glibc 2.5 - patch for GHOST (CVE-2015-0235)

glibc 2.5 - patch for GHOST (CVE-2015-0235)

[czezz]

Hello,
I still use old Slackware 12 that runs glibc 2.5 branch.
Due to latest vulnerability: GHOST (CVE-2015-0235) I want to patch my glibc. However, I cannot find sources of the patch for this issue.

Could you please give me information where can I download it ?

Best regards,
czezz

Re: glibc 2.5 - patch for GHOST (CVE-2015-0235)

[Carlos O'Donell]

On 02/11/2015 11:44 AM, czezz wrote:
> Hello, I still use old Slackware 12 that runs glibc 2.5 branch. Due
> to latest vulnerability: GHOST (CVE-2015-0235) I want to patch my
> glibc. However, I cannot find sources of the patch for this issue.
> 
> Could you please give me information where can I download it ?

The fix is commit d5dd6189d506068ed11c8bfa1e1e9bffde04decd.

c.

Re: glibc 2.5 - patch for GHOST (CVE-2015-0235)

[czezz]

Hello,
I would very appreciate if someone could tell me if I have created .diff file in a correct way/manner.
I executed:
git diff d5dd6189d506068ed11c8bfa1e1e9bffde04decd^..d5dd6189d506068ed11c8bfa1e1e9bffde04decd > glibc.CVE-2015-0235.diff
Here it is: https://www.dropbox.com/s/15rndtw0t0lfi05/glibc.CVE-2015-0235.diff?dl=0

Secondly I tried to add this patch to my Slackware 12 glibc repository (taken from following link).
mirrors.slackware.com/slackware/slackware-12.0/patches/source/glibc/glibc.SlackBuild

NOTE!!! This is glibc 2.5 repository and it already contains following patches:
 
  # Use old-style locale directories rather than a single (and strangely
  # formatted) /usr/lib/locale/locale-archive file:
  zcat $CWD/glibc.locale.no-archive.diff.gz | patch -p1 --verbose || exit 1
  # Fix NIS netgroups:
  zcat $CWD/glibc.nis-netgroups.diff.gz | patch -p1 --verbose || exit 1
  # Evidently glibc never expected Linux kernel versions to be in the
  # format 1.2.3.4.  This patch makes glibc consider the kernel version
  # to be only the first three digit groups found, and drops any
  # trailing non-digit characters:
  zcat $CWD/glibc.kernelversion.diff.gz | patch -p1 --verbose || exit 1
  # Support ru_RU.CP1251 locale:
  zcat $CWD/glibc.ru_RU.CP1251.diff.gz | patch -p1 --verbose || exit 1
  # Support sa_IN locale:
  zcat $CWD/glibc.sa_IN.diff.gz | patch -p1 --verbose || exit 1
  # Fix missing MAX macro in getcwd.c:
  zcat $CWD/glibc.getcwd.max.macro.diff.gz | patch -p1 --verbose || exit 1
  # This fixes a security issue in glibc 2.12.1 and earlier:
  zcat $CWD/glibc.CVE-2010-3847.diff.gz | patch -p1 --verbose || exit 1
  # This fixes a security issue in glibc 2.12.1 and earlier:
  zcat $CWD/glibc.CVE-2010-3856.diff.gz | patch -p1 --verbose || exit 1

At the end I have added mine:
  echo "adding patch: glibc.CVE-2015-0235.diff.gz "
  zcat $CWD/glibc.CVE-2015-0235.diff.gz | patch -p1 --verbose || exit 1

But then during patching I faced that many problems - you can see it hereunder.
I guess this is either wrongly built .diff file by me or I am missing some previous patches before I add glibc.CVE-2015-0235.diff ?
I would say it is the second case as I can see two last patches comment: "This fixes a security issue in glibc 2.12.1 and earlier". Can someone please help me to figure it out ?


adding patch: glibc.CVE-2015-0235.diff.gz:
 
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- a/nss/Makefile
|+++ b/nss/Makefile
--------------------------
Patching file nss/Makefile using Plan A...
Hunk #1 FAILED at 37.
1 out of 1 hunk FAILED -- saving rejects to file nss/Makefile.rej
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- a/nss/digits_dots.c
|+++ b/nss/digits_dots.c
--------------------------
Patching file nss/digits_dots.c using Plan A...
Hunk #1 succeeded at 47 (offset 1 line).
Hunk #2 succeeded at 86.
Hunk #3 succeeded at 115 (offset 1 line).
Hunk #4 succeeded at 154.
Hunk #5 succeeded at 198 (offset 1 line).
Hunk #6 succeeded at 208.
Hunk #7 succeeded at 224 (offset 1 line).
Hunk #8 succeeded at 234.
Hunk #9 succeeded at 247 (offset 1 line).
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|--- a/nss/getXXbyYY_r.c
|+++ b/nss/getXXbyYY_r.c
--------------------------
Patching file nss/getXXbyYY_r.c using Plan A...
Hunk #1 succeeded at 149 (offset -30 lines).
Hunk #2 FAILED at 261.
1 out of 2 hunks FAILED -- saving rejects to file nss/getXXbyYY_r.c.rej
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|
|--- /dev/null
|+++ b/nss/test-digits-dots.c
--------------------------
Patching file nss/test-digits-dots.c using Plan A...
Hunk #1 succeeded at 1.
done


Best regards,
czezz


Dnia 12 lutego 2015 16:03 "Carlos O'Donell" <carlos@redhat.com> napisał(a):



> 
> > On 02/12/2015 03:32 AM, czezz wrote:
> > thank you for your answer.
> 
> I have moved this discussion to libc-help.
> 
> It seems you are quite new at this process. I would suggest
> that you seek help from a local experienced developer who
> can guide you through the process you are attempting.
> 
> One way to get the glibc sources and patch is like this:
> 
> mkdir -p ~/src
> cd ~/src
> git clone 
> git clone git://sourceware.org/git/glibc.git
> cd glibc
> git diff d5dd6189d506068ed11c8bfa1e1e9bffde04decd^..d5dd6189d506068ed11c8bfa1e1e9bffde04decd > ghost.patch
> 
> The other way is by direct URL referencing the commit id:
> 
> https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=d5dd6189d506068ed11c8bfa1e1e9bffde04decd;hp=fef94eab0bd308d5059a2588c753bf9a4926845d
> 
> Cheers,
> Carlos.