5

There is a right way to patch GHOST on Debian Lenny and Squeeze?

According to this link there are no plans to patch Lenny https://security-tracker.debian.org/tracker/CVE-2015-0235

Thanks!

user200799
  • 63
  • 1
  • 3

5 Answers5

7

Install devscripts

Get the patch for lenny from http://pastebin.com/Hhsut197 (based on the official glibc patch, removed ChangeLog, NEWS stuff, adapted Makefile for lenny, removed patch #2 for getXXbyYY_r.c)

Run: apt-get update && apt-get source libc6; apt-get build-dep libc6

Copy your patch in glibc-2.7/debian/patches/all

Add the patch name in glibc-2.7/debian/patches/series

Run rebuild (or install devscripts package and run debuild) and you should be done

The idea should be the same for etch. Adapted patch for etch is here: pastebin.com/UXGnJd6A

Squeeze is patched (libc6-2.11.3-4+deb6u4) only if you have squeeze-lts repository in your sources.list:

deb http://ftp.uk.debian.org/debian squeeze-lts main
Michal Švamberg
  • 3
  • 1
Michael
  • 71
  • 2
  • The patch for lenny doesn't apply. All hunks on `nss/digits_dots.c` fail. – jonhattan Jan 28 '15 at 19:03
  • 1
    Michael's procedure worked for me but not the patchfile that was provided; here's the patch that worked for me: http://pastebin.com/N0SSivW6 EDIT: actually, I'm willing to bet that one doesn't work either, due to screwy whitespace issues from cutting and pasting; I'll put it directly here: http://richardhoward.net/lenny-ghost.diff – rhowardiv Jan 28 '15 at 19:18
  • Sorry, but can you write de command needed to "debuild" or "rebuild", I don't know if debuild is the correct name or if there is a mistake and the correct command is rebuild. Thanks –  Jan 29 '15 at 08:35
  • I complete the build using the Michael and rhowardiv indications to update the libc6 packages in debian 5 lenny. You can see the detailed procedure here: https://gist.github.com/eduherraiz/b3180f2c405a91a2ef25 –  Jan 30 '15 at 08:25
  • thanks for deb http://ftp.uk.debian.org/debian squeeze-lts main – Isis Apr 06 '15 at 15:35
3

You can also use the eglibc patch from Squeeze LTS to build patched Lenny packages: http://sources.debian.net/data/main/e/eglibc/2.11.3-4+deb6u4/debian/patches/any/cvs-gethostbyname.diff

Put it in glibc-2.7/debian/patches/any and add it to the end of the glibc-2.7/debian/patches/series file. Now build the packages, upgrade your system with them and test your system with the GHOST tool: https://webshare.uchicago.edu/orgs/ITServices/itsec/Downloads/GHOST.c

Jeremy

autostatic
  • 31
  • 2
1

I've recompiled the glibc-2.7 sources for Debian Lenny including the CVE-2015-0235 patch of Debian Squeeze LTS.

As it takes quite some time to compile these packages you may grab a copy via https://flo.sh/debian-lenny-cve-2015-0235-glibc-patch/

Vulnerability check looks ok, now: [00:15:26] root@[...]: /usr/src/ghost> ./ghost not vulnerable

Thank you guys for adding this compact summary on this issue, -Flo

Flo
  • 45
  • 1
0

Note, that you must have a source repository set-up in your /etc/apt/sources.list :

deb http://archive.debian.org/debian/ lenny main contrib non-free
deb-src http://archive.debian.org/debian/ lenny main contrib non-free
jlecour
  • 236
  • 2
  • 6
0

I was waiting to see if someone would package a lenny glibc .deb like a guy from linux.it did for shell shock.

Finally, I did it myself and managed to apply the original patch from pastebin.com mentioned previously width -l option to patch.

We have also old debian sarge still running, and the same patch could be applied to glibc-2.3.2 with little modification:

http://www.saitis.net/~ndesir/cve-2015-0235-old-debian/sarge/cve-2015-0235.dpatch

and add it to debian/patches/00list before running debuild

seems to work well till now.

If you trust me enough, http://www.saitis.net/~ndesir/cve-2015-0235-old-debian/ also contains the .deb for lenny and sarge (intel).

Nicolas
  • 1