this post was submitted on 01 Feb 2024
68 points (97.2% liked)

Linux

5483 readers
317 users here now

A community for everything relating to the linux operating system

Also check out [email protected]

Original icon base courtesy of [email protected] and The GIMP

founded 2 years ago
MODERATORS
 

๐Ÿ˜ฑ

all 11 comments
sorted by: hot top controversial new old
[โ€“] [email protected] 14 points 10 months ago

Very well executed responsible disclosure. Good to see all the linux distro's and vendors cooperating. Read the timeline :
https://blog.qualys.com/vulnerabilities-threat-research/2024/01/30/qualys-tru-discovers-important-vulnerabilities-in-gnu-c-librarys-syslog

[โ€“] jeremyparker 9 points 10 months ago* (last edited 10 months ago) (2 children)

Noob question: that's a really old library, right? Has this issue been there for decades before someone found it, or is this vulnerability part of some newer addition to it?

Edit: I didn't understand the first sentence of the article so I figured I wouldn't understand any of it -- but my question is answered pretty early on:

It's said to have been accidentally introduced in August 2022 with the release of glibc 2.37.

[โ€“] swordsmanluke 8 points 10 months ago

glibc is the library that provides basic functionality for C programs. It provides the bottom level implementation for things like opening files, requesting memory, and other OS-level stuff.

glibc isn't the only implementation out there. Even on Linux, there are other options, such as muslc.

It gets updated regularly, as the C standard or operating system needs. So while it has been around for a very long time (by software standards anyway) it's still an active and evolving piece of software. --and one that underpins many critical functions of our systems.

[โ€“] CameronDev 3 points 10 months ago

Its been around a long time, but evolves with the C standard and the linux kernel. It is basically a layer between C and the kernel.

[โ€“] [email protected] 8 points 10 months ago (1 children)
[โ€“] [email protected] 5 points 10 months ago (1 children)
[โ€“] [email protected] 2 points 10 months ago

Don't worry, it's extremely unlikely, given how large and ancient glibc is. The most that might happen is that some new parts are implemented in Rust.

[โ€“] [email protected] 6 points 10 months ago* (last edited 10 months ago)

updated glibc already pushed to fedora repos.

[โ€“] costalfy 3 points 10 months ago
[โ€“] [email protected] 1 points 10 months ago

OpenSuse Tumbleweed uses 2.38 so not affected by this.