For your convenience:
The researchers pointed out that the vulnerability cannot be exploited remotely. An attacker can trigger the issue by providing crafted inputs to applications that employ these [syslog] logging functions [in apps that allow the user to feed crafted data to those functions].
This is a privilege escalation.
The hero we need."; DROP TABLE “users”;
If it isn’t little Bobby Tables again.
"A qsort vulnerability is due to a missing bounds check and can lead to memory corruption. It has been present in all versions of glibc since 1992. "
This one amazes me. Imagine how many vulnerabilities future researchers will discover in ancient software that persisted/persist for decades.
That’s not the main part of the article, just a footnote, for anyone wondering.
The flaw resides in the glibc’s syslog function, an attacker can exploit the flaw to gain root access through a privilege escalation.
The vulnerability was introduced in glibc 2.37 in August 2022.
So, it must be with the BSDs too?
Iirc bad does not use glibc, but I’m not very involved with BSD.
Yikes.
I’d switch to musl on all of my boxes if it weren’t that nearly all precompiled software (closed source, games mainly) are compiled against glibc.
So this means you need either Alpine repos or compile everything yourself?
Void offers musl too. Unless they’ve discontinued it.
But
compile everything yourself?
I do (almost) exactly that. I run Gentoo almost everywhere. The ‘almost’ is because Gentoo now offers an official bin repository too, so I can mix compiled and pre-compiled software. (Although you’ve always had the option to set up your own binary host).
How are you going to run steam though? Like at least alpine has wine, but there’s no way to recompile steam unfortunately.
I was never into gaming really, and while I like the progress I dont really care tbh?