
glibc vulnerability - is raspbian affected?

Posted: Wed Feb 17, 2016 4:11 pm
by tomxi
There are now reports on a vulnerability in glibc. For example
http://arstechnica.com/security/2016/02 ... ulnerable/

Does raspbian have that vulnerability? Do we as end users need to do something, apart from installing updates?

Re: glibc vulnerability - is raspbian affected?

Posted: Wed Feb 17, 2016 4:27 pm
by ShiftPlusOne
Any time there's a vulnerability picked up by the news, people ask this sort of thing.

Here's how you find out:

1) Determine the version you have installed
2.19-18+deb8u3

2) Find the CVE identifier.
In this case, it's CVE-2015-7547.

3) Check the debian security tracker.
https://security-tracker.debian.org/tra ... -2015-7547
jessie (security) 2.19-18+deb8u3 fixed

Re: glibc vulnerability - is raspbian affected?

Posted: Wed Feb 17, 2016 4:38 pm
by rpdom
Do an update. You should be ok then.

libc6 version 2.19-18+deb8u2 is vulnerable.
libc6 version 2.19-18+deb8u3 is fixed.

The second one is available in Raspbian jessie now.

https://security-tracker.debian.org/tra ... -2015-7547

Re: glibc vulnerability - is raspbian affected?

Posted: Wed Feb 17, 2016 4:48 pm
by buja
The obvious next questions are:

- How do you determine which version you have installed?
- How to solve it when you have an old version? (this one is easy)

EDIT: with rpdom's reply it is now clear to me I should look for package libc6. This is not very obvious, since the article mentions glibc.

Re: glibc vulnerability - is raspbian affected?

Posted: Wed Feb 17, 2016 4:55 pm
by topguy
buja wrote: The obvious next questions are:

- How do you determine which version you have installed?

Code:

dpkg -l | grep libc6

Re: glibc vulnerability - is raspbian affected?

Posted: Wed Feb 17, 2016 5:09 pm
by buja
topguy wrote:
buja wrote: The obvious next questions are:

- How do you determine which version you have installed?

Code:

dpkg -l | grep libc6
Thanks!
I found

Code:

apt-cache showpkg libc6
However, this gives a (very) long list of software that uses libc6, with the version information itself on the bottom of that list.
This gives an indication of how much software is affected by this bug: just about everything! But of course, not every program uses the domain lookup function that contained the bug.

Re: glibc vulnerability - is raspbian affected?

Posted: Wed Feb 17, 2016 5:25 pm
by rpdom
A better command is apt-cache policy libc6

Code:

$ apt-cache policy libc6
libc6:
  Installed: 2.19-18+deb8u2
  Candidate: 2.19-18+deb8u3
  Version table:
     2.19-18+deb8u3 0
        500 http://mirrordirector.raspbian.org/raspbian/ jessie/main armhf Packages
 *** 2.19-18+deb8u2 0
        100 /var/lib/dpkg/status
That is after an "apt-get update", but not "apt-get upgrade" yet. It shows that the old version is installed and the new one is a candidate for installing.

Re: glibc vulnerability - is raspbian affected?

Posted: Wed Feb 17, 2016 5:56 pm
by hirah
I have a small issue. This is on a Wheezy raspbian.

I have version 2.13-38+rpi2+deb7u8 installed, which is vulnerable.

I do

Code:

sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade
but it is not updated.

Code:

$  apt-cache policy libc6
libc6:
  Installed: 2.13-38+rpi2+deb7u8
  Candidate: 2.13-38+rpi2+deb7u8
Any ideas?

Sources:

Code:

$ cat /etc/apt/sources.list
#deb http://mirrordirector.raspbian.org/raspbian/ wheezy main contrib non-free rpi
deb http://archive.raspbian.org/raspbian wheezy main contrib non-free
deb-src http://archive.raspbian.org/raspbian wheezy main contrib non-free

Re: glibc vulnerability - is raspbian affected?

Posted: Wed Feb 17, 2016 7:18 pm
by rpdom
Raspbian wheezy may get updates later, but the main focus is on the current jessie release.

Re: glibc vulnerability - is raspbian affected?

Posted: Wed Feb 17, 2016 7:20 pm
by psergiu
Same here. Patiently waiting for 2.13-38+deb7u10 to get built for raspbian wheezy.

Re: glibc vulnerability - is raspbian affected?

Posted: Wed Feb 17, 2016 10:37 pm
by tomxi
Thank you for these replies people!

I am on Wheezy and also have version 2.13-38+rpi2+deb7u8 after apt-get upgrade. I guess I'll try again tomorrow and see if there is a newer package then.

Re: glibc vulnerability - is raspbian affected?

Posted: Wed Feb 17, 2016 11:34 pm
by plugwash
Because the eglibc source package in raspbian wheezy has raspbian-specific modifications it doesn't get updated through the normal "automatic updates" process.

We have a tool called the "autoforwardporter" for this but it's only semi-automated. I've just kicked things off and hopefully we will have an update soon.

Re: glibc vulnerability - is raspbian affected?

Posted: Thu Feb 18, 2016 11:45 am
by plugwash
Version 2.13-38+rpi2+deb7u10 should now be available.

Re: glibc vulnerability - is raspbian affected?

Posted: Thu Feb 18, 2016 2:27 pm
by psergiu
Thank you *VERY* *MUCH* !

Code:

Preparing to replace libc6:armhf 2.13-38+rpi2+deb7u8 (using .../libc6_2.13-38+rpi2+deb7u10_armhf.deb) ...
Unpacking replacement libc6:armhf ...
Setting up libc6:armhf (2.13-38+rpi2+deb7u10) ...

Re: glibc vulnerability - is raspbian affected?

Posted: Thu Feb 18, 2016 2:50 pm
by tomxi
@plugwash, great. I've installed it now.

The first reply on this thread offered a more general action plan for how users can react to vulnerabilities
1) Determine the version [of the package] you have installed
2) Find the CVE identifier.
3) Check the debian security tracker [for the CVE identifier]
https://security-tracker.debian.org/
Later replies made clear the name in raspbian of the vulnerable package, libc6, and the command to look up what version of that package is installed

Code:

dpkg -l | grep libc6
Let me add a few questions here.
1 If tech news sites mention a particularly serious vulnerability and in this case use the term glibc, how does one find out the names of the raspbian packages that are related to glibc?
2 Is there a good way to get automatic alerts about such serious vulnerabilities that affect raspbian? I have a raspi that acts as a headless playback device of various web radio streams. I control the radio with a web interface and ssh into the device only seldom, about once a month, and only while I'm there do I run the update & upgrade commands.
3 Is it smarter, instead of trying to be alerted by particular vulnerabilities, to in some way schedule the raspi device to run update & upgrade every day? If yes, then what is a reliable way to do that? A cron job?

Perhaps my device is not very likely to get in trouble since it only contacts the same list of web radio streams. But it would still be interesting to read answers to these questions.

Re: glibc vulnerability - is raspbian affected?

Posted: Thu Feb 18, 2016 3:25 pm
by NickT
plugwash wrote: Version 2.13-38+rpi2+deb7u10 should now be available.
Yes, that version has been installed on my first revision 1 Pi, which is running Wheezy.

Re: glibc vulnerability - is raspbian affected?

Posted: Thu Feb 18, 2016 6:33 pm
by psergiu
tomxi wrote: 2 Is there a good way to get automatic alerts about such serious vulnerabilities that affect raspbian?
Subscribe to Debian-Security-Announce mailing list - https://lists.debian.org/debian-security-announce/
Raspbian is 99% Debian, so all debian bugs (unless x86-specific) will also be in raspbian.

While updating packages, services will be automatically restarted, and this might affect your radio stream playback. Also (based on my 18-year history of using Debian) there's a ~2% chance an update will fail (package dependencies, a new package version choking on old config files, disk space issues ...). While you can schedule automatic updates (with cron), my personal advice is to run them manually about once a week unless a serious vulnerability like this one pops up.

Re: glibc vulnerability - is raspbian affected?

Posted: Fri Feb 19, 2016 11:41 pm
by tomxi
psergiu wrote: Subscribe to Debian-Security-Announce mailing list - https://lists.debian.org/debian-security-announce/
Raspbian is 99% Debian, so all debian bugs (unless x86-specific) will also be in raspbian.
I browsed the items so far for 2016 on that link and I think it is too advanced for me to regularly parse. What I'd like is an alert that warns only of the "worst of the worst" vulnerabilities where it is unwise to not wait for a scheduled weekly update to run automatically (below).
psergiu wrote: While updating packages, services will be automatically restarted - and this might affect your radio stream playback.
Well I could always set it to autoupdate during the night when the radio is off and then auto reboot. After some thinking I think I'll go ahead and take the risk of something breaking through autoupdate. I have backup copies of the scripts I run on the raspi so can always format and recreate the system if some upgrade messes it up completely.

Searching for autoupdate information I found this (from 2013, but some answers are from 2015)
http://raspberrypi.stackexchange.com/qu ... up-to-date
One of the replies there describes how to crontab schedule a bash script that does the upgrade steps. I reused that and added a reboot step. Does this following look ok?

I open crontab with

Code:

sudo crontab -e
and add this

Code:

# auto upgrade every sunday at 2 am
# cron runs the script directly; "bash cd /home/pi/" would try to execute a file named "cd"
0 2 * * Sun bash /home/pi/upgrade.sh
and I save this as the file /home/pi/upgrade.sh

Code:

#!/bin/sh
# runs from root's crontab, so apt-get has the privileges it needs
apt-get update
# -y (or --yes) answers the prompts; "-yes" is not one option
apt-get upgrade -y
apt-get clean
sleep 3
reboot

Re: glibc vulnerability - is raspbian affected?

Posted: Sat Feb 20, 2016 2:27 am
by psergiu
You might want to do some checking, not rebooting blindly. (This assumes you have a working email service configured on your RPi with proper settings on your internet egress.)

Code:

#!/bin/sh
# placeholder recipient: put your own address here
MAILTO="admin@example.com"
apt-get update > /tmp/upgradelog.txt 2>&1
apt-get upgrade -y >> /tmp/upgradelog.txt 2>&1
EXITCODE=$?                  # $? is the exit status of the last command
if [ "$EXITCODE" -ne 0 ]     # a space is required before ]
then
  mailx -s "upgrade error $EXITCODE" "$MAILTO" < /tmp/upgradelog.txt
  exit "$EXITCODE"
else
  apt-get clean
  sync;sync;sync
  sleep 3
  reboot
fi


Re: glibc vulnerability - is raspbian affected?

Posted: Sat Feb 20, 2016 9:12 am
by fsr
No need to reinvent the wheel. Debian (and hence Ubuntu/Mint/Raspbian) has always had the ability to automatically upgrade.
Have a look at the 'unattended-upgrades' package. You have a high degree of control over what it does (i.e. security updates only etc)
https://wiki.debian.org/UnattendedUpgrades

Personally I go for the 'Nag' option - 'apticron' - it mails me a list of packages that are upgradable with a summary of the changes at whatever interval I like. Weekly is usually good enough.
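
As an added illustration of fsr's suggestion (not configuration from this thread or from the unattended-upgrades project), here is the part of the setup that catches people out on Raspbian. The stock 50unattended-upgrades file only allows Debian's security archive, whether that is written as an Allowed-Origins entry for "${distro_id}:${distro_codename}-security" or as an Origins-Pattern for origin=Debian with the Debian-Security label. Raspbian's sources carry neither: as rpdom's apt-cache policy output above shows, the glibc fix arrived through plain jessie/main from the Raspbian mirror, so with the default pattern unattended-upgrades would install nothing and report nothing. The origin and label values below are assumptions to confirm on your own box with `apt-cache policy` run without a package name, which prints each source's o= (origin), n= (codename) and l= (label) fields; the reboot and mail options should likewise be checked against the commented options in the 50unattended-upgrades file your release ships.

```conf
// /etc/apt/apt.conf.d/20auto-upgrades : refresh the package lists and run the upgrade daily
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

// /etc/apt/apt.conf.d/50unattended-upgrades (the relevant part only)
// Default pattern, matches nothing on Raspbian (there is no raspbian "jessie-security" suite):
//   Unattended-Upgrade::Allowed-Origins { "${distro_id}:${distro_codename}-security"; };
// Match the Raspbian archives instead. Values assumed; verify o= and l= with: apt-cache policy
Unattended-Upgrade::Origins-Pattern {
    "origin=Raspbian,codename=${distro_codename},label=Raspbian";
    "origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation";
};
// Reboot only when an upgraded package asks for it, and at a quiet hour for the radio
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
// Mail the run log so a failed upgrade is noticed; needs working mail, as psergiu notes above
Unattended-Upgrade::Mail "root";
```

Unlike a cron job that runs apt-get upgrade -y, this only installs packages from the origins listed, logs every run under /var/log/unattended-upgrades, and holds back packages whose dependencies cannot be resolved rather than aborting halfway.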

Re: glibc vulnerability - is raspbian affected?

Posted: Sat Feb 20, 2016 11:06 am
by tomxi
psergiu wrote: You might want to do some checking, not rebooting blindly.
Thanks. Though for the time being I am content rebooting blindly. But at some later time I'll read up on configuring email and then I'll revisit your notification script here.
fsr wrote: Have a look at the 'unattended-upgrades' package
Ok that may well be a better long term solution. But it also looked more complex to learn and set up so I'll stay with the cron solution for now.