A SEVERE BUG in a widely used open source library has left hundreds of thousands of Linux apps and hardware open to hackers and malware.
Serial bug spotters Google and Red Hat discovered the flaw in the GNU C Library (glibc), the core C library that a huge amount of Linux software and embedded hardware is built on. It is tracked as CVE-2015-7547.
The flaw is in getaddrinfo(), the function that apps and glibc-based hardware such as routers call to turn a host name into an IP address by querying the Domain Name System (DNS).
A specially crafted DNS reply can overflow a fixed-size buffer on the stack inside the resolver, writing past the memory set aside for the reply and trampling whatever sits next to it.
So if getaddrinfo() is made to look up a domain controlled by malicious parties, or its query goes to a DNS server they control or is intercepted on its way there, they can slip a booby-trapped reply into the return data and run code of their choosing on your computer, app or router, all from a distance and all courtesy of the type of people you don’t want digging around in your kit.
“The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack,” said the Google security boffins in a blog post.
Hackers using the exploit could get up to all sorts of trouble, crashing apps, swiping passwords, snooping like digital voyeurs or just taking control of the vulnerable device.
The bug affects glibc versions 2.9 and above; releases before that do not contain the faulty code. Google and Red Hat have produced a patch to plug the problem, and anyone whose software or firmware links against an affected version is advised to get updating, remembering that glibc is also baked into a great deal of device firmware that will need its own update from the vendor.
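Two practical questions follow from the above: is the glibc in front of you in the affected range, and are oversized DNS replies reaching it? The script below is an added example written for this article, not code from Google, Red Hat or glibc. Its version check treats 2.23 as the first fixed upstream release, which is our assumption; because distributions backport fixes under older version numbers, a "yes" from it is a prompt to read your vendor's advisory, not proof of exposure. Its DNS check parses a raw reply and flags any message larger than 2048 bytes, the size of the resolver's stack buffer according to the public write-ups (not a figure the article gives), since a reply exceeding that buffer is the condition the overflow depends on. The DNS packets it examines are constructed inline.

```python
"""Added example: glibc version range check and oversized-DNS-reply detector."""
import struct

AFFECTED_FROM = (2, 9)
FIXED_FROM = (2, 23)        # assumption: first upstream release carrying the fix
STACK_BUFFER_SIZE = 2048    # assumption: resolver stack buffer size from public write-ups


def parse_glibc_version(text):
    """Accepts 'glibc 2.23', '2.19' or a vendor-suffixed '2.17-106.el7_2.4' -> (2, 17)."""
    core = text.strip().split()[-1].split("-", 1)[0]
    return tuple(int(p) for p in core.split(".")[:2])


def version_in_affected_range(text):
    """True when the version is 2.9 or later but before the assumed fixed release."""
    return AFFECTED_FROM <= parse_glibc_version(text) < FIXED_FROM


def installed_glibc_version():
    """Best effort: ask the running C library (Linux/glibc only); None elsewhere."""
    try:
        import ctypes
        fn = ctypes.CDLL(None).gnu_get_libc_version
        fn.restype = ctypes.c_char_p
        return fn().decode()
    except (OSError, AttributeError):
        return None


def skip_name(packet, offset):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        if offset >= len(packet):
            raise ValueError("truncated name")
        length = packet[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:       # two-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def dns_response_size_report(packet):
    """Walk header, question and resource records; report size and whether the
    message is larger than the stack buffer the resolver would try to use."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    off = 12
    for _ in range(qd):
        off = skip_name(packet, off) + 4        # QTYPE + QCLASS
    records = 0
    for _ in range(an + ns + ar):
        off = skip_name(packet, off)
        if off + 10 > len(packet):
            raise ValueError("truncated record header")
        rdlen = struct.unpack("!H", packet[off + 8:off + 10])[0]
        off += 10 + rdlen                       # TYPE, CLASS, TTL, RDLENGTH, RDATA
        records += 1
    if off > len(packet):
        raise ValueError("record data runs past end of message")
    return {"size": len(packet), "records": records,
            "oversized": len(packet) > STACK_BUFFER_SIZE,
            "trailing_bytes": len(packet) - off}


def build_a_response(name, addresses):
    """Constructed sample reply: one A record per address, each name a pointer
    back to the question name at offset 12. Used only to exercise the parser."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addresses), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)
    rrs = b""
    for addr in addresses:
        rdata = bytes(int(o) for o in addr.split("."))
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + rrs


if __name__ == "__main__":
    local = installed_glibc_version()
    print("running glibc:", local, "affected range:" ,
          version_in_affected_range(local) if local else "n/a")
    normal = build_a_response("example.com", ["192.0.2.1"])
    bloated = build_a_response("example.com", ["192.0.2.%d" % i for i in range(1, 131)])
    for label, pkt in (("normal", normal), ("bloated", bloated)):
        print(label, dns_response_size_report(pkt))
```

The parser deliberately stops at sizes and counts rather than decoding record contents, because the size of the message is what matters for this bug, and a reply that fails to parse at all is worth flagging as well. Point it at replies captured from a local resolver to see whether anything upstream is handing out answers that exceed the buffer.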
This is a nasty bug, but the real issue is how long it went unfixed: the faulty code is thought to have been introduced into glibc in 2008, with the 2.9 release.
It seems that it hadn’t been fixed despite Google saying that the chaps who maintain glibc were warned about the bug months before Google’s own researchers stumbled across it. Not that we’re calling them lazy, but perhaps they should have looked at the bug reports with 'OMG! BUG ALERT' in the subject line.
"To our surprise, we learned that the glibc maintainers had previously been alerted of the issue via their bug tracker in July 2015," the Google researchers said, possibly a bit smugly.
The bug highlights that, while open source code might be a cheap way to build apps, software and firmware for all manner of smart gadgets, you are relying on a community to maintain that code, and on every vendor who shipped it to pass the fix along.
So if the community takes a holiday or decides to ignore Google’s phone calls, you could find your fancy new smart fridge ordering 20,000 pints of milk and a ton of haddock. µ