How to Fix and Patch New glibc Vulnerability CVE-2015-7547 in Linux

CERT has issued an vulnerability alert VU#457759 for glibc.

If you have glibc installed on your system, during the DNS resolver, it may be vulnerable to stack buffer overflow.

This article explains how to fix this glibc vulenrability on your server.

This issue is documented here: CVE-2015-7547

Versions affected: All glibc from 2.9 to 2.22 are affected by this vulnerability.

For example, on CentOS 6, I had the following glibc-2.12 version, which was vulnerable to this exploit.

# rpm -qa | grep -i glibc
glibc-2.12-1.149.el6_6.5.x86_64
glibc-headers-2.12-1.149.el6_6.5.x86_64
glibc-common-2.12-1.149.el6_6.5.x86_64
glibc-devel-2.12-1.149.el6_6.5.x86_64

This vulnerability has been there since glibc 2.9 which was originally released on Nov 2008. Now that this has become uncovered, you should patch your system immediately.

For CentOS/RedHat, only version 6 and 7 are affected. CentOS 5 (RedHat 5) and older versions are not affected by this. Here are the details from RedHat (CVE-2015-5229)

CentOS 6 (RedHat 6)

On CentOS (or RedHat, or other RHEL based system), when you do yum info glibc, you’ll see the following new version with this vulnerability fixed in the “updates” repository.

# yum info glibc
Name        : glibc
Arch        : x86_64
Version     : 2.12
Release     : 1.166.el6_7.7
Size        : 3.8 M
Repo        : updates
Summary     : The GNU libc libraries

To fix the problem, just do the following.

This will update the main glibc package, and the dependent glibc-common, glibc-devel and glibc-header to the latest version with the issue fixed.

# yum -y update glibc
..
Updated: glibc.x86_64 0:2.12-1.166.el6_7.7

Dependency Updated:
  glibc-common.x86_64 0:2.12-1.166.el6_7.7
  glibc-devel.x86_64 0:2.12-1.166.el6_7.7
  glibc-headers.x86_64 0:2.12-1.166.el6_7.7

Note: If you see that it is not showing the above new version, probably your yum cache should be updated. In that case, do the following and then try the yum update again.

yum clean all

yum -y update glibc

CentOS 7 (RedHat 7)

On CentOS 7, I had the following version, which was affected by this vulnerability.

# cat /etc/redhat-release 
CentOS Linux release 7.2.1511 (Core) 

# rpm -qa | grep -i glibc
glibc-2.17-106.el7_2.1.x86_64
glibc-devel-2.17-106.el7_2.1.x86_64
glibc-common-2.17-106.el7_2.1.x86_64
glibc-headers-2.17-106.el7_2.1.x86_64

Do the following to fix the problem on CentOS 7.

yum clean all

yum -y update glibc

The above will install the following version, where this vulnerability is fixed:

# rpm -qa | grep glibc
glibc-common-2.17-106.el7_2.4.x86_64
glibc-2.17-106.el7_2.4.x86_64
glibc-headers-2.17-106.el7_2.4.x86_64
glibc-devel-2.17-106.el7_2.4.x86_64

Note: If your system is not connected to internet, or if you are not using the live update by connecting to a repository, then login to Red Hat support, click on Downloads, “RPM Search”, and seach for the new glibc version, and download those rpm packages manually and install it on your system.

For example, download the following RPM package for CentOS/RedHat 6 from RedHat support site, and using rpm command to install it as shown below.

# ls -1
glibc-2.12-1.166.el6_7.7.x86_64.rpm
glibc-common-2.12-1.166.el6_7.7.x86_64.rpm
glibc-devel-2.12-1.166.el6_7.7.x86_64.rpm
glibc-headers-2.12-1.166.el6_7.7.x86_64.rpm

# rpm -Uvh glibc-* 
Preparing...          ################# [100%]
   1:glibc-common     ################# [ 25%]
   2:glibc            ################# [ 50%]
   3:glibc-headers    ################# [ 75%]
   4:glibc-devel      ################# [100%]

Debian and Ubuntu

On debian based systems, use apt-get command, and either upgrade only glibc, or use this opportunity to upgrade all the packages including system as shown below:

sudo apt-get -u install glibc

sudo apt-get -u upgrade

For debian, look at CVE-2015-0235 (link below) from debian security tracker, which shows the exact version of glibc or eglibc where this issue is fixed. Also, check this Debian security advisor DSA-3142 (link below) more for details.

Additional Information

For those who are interested, here are some random additional information to read about this vulnerability:

• From Debian DSA-3142: Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka “GHOST.”
• From Debian Security Tracker: Qualys discovered that the gethostbyname and gethostbyname2 functions were subject to a buffer overflow if provided with a crafted IP address argument. This could be used by an attacker to execute arbitrary code in processes which called the affected functions.
• From Sourceware Bugzilla – Bug 18665 By Robert: A condition occurs when the recvfrom function receives data using a newly created buffer but does not use the newly created buffer size then the buffer is accessed and causes the program to crash.
• Google online security blog: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
• [PATCH] CVE-2015-7547 — glibc getaddrinfo() stack-based buffer overflow By Carlos O’Donell: A back of the envelope analysis shows that it should be possible to write correctly formed DNS responses with attacker controlled payloads that will penetrate a DNS cache hierarchy and therefore allow attackers to exploit machines behind such caches.