Critical security flaw discovered in GNU C Library, affecting major Linux distributions
Researchers at Qualys have uncovered multiple local privilege escalation (LPE) vulnerabilities in the GNU C Library (glibc), an essential component of virtually every Linux-based system. These vulnerabilities present a significant security concern, as they affect a large number of applications and potentially millions of users worldwide.
The first identified vulnerability (CVE-2023-6246) is a heap-based buffer overflow in glibc's __vsyslog_internal() function, which is called by syslog() and vsyslog(). The flaw was unintentionally introduced in glibc 2.37 (August 2022) and later backported to glibc 2.36 as part of the fix for another, less severe vulnerability (CVE-2022-39046).
Major Linux distributions such as Debian (versions 12 and 13), Ubuntu (23.04 and 23.10), and Fedora (37 to 39) are known to be vulnerable. The flaw allows local privilege escalation, enabling an unprivileged user to gain full root access.
In their scrutiny of the __vsyslog_internal() function, Qualys also discovered two additional, less severe vulnerabilities. These discoveries underscore the importance of stringent security protocols in software development, especially for core libraries that are widely utilized across numerous systems and applications.
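A quick triage helper for defenders, added here as an example and not taken from the article or from Qualys: it classifies a glibc version string against the affected range the article describes (2.37, plus 2.36 where the CVE-2022-39046 fix was backported) and, on a Linux host, reads the live version through gnu_get_libc_version(). It assumes the upstream fix first shipped in glibc 2.39, so 2.38 is treated like 2.37; because distributions backport fixes without bumping the version, a hit means "verify the package changelog", not "exploitable".

```python
"""Triage the installed glibc against the CVE-2023-6246 affected range.

Added example (not from the article or the Qualys advisory). Assumptions:
the article's affected range starts at 2.37 (2.36 only with the
CVE-2022-39046 backport) and the upstream fix landed in 2.39.
"""
import ctypes
import platform
import re
from typing import Optional, Tuple

FIRST_AFFECTED = (2, 36)   # affected only if the 2022-39046 fix was backported
FIRST_FIXED = (2, 39)      # assumption: first upstream release with the fix


def parse_version(text: str) -> Tuple[int, int]:
    """Extract (major, minor) from '2.37' or 'ldd (GNU libc) 2.36'."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no glibc version found in {text!r}")
    return int(m.group(1)), int(m.group(2))


def assess(version: str) -> str:
    """Classify a glibc version string for CVE-2023-6246 triage."""
    v = parse_version(version)
    if v >= FIRST_FIXED:
        return "fixed"
    if v < FIRST_AFFECTED:
        return "unaffected"
    if v == FIRST_AFFECTED:
        # 2.36 carries the bug only where the CVE-2022-39046 fix was backported.
        return "affected-if-CVE-2022-39046-backported"
    # 2.37 / 2.38: vulnerable upstream; vendor patches keep the same version.
    return "affected-unless-vendor-patched"


def running_glibc_version() -> Optional[str]:
    """Ask the live libc for its version; None on non-Linux or non-glibc hosts."""
    if platform.system() != "Linux":
        return None
    try:
        libc = ctypes.CDLL("libc.so.6")
        fn = libc.gnu_get_libc_version       # absent on musl -> AttributeError
        fn.restype = ctypes.c_char_p
        return fn().decode()
    except (OSError, AttributeError):
        return None


if __name__ == "__main__":
    ver = running_glibc_version()
    print(f"glibc {ver}: {assess(ver) if ver else 'not a glibc system'}")
```

A result other than "fixed" or "unaffected" should be followed by checking the distribution's package changelog or advisory for the CVE-2023-6246 backport.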

Comments
So, if I didn't misunderstand it, the temporary solution should be to not download non-official programs until the kernel updates to fix it.
The kernel is not involved in the attack at all; the attacker must leverage an SUID program, which always launches as root even if it's called by a normal user, and then they can execute arbitrary code to gain privileges via the vulnerable syslog and qsort functions.
So, in short, just wait for a glibc package update; a kernel update is not required.