Fixing Problems Like The Ghost Bug

New features which should be implemented in Porteus; suggestions are welcome. All questions or problems with testing releases (alpha, beta, or rc) should go in their relevant thread here, rather than the Bug Reports section.
Post Reply
TT4Foss
White ninja
White ninja
Posts: 4
Joined: 15 Feb 2015, 23:22
Distribution: Porteus
Location: Canada

Fixing Problems Like The Ghost Bug

Post#1 by TT4Foss » 15 Feb 2015, 23:38

Any suggestions on how to quickly fix ghost bug (CVE-2015-0235) in Porteus?

Slackware has a newer /slackware/a/glibc-solibs-2.20-i486-2.txz package available.
Could it just be as simple as downloading the package and creating a new module?
glibc forms part of the core of any linux system. I am not sure how the system is built.
Would everything have to be recompiled?

Similar problems will happen more frequently in the future as more bugs in linux/FOSS packages are discovered and is more than likely to happen just after a new version of Porteus is released. IMO totally unreasonable to ask the Porteus team to put out new release each month.

This time the problem is with glibc, next time it might be with the kernel, bash or some other vital package.

Now for the more interesting question:
Would it be possible for someone to bring forward some ideas on how to fix these problems in the future so that users could fix/update their own systems?

Thanks

Ted

User avatar
fanthom
Site Admin
Site Admin
Posts: 4547
Joined: 28 Dec 2010, 02:42
Distribution: Porteus Kiosk
Location: Poland, currently - Cork, IE
Contact:

Re: Fixing Problems Like The Ghost Bug

Post#2 by fanthom » 16 Feb 2015, 17:24

hi Ted,

Would everything have to be recompiled?
dont think so otherwise Pat would release new Slackware version. its just a matter of uninstalling old package and installing a new one.

1. if you are saving changes then you could do it exactly the same as in Slackware:

Code: Select all

upgradepkg pkgname
if you want things automated then i would recommend to install slackpkg:

Code: Select all

http://mirrors.slackware.com/slackware/slackware-current/slackware/ap/slackpkg-2.82.0-noarch-13.tgz
and then run these two commands:

Code: Select all

slackpkg update
slackpkg upgrade-all
2. if you are not saving changes then its enough to convert txz to xzm and place it in your /porteus/base folder.
aufs layered structure will make that files from core module will get 'covered' in the virtual filesystem by never glibc module.

if you want to say up to date with latest patches then 'changes=' + slackpkg approach is the best (until we get similar functionality in USM).
Please add [Solved] to your thread title if the solution was found.

TT4Foss
White ninja
White ninja
Posts: 4
Joined: 15 Feb 2015, 23:22
Distribution: Porteus
Location: Canada

Re: Fixing Problems Like The Ghost Bug

Post#3 by TT4Foss » 03 Mar 2015, 00:32

@fanthom Thanks for your reply.

I was able to create a module from the slackware glibc*.tgz file and the links seem to be ok but the old 2.17 files are still there (not a show stopper). I may try to roll the new files into an updated 001-core.xzm module and remove the glibc*2.17 files to save on memory as I prefer to load everything into memory.

I have not found time to try any of the update methods yet.

Is there anything in the 05-dev module that needs to be updated for a newer glibc (2.21) version?
I have been looking around the system and at both modules.
The 05-dev module is much larger than the 001-core module.

Thanks again

Ted

Post Reply