CVE 2015-0235

From BCCD 3.0

Jump to: navigation, search

Contents

Introduction

This document explains a security vulnerability called CVE 2015-0235 that affects versions of the Debian operating system, including BCCD. It includes instructions for protecting your BCCD system from the vulnerability.

CVE 2015-0235 is a heap overflow bug in the DNS PTR (IN-ADDR.ARPA zone) parsing logic in glibc. By convincing a victim system to look up a PTR record, an attacker can execute arbitrary code in the client process with the same privileges as that process. Since even root processes make heavy use of glibc, this can be a vector for compromising both regular user and administrator accounts.

Scope

As this bug was introduced in 2000, essentially all systems using a GNU-based userspace are vulnerable to this bug. This includes all releases of BCCD up through v3.3.2, including v2 releases. Both live and liberated modes are impacted.

Patched release

As of 2015-02-01, the only BCCD release not vulnerable to this bug is v3.3.3. Subsequent releases will contain the patch. See the download page for links.

Patching existing BCCD v3.3.x installs

This document describes how to patch an existing BCCD v3.3.x liberated install that you would like to save without having to reinstall. Note that releases prior to v3.3.1 cannot be upgraded in this fashion, as Debian no longer supports those OS releases.

  1. Run this command, supplying the BCCD user password when prompted:
    sudo wget --no-check-certificate -O /etc/apt/sources.list https://cluster.earlham.edu/svn/bccd-ng/tags/bccd-3.3.3/packages/etc/apt/sources.list
  2. Run this command:
    sudo apt-get update
  3. Run this command:
    sudo aptitude -y full-upgrade
    • You might be prompted about untrusted packages - you should answer Yes.
  4. Reboot your system (important to clear out any processes that might be using the old glibc)
Personal tools
Namespaces
Variants
Actions
Navigation
Toolbox