GHOST

GNU C Library buffer overflow in __nss_hostname_digits_dots() (CVE-2015-0235 aka GHOST)

It was discovered that a buffer overflow existed in the __nss_hostname_digits_dots function in the GNU C Library. An attacker could use this issue to execute arbitrary code or cause an application crash, resulting in a denial of service.

The GNU C Library upstream had already addressed this issue in its 2.18 release; however, the security impact of the fix was not recognized at the time. Because of this, only Ubuntu 12.04 LTS (Precise) and Ubuntu 10.04 LTS (Lucid) were affected. To address the issue, ensure that libc6 2.15-0ubuntu10.10 (Ubuntu 12.04 LTS) or libc6 2.11.1-0ubuntu7.20 (Ubuntu 10.04 LTS) is installed. These updates were announced in USN 2485-1.
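One way to check a host against the fixed versions listed above, as an added example that is not part of the original page. The function names and the `--local` switch are assumptions of this example, and it requires `dpkg` (plus `lsb_release` for the local check).

```shell
#!/bin/sh
# Added example: classify a libc6 package version against the fixed versions
# this page gives for CVE-2015-0235 (GHOST).

# Fixed libc6 version per release codename, as stated on the page.
fixed_version() {
    case "$1" in
        precise) echo "2.15-0ubuntu10.10" ;;   # Ubuntu 12.04 LTS
        lucid)   echo "2.11.1-0ubuntu7.20" ;;  # Ubuntu 10.04 LTS
        *)       return 1 ;;                   # not listed as affected on the page
    esac
}

# ghost_status CODENAME VERSION  ->  prints fixed | vulnerable | not-listed
# Uses dpkg's own ordering: a plain string compare would wrongly rank
# 2.15-0ubuntu10.9 above 2.15-0ubuntu10.10.
ghost_status() {
    fixed=$(fixed_version "$1") || { echo "not-listed"; return 0; }
    if dpkg --compare-versions "$2" ge "$fixed"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# Report on the machine this script runs on.
check_local() {
    codename=$(lsb_release -sc) || return 2
    # Multiarch hosts can have more than one libc6 installed; check each version.
    dpkg-query -W -f='${Version}\n' libc6 | sort -u | while read -r ver; do
        echo "libc6 $ver on $codename: $(ghost_status "$codename" "$ver")"
    done
}

# Only touch the local package database when asked to.
if [ "${1:-}" = "--local" ]; then
    check_local
fi
```

A fixed package on disk does not update processes that already loaded the old library; they keep the vulnerable code mapped until they are restarted.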

Timeline

  • 2015 Jan 18: the Ubuntu Security team is notified by Qualys via the linux-distros list, with a pending CRD of 2015-01-27 18:00 UTC
  • 2015 Jan 27: issue becomes public a few hours before the CRD; Ubuntu and other distributions release updates
  • 2015 Jan 28: Cloud image updates (see below)

Cloud Image Updates

While the updated GNU C Library packages were immediately available to cloud guests via apt, new Ubuntu Cloud images have been generated in response to GHOST.

  • Amazon AWS AMIs

  • Windows Azure: b39f27a8b8c64d52b05eac6a62ebad85__Ubuntu_DAILY_BUILD-precise-12_04_5-LTS-amd64-server-20150127-en-us-30GB

  • Google Compute Engine: ubuntu-1204-precise-v20150127

  • Ubuntu Core

Other cloud partners have been notified of new image availability.

SecurityTeam/KnowledgeBase/GHOST (last edited 2015-01-28 17:28:56 by jdstrand)