Why are we still using glibc?
>New Glibc Flaw Grants Attackers Root Access on Major Linux Distros
>Malicious local attackers can obtain full root access on Linux machines by taking advantage of a newly disclosed security flaw in the GNU C library (aka glibc).
>Tracked as CVE-2023-6246, the heap-based buffer overflow vulnerability is rooted in glibc's __vsyslog_internal() function, which is used by syslog() and vsyslog() for system logging purposes. It's said to have been accidentally introduced in August 2022 with the release of glibc 2.37.
>"This flaw allows local privilege escalation, enabling an unprivileged user to gain full root access," Saeed Abbasi, product manager of the Threat Research Unit at Qualys, said, adding it impacts major Linux distributions like Debian, Ubuntu, and Fedora.
lmao
>RCE in OpenSSH's server, on glibc-based Linux systems (CVE-2024-6387
>google paying devs to patch glibc to compile with LLVM
>GLIBC update breaking EAC for most games that use it
Open source means there's eyes on the code all the time making sure there's less vulnerabilities right?
So how can there be a bug in fucking *glibc* that allow local and remote code execution, affecting all Linux systems dating back to 2000, only be fixed in 2013 and being patched for long-term releases just now? Who has the resources to comb over long established and huge codebases to find vulnerabilities?
>A critical vulnerability has been found in glibc, the GNU C library, that affects all Linux systems dating back to 2000. Attackers can use this flaw to execute code and remotely gain control of Linux machines.
>The issue stems from a heap-based buffer overflow found in the __nss_hostname_digits_dots() function in glibc. That particular function is used by the _gethostbyname function calls.
>“A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application,” said an advisory from Linux distributor Red Hat.
>The vulnerability, CVE-2015-0235, has already been nicknamed GHOST because of its relation to the _gethostbyname function. Researchers at Qualys discovered the flaw, and say it goes back to glibc version 2.2 in Linux systems published in November 2000.
---
https://sporks.space/2022/02/27/win32-is-the-stable-linux-userland-abi-and-the-consequences
https://blog.hiler.eu/win32-the-only-stable-abi
GNU isn't Linux and Linux isn't GNU but unless musl suddenly becomes several times faster, I don't think the year of the Linux desktop is ever coming. Well, not unless it involves adding exec wine to everyone's .xprofile.
>Malicious local attackers can obtain full root access on Linux machines by taking advantage of a newly disclosed security flaw in the GNU C library (aka glibc).
>Tracked as CVE-2023-6246, the heap-based buffer overflow vulnerability is rooted in glibc's __vsyslog_internal() function, which is used by syslog() and vsyslog() for system logging purposes. It's said to have been accidentally introduced in August 2022 with the release of glibc 2.37.
>"This flaw allows local privilege escalation, enabling an unprivileged user to gain full root access," Saeed Abbasi, product manager of the Threat Research Unit at Qualys, said, adding it impacts major Linux distributions like Debian, Ubuntu, and Fedora.
lmao
>RCE in OpenSSH's server, on glibc-based Linux systems (CVE-2024-6387
>google paying devs to patch glibc to compile with LLVM
>GLIBC update breaking EAC for most games that use it
Open source means there's eyes on the code all the time making sure there's less vulnerabilities right?
So how can there be a bug in fucking *glibc* that allow local and remote code execution, affecting all Linux systems dating back to 2000, only be fixed in 2013 and being patched for long-term releases just now? Who has the resources to comb over long established and huge codebases to find vulnerabilities?
>A critical vulnerability has been found in glibc, the GNU C library, that affects all Linux systems dating back to 2000. Attackers can use this flaw to execute code and remotely gain control of Linux machines.
>The issue stems from a heap-based buffer overflow found in the __nss_hostname_digits_dots() function in glibc. That particular function is used by the _gethostbyname function calls.
>“A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application,” said an advisory from Linux distributor Red Hat.
>The vulnerability, CVE-2015-0235, has already been nicknamed GHOST because of its relation to the _gethostbyname function. Researchers at Qualys discovered the flaw, and say it goes back to glibc version 2.2 in Linux systems published in November 2000.
---
https://sporks.space/2022/02/27/win32-is-the-stable-linux-userland-abi-and-the-consequences
https://blog.hiler.eu/win32-the-only-stable-abi
GNU isn't Linux and Linux isn't GNU but unless musl suddenly becomes several times faster, I don't think the year of the Linux desktop is ever coming. Well, not unless it involves adding exec wine to everyone's .xprofile.