Monday, April 6, 2015

glibc patch for non-LTS Ubuntu 12.10

A few weeks ago when the glibc 'ghost' vulnerability was announced, sysadmins and system engineers the world over frantically began patching systems. Although most of the servers my company manages have been patched by now, I got a weird request from a client - they have an old development machine still running Ubuntu 12.10 Quantal Quetzal, a non-LTS release that went out of support in 2014. The Ubuntu security advisory for glibc (known as eglibc in Ubuntu provided by package libc6) indicates that patches are available for 12.04 and 10.04, but 12.10 is left out in the cold.

Taking a look at the packages depending on libc6 in Ubuntu 12.04 reveals 19 packages including libc6 itself:

libc6 (mandatory)
libc-bin (mandatory)
libc6-i386
libc6-dbg
libc6-dev
libc6-dev-i386
linux-libc-dev (req'd by libc6-dev, libc6-dev-i386)
libc-dev-bin
libc6-pic
libc6-prof
glibc-doc
nscd

libc6-amd64 (i386)
libc6-dev-amd64 (i386)
libc6-xen (i386)
libnss-files-udeb (debian installer build only!)
libnss-dns-udeb (debian installer build only!)
libc6-udeb (debian installer build only!)
multiarch-support (dummy pkg)

All of the above packages must be upgraded to version 2.15-0ubuntu10.10 or above for Ubuntu 12.04!

Since my client is running 64-bit 12.10 on x86 hardware, the packages built only for the i386 architecture (marked "(i386)" in the list above) can be ignored. The libc6-i386 and libc6-dev-i386 packages cannot be ignored, however: they are the multiarch 32-bit glibc packages for 64-bit Ubuntu. The Debian installer build packages (the ones with the '-udeb' suffix) and the dummy package can be ignored as well.

To check the current eglibc version in use by 12.10 Quantal Quetzal, run the following from the commandline:

ldd --version
Ubuntu eglibc 2.15-0ubuntu-20

Hmm... the unpatched eglibc version in Ubuntu 12.10 (2.15-0ubuntu20) is nominally higher than the patched version in Ubuntu 12.04 (2.15-0ubuntu10.10). But the higher version doesn't mean we are safe: each Ubuntu release has its own package revision series, so the numbers are not comparable across releases, and the Quantal Quetzal packages no longer receive updates at all!

One solution is to manually downgrade all the 12.10 eglibc packages to patched 12.04 versions.

First we need to find which glibc/eglibc packages are currently installed on the Ubuntu 12.10 machine, because during the patch we don't want to install any unnecessary packages.

Enter the following bash for-loop on the command-line:

for i in libc6 libc-bin libc-dev-bin linux-libc-dev glibc-doc nscd; do
  # "libc6" also matches libc6-dev, libc6-i386, libc6-dev-i386, libc6-dbg and friends
  dpkg -l | grep -- "$i"
done

Installed packages matching from the list will be displayed one to a line. Here's what I get when I run the above command on a minimal 12.10 install:

ii  libc6:amd64                        2.15-0ubuntu20             amd64        Embedded GNU C Library: Shared libraries
ii  libc-bin                           2.15-0ubuntu20             amd64        Embedded GNU C Library: Binaries


Only two glibc-related packages are installed but on a development machine it would not be surprising for more packages to be returned.
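The two traps in this post, that a higher-looking version string proves nothing and that the fixed version is only defined per release, can be checked mechanically. The Python script below is an added example, not code from the original post: it reimplements dpkg's version-ordering rules (epoch, upstream, revision; `~` sorts before everything) so the check also runs on hosts without `dpkg --compare-versions`, parses `dpkg -l` output, and reports each glibc package against the fixed version for the release the packages came from. The sample `dpkg -l` lines are constructed to mirror the 12.10 box above; `FIXED_VERSIONS` holds only the 12.04 value quoted in the post, and the `glibc_status` function and `GLIBC_PREFIXES` list are my own naming.

```python
"""Check installed glibc packages against a per-release fixed version.

Added example, not from the original post. Reimplements dpkg's version
ordering so the check works without dpkg installed.
"""

# Constructed sample of `dpkg -l` output, mirroring the post's 12.10 box.
SAMPLE_DPKG_L = """\
ii  libc6:amd64      2.15-0ubuntu20  amd64  Embedded GNU C Library: Shared libraries
ii  libc-bin         2.15-0ubuntu20  amd64  Embedded GNU C Library: Binaries
ii  libc6-dev:amd64  2.15-0ubuntu20  amd64  Embedded GNU C Library: Development Libraries
ii  bash             4.2-5ubuntu3    amd64  GNU Bourne Again SHell
"""

# Fixed version per release codename. Only 12.04 (precise) is known from the
# advisory quoted in the post; 12.10 (quantal) has no entry, it never got the fix.
FIXED_VERSIONS = {"precise": "2.15-0ubuntu10.10"}

# Name prefixes taken from the post's list of libc6-dependent packages.
GLIBC_PREFIXES = ("libc6", "libc-bin", "libc-dev-bin", "linux-libc-dev",
                  "glibc-doc", "nscd", "multiarch-support")


def _order(c):
    """Character weight dpkg uses inside non-digit runs."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before anything, even end of string
    return ord(c) + 256    # other punctuation sorts after letters


def _cmp_fragment(a, b):
    """dpkg's verrevcmp: alternate non-digit runs and numeric runs."""
    ia = ib = 0
    while ia < len(a) or ib < len(b):
        first_diff = 0
        # Non-digit run: character-by-character with dpkg's weights.
        while (ia < len(a) and not a[ia].isdigit()) or (ib < len(b) and not b[ib].isdigit()):
            ac = _order(a[ia]) if ia < len(a) else 0
            bc = _order(b[ib]) if ib < len(b) else 0
            if ac != bc:
                return ac - bc
            ia += 1
            ib += 1
        # Numeric run: drop leading zeros; a longer run wins, else first differing digit.
        while ia < len(a) and a[ia] == "0":
            ia += 1
        while ib < len(b) and b[ib] == "0":
            ib += 1
        while ia < len(a) and a[ia].isdigit() and ib < len(b) and b[ib].isdigit():
            if not first_diff:
                first_diff = ord(a[ia]) - ord(b[ib])
            ia += 1
            ib += 1
        if ia < len(a) and a[ia].isdigit():
            return 1
        if ib < len(b) and b[ib].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split_version(v):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def debian_version_cmp(va, vb):
    """Return <0, 0 or >0, ordered like `dpkg --compare-versions`."""
    ea, ua, ra = _split_version(va)
    eb, ub, rb = _split_version(vb)
    if ea != eb:
        return ea - eb
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def installed_glibc_packages(dpkg_output):
    """Map installed ('ii') glibc package names to versions from `dpkg -l` text."""
    found = {}
    for line in dpkg_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "ii":
            continue
        name = fields[1].split(":", 1)[0]   # drop the multiarch ':amd64' qualifier
        if name.startswith(GLIBC_PREFIXES):
            found[name] = fields[2]
    return found


def glibc_status(dpkg_output, release):
    """Classify each glibc package against the fixed version of `release`.

    2.15-0ubuntu20 sorts above 2.15-0ubuntu10.10, yet it is the unpatched
    12.10 build, so the comparison is only meaningful for the release the
    packages were actually built for.
    """
    fixed = FIXED_VERSIONS.get(release)
    status = {}
    for name, version in installed_glibc_packages(dpkg_output).items():
        if fixed is None:
            status[name] = "unsupported-release"
        elif debian_version_cmp(version, fixed) >= 0:
            status[name] = "patched"
        else:
            status[name] = "vulnerable"
    return status


if __name__ == "__main__":
    for name, state in sorted(glibc_status(SAMPLE_DPKG_L, "quantal").items()):
        print(f"{name:<16} {state}")
```

Run against the 12.10 sample with release `quantal`, every package comes back `unsupported-release`; asking the same question with `precise` would report `patched` purely because 20 > 10.10, which is exactly the false comfort the post warns about. After the downgrade described below, the installed packages really are precise builds, and comparing them against the precise fixed version is then the right check.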

Updated 12.04 LTS packages can still be downloaded from the web (which is unfortunately no longer the case for 12.10, as it is no longer supported). At the following link you can download the latest libc6 for 12.04:

http://packages.ubuntu.com/precise/amd64/libc6

And from packages.ubuntu.com you can also search for the other packages you need (listed in the security advisory link presented earlier).

OK, so now you have downloaded all the packages you need to some directory on your 12.10 box. Now it's time to "downgrade" your 12.10 libc6-related packages to those from 12.04:

Assuming all the downloaded .deb files for downgrade exist in the same folder, you can run the following:

$ sudo dpkg -i *.deb
dpkg: warning: downgrading libc6:amd64 from 2.15-0ubuntu20 to 2.15-0ubuntu10.11
...
Although you are downgrading the packages, you are downgrading to patched versions from 12.04 LTS.

Now if you reboot and run ldd --version, you will see that your system is running the patched version of eglibc:

$ ldd --version
ldd (Ubuntu EGLIBC 2.15-0ubuntu10.11) 2.15


A Note about enabling apt-get for unsupported Ubuntu versions

If you try to run sudo apt-get install foo in Ubuntu 12.10 you will get a message that this version is no longer supported. But what if you want to upgrade to 13.04 and from there to 14.04 LTS? Or what if you plan to stay at 12.10 but just want to download additional packages from that version?

First of all, you need to edit your /etc/apt/sources.list file and change the URL for the package repository from us.archive.ubuntu.com to old-releases.ubuntu.com.

Sure, you could do this manually, copy-pasting multiple times, but I suggest you use vi's global find-replace for this task: Enter the following in the vi buffer while editing sources.list:

:%s:us.archive.ubuntu.com:old-releases.ubuntu.com:g

where s means substitute,
g means replace every match on the line (global), and
: is used as the field delimiter instead of the usual /; any character that does not appear in the pattern or replacement will do.

Now apply changes to sources.list:

sudo apt-get update

You will find that you can now use apt-get to install packages from 12.10 or even upgrade the distro to supported (and patched) versions of Ubuntu.