輪撥

Wednesday, April 29, 2015

How to patch the CVE-2015-0235 Linux (CentOS) glibc GHOST vulnerability


glibc is the GNU C Library, an open-source and widely used C library. It supports many Linux platforms and is regarded as a core component of any Linux system; a Linux system without glibc will generally not work at all.

The "GHOST" vulnerability lies in the Linux glibc library, and it can easily be used to obtain root privileges.

Scope of CVE-2015-0235

The affected operating system versions are as follows:

  • RHEL (Red Hat Enterprise Linux) version 5.x, 6.x and 7.x
  • CentOS Linux version 5.x, 6.x & 7.x
  • Ubuntu Linux version 10.04, 12.04 LTS
  • Debian Linux version 7.x
  • Linux Mint version 13.0
  • Fedora Linux version 19 or older
  • SUSE Linux Enterprise 11 and older (also OpenSuse Linux 11 or older versions).
  • SUSE Linux Enterprise Software Development Kit 11 SP3
  • SUSE Linux Enterprise Server 11 SP3 for VMware
  • SUSE Linux Enterprise Server 11 SP3
  • SUSE Linux Enterprise Server 11 SP2 LTSS
  • SUSE Linux Enterprise Server 11 SP1 LTSS
  • SUSE Linux Enterprise Server 10 SP4 LTSS
  • SUSE Linux Enterprise Desktop 11 SP3
  • Arch Linux glibc version <= 2.18-1

How to check your own version

#! First use rpm -qa to query the currently installed versions (enter the package names listed above);
#! note that the underlined part is a single command line. Record the current versions and keep the original rpm files ready in case a rollback is needed.
[root@centos6 ~]# rpm -qa "glibc" "glibc-common" "glibc-devel" "glibc-headers" "glibc-static" "glibc-utils" "nscd" > old_version.txt
[root@centos6 centos6_x86_64_ghost]# cat old_version.txt
glibc-2.12-1.132.el6.x86_64
glibc-devel-2.12-1.132.el6.x86_64
glibc-common-2.12-1.132.el6.x86_64
glibc-headers-2.12-1.132.el6.x86_64
[root@centos6 ~]#
#! The double-underlined text above is the command output, i.e. the rpm packages installed on the system.
#! These are the packages we need to patch!
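To turn the manual version check above into something repeatable, here is an added example (not part of the original post) that parses saved rpm -qa output and lists every glibc-family package still older than the fixed CentOS/RHEL 6 release 2.12-1.149.el6_6.5 shown in the update transaction. The rpm -qa lines are constructed sample data, and the comparison is a simplified form of rpm's version rules (numeric segments compared as integers, letters as strings), which is enough for these package strings.

```python
import re

# Packages the post tells you to query with rpm -qa.
GLIBC_PKGS = {"glibc", "glibc-common", "glibc-devel", "glibc-headers",
              "glibc-static", "glibc-utils", "nscd"}

# Constructed sample of `rpm -qa` output (not captured from a real host):
# four stale packages, one already patched, one unrelated package.
SAMPLE_RPM_QA = """\
glibc-2.12-1.132.el6.x86_64
glibc-devel-2.12-1.132.el6.x86_64
glibc-common-2.12-1.132.el6.x86_64
glibc-headers-2.12-1.132.el6.x86_64
nscd-2.12-1.149.el6_6.5.x86_64
bash-4.1.2-29.el6.x86_64
"""

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpm_vercmp(a, b):
    """Simplified rpmvercmp: walk alphanumeric segments in order; numbers
    compare as integers, letters as strings, a number beats a letter,
    and the string with more segments wins a tie. Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvra(line):
    """Split 'name-version-release.arch' into (name, version, release, arch)."""
    m = re.match(r"^(.+)-([^-]+)-([^-]+)\.([^.]+)$", line.strip())
    return m.groups() if m else None

def unpatched_packages(rpm_qa_text, fixed_ver="2.12", fixed_rel="1.149.el6_6.5"):
    """Return glibc-family packages whose version-release predates the fix."""
    stale = []
    for line in rpm_qa_text.splitlines():
        parsed = parse_nvra(line)
        if not parsed or parsed[0] not in GLIBC_PKGS:
            continue
        name, ver, rel, arch = parsed
        # Compare version first, then release, as rpm does.
        c = rpm_vercmp(ver, fixed_ver) or rpm_vercmp(rel, fixed_rel)
        if c < 0:
            stale.append(f"{name}-{ver}-{rel}.{arch}")
    return stale
```

Feed it the contents of old_version.txt (or a fresh rpm -qa run) after the reboot; an empty result means every glibc-family package on the host is at or above the fixed release.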

Fixing CVE-2015-0235: how to install the glibc patch

(1) Installing the glibc patch on CentOS

#! On this example system, 4 packages will be updated.
[root@centos6 ~]# yum update "glibc" "glibc-common" "glibc-devel" "glibc-headers" "glibc-static" "glibc-utils" "nscd" 
Loaded plugins: fastestmirror, refresh-packagekit, security
Determining fastest mirrors
Setting up Update Process
...... output omitted ......
--> Finished Dependency Resolution
Dependencies Resolved
========================================================================
 Package        Arch     Version              Repository        Size
========================================================================
Updating:
 glibc           x86_64  2.12-1.149.el6_6.5 updates           12 M
 glibc-common   x86_64  2.12-1.149.el6_6.5 updates          107 M
 glibc-devel    x86_64  2.12-1.149.el6_6.5 updates          967 k
 glibc-headers  x86_64  2.12-1.149.el6_6.5 updates         2.0 M
Transaction Summary
========================================================================
Upgrade       4 Package(s)
Total size: 123 M
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
...... output omitted ......
Updated:
  glibc.x86_64 0:2.12-1.149.el6_6.5 glibc-common.x86_64 0:2.12-1.149.el6_6.5 glibc-devel.x86_64 0:2.12-1.149.el6_6.5
  glibc-headers.x86_64 0:2.12-1.149.el6_6.5

Complete!
[root@centos6 ~]#
#! The update is only complete after the system has been rebooted.
[root@centos6 ~]# shutdown -r now
Broadcast message from root@dns.localdomain
(/dev/pts/0) at 18:26 ...
The system is going down for reboot NOW!
#! After rebooting, check the versions again; the update should now be complete.
[root@centos6 ~]# rpm -qa "glibc" "glibc-common" "glibc-devel" "glibc-headers" "glibc-static" "glibc-utils" "nscd"
glibc-common-2.12-1.149.el6_6.5.x86_64
glibc-headers-2.12-1.149.el6_6.5.x86_64
glibc-devel-2.12-1.149.el6_6.5.x86_64
glibc-2.12-1.149.el6_6.5.x86_64
[root@centos6 ~]#

(2) Installing the glibc patch on RHEL

Upload the RHEL glibc patch files to the /tmp/glibc directory on the target host. For RHEL 6 x86_64 the file names are as follows:

  • glibc-2.12-1.149.el6_6.5.i686.rpm
  • glibc-devel-2.12-1.149.el6_6.5.i686.rpm
  • glibc-2.12-1.149.el6_6.5.x86_64.rpm
  • glibc-devel-2.12-1.149.el6_6.5.x86_64.rpm
  • glibc-common-2.12-1.149.el6_6.5.x86_64.rpm
  • glibc-headers-2.12-1.149.el6_6.5.x86_64.rpm
  • glibc-debuginfo-2.12-1.149.el6_6.5.i686.rpm
  • glibc-static-2.12-1.149.el6_6.5.i686.rpm
  • glibc-debuginfo-2.12-1.149.el6_6.5.x86_64.rpm
  • glibc-static-2.12-1.149.el6_6.5.x86_64.rpm
  • glibc-debuginfo-common-2.12-1.149.el6_6.5.i686.rpm
  • glibc-utils-2.12-1.149.el6_6.5.x86_64.rpm
  • glibc-debuginfo-common-2.12-1.149.el6_6.5.x86_64.rpm
  • nscd-2.12-1.149.el6_6.5.x86_64.rpm


#! First use rpm -qa to query the currently installed versions (enter the package names listed above);
#! note that the underlined part is a single command line. Record the current versions and keep the original rpm files ready in case a rollback is needed.
[root@rhel6 ~]# rpm -qa "glibc" "glibc-common" "glibc-devel" "glibc-headers" "glibc-static" "glibc-utils" "nscd" > old_version.txt
[root@rhel6 rhel6_x86_64_ghost]# cat old_version.txt
glibc-2.12-1.132.el6.x86_64
glibc-devel-2.12-1.132.el6.x86_64
glibc-common-2.12-1.132.el6.x86_64
glibc-headers-2.12-1.132.el6.x86_64
[root@rhel6 ~]#
#! The double-underlined text above is the command output, i.e. the rpm packages installed on the system.
#! These are the packages we need to patch!

#! On this example system, 4 packages will be updated.
[root@rhel6 rhel6_x86_64_ghost]# yum --disablerepo=* update *.rpm
Loaded plugins: fastestmirror, refresh-packagekit, security
Determining fastest mirrors
Setting up Update Process
...... output omitted ......
--> Finished Dependency Resolution
Dependencies Resolved
========================================================================
 Package         Arch         Version                 Repository          Size
========================================================================
Updating:
 glibc               x86_64       2.12-1.149.el6_6.5      /glibc-2.12-1.149.el6_6.5.x86_64           12 M
 glibc-common        x86_64       2.12-1.149.el6_6.5      /glibc-common-2.12-1.149.el6_6.5.x86_64    107 M
 glibc-devel         x86_64       2.12-1.149.el6_6.5      /glibc-devel-2.12-1.149.el6_6.5.x86_64     967 k
 glibc-headers       x86_64       2.12-1.149.el6_6.5      /glibc-headers-2.12-1.149.el6_6.5.x86_64   2.0 M
Transaction Summary
========================================================================
Upgrade       4 Package(s)
Total size: 123 M
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
...... output omitted ......
Updated:
  glibc.x86_64 0:2.12-1.149.el6_6.5 glibc-common.x86_64 0:2.12-1.149.el6_6.5 glibc-devel.x86_64 0:2.12-1.149.el6_6.5
  glibc-headers.x86_64 0:2.12-1.149.el6_6.5
Complete!
[root@rhel6 rhel6_x86_64_ghost]#
#! The update is only complete after the system has been rebooted.
[root@rhel6 rhel6_x86_64_ghost]# shutdown -r now
Broadcast message from root@rhel6.localdomain
(/dev/pts/0) at 18:26 ...
The system is going down for reboot NOW!
#! After rebooting, check the versions again; the update should now be complete.
[root@rhel6 rhel6_x86_64_ghost]# rpm -qa "glibc" "glibc-common" "glibc-devel" "glibc-headers" "glibc-static" "glibc-utils" "nscd"
glibc-common-2.12-1.149.el6_6.5.x86_64
glibc-headers-2.12-1.149.el6_6.5.x86_64
glibc-devel-2.12-1.149.el6_6.5.x86_64
glibc-2.12-1.149.el6_6.5.x86_64
[root@rhel6 rhel6_x86_64_ghost]#

Rollback procedure

If the installation causes problems, follow the steps below to roll back.

#! This uses the version information recorded earlier with rpm -qa; note that the underlined part is a single command line.
[root@centos6 centos6_x86_64_ghost]# cat /tmp/centos6_x86_64_ghost/old_version.txt
glibc-2.12-1.132.el6.x86_64
glibc-devel-2.12-1.132.el6.x86_64
glibc-common-2.12-1.132.el6.x86_64
glibc-headers-2.12-1.132.el6.x86_64
[root@centos6 centos6_x86_64_ghost]#

#! The double-underlined text above is the command output, i.e. the versions that were installed before the glibc patch update,
#! which are the packages we want to roll back to. The example below assumes the packages from "2.2.2 Checking the installed glibc version"
#! have been backed up in the /tmp/centos6_x86_64_ghost/rollback directory.
[root@centos6 centos6_x86_64_ghost]# cd rollback/
[root@centos6 rollback]#
[root@centos6 rollback]# ls -l *.rpm
-r--r--r--. 1 root root  1677592 Feb  6  2015 glib2-2.26.1-3.el6.x86_64.rpm
-r--r--r--. 1 root root  3987408 Feb  6  2015 glibc-2.12-1.132.el6.x86_64.rpm
-r--r--r--. 1 root root 14879344 Feb  6  2015 glibc-common-2.12-1.132.el6.x86_64.rpm
-r--r--r--. 1 root root  1001012 Feb  6  2015 glibc-devel-2.12-1.132.el6.x86_64.rpm
-r--r--r--. 1 root root   622736 Feb  6  2015 glibc-headers-2.12-1.132.el6.x86_64.rpm
[root@centos6 rollback]#

#! Note that the underlined part is a single command line.
[root@centos6 rollback]# yum --disablerepo=* downgrade *.rpm
Loaded plugins: fastestmirror, refresh-packagekit, security
Setting up Downgrade Process

...... output omitted ......

--> Finished Dependency Resolution

Dependencies Resolved

========================================================================
 Package           Arch      Version         Repository          Size
========================================================================
Downgrading:
 glibc             x86_64    2.12-1.132.el6  /glibc-2.12-1.132.el6.x86_64           12 M
 glibc-common      x86_64    2.12-1.132.el6  /glibc-common-2.12-1.132.el6.x86_64    107 M
 glibc-devel       x86_64    2.12-1.132.el6  /glibc-devel-2.12-1.132.el6.x86_64     966 k
 glibc-headers     x86_64    2.12-1.132.el6  /glibc-headers-2.12-1.132.el6.x86_64   2.0 M

Transaction Summary
========================================================================
Downgrade     4 Package(s)

Total size: 123 M
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded

...... output omitted ......

Removed:
  glibc.x86_64 0:2.12-1.149.el6_6.5 glibc-common.x86_64 0:2.12-1.149.el6_6.5 glibc-devel.x86_64 0:2.12-1.149.el6_6.5                glibc-headers.x86_64 0:2.12-1.149.el6_6.5

Installed:
  glibc.x86_64 0:2.12-1.132.el6 glibc-common.x86_64 0:2.12-1.132.el6 glibc-devel.x86_64 0:2.12-1.132.el6                    glibc-headers.x86_64 0:2.12-1.132.el6

Complete!
[root@centos6 rollback]#


#! The rollback is only complete after the system has been rebooted.
[root@centos6 rollback]# shutdown -r now

Broadcast message from root@dns.localdomain
(/dev/pts/0) at 18:52 ...

The system is going down for reboot NOW!

#! After rebooting, check the versions again; the rollback is now complete.
[root@centos6 ~]# rpm -qa "glibc" "glibc-common" "glibc-devel" "glibc-headers" "glibc-static" "glibc-utils" "nscd"
glibc-devel-2.12-1.132.el6.x86_64
glibc-common-2.12-1.132.el6.x86_64
glibc-2.12-1.132.el6.x86_64
glibc-headers-2.12-1.132.el6.x86_64

[root@centos6 ~]#

References

[CentOS-announce] CESA-2015:0090 Critical CentOS 5 glibc Security Update