New 'Looney Tunables' Linux bug gives root on major distros
From BleepingComputer.
It says "sysadmins should prioritise patching", but... has it been patched yet?
Just like…make a patch. It’s not that hard lol /j
To show you the power of Flex Tape, I sawed this library in half!
Yes, most of the major distributions have package updates with the fix. A few people have mentioned updates for Arch, Debian, and RedHat already.
Ubuntu released an update yesterday as well:
https://launchpad.net/ubuntu/+source/glibc/2.35-0ubuntu3.4
Ubuntu derivatives such as Pop!_OS should have also received this update, along with the X11 patches.
I wonder if this could be used to root previously unrootable Android based devices.
Android doesn't use glibc, but Bionic, a C standard library developed by Google. So I don't think this vulnerability affects Android.
Think Android uses Bionic instead of glibc (where the vulnerability is being exploited).
Just got some glibc updates in Arch yesterday. I wonder if they contain fixes for this.
Makes me wonder. LMDE got a glibc update too and Mint is very much not leading edge when it comes to non-critical updates.
Case in point, at roughly the same time as the glibc update, we (LMDE users) were upgraded to the latest Thunderbird, 115.3.1, four or five days after that sub-version came out. That's the sort of lag we generally see. (115.x was a bit of a surprise too as we've been on 102.x, but that's not strictly relevant here.)
Ran nala after seeing this post and got a libc update on Debian myself
Wonder if musl is fine. If so, Void people are certainly having fun now.
Distro developers were notified a month ago. At least Redhat and Debian have published fixed versions. This is common procedure.
Security through obscurity is never good.
It's better that vulnerabilities be discussed openly. In general, people knowing the truth allows them to make better decisions.
It's not only the good guys that find vulnerabilities. There're many states and companies (selling to those governments) as well as regular criminal organizations paying people for vulnerabilities and exploits.
If the issue wasn't reported, it is likely that it would have been found by someone else at some point. It might even be known already, but just not reported.
It’s always memory management
No wonder everyone's crazy about Rust.
It's certainly why it is being used to build browsers and OSs now. Those are places where memory management problems are a huge problem. It probably doesn't make sense for every match 3 game to be made in Rust, but when errors cause massive breaches or death, it's a lot safer than C++, taking human fallibility into account.
Didn't Microsoft do a study on security vulnerabilities and find that the overwhelming number of bugs was due to memory management?
I think you're referring to this: https://www.zdnet.com/article/microsoft-70-percent-of-all-security-bugs-are-memory-safety-issues/
See? All code sucks.