Very well executed responsible disclosure. Good to see all the linux distro's and vendors cooperating. Read the timeline :
https://blog.qualys.com/vulnerabilities-threat-research/2024/01/30/qualys-tru-discovers-important-vulnerabilities-in-gnu-c-librarys-syslog
Noob question: that's a really old library, right? Has this issue been there for decades before someone found it, or is this vulnerability part of some newer addition to it?
Edit: I didn't understand the first sentence of the article so I figured I wouldn't understand any of it -- but my question is answered pretty early on:
It's said to have been accidentally introduced in August 2022 with the release of glibc 2.37.
glibc is the library that provides basic functionality for C programs. It provides the bottom level implementation for things like opening files, requesting memory, and other OS-level stuff.
glibc isn't the only implementation out there. Even on Linux, there are other options, such as muslc.
It gets updated regularly, as the C standard or operating system needs. So while it has been around for a very long time (by software standards anyway) it's still an active and evolving piece of software. --and one that underpins many critical functions of our systems.
Its been around a long time, but evolves with the C standard and the linux kernel. It is basically a layer between C and the kernel.
Pls no
Don't worry, it's extremely unlikely, given how large and ancient glibc is. The most that might happen is that some new parts are implemented in Rust.
Major Linux Distros: all unaffected.
updated glibc already pushed to fedora repos.
OpenSuse Tumbleweed uses 2.38 so not affected by this.
A community for everything relating to the linux operating system
Also check out !linux_memes@programming.dev
Original icon base courtesy of lewing@isc.tamu.edu and The GIMP