - https://lists.debian.org/debian-security-announce/
Raspbian is 99% Debian, so all debian bugs (unless x86-specific) will also be in raspbian.

While updating packages, services will be automatically restarted, and this might affect your radio stream playback. Also (based on my 18-year history of using Debian) there's a ~2% chance an update will fail (package dependencies, a new package version choking on old config files, disk space issues ...). While you can schedule automatic updates (with cron), my personal advice is to run them manually about once a week unless a serious vulnerability like this one pops up.

tomxi
Posts: 10
Joined: Mon Jun 01, 2015 12:58 pm

Re: glibc vulnerability - is raspbian affected?

Fri Feb 19, 2016 11:41 pm

psergiu wrote:Subscribe to Debian-Security-Announce mailing list - https://lists.debian.org/debian-security-announce/
Raspbian is 99% Debian, so all debian bugs (unless x86-specific) will also be in raspbian.
I browsed the items so far for 2016 on that link and I think it is too advanced for me to regularly parse. What I'd like is an alert that warns only of the "worst of the worst" vulnerabilities where it is unwise to not wait for a scheduled weekly update to run automatically (below).
psergiu wrote: While updating packages, services will be automatically restarted - and this might affect your radio stream playback.
Well I could always set it to autoupdate during the night when the radio is off and then auto reboot. After some thinking I think I'll go ahead and take the risk of something breaking through autoupdate. I have backup copies of the scripts I run on the raspi so can always format and recreate the system if some upgrade messes it up completely.

Searching for autoupdate information I found this (from 2013, but some answers are from 2015)
http://raspberrypi.stackexchange.com/qu ... up-to-date
One of the replies there describes how to schedule, with crontab, a bash script that does the upgrade steps. I reused that and added a reboot step. Does the following look ok?

I open crontab with

Code:

sudo crontab -e
and add this

Code:

# auto upgrade every Sunday at 2 am (root's crontab, so the script needs no sudo)
0 2 * * Sun cd /home/pi/ && /bin/bash /home/pi/upgrade.sh
and I save this as the file /home/pi/upgrade.sh

Code:

#!/bin/sh
# refresh package lists, install all upgrades without prompting (-y),
# delete the downloaded .deb files, then reboot
apt-get update
apt-get upgrade -y
apt-get clean
sleep 3
reboot

psergiu
Posts: 223
Joined: Mon Nov 07, 2011 8:36 am
Location: TX, U.S.A. (was: RO, E.U.)
Contact: Website

Re: glibc vulnerability - is raspbian affected?

Sat Feb 20, 2016 2:27 am

You might want to do some checking, not rebooting blindly. (This assumes you have a working email service configured on your RPi, with proper settings on your internet egress.)

Code:

#!/bin/sh
# log both apt steps; if the upgrade fails, mail the log and stop instead of rebooting
apt-get update > /tmp/upgradelog.txt 2>&1
apt-get upgrade -y >> /tmp/upgradelog.txt 2>&1
EXITCODE=$?
if [ "$EXITCODE" -ne 0 ]
 then
  cat /tmp/upgradelog.txt | mailx -s "upgrade error $EXITCODE" [email protected]
  exit 1
 else
  apt-get clean
  sync;sync;sync
  sleep 3
  reboot
 fi


fsr
Posts: 88
Joined: Wed Jan 13, 2016 2:29 am

Re: glibc vulnerability - is raspbian affected?

Sat Feb 20, 2016 9:12 am

No need to reinvent the wheel. Debian (and hence Ubuntu/Mint/Raspbian) has always had the ability to automatically upgrade.
Have a look at the 'unattended-upgrades' package. You have a high degree of control over what it does (i.e. security updates only etc)
https://wiki.debian.org/UnattendedUpgrades

Personally I go for the 'nag' option, 'apticron': it mails me a list of packages that are upgradable, with a summary of the changes, at whatever interval I like. Weekly is usually good enough.

tomxi
Posts: 10
Joined: Mon Jun 01, 2015 12:58 pm

Re: glibc vulnerability - is raspbian affected?

Sat Feb 20, 2016 11:06 am

psergiu wrote:You might want to do some checking, not rebooting blindly.
Thanks. Though for the time being I am content rebooting blindly. But at some later time I'll read up on configuring email and then I'll revisit your notification script here.
fsr wrote:Have a look at the 'unattended-upgrades' package
Ok that may well be a better long term solution. But it also looked more complex to learn and set up so I'll stay with the cron solution for now.
