Monday, October 9, 2023

Time to patch Linux

I've run Linux for years in large part because it's been more secure.  But not invulnerable:

Grab security updates for your Linux distributions: there's a security hole that can be fairly easily exploited by rogue users, intruders, and malicious software to gain root access and take over the box.

Specifically, a buffer overflow vulnerability in the GNU C Library's handling of an environmental variable was spotted by security firm Qualys, which has gone public with some of the details now that patches are being emitted.

The flaw, dubbed Looney Tunables, arises from the GNU C Library's dynamic loader (ld.so) mishandling of the GLIBC_TUNABLES environmental variable. And because GNU C Library, commonly known as glibc, is found in most Linux systems, this is something of an issue.

Essentially, setting GLIBC_TUNABLES to a carefully crafted value can cause a buffer overflow, which could lead to arbitrary code execution within the loader, allowing it to be hijacked.

Besides the funny name, this vulnerability has a very 1990s feel to it.  In any case, if you run Linux, get patching.

4 comments:

  1. GNU C, you've got some 'splainin' to do!

    ReplyDelete
  2. Is that why my frequently updated Debian systems suddenly have a zillion packages to update?

    ReplyDelete
  3. That's why my Update Manager is set to check for updates 10 minutes after bootup and every two hours thereafter. It lights up an icon at the bottom of my screen if there are updates available. Running Linux Mint.

    ReplyDelete
  4. Waiting for it to hit the repos here...

    ReplyDelete

Remember your manners when you post. Anonymous comments are not allowed because of the plague of spam comments.