glibc vulnerability

Dagmar d'Surreal dagmar.wants at nospam.com
Sat Jun 14 17:23:11 PDT 2003


On Fri, 2003-06-13 at 04:11, Marnix Kaart wrote:
> On Sunday 01 June 2003 22:22, Dagmar d'Surreal wrote:
> > On Wed, 2003-05-28 at 07:51, Jochen Schroeder wrote:
> > > Suse has released a patch for glibc to fix a security hole in the XDR
> > > code, see here for details:
> > > http://www.suse.de/de/security/2003_027_glibc.html
> >
> > Umm... Took them long enough.  Glibc-2.3.2 doesn't have this problem.
> 
> I have no RPC based services running on my machine, so I am assuming that I am 
> not vulnerable to this specific problem (I am a bit hesitant on recompiling 
> glibc). Any confirmation on this?

Your installation is not vulnerable to _remote_ exploits using the XDR
code.  However, it may be vulnerable to exploitation by local users.  It
is also a very bad practice to leave known flawed code installed on
production machines.

Seriously tho.  If you follow the ch6 instructions, compiling
glibc-2.3.2 is no different from 2.3.1.  No chrooting needed.  If
everything passes the self-tests (make check or make test, can't
remember right now and I script it anyway) there's only an infinitesimal
chance something could go wrong moving from glibc-2.3.1 to glibc-2.3.2.

-- 
The email address above is just as phony as it looks, and for obvious reasons.
Instant messaging contact info: AIM: evilDagmar  Jabber: evilDagmar at jabber.org


More information about the lfs-security mailing list