This minor Linux bug fix created a much more serious problem
The new bug affected all Linux distros
While studying the patch for a recently fixed vulnerability in the GNU C library (glibc), a CloudLinux engineer discovered another issue, one he says affects every Linux distribution.
CloudLinux engineer Nikita Popov chanced upon what is essentially a denial-of-service vulnerability in upstream glibc. Popov says the bug, tracked as CVE-2021-38604, can be exploited to cause a segmentation fault, crashing the affected application.
“Bear in mind that glibc provides the main system primitives and is linked with most, if not all, other Linux applications, including other language compilers and interpreters. It is the second most important component of a system after the Kernel itself,” wrote CloudLinux in a blog post.
According to Popov’s analysis, the vulnerability was introduced, ironically, by the very patch devised to fix the earlier glibc vulnerability, tracked as CVE-2021-33574.
A patchy fix
Reporting on the development, ZDNet notes that the first glibc issue wasn’t particularly severe. A Red Hat engineer explained that the bug was not easily exploitable and required several conditions to be met before it could negatively affect an application.
The bug still needed to be fixed, but the patch introduced the denial-of-service vulnerability that can reportedly be triggered without much trouble.
CloudLinux published details of the vulnerability along with a fix, which has since been merged into upstream glibc. It has also submitted a new test for glibc’s automated test suite so that the bug cannot silently return.
“Sometimes, changes in unrelated code paths can lead to behaviours changing elsewhere in the code and the programmer not being aware of it. This test will catch this situation,” writes CloudLinux.
Via ZDNet
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.