How To Patch and Protect Linux Glibc Getaddrinfo Stack-based Buffer Overflow Zero Day Vulnerability CVE-2015-7547 and CVE-2015-5229 [ 16/Feb/2016 ]

Author: Last updated: February 17, 2016 14 comments
A stack-based critical buffer overflow was found in the way the libresolv library (glibc) performed dual A/AAAA DNS queries. A remote attacker could crash or, potentially, execute code running the library on Linux. How do I patch and protect my server or workstation against the glibc getaddrinfo on Linux operating system?

GNU C Library (glibc) could be made to crash or run programs or commands if it received specially crafted network traffic. The vulnerability was first reported by Google and Red Hat.

ADVERTISEMENTS

What is the GNU C Library vulnerability?

All the versions of glibc since 2.9 are affected by this bug. The exploit will likely trigger a DNS lookup from a vulnerable system. DNS-based remote code execution vulnerability can cause serious problems. The CVE-2015-5229 causes calloc to return non-zero memory. This can also use to create a denial of service attack. The best option is to patch both Linux based server and client/workstation/laptop against CVE-2015-7547 and CVE-2015-5229.

A list of affected Linux distributions

  1. Red Hat Enterprise Linux Server 7
  2. Red Hat Enterprise Linux Server 6
  3. CentOS Linux 7
  4. CentOS Linux 6
  5. Debian Linux 6 squeeze
  6. Debian Linux 7 wheezy
  7. Debian Linux 8 jessie
  8. Ubuntu Linux 15.10
  9. Ubuntu Linux 14.04 LTS
  10. Ubuntu Linux 12.04 LTS
  11. SUSE Linux Enterprise Linux 11
  12. SUSE Linux Enterprise Linux 12
  13. openSUSE Leap 42.1

What GNU C library (Glibc) version does my Linux system use?

Type the following apt-get command:
$ ldd --version
Sample outputs from Ubuntu Linux 14.04 LTS:

ldd (Ubuntu EGLIBC 2.19-0ubuntu6.6) 2.19
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

Fix the Glibc Getaddrinfo vulnerability on a Debian or Ubuntu Linux

Type the following command:
$ sudo apt-get update
$ sudo apt-get upgrade
Sample outputs:

Fig.01: Fix the glibc vulnerability on a Ubuntu/Debian Linux

Fig.01: Fix the glibc vulnerability on a Ubuntu/Debian Linux

Here are fixed versions:

  • Ubuntu 15.10: libc6 2.21-0ubuntu4.1
  • Ubuntu 14.04 LTS: libc6 2.19-0ubuntu6.7
  • Ubuntu 12.04 LTS: libc6 2.15-0ubuntu10.13

You must restart the services that depends upon glibc or best option is to reboot the box as per your schedule:
$ sudo reboot

Fix the Glibc Getaddrinfo vulnerability on a RHEL/CentOS Linux

Type the following yum command:
$ sudo yum clean all
$ sudo yum update
You must restart the services that depends upon glibc or best option is to reboot the box as per your schedule:
$ sudo reboot
RHEL/CentOS 7 users can simply run the following command and avoid the rebooting system:
$ sudo systemctl daemon-reexec

Fix the Glibc Getaddrinfo on a SUSE Linux Enterprise (and opensuse)

To simply update installed glibc packages with their newer available versions, run:
# zypper up

References and more info:
🐧 Get the latest tutorials on SysAdmin, Linux/Unix, Open Source/DevOps topics:
UP NEXT
CategoryList of Unix and Linux commands
File Managementcat
FirewallCentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNCentOS 8 Debian 10 Firewall Ubuntu 20.04

ADVERTISEMENTS
14 comments… add one
  • ling Feb 18, 2016 @ 5:58

    thank you

    Reply Link
  • Leandro Feb 18, 2016 @ 9:24

    I’ve followed the steps and now when I run:
    ldd –version

    I get this output:

    ldd (Ubuntu EGLIBC 2.19-0ubuntu6.7) 2.19

    Is this the output of the upgraded “fixed” glibc?

    Reply Link
  • Leandro Feb 18, 2016 @ 9:24

    Is this the correct output once we upgraded glibc?
    ldd (Ubuntu EGLIBC 2.19-0ubuntu6.7) 2.19

    Reply Link
  • Hans Maiser Feb 18, 2016 @ 14:03

    Hi, thanks for this article.

    I have a Debian 7.8.

    Before upgrading my version was:
    ldd (Debian EGLIBC 2.13-38+deb7u8) 2.13

    Now its:
    ldd (Debian EGLIBC 2.13-38+deb7u10) 2.13

    Is this correct?

    Reply Link
  • u-map Feb 18, 2016 @ 14:22

    On redhat, just updating glibc won’t do the trick?
    yum update glibc

    Reply Link
    • 🐧 Vivek Gite Feb 18, 2016 @ 17:33

      Yup. But, it is a good idea to apply all updates:)

      Reply Link
  • Vito Feb 18, 2016 @ 14:42

    Thank you very much for this article! Keep it up :)

    Reply Link
  • Dave B Feb 18, 2016 @ 20:24

    Many thanks for the concise instructions how to fix this.

    All the best.

    DB

    Reply Link
  • Richard Sohal Feb 19, 2016 @ 20:36

    I have ubuntu 7.21 and glibc ver is 2.11.1
    Before update –
    ldd (Ubuntu EGLIBC 2.11.1-0ubuntu7.21) 2.11.1

    I did the the above steps but get the same result
    ldd (Ubuntu EGLIBC 2.11.1-0ubuntu7.21) 2.11.1

    Reply Link
  • Dave Feb 23, 2016 @ 2:42

    Does the glibc update require an system reboot? I’m asking for RHEL & SLES

    Reply Link
  • Zack Feb 25, 2016 @ 0:48

    My Debian has no internet connection. How to download the updates manually and apply the fixes?

    Reply Link
  • Lian Mar 16, 2016 @ 7:28

    I am happy to have this one fixed. I will also add my voice to calls to retire C. (despite being a C programmer) protection of arrays should be mandatory in any modern language.

    Reply Link

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre>, <code>...</code> and <kbd>...</kbd> for code samples.

Next FAQ:

Previous FAQ: