Upgrading glibc for the GHOST Vulnerability

Updated by James Stewart

GHOST is a vulnerability in the glibc library on Linux systems that was announced on January 27th 2015. It affects all Linux distributions running versions of glibc older than 2.18, and is a buffer overflow in the __nss_hostname_digits_dots() function. This guide shows how to safely upgrade your Linux distribution and secure your Linode against the GHOST vulnerability.

Affected Distributions/Versions

Patches are currently available for:

  • Debian 7
  • CentOS 6 & 7
  • Ubuntu 12.04

Distributions that are unaffected are as follows:

  • Fedora 20 & 21
  • Ubuntu 14.04 and 14.10
  • Arch
  • OpenSuse 13.2

Older, unsupported versions of the listed distributions may not have patches available. We recommend upgrading any systems still running unsupported distributions.

Checking Installed glibc version

You can check the version of glibc on your system using your package manager.

Debian and Ubuntu

To check the version of glibc on your system, run the following command. In the output, look for the line beginning with Version:

# aptitude show libc6
Package: libc6
State: installed
Automatically installed: no
Multi-Arch: same
Version: 2.13-38+deb7u6
Priority: required
Section: libs
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Architecture: amd64
Uncompressed Size: 9,687 k
Depends: libc-bin (= 2.13-38+deb7u6), libgcc1
Suggests: glibc-doc, debconf | debconf-2.0, locales
Conflicts: prelink (<= 0.0.20090311-1), tzdata (< 2007k-1), tzdata-etch
Breaks: locales (< 2.13), locales-all (< 2.13), lsb-core (<= 3.2-27), nscd (< 2.13)
Replaces: libc6-amd64
Provides: glibc-2.13-1
Description: Embedded GNU C Library: Shared libraries
 Contains the standard libraries that are used by nearly all programs on the system. This package includes shared versions of the standard C library and the
 standard math library, as well as many others.
Homepage: http://www.eglibc.org

On Debian 7 systems, versions of glibc earlier than 2.13-38+deb7u7 are vulnerable, and on Ubuntu 12.04, versions before 2.15-0ubuntu10.10.

CentOS 6 & 7

To check the version of glibc on your system, run the following command. In the output, look for the line beginning with Release: under the Installed Packages heading:

# yum info glibc

....

Installed Packages
Name        : glibc
Arch        : x86_64
Version     : 2.17
Release     : 55.el7_0.1
Size        : 13 M
Repo        : installed
From repo   : updates
Summary     : The GNU libc libraries
URL         : http://www.gnu.org/software/glibc/
License     : LGPLv2+ and LGPLv2+ with exceptions and GPLv2+
Description : The glibc package contains standard libraries which are used by
            : multiple programs on the system. In order to save disk space and
            : memory, as well as to make upgrading easier, common system code is
            : kept in one place and shared between programs. This particular package
            : contains the most important sets of shared libraries: the standard C
            : library and the standard math library. Without these two libraries, a
            : Linux system will not function.

On CentOS 7 systems, versions of glibc before glibc-2.17-55.el7_0.5 are vulnerable, and on CentOS 6 versions before glibc-2.12-1.149.el6_6.5.
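A check that applies the version thresholds from the Debian/Ubuntu and CentOS sections above, written as an added example for this guide (it is not Linode's code): it pulls the installed version out of the aptitude show libc6 or yum info glibc output shown above and compares it with the fixed versions given in the text, using a simplified rpmvercmp-style comparison that is sufficient for these version strings. The distribution keys and the sample outputs are constructed for the example.

```python
import re

# Fixed glibc package versions quoted in this guide; the distro keys are this example's own labels.
FIXED_VERSIONS = {
    "debian7": "2.13-38+deb7u7",
    "ubuntu1204": "2.15-0ubuntu10.10",
    "centos7": "2.17-55.el7_0.5",
    "centos6": "2.12-1.149.el6_6.5",
}

def tokenize(version):
    """Split a version into numeric and alphabetic runs; '.', '-', '+', '_' only
    separate tokens. Mirrors rpmvercmp; sufficient for the strings in this guide."""
    return [int(t) if t.isdigit() else t
            for t in re.findall(r"\d+|[A-Za-z]+", version)]

def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ta, tb = tokenize(a), tokenize(b)
    for x, y in zip(ta, tb):
        if type(x) is not type(y):
            return 1 if isinstance(x, int) else -1  # numeric run beats alphabetic run
        if x != y:
            return 1 if x > y else -1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))

def installed_glibc_version(output):
    """Extract the installed version from `aptitude show libc6` (Version: line) or
    `yum info glibc` (first Version:/Release: pair, i.e. under Installed Packages)."""
    version = release = None
    for line in output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Version" and version is None:
            version = value.strip()
        elif key.strip() == "Release" and release is None:
            release = value.strip()
    if version is None:
        raise ValueError("no Version: line in package manager output")
    return f"{version}-{release}" if release else version

def is_vulnerable(distro, output):
    """True if the installed glibc is older than the fixed version for that distro."""
    return compare_versions(installed_glibc_version(output), FIXED_VERSIONS[distro]) < 0

# Constructed excerpts of the two commands' output as shown in this guide.
APTITUDE_SAMPLE = "Package: libc6\nState: installed\nVersion: 2.13-38+deb7u6\n"
YUM_SAMPLE = ("Installed Packages\nName        : glibc\nArch        : x86_64\n"
              "Version     : 2.17\nRelease     : 55.el7_0.1\n")
```

Feed it the real command output captured on the host (for example via subprocess) to turn it into a fleet-wide check; the package check is also the fallback when gcc is not installed.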

Testing with GCC

The original security advisory for CVE-2015-0235 included the following code to test for the vulnerability. This method requires that you have gcc installed on your system. If you don’t have it, install it from your package manager, or use the package-manager version check above.

  1. Create a GHOST.c file with the following contents.

    ~/GHOST.c
    #include <netdb.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <errno.h>
    
    #define CANARY "in_the_coal_mine"
    
    /* A known value placed directly after the buffer: if gethostbyname_r()
       writes past the end of the buffer, the canary is overwritten. */
    struct {
      char buffer[1024];
      char canary[sizeof(CANARY)];
    } temp = { "buffer", CANARY };
    
    int main(void) {
      struct hostent resbuf;
      struct hostent *result;
      int herrno;
      int retval;
    
      /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
      /* A name of exactly this length makes a vulnerable glibc underestimate the
         space it needs by a few bytes, so its copy runs past the buffer. */
      size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
      char name[sizeof(temp.buffer)];
      memset(name, '0', len);   /* all-digit name, handled by __nss_hostname_digits_dots() */
      name[len] = '\0';
    
      retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);
    
      /* Canary clobbered: the overflow happened. */
      if (strcmp(temp.canary, CANARY) != 0) {
        puts("vulnerable");
        exit(EXIT_SUCCESS);
      }
      /* A patched glibc reports the buffer as too small instead of overflowing it. */
      if (retval == ERANGE) {
        puts("not vulnerable");
        exit(EXIT_SUCCESS);
      }
      puts("should not happen");
      exit(EXIT_FAILURE);
    }
    
  2. Compile the program:

    gcc GHOST.c -o GHOST
    
  3. Run the compiled GHOST binary. Your terminal should print “vulnerable” or “not vulnerable” depending on your system’s status.

    ./GHOST
    

Installing the Upgrade

Below is the relevant information for upgrading glibc and ensuring that your Linode is no longer vulnerable to the bug. Each section is designed for individual distributions. The sections are written with the assumption that you have root access or sudo privileges. If you do not, you will not be able to run these commands.

You will need to reboot after completing your upgrade to ensure that the vulnerable code no longer remains in your system's memory. Once you have rebooted, we recommend re-running the program created in the Testing with GCC section to confirm that the patch has been applied.

Ubuntu and Debian

To upgrade glibc on Ubuntu and Debian, run the following commands to refresh the package lists and upgrade via the package manager. If you are not running as the root user, prepend sudo to each command:

apt-get update
apt-get dist-upgrade

If you have packages that depend on older versions of other packages, you may want to use apt-get with the upgrade option rather than dist-upgrade. This prevents packages with older dependencies from being removed from your system. If you use this method, check the command output to ensure that the patched version of glibc is actually installed.

CentOS and Fedora

To upgrade glibc on yum based systems such as CentOS and Fedora, run these commands to update and upgrade via the package manager. If you are not running as the root user, prepend sudo to each command:

yum clean all
yum update

More Information

You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

This guide is published under a CC BY-ND 4.0 license.