For your convenience:
The researchers pointed out that the vulnerability cannot be exploited remotely. An attacker can trigger the issue by providing crafted inputs to applications that employ these [syslog] logging functions [in apps that allow the user to feed crafted data to those functions].
This is a privilege escalation.
The hero we need."; DROP TABLE “users”;
If it isn’t little Bobby Tables again.
This may be difficult to exploit in practice - I don’t think most user applications use syslog.
Unless you have user access to a system with gcc on it.
You still need some privileged process to exploit. Glibc code doesn’t get any higher privileges than the rest of the process. From kernel’s point of view, it’s just a part of the program like any other code.
So if triggering the bug in your own process was enough for privilege escalation, it would also be a critical security vulnerability in the kernel - it can’t allow you to execute a magic sequence of instructions in your process and become a root, that completely destroys any semblance of process / user isolation.
“GNU Library C?”
I’d just like to interject for a moment. What you call “GNU Library C” is actually GNU with Linux library C and some C++ for those nifty templates, or as we like to call it “GNU/Linux Library C/C++”. Which, to be honest, it’s more like “GNU/Linux Library C/C-with-Classes” the way they’re teaching it at school, oh well.
Carry on.
Let’s go Musl!
Yeah Musl is pretty good to learn C libs but the main red flag is the MIT Licence
Why? MIT is more liberal than GPL. Why is it a red flag?
At a time where proprietary software is becoming more and more nasty and prevalent, on top of what has always accompanied it, we shouldn’t be letting proprietary software developers take advantage of free code only to lock theirs away as proprietary. It advantages nobody except proprietary devs, who don’t have the users at heart.
The goal of the GPL is to fight that.
The problem with pushover licenses like MIT in this case is that a lot of this software is designed to displace copylefted code. And when it does, you lose the protection of copyleft in that particular area and all of a sudden proprietary software gets a leg up on us. It’s bad for software freedom and the users by extension, and good for proprietary software developers.
But the licence is chosen by the software author - unless that right to choose is taken away by a viral licence like the GPL, of course. In any case, I licence everything I write that I can as 3-clause BSD because I don’t give a fuck. I wrote the software for me, and it costs me nothing if it’s used by a shitty proprietary software stealer, or a noble OSS developer. Neither of them are paying me.
OSS should, is, and eventually will drive for-pay software to extinction, and it should do it through merit, not some legal trickery.
You’re missing the point. Yes, the license is chosen by the author, but if that pushover licensed software becomes favoured over copyleft software, then proprietary software has a leg up as I explained. That’s it.
GPL is also not a “viral” license, because that would imply that it seeks out and infects anything it can find. But developers choose which code they use, it doesn’t just appear in their own code without permission. So a better analogy would be “spiderplant” license, since you’re taking part of a GPL program (a spiderplant), and putting it in your own (where the GPLs influence “grows” to). That is completely the software developers decision and not like a virus at all.
It might not cost you anything personally if a proprietary developer usurps your code, but it does cost overall user freedom and increases proprietary dominance, where copyleft licenses would have done the opposite if your code was worth using. For that reason, I like strong copyleft. But by all means, keep using the license you want to, as long as it’s not proprietary I won’t judge. This is just my thoughts.
The point of free/open source licenses isn’t to remove money from software either, it’s perfectly possible to sell libre software. It’s about what the recipients of that software have the freedom to do with it, and not giving the developer control over their users. We should serve the community, not betray them.
Lastly, although free alternatives are often technically superior to their closed-source competitors, at the end of the day, if you have a slightly faster program which does nasty spying, locking of functionality, etc, and a slightly slower program which does not, I’d be inclined to say that the slower program should be preferred by virtue that it does not do nasty things to it’s users, and that then you won’t be supporting such behaviour.
Lastly, although free alternatives are often technically superior to their closed-source competitors, at the end of the day
I am 100% in agreement with you here. While I’m not by any means a Libertarian, I prefer MIT and BSD licenses because they are truely free. The GPL is not: it removes freedoms. Now, you argue that limiting freedom can be a net good - we limit the freedom to rape and murder, and that’s good. I don’t agree that the freedoms the GPL removes are equivalent, and can indeed be harmful.
I don’t mind others using the GPL, but I won’t.
We can agree to disagree on the freedom point. The only “freedom” I see being taken away with the GPL is the removing of the freedom of other people.
I don’t mind the MIT/BSD licenses, but I won’t use them. We can agree on that.
glibc is great, but holy shit the source code is obscured into oblivion, so hard to understand, with hardcoded optimizations, and compiler optimizations. I understand how difficult is to find vulnerabilities. A bit sad that the only C lib truely free software is so hard to actually read its code or even contribute to it.
For what it’s worth, glibc is very much performance-critical, so this shouldn’t be a surprise. Any possible optimization is worth it.
There are a ton of free software libc implementations outside of glibc. I think most implementations of libc are free software at this point. There’s Bionic, the BSD libcs, musl, the Haiku libc, the OpenSolaris/OpenIndiana libc, Newlib, relibc, the ToaruOS libc, the SerenityOS libc and a bunch more. Pretty sure Wine/ReactOS also have free implementations of the Windows libc.
That’s why you need to rock and roll
(Arch btw.)
Try having
unattended-upgradeswith a rolling distro.I don’t want unattended upgrades >:/
Just don’t upgrade for a while and you become debian
It’s not like windows forcing you to reboot every Tuesday so Edge can come back
you shouldn’t be throwing boots through your windows
