Multilib glibc patched for GHOST vulnerability (CVE-2015-0235)

There was some unrest about the most recent glibc update in the stable releases of Slackware (slackware-current excluded). Glibc was patched against a new vulnerability, CVE-2015-0235, for which the only known exploit currently is in the MTA Exim (software which is not part of Slackware) and an exploit for this vulnerability is difficult to write apparently. I usually am quite fast in following up on Slackware updates for gcc and especially glibc. This time, I was busy with answering questions about the new KDE 5 at night, and buried in shit at work during the day.

Nevertheless, when there were no updated multilib versions of glibc the next day, some people asked when they could expect a patched package. Others were less polite and demanded updated packages. That sucked.

Here is where you can find the updated packages:

For the uninitiated: multilib is needed if you want to use binary-only 32-bit software on 64-bit Slackware. Examples of that are Skype, Valve’s Steam Client, the WINE emulator, the Pipelight browser plugin, Citrix client etc.

Instructions on how to add or update multilib on your 64-bit Slackware can be found on the Slackware Documentation Project.

Cheers, Eric

 

13 thoughts on “Multilib glibc patched for GHOST vulnerability (CVE-2015-0235)”

  1. I’ve managed to goof things up with the Ghost fix. I failed to think and used slackpkg to address the problem. Now I can’t run my single 32-bit package. I’m trying to figure out how to fix this. I’ve gone and blacklisted things according to directions, but it’s too late to save me on this.

    Do you have any ready-made directions that might allow me to fix this?

    Thanks.




  2. MikeVx – if you used slackpkg and did not blacklist my packages, then slackpkg will have installed Slackware’s own gcc and glibc.
    If that is the case, simply install the gcc and glibc packages manually (using upgradepkg) and then add these blacklist lines to slackpkg’s blacklist file:

    [0-9]+alien
    [0-9]+compat32
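
The blacklist step from the reply above, as an added example that is not part of the original post or its comments: one function adds the two patterns to a blacklist file idempotently, the others report which installed packages the blacklist covers and which gcc/glibc packages it does not. The function names, the paths in the comments and the reading of blacklist lines as extended regular expressions are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: slackpkg applies each
# non-comment blacklist line as an extended regular expression to package names.
# Typical paths on Slackware: /etc/slackpkg/blacklist and /var/log/packages.

# Append the two multilib patterns to blacklist file $1 unless already there.
ensure_multilib_blacklist() {
    for pat in '[0-9]+alien' '[0-9]+compat32'; do
        grep -qxF -e "$pat" "$1" 2>/dev/null || printf '%s\n' "$pat" >> "$1"
    done
}

# Print packages in database directory $2 that blacklist file $1 covers.
blacklisted_packages() {
    pats=$(mktemp) || return 1
    # Drop comments and blank lines: an empty pattern would match everything.
    grep -Ev '^[[:space:]]*(#|$)' "$1" > "$pats" || true
    rc=0
    ls "$2" | grep -E -f "$pats" || rc=$?
    rm -f "$pats"
    return $rc
}

# Print gcc/glibc packages the blacklist does not cover, i.e. stock builds
# that slackpkg may have installed over the multilib ones.
unprotected_toolchain() {
    covered=$(blacklisted_packages "$1" "$2") || true
    ls "$2" | grep -E '^(gcc|glibc)-' | while read -r p; do
        printf '%s\n' "$covered" | grep -qxF -e "$p" || printf '%s\n' "$p"
    done
}
```

Any name printed by `unprotected_toolchain` is a candidate for reinstalling from the multilib repository with upgradepkg, as the reply describes.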



  3. “And there was much rejoicing!”

    That did it. I have Skype operating again, and I can now see to installing my old 32-bit games and such. (The Skype was critical, and thus the one thing I had to make work, the rest, nice but survivable if I couldn’t have them.)

    I had already blacklisted your packages in slackpkg when I realized I had targeted my own foot, but it was a bit late by then. (Hobble….hobble.)

    Thanks for the tip, and thanks for your work on multilib support. I discovered it years ago when I first went 64-bit with Slackware and had failures on some of my old utilities for which I had lost the source code. Some searching listed your project, and I now wait to upgrade Slackware until you have your packages out for the new version.

    Don’t let the entitlement brigade get you down. At least some of us out here are glad you put in the work on this project and I appreciate the aggravation that I haven’t had to deal with because of it.

    Again, thanks for the multilib project, and for the quick tip today that fixed my problem in under 5 minutes from reading the solution to making it work.


  4. Am I missing something? The creation dates for glibc-zoneinfo and version “i” are still the same (25-oct-2014) when I access the links. The changelogs at slackware.com show version “j”. Or doesn’t it matter? Thank you


  5. Thank you very much Eric !

    ALL my 32-bit programs are working again after updating glibc on 13.37 !

    I am truly sorry to hear about the ungrateful people who demanded that you spend YOUR time and YOUR experience to update the packages that you’ve enabled them to update for themselves.

    That DOES suck.

    You’ve provided a number of valuable gifts to the world and I am sure most people see your HOWTOs, scripts and packages that way too.

    Thanks again for all you do, Eric !

    — kjh


  6. Pingback: Vulnerabilidade Ghost corrigida na multilib, para Slackware Linux | Caminhando Livre



  7. Hi Nolre,

    The reason is that there were no updates to glibc in Slackware-current except for the zoneinfo package. The GHOST bug is not present in the glibc of slackware-current.

    You can use the zoneinfo package of slackware64-current on your multilib computer.
    I will update that file sometime soon in the multilib repository but I do not have the time now.


