How to patch Glibc Ghost Vulnerability # CVE-2015-0235 on CentOS 4 , RHEL 4 , Oracle Enterprise Linux 4

GHOST is a heap-based buffer overflow in the __nss_hostname_digits_dots function of glibc, reached through gethostbyname and gethostbyname2. It was discovered by Qualys, Inc. and affects glibc 2.2 and other 2.x versions before 2.18; it allows context-dependent attackers to execute arbitrary code or crash the calling application (a denial of service) via vectors related to the gethostbyname or gethostbyname2 functions, aka “GHOST.”
This is unfortunate for people still running CentOS version 4 who are unable to upgrade: CentOS 4 is end of life, so no fixed glibc was published for it.

All versions of CentOS 4.x, RHEL 4.x and Oracle Enterprise Linux 4.x are vulnerable, including 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8 and 4.9.

On Thu, 29 Jan 2015 22:43:18 -0800, Oracle released RPMs with a fix for the GHOST vulnerability (CVE-2015-0235) as Oracle alert ELSA-2015-0101 (glibc).
The change is reported as “CVE-2015-0235 Fix parsing of numeric hosts in gethostbyname_r (John Haxby) [orabug 20439586]”

These packages can be used to patch systems running CentOS 4.x, RHEL 4.x and Oracle Enterprise Linux 4.x. Oracle's public yum repository serves them without a subscription, so they also work for Red Hat Enterprise Linux 4.x machines that no longer have one.

After updating you must reboot, or at least restart every running process that still has the old libc mapped: rpm replaces the library on disk, but processes started before the update keep using the old, vulnerable copy in memory. The ones most exposed are long-running daemons that resolve hostnames from untrusted input.

Disclaimer: proceed at your own risk; I am not responsible if the commands suggested here break something. Always have a backup in place, just in case.

Index of all the packages for x86_64 systems:
http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/x86_64/

Index of all the packages for i386/i686 systems:
http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest/i386/

Update example for X86_64 systems:

Update example for i686 systems:
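As an added example (this is not the post's original command listing and not Oracle's own tooling), the script below does the update for either architecture in the way the comments on this post converge on: it fetches the fixed build of every glibc-family package that is actually installed, for every installed architecture (a multilib x86_64 box also carries an i686 glibc), imports Oracle's signing key so rpm -K can verify the files instead of warning NOKEY, and upgrades everything in one rpm transaction so glibc and nscd satisfy each other's dependencies. It also implements the two post-update checks a practitioner wants: every glibc/nscd package at or above the fixed build, and no running process still mapping the replaced libc. The fixed version-release 2.3.4-2.57.0.1.el4.1 and the package names come from the page; the getPackage/ subdirectory under the index URLs and the key URL are assumptions to confirm against the index listing; the rpm -qa lines and the /proc maps excerpt used by the self-test are constructed data.

```shell
#!/bin/sh
# Added example (not the post's own commands, not Oracle tooling): patch GHOST on EL4 with
# the ELSA-2015-0101 RPMs and verify the result. Lines marked ASSUMPTION are not from the page.
set -eu

FIXED_VR="2.3.4-2.57.0.1.el4.1"   # version-release carrying the fix (from the page)
GLIBC_PKGS="glibc glibc-common glibc-devel glibc-headers glibc-utils glibc-profile nscd nptl-devel"
BASE_URL="http://public-yum.oracle.com/repo/EnterpriseLinux/EL4/latest"
PKG_SUBDIR="getPackage"   # ASSUMPTION: subdirectory holding the .rpm files; confirm against the index page
GPG_KEY_URL="http://public-yum.oracle.com/RPM-GPG-KEY-oracle-el4"   # ASSUMPTION: Oracle's EL4 signing key

# rpm_vr_cmp A B: prints -1, 0 or 1. Split on non-alphanumerics; numeric segments compare
# numerically, others lexically; a longer string wins on a common prefix. Not a full rpmvercmp.
rpm_vr_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, /[^0-9A-Za-z]+/); nb = split(b, B, /[^0-9A-Za-z]+/)
        n = (na < nb) ? na : nb
        for (i = 1; i <= n && A[i] == B[i]; i++) { }
        if (i > n) r = (na < nb) ? -1 : (na > nb) ? 1 : 0
        else if (A[i] ~ /^[0-9]+$/ && B[i] ~ /^[0-9]+$/) r = (A[i] + 0 < B[i] + 0) ? -1 : 1
        else r = (A[i] "" < B[i] "") ? -1 : 1
        print r
    }'
}

is_glibc_pkg() { for p in $GLIBC_PKGS; do [ "$p" = "$1" ] && return 0; done; return 1; }

# glibc_all_fixed: reads "NAME VERSION-RELEASE ARCH" lines on stdin (ghost_report's --qf format),
# prints each glibc-family package still below FIXED_VR and fails if there is one (kernheaders ignored).
glibc_all_fixed() {
    bad=0
    while read -r name vr arch; do
        is_glibc_pkg "$name" || continue
        if [ "$(rpm_vr_cmp "$vr" "$FIXED_VR")" -lt 0 ]; then
            echo "$name-$vr.$arch is below $FIXED_VR"; bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# maps_has_stale_glibc: reads one /proc/PID/maps on stdin; true if the process still maps a glibc
# component whose file was replaced on disk by the upgrade (the kernel marks it "(deleted)").
maps_has_stale_glibc() {
    grep -Eq '/(libc|libm|libdl|librt|libpthread|libresolv|libnss_[a-z]+|ld)-2\.[0-9.]+\.so \(deleted\)$'
}

# stale_libc_procs: PID and command line of every process that must be restarted (run as root).
stale_libc_procs() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%/maps}
        maps_has_stale_glibc < "$m" 2>/dev/null || continue
        printf '%s\t%s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    done
}

# ghost_install: fetch the fixed build of every *installed* glibc-family package for every installed
# architecture, check signatures, and upgrade in ONE transaction so glibc and nscd satisfy each other.
ghost_install() {
    pkgdir=$(mktemp -d /tmp/ghost.XXXXXX); cd "$pkgdir"   # clean dir: rpm -U ./*.rpm sees only these files
    for name in $GLIBC_PKGS; do
        rpm -q "$name" >/dev/null 2>&1 || continue   # e.g. no glibc-utils installed => no libgd dependency to chase
        rpm -q --qf '%{ARCH}\n' "$name" | sort -u | while read -r parch; do
            case "$parch" in i?86) repo=i386 ;; *) repo=$parch ;; esac
            wget -q "$BASE_URL/$repo/$PKG_SUBDIR/$name-$FIXED_VR.$parch.rpm"
        done
    done
    wget -q -O oracle-el4.key "$GPG_KEY_URL"
    rpm --import oracle-el4.key   # after this, rpm -K verifies instead of warning "NOKEY"
    for f in ./*.rpm; do rpm -K "$f" || { echo "signature check failed: $f" >&2; return 1; }; done
    rpm -Uvh ./*.rpm
    echo "installed; now run '$0 report' and restart everything it lists (or reboot)"
}

# ghost_report: versions with architecture (the rpm -qa form the post switched to), then stale processes.
ghost_report() {
    rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{ARCH}\n' | glibc_all_fixed || echo "upgrade incomplete"
    stale_libc_procs
}

# Constructed test data modelled on the listings in the comments (not real system output).
SAMPLE_RPM_QA='glibc 2.3.4-2.57.0.1.el4.1 i686
glibc-common 2.3.4-2.41 i386
glibc-kernheaders 2.4-9.1.103.EL i386
nscd 2.3.4-2.57.0.1.el4.1 i386'
SAMPLE_STALE_MAPS='00400000-00408000 r-xp 00000000 08:01 131 /usr/sbin/nscd
00a1b000-00b3a000 r-xp 00000000 08:01 2070 /lib/tls/libc-2.3.4.so (deleted)'

# ghost_selftest: exercise the pure helpers offline before touching a production box.
ghost_selftest() {
    [ "$(rpm_vr_cmp 2.3.4-2.57 "$FIXED_VR")" = -1 ] || return 1   # the 2012 build the comments warn about
    [ "$(rpm_vr_cmp "$FIXED_VR" "$FIXED_VR")" = 0 ] || return 1
    if printf '%s\n' "$SAMPLE_RPM_QA" | glibc_all_fixed >/dev/null; then return 1; fi   # old glibc-common caught
    printf '%s\n' "$SAMPLE_STALE_MAPS" | maps_has_stale_glibc || return 1
    echo "selftest ok"
}

case "${1:-selftest}" in
    install)  ghost_install ;;
    report)   ghost_report ;;
    selftest) ghost_selftest ;;
    *) echo "usage: $0 {install|report|selftest}" >&2; exit 2 ;;
esac
```

Run it with no arguments first (self-test on the constructed data), then `sh ghost.sh install` as root and `sh ghost.sh report` afterwards; restart every process the report lists, or simply reboot. The functional check that the fix took is the Qualys GHOST test program mentioned in the comments below, which should print "not vulnerable" once the report is clean.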

Equivalent RPMs are provided by Red Hat to subscribers in advisory RHSA-2015:0101-1 for Red Hat Enterprise Linux ELS (v. 4).

8 thoughts on “How to patch Glibc Ghost Vulnerability # CVE-2015-0235 on CentOS 4 , RHEL 4 , Oracle Enterprise Linux 4”

  1. Thanks for this info.

    I did notice a problem though:

    Your x86_64 instructions are pulling down an old vulnerable version. glibc-common-2.3.4-2.57.x86_64.rpm is from 2012 and should not be in your wgets. This results in the rpm command above overwriting the fixed version with the vulnerable one.

    nscd should also be upgraded and is available from the same repos. You’ll need to use the --nodeps command when installing both of these.

    nscd-2.3.4-2.57.0.1.el4.1.i386.rpm
    nscd-2.3.4-2.57.0.1.el4.1.x86_64.rpm

  2. Thanks for this, very handy. A couple of questions – after updating I somehow ended up with two glibc-common packages installed, both the old and new. I removed the older package (2.3.4-2.41) with rpm -e and it seems like all is now well:

    # rpm -qa | grep glibc
    glibc-2.3.4-2.57.0.1.el4.1
    glibc-common-2.3.4-2.57.0.1.el4.1
    glibc-headers-2.3.4-2.57.0.1.el4.1
    glibc-common-2.3.4-2.41
    glibc-kernheaders-2.4-9.1.103.EL
    glibc-devel-2.3.4-2.57.0.1.el4.1
    # rpm -e glibc-common-2.3.4-2.41
    # rpm -qa | grep glibc
    glibc-2.3.4-2.57.0.1.el4.1
    glibc-common-2.3.4-2.57.0.1.el4.1
    glibc-headers-2.3.4-2.57.0.1.el4.1
    glibc-kernheaders-2.4-9.1.103.EL
    glibc-devel-2.3.4-2.57.0.1.el4.1

    Additionally, there is another older package (glibc-kernheaders-2.4-9.1.103.EL) that cannot be removed as it seems to be required by glibc-headers:

    # rpm -e glibc-kernheaders-2.4-9.1.103.EL
    error: Failed dependencies:
    kernel-headers is needed by (installed) glibc-headers-2.3.4-2.57.0.1.el4.1.i386
    kernel-headers >= 2.2.1 is needed by (installed) glibc-headers-2.3.4-2.57.0.1.el4.1.i386

    I am assuming that kernheaders doesn’t need to be updated to fix the ghost vulnerability. Would appreciate any input, thanks.

    1. Strange, I don’t know how you ended up with two glibc-common packages.
      Did you also have two before you began?
      On Centos 4.8 i386 I only had one.
      Maybe one was x86_64 and one was i386?
      I’ve updated the rpm command to display architecture in case people have problems with this.

      glibc-kernheaders only contains source files (.h headers); this has no relevance to the vulnerability.
      Red Hat also did not release such an updated package on their subscription service for this.

  3. Thanks for the helpful post! I thought for sure patching a 4.9 box was going to be a nightmare. I did however have some trouble with dependencies when running rpm installation commands. Regardless of the order, I would get errors like this:

    # rpm -U glibc*2.3.4*2.57*
    warning: glibc-2.3.4-2.57.0.1.el4.1.i686.rpm: V3 DSA signature: NOKEY, key ID b38a8516
    error: Failed dependencies:
    glibc = 2.3.4-2.57 is needed by (installed) nscd-2.3.4-2.57.i386
    # rpm -U nscd*2.3.4*2.57*
    warning: nscd-2.3.4-2.57.0.1.el4.1.i386.rpm: V3 DSA signature: NOKEY, key ID b38a8516
    error: Failed dependencies:
    glibc = 2.3.4-2.57.0.1.el4.1 is needed by nscd-2.3.4-2.57.0.1.el4.1.i386

    Running the single command, rpm -U *2.3.4*2.57*, allows the dependencies to be resolved. If you're working in a clean directory (you should be!), rpm -U * would work just fine as well.

    I used the C code provided for CVE-2015-0235 to test, and it confirmed a ‘not vulnerable’.

    Just for reference I’ve also included the rpm query/grep before and after
    Before:
    glibc-common-2.3.4.i386
    glibc-devel-2.3.4.i386
    glibc-2.3.4.i686
    glibc-headers-2.3.4.i386

    After:
    glibc-common-2.3.4.i386
    glibc-devel-2.3.4.i386
    glibc-2.3.4.i686
    glibc-headers-2.3.4.i386

    1. Yeah, sorry.
      You are right, I’ve modified the instructions for rpm -U and added the minor release version to the rpm -qa format.

  4. Hello everyone,
    I have a problem making this update.
    First I ran this command, which contains just the RPMs, “rpm -U *2.3.4*2.57*”, but I am confronted with the error below:
    error: Failed dependencies:
    libgd.so.2 is needed by glibc-utils-2.3.4-2.57.0.1.el4.1.i386
    Suggested resolutions:
    /var/spool/up2date/gd-2.0.28-5.4E.el4_6.1.i386.rpm

    Afterwards I installed “gd-2.0.33-2_11.src.rpm”, but the problem still persists.
    Please, could someone help me? I don’t have a web connection on my server.
